A group of cybersecurity researchers discovered a novel side-channel attacking technique that allows eavesdroppers to spy on conversations happening in a room from a nearby location by watching a light bulb hanging in that room.
In a research report, security researchers Ben Nassi, Yaron Pirutin, Adi Shamir, Yuval Elovici, and Boris Zadov from the Israeli’s Ben-Gurion University of the Negev and the Weizmann Institute of Science stated that a technique called “Lamphone Attack” works by capturing microscopic sound waves via an electro-optical sensor focused at the bulb and using it to recover speech and recognize music.
“Any sound in the room can be recovered from the room with no requirement to hack anything and no device in the room. You just need line of sight to a hanging bulb, and this is it,” the researchers said.
Lamphone Attack
The Lamphone attack is based on detecting vibrations produced from hanging bulbs that are caused due to air pressure fluctuation occurred from sound waves. The researchers stated that when sound waves hit surfaces in the room, it brings tiny changes in the bulb’s output and triggers small vibrations which will pick up bits of conversations and identify music.
“We analyze a hanging bulb’s response to sound via an electro-optical sensor and learn how to isolate the audio signal from the optical signal. Based on our analysis, we develop an algorithm to recover sound from the optical measurements obtained from the vibrations of a light bulb and captured by the electro-optical sensor. We evaluate Lamphone’s performance in a realistic setup and show that Lamphone can be used by eavesdroppers to recover human speech (which can be accurately identified by the Google Cloud Speech API),3 and singing from a bridge located 25 meters away from the target room containing the hanging light bulb,” researchers explained.
Attack Demonstration
For their experiment, the researchers set up a series of telescopes around 80 feet away from a target office’s light bulb, and kept each telescope’s eyepiece in front of a Thorlabs PDA100A2 electro-optical sensor. They also used an analog-to-digital converter to transform the electrical signals from that sensor to digital information.
“We assume a victim located inside a room/office that contains a hanging light bulb,” the researchers said. “We consider an eavesdropper a malicious entity that is interested in spying on the victim in order to capture the victim’s conversations and make use of the information provided in the conversation (e.g., stealing the victim’s credit card number, performing extortion based on private information revealed by the victim, etc.),” researchers explained.
The Result
The researchers were able to reproduce a recording of the Beatles’ Let It Be and Coldplay’s Clocks. “We evaluated Lamphone’s performance in terms of its ability to recover non-speech audio. In order to do so, we decided to recover two well-known songs: “Let it Be” by the Beatles and “Clocks” by Coldplay. Experimental Setup: We played the beginning of these songs in the target office. In these experiments we used a telescope with a 20 cm lens diameter to obtain the optical signals via the electro-optical sensor (the internal gain of the sensor was set to 70 dB). We applied Algorithm 1 to the optical measurements and recovered the songs,” researchers added.
The researchers are planning to demonstrate this experiment at the Black Hat USA 2020 conference this August.
