A team of academics from Israeli Ben-Gurion University of the Negev and the Weizmann Institute of Science demonstrated how to spy on secret conversations in a room from a nearby remote location just by measuring the amount of light emitted by an overhead hanging light bulb.
The Lamphone technique analyzes minuscule sound waves optically through an electro-optical sensor directed at the bulb.
The researchers detect vibrations from hanging bulbs caused by the air pressure fluctuations generated by sound waves that hit their surfaces. Then the experts measure the tiny changes in the bulb’s output caused by these small vibrations.
“In this paper, we introduce “Lamphone,” a novel side-channel attack for eavesdropping sound; this attack is performed by using a remote electro-optical sensor to analyze a hanging light bulb’s frequency response to sound.” reads the post published on the website set up by the academics. “We show how fluctuations in the air pressure on the surface of the hanging bulb (in response to sound), which cause the bulb to vibrate very slightly (a millidegree vibration), can be exploited by eavesdroppers to recover speech and singing, passively, externally, and in real time.We analyze a hanging bulb’s response to sound via an electro-optical sensor and learn how to isolate the audio signal from the optical signal.”
To watch the light bulb from a distance the researchers used a telescope and mounted an electro-optical sensor on it to convert light into an electrical current. Then an analog-to-digital converter (ADC) transforms the sensor output to a digital signal that is processed by a laptop that provides the recovered sound data in output.
To test the Lamphone technique the researchers placed the eavesdropper on a pedestrian bridge, positioned an aerial distance of 25 meters from the target office. The experts used three telescopes with different lens diameters (10, 20, 35 cm) and an electro-optical sensor (the Thorlabs PDA100A2. The voltage was obtained from the electro-optical sensor via a 16-bit ADC NI-9223 card and was processed with a LabVIEW script developed by the researchers.
The researchers were able to recover an audible extract of President Donald Trump’s speech that could be transcribed by Google’s Speech to Text API. They were also able to reproduce a recording of the Beatles’ “Let It Be” and Coldplay’s “Clocks” that were recognized by Shazam and SoundHound services.
Below the video PoC published by the experts:
The Lamphone technique is very effective, its efficiency could be improved by using high-range equipment.
The technique can be applied in real-time scenarios and unlike other attack methods don’t require the attackers to compromise the target’s device.
As a countermeasure, the researchers propose to reduce the amount of light captured by the electro-optical sensor by using a weaker bulb and a curtain wall to reduce the light emitted from a room.
The researchers also suggest reducing a hanging bulb’s vibration using a heavier bulb
“Lamphone leverages the advantages of the Visual Microphone (it is passive) and laser microphone (it can be applied in real-time) methods of recovering speech and singing,” conclude the researchers.
“As a future research direction, we suggest analyzing whether sound can be recovered via other light sources. One interesting example is to examine whether it is possible to recover sound from decorative LED flowers instead of a light bulb.”
(SecurityAffairs – Lamphone, hacking)