Researchers at Ben-Gurion University identified a previously unknown type of attack, dubbed Glowworm. Glowworm enables hackers to intercept audio files. In other words, it’s a new form of eavesdropping.

Experts state that Glowworm represents an optical TEMPEST (Telecommunications Electronics Material Protected from Emanating Spurious Transmissions) attack. The mechanisms underlying the attack operations involve sound analysis through optical measurements, which are obtained through an electro-optical sensor. This is directed at the power indicator LED belonging to a given target’s devices. These devices include speakers, USB hub splitters and microcontrollers.

Although federal agencies protect classified information from TEMPEST attacks, most enterprises do not have appropriate measures in place to prevent these threats. Could the novel audio attack represent a serious concern for businesses?

Glowworm in-depth

In showing how Glowworm works, researchers directed a telescope at speakers connected to a laptop. The telescope included an electro-optical sensor, pointed at the speakers’ power indicator LED. During the demonstration, the laptop screen was not visible.

Glowworm attack image

Image courtesy of Ben Nassi et. al

Researchers learned that the Glowworm attack permits threat actors to:

  • Listen to the speech of anyone talking during a virtual meeting
  • Capture any audio played during a meeting (ex. YouTube, PowerPoint, video files…etc)

However, researchers also state that if Glowworm were used to spy on a conference call, only virtual participants’ audio would register for the threat actors.

Glowworm: Further illumination

The attack has not yet appeared in the wild. Researchers state that the attack’s passivity makes it different from similar listening attempts. For example, a laser microphone can absorb audio information through the vibrations on a window pane, or a lightbulb. If concerned about an emerging Glowworm threat, defenders may be able to observe the attack in-progress through the use of smoke or vapor. This technique can be even more effective if the targets know the likely frequency ranges that an attacker may employ.

Unlike other eavesdropping attacks, Glowworm does not require signal leakage or direct intrusion. That said, for hackers to conduct the attack would require a clean line of sight. Access to a window is critical, as is a view of the power LEDs on a computer speaker.

Despite the need for a clean line of sight, the attack does work at a substantial distance. Researchers obtained intelligible audio from 35 meters away from the conversation in question.

So what now?

Although manufacturers and development teams take precautions around cyber security, their efforts might not stand up against TEMPEST attacks.  Researchers suggest that hardware manufacturers take the time to explore whether or not their devices might inadvertently allow Glowworm attacks to manifest. Otherwise, electrical circuits may remain vulnerable to Glowworm until additional regulations surface or major incidents emerge.

Any organizations concerned about the attack can alleviate fears by ensuring that devices do not have window-facing LEDs. “Particularly paranoid defenders can also mitigate the attack by placing opaque tape over any LED indicators that might be influenced by audio playback,” writes Ars Technica.

If you’d like to learn more about this attack, visit the researchers’ website, here. For past Cyber Talk coverage of audio attacks, click here or here. Lastly, sign up for the Cyber Talk newsletter, here.