A group of security researchers has devised a new technique for eavesdropping on conversations that relies on the analysis of a light bulb’s frequency response to sound.
Called Lamphone, the novel side-channel attack demonstrates that fluctuations in the air pressure on the surface of the hanging bulb can be exploited to recover speech and singing in real time, using a remote electro-optical sensor placed externally.
Researchers from the Ben-Gurion University of the Negev and Weizmann Institute of Science came up with an algorithm to recover sound from the optical measurements of the vibrations of a light bulb.
In a real-world test scenario, Lamphone successfully recovered both human speech (which can be identified by the Google Cloud Speech API) and singing (accurately identified by Shazam and SoundHound) from a bridge 25 meters (82 feet) away from the target room where the light bulb was hanging.
The researchers tested Lamphone by targeting an office room located on the third floor of an office building. A hanging E27 LED bulb (12 watt) was in the room and curtain walls would cover the entire building, thus reducing the amount of light emitted from the offices.
On a pedestrian bridge 25 meters away, the researchers mounted an electro-optical sensor (the Thorlabs PDA100A2, an amplified switchable gain light sensor that converts light to electrical voltage) on telescopes with different lens diameters (10, 20, 35 cm) — the sensor was mounted on one telescope at a time.
“The voltage was obtained from the electro-optical sensor via a 16-bit ADC NI-9223 card and was processed in LabVIEW script that we wrote. The sound that was played in the office during the experiments could not be heard at the eavesdropper’s location,” the researchers explain.
Using this setup, the researchers managed to successfully recover two songs and one sentence played via speakers in the office, using optical measurements that were obtained from a single telescope.
Because sound can be recovered using an electro-optical sensor that outputs information at a low resolution (a one pixel sample), Lamphone can be applied in real-time scenarios, the researchers say.
They also claim that the new technique brings numerous advantages compared to previously identified eavesdropping methods that would require device compromise, proximity to the victim, or functionality that can’t be used in real-world scenarios without being immediately detected (such as laser beams).
While they only managed to recover sound from 25 meters away, the researchers argue that better equipment (bigger telescope, 24/32 bit ADC, etc.) would allow an attacker to extend that range.
Related: Power Supply Can Turn Into Speaker for Data Exfiltration Over Air Gap
Related: Hackers Can Exfiltrate Data From Air-Gapped Computers Via Fan Vibrations
Related: Air-Gapped Computers Can Communicate Through Heat: Researchers