Security

LED Lights: Friend or Foe?

Posted by michael
from the brilliant-deductions dept.
elfdump writes: "In an article (pdf) soon to be published in ACM Transactions on Information and Systems Security, security researchers have discovered that data transmitted through modems and routers can be remotely reconstructed from the equipment's LED status indicators. According to experiments, their light-to-information retrieval method is successful even when the light is captured 'at a considerable distance' from the source. If you want to prevent people from spying on your data, you may want to tape up those blinking LEDs!"
  • by francism (563893) on Wednesday March 06, 2002 @09:22AM (#3118033)
    So I should put big, bulky Duck Tape over my beautiful Airport Base Station? No way! Plus, I get poor enough reception in some parts of my own house, never mind my neighbors spying on me. ;-)
  • I imagine it would need a lot of things to actually monitor my leds so I'm not worried. Plus, I like to look at them and I won't let them take that away from me :)
    • by hagardtroll (562208) on Wednesday March 06, 2002 @11:15AM (#3118818) Journal
      At least in this case you know where your data is going. You can see the light coming out of your modem.

      If you look around and see someone with some sort of optical device pointed at your modem you can bonk them on the head and tell them to cut it out.

      Once it heads out the wire into the rest of the world, you have no clue. If it comes to privacy/security, the modem lights are the least of my concerns.
  • Yikes... (Score:5, Funny)

    by mystery_bowler (472698) on Wednesday March 06, 2002 @09:25AM (#3118059) Homepage
    At one time I worked with what I thought was a highly paranoid CIO for a manufacturing company. He had custom-made black plastic covers made for every modem in the modem pool (this was waaaay back) for this very reason.

    I tried not to think about it but he was convinced that eventually someone would create technology that would re-construct the data transmission based on those LEDs.

    If he's reading this (and he knows who he is), you paranoid sod, damn you for being right. *grin*
    • Re:Yikes... (Score:5, Funny)

      by DiveX (322721) <slashdotcontact@oasisofficepark.com> on Wednesday March 06, 2002 @09:27AM (#3118074) Homepage
      "custom-made black plastic covers made for every modem"

      You mean electrical tape?
    • There's a syndrome to describe this sort of irrational paranoid behavior and I'm sure they make a drug to fix it. Yikes indeed! I shudder to think what horror would come to pass if someone could reconstruct this post from across the street. Oh wait, I have an internal modem. These are the same kind of people who refuse to shop online because it requires that they transmit their credit card number through an SSL connection, but gladly give their credit card to an 18 year old waitress in Chili's who makes less than minimum wage. I bet he is reading this alright... assuming his aluminum foil hat isn't blocking his eyes.
  • by Fraize (44301) on Wednesday March 06, 2002 @09:26AM (#3118066) Homepage Journal
    ...where the main character, in fear of his computer being Van Eck phreaked, redirects output from a decryption program to turn on-and-off his scroll-lock key in morse-code.
  • arrch! (Score:3, Funny)

    by digitalsushi (137809) <slashdot@digitalsushi.com> on Wednesday March 06, 2002 @09:28AM (#3118082) Journal
    ibm defaced my slashdot page! :'(

  • Actually (Score:2, Funny)

    by Corby911 (250281)
    It makes quite a bit of sense if you think about it. Audiophiles have been using optical output for years (essentially just an LED and a bit of fiber optic cable). What really caught me off guard was the distance they were able to capture the data from. Apparently for some, they found they could capture data from "at least across the street".

    Almost makes me wish someone cared enough to spy on me so I could prevent it (Duct tape to the rescue!).

    Beez
  • by eples (239989) on Wednesday March 06, 2002 @09:28AM (#3118085)

    Just put a tiny capacitor on your Tx and Rx LEDs.
    It's a hoax anyway... ;)

  • by mrneutron (61365) on Wednesday March 06, 2002 @09:29AM (#3118096)
    I knew I should have heeded this warning:

    ACHTUNG! Alles touristen und non-technischen peepers!
    Das machine control is nicht fur gerfinger-poken und mittengrabben. Oderwise is easy schnappen der springenwerk, blowen fuse, und poppencorken mit spitzensparken.

    Der machine is diggen by experten only. Is nicht fur geverken by das dummkopfen. Das rubbernecken sightseenen keepen das cotten picken hands in das pockets, so relaxen und watchen das blinkenlights.
  • Unlikely (Score:2, Informative)

    by inicom (81356)
    (having not yet read the article) the premise is unlikely since most LEDs on front panels are designed to stay on for longer than the actual activity lasts - in order to present useful information. If there was a one-to-one correspondence between the data and the LED - it would usually appear to a human viewer as an always-on-but-dim LED since the blink-on time would be so short.

    To put it another way - there's a buffer before the LED.

  • by pudge_lightyear (313465) on Wednesday March 06, 2002 @09:34AM (#3118128) Homepage
    I'll just put my modem upside down...that way, everything will transmit backwards...
  • I know, I've thought the same before reading the entire .pdf... But hey, before saying it's a hoax, go read what you're talking about!

    I know it sounds crazy, but it seems to be true!

    At least, it's easy to fix this security problem... Where have I put that damn duck tape?
  • Tempest (Score:5, Interesting)

    by Bruce Perens (3872) <bruce@perens.com> on Wednesday March 06, 2002 @09:34AM (#3118138) Homepage Journal
    Look around for info on the U.S. government's declassified Tempest program. That shows how you can really do this, by sampling the radio emissions of the equipment. Any rapid switching creates radio waves, if you don't shield them effectively you may indeed leak information off site. There have been demonstrations of reading a CRT by the video monitor's radio emissions.

    To do this with an LED would require that the LED be actually driven by the data signal. Most of them go on at the start of the packet or byte and go off at the end, they don't go on for 1 and off for 0. So, you might be able to do a little traffic analysis, but you would not be able to recover the data.

    Bruce

    • Re:Tempest (Score:3, Interesting)

      by kitchen (112068)
      Tempest for home use [erikyyy.de]

    • Re:Tempest (Score:2, Informative)

      by Nick Barnes (11927)
      To do this with an LED would require that the LED be actually driven by the data signal. Most of them go on at the start of the packet or byte and go off at the end, they don't go on for 1 and off for 0.

      This is a great theory, but not actually true, at least for modems. Read the paper.

    • Re:Tempest (Score:5, Informative)

      by CaseyB (1105) on Wednesday March 06, 2002 @10:03AM (#3118364)
      It's a question of whether the indicator is what the article terms a "Class II" device (signal based on activity) or a "Class III" indicator (signal based on data). You, and everyone else that failed to read the article before posting hunches, can go read page 10, which has a list of various devices and shows those that have Class III indicators that are susceptible to the snooping in question.

      The Cisco 4000 and 7000 IP Routers are "Class III" devices, and they're relatively popular.

    • Re:Tempest (Score:5, Interesting)

      by fsmunoz (267297) <fsmunoz@@@member...fsf...org> on Wednesday March 06, 2002 @10:04AM (#3118373) Homepage
      Look around for info on the U.S. government's declassified Tempest program. That shows how you can really do this, by sampling the radio emissions of the equipment. Any rapid switching creates radio waves, if you don't shield them effectively you may indeed leak information off site. There have been demonstrations of reading a CRT by the video monitors radio emissions

      Indeed. Here is a program [erikyyy.de] that implements just that. Tempest for Eliza is an interesting program... it actually played classical music on my AM radio using the monitor color intensity! There's a mod for mp3 even. Check it out.

      cheers,

      fsm
  • by smaughster (227985) on Wednesday March 06, 2002 @09:37AM (#3118162)
    Just hide your hub in a teddy bear, noone will point his eavesdropping device on such an innocent toy, would they?
  • ...let alone OC-x, would be like trying to drink from a fire hose :) Besides, if LEDs would blink so well that you can reconstruct the signal with consumer-grade equipment, wouldn't we all be using optical networks by now?!
  • I don't think we have too much to worry about here. They have proved it to work (supposedly, no evidence) on 56kbps. Most results are for 14.4kbps or less. This is for modems - generally they have TD/RD lights which are direct indications of the RS232 lines, so show data.

    NICs, routers, switches, and hubs, tend to slow down the light flashes, or flash to packets, rather than bits. It makes it far easier to see what is going on. An LED would have difficulty keeping up with the high data rates as well (as well as any driver circuits).

    It could be possible on a switch that has activity lights for all the network to ascertain which ones have most traffic, and hence gateways/DNS servers, but these things are generally found out in much easier ways.

    It seems as if most of the posts before this are from people who didn't read the article, and are claiming it can't be true. RTFA.
  • by phr2 (545169) on Wednesday March 06, 2002 @09:40AM (#3118197)
    Here's a paper [cam.ac.uk] by the amazing Markus Kuhn (who has done many other brilliant security hacks besides this) showing how CRT display contents can be reconstructed from the light given off by the screen, even when the light is reflected diffusely off a wall. It makes me glad I use an LCD monitor.
    • Pffft. (Score:3, Informative)

      by phillymjs (234426)
      Kuhn did not invent this technique, I read about this being doable in Popular Science in the mid-to-late 80's. It's called 'van Eck phreaking' after Wim van Eck, its discoverer. As I recall from that long-ago article, he sat in an equipped van parked outside a building, tuned in on a CRT that was inside the building, and read the contents of that screen right off his. I think I was about 12 or 13 at the time, and this was the coolest thing I had ever heard of-- in fact, it made such an impression on me that "kinda like van Eck" was the first thought that crossed my mind when I read the posting on here.

      Here's some info [techtarget.com] about the van Eck phreaking method.

      ~Philly
  • Yeah Right (Score:2, Interesting)

    by Wolfier (94144)
    After that, good luck doing the packet reconstruction, parse the IP tunnelling, determine what protocol I'm using, and separating signals from my browser, FTP client, weather ticker, httpd, apt-get and realplayer streaming all running at the same time.
    • Exactly. To quote from the text: "The attacker gains access to all data going through the device, including plaintext in the case of encryption systems." This is obviously bullshit, since the LED is equal to the signal on the cable, in other words OSI layer 1. The method is equal to wiretapping the phone line or coax cable. Encryption such as SSH and SSL happens at higher OSI layers and therefore this method definitely does not offer access to clear text data.

      In addition it does not explain how it would be possible to decode data that is being sent by a multiplexing device, as the LED only shows that data is being sent. A modern modem (e.g. DSL) does however spread several data bits over different frequencies and thus it's impossible to decode them all from the LED light, since that does not reflect the full frequency spectrum of the cable.
      They claim "We have successfully recovered error-free data at speeds up to 56 kb/s; the physical principles involved ought to continue to work up to about 10 Mbits/s.", but I seriously doubt it would scale up to DSL modems.

    • So you'll let anyone who wants hook up a promiscuous NIC to your LAN? Why not, since there's no way they could put all those bits back together to get anything useful.

      That's what this does, just from range and with some different hardware in between. I'm sure if they wanted to, some EE geek could use this to build the strangest wireless LAN device ever.

    • Re:Yeah Right (Score:2, Insightful)

      by Anarchofascist (4820)
      ..good luck doing the packet reconstruction, parse the IP tunnelling, determine what protocol I'm using, and separating signals from my browser, FTP client, weather ticker, httpd, apt-get and realplayer...

      Read the friggin article numbnuts!

      The modem light indicates all transmitted bits on the RS232 output stream including the start and stop bits. Feed that signal to a standard UART and you'll get a byte stream, probably in PPP protocol. Feed that byte stream into pppd, and I get a copy of every packet you send or receive. I can now read the TCP byte stream and UDP packets to and from every protocol on your machine, so yes, I can "separate the signals" as you call it.

      Does that sound secure to you?

  • *Can* tell 1 from 0 (Score:5, Informative)

    by mclearn (86140) on Wednesday March 06, 2002 @09:46AM (#3118251) Homepage
    I see lots of posts already from people claiming this is a hoax based on the fact that you can't tell a one from a zero. Well if you RTFA (article), they explain how this can be done through the use of decoding the physical encoding done by the hardware. They explain that the encoding scheme used is a NRZ-L (non-return-to-zero level). This means that everything can be assumed to be a one except for when data is being transmitted, in which case the bits are zeros.

    This is a PHYSICAL encoding, not something cooked up by them. It's used in a variety of devices. Look it up.

    There are other schemes, including non-return-to-zero inverted, and non-return-to-zero space. However these two encoding schemes do not work with absolute values, only transitions from one value to another (ie. from one to zero, or zero to one). There is also Return-to-zero and biphase encoding schemes as well, which attempt to correct problems found in the non-return-to-* schemes. However, NRZ-L is the most simple form of encoding, IIRC.


  • In an article (pdf) soon to be published in ACM Transactions on Information and Systems Security...

    Hmm - April 1st isn't that far off now - maybe this is being prepared to be published then...

    -- Pete.

  • Ok... (Score:4, Funny)

    by Psmylie (169236) on Wednesday March 06, 2002 @09:58AM (#3118333) Homepage
    I'll get right on that, as soon as I finish my tinfoil hat.

    Good lord.

  • From the paper:

    /*
    // sl.c -- a covert channel using the Caps Lock LED.
    //
    // For Solaris 2.x on SPARC; compile with ${CC} sl.c -lposix4
    */


    *THAT* is cool. Bundle it w/ a screensaver that makes the other two lights blink randomly and you're set!

    Office dweeb: "Look at this neat screensaver, it makes my keyboard lights blink! Wheee!"
    Uber-Geek: *jots down keystroke log from caps-lock LED* 47-46-58-82-85-76-69-83......

  • by cybergibbons (554352) on Wednesday March 06, 2002 @10:02AM (#3118361) Homepage
    Over time, you notice that people that read and post on Slashdot are extremely misinformed, narrow minded, and self centred.

    There are at least 50 posts now on this story claiming it is a hoax. It's clear from many of these that few have actually read the synopsis at the top of the paper, never mind the rest of it.

    It is not talking about 10Mbps communications. It is talking about lower data rate comms, like modems, serial lines, and the like.

    It does work, only on a small number of devices. It is short range. This doesn't make it a hoax.

    TEMPEST is at a stage where it is hard to perform - we're talking government/big company level to manage anything impressive or useful. Take a look at this tempest radio site [erikyyy.de]. Neat, but not very useful.

    If you have no idea what you are talking about or don't have anything useful to add, keep quiet. Is it just so you can get your karmas up???
  • Speed of LEDs (Score:3, Informative)

    by Muad'Dave (255648) on Wednesday March 06, 2002 @10:07AM (#3118392) Homepage

    The responses to this article seem to all question the switching speed of LEDs. Even the least expensive LEDs are capable of at least 100kHz operation, with many, many, common LEDs capable of operating at several MHz. Remember, most of the fiber-based transceivers use LEDs, not laser diodes. I've used LED-based 3com equipment over a 2 km 62.5/125 um MM fiber link without trouble. These LEDs (not IR LEDs) were easily able to handle 10 Mbps.

  • Either they take away our blinkey lights and shiney objects

    or

    Electrical tape to cover up said blinkey lights will be labeled as a circumvention device under the DMCA, so we'll be forced to look at the lights (ooooohhh, blinkey).
    (Which is a bad thing because the electrical tape is the only thing holding my 1950's style fins on my tinfoil hat.)

  • by JMZero (449047) on Wednesday March 06, 2002 @10:18AM (#3118464) Homepage

    I can backup the whole network by videotaping the front panel of our switch.

    .
  • Par for many Slashdot folks to naysay without actually reading the article...
    4.3.1 Results of the Survey of Devices.
    Dial-up and leased-line modems were found to faithfully broadcast data transmitted and received by the device. Only one device of this type did not exhibit Class III emanations: the Practical Peripherals PM14400FXMT fax modem. The shortest pulse duration measured from this device was 20 ms, even at high data rates. None of the LAN interface cards tested, including 10 Mbits/s Ethernet and 16 Mbits/s Token Ring adapters, were found to broadcast any recognizable data. Examination of the data sheet for a chipset used in fiber optic Ethernet devices reveals a possible reason for this finding. According to [Hewlett-Packard Company 1993a], LED drivers for transmit, receive, and collision indicators are filtered through pulse stretching circuits to make their activity more visible. The pulse stretcher extends the on-time of LED indicators to a minimum of several milliseconds. This makes short pulses easier to see, but severely limits the bandwidth of the LED from the perspective of compromising optical emanations. All of the Ethernet and Token Ring devices examined showed similar behavior in this regard.

    They're not stating that ALL LED's exhibit this behavior, just some lower bandwidth ones.

    Although I still highly doubt that any useful information would be gleaned from me looking in my neighbor's window and counting pulses from his MODEM LED while he's browsing the internet, a spy agency could very well have the technology to figure out how to do this if the particular device is known to have this problem (or "feature", whatever...)

    Read, people, read. That's what the paper is there for you to do, not to just hear the title and claim it's impossible.
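    The software-UART step Anarchofascist describes further up the thread (feed the LED signal to a UART and get the byte stream back), mclearn's point that the line coding is plain NRZ-L, and the pulse-stretcher passage quoted from the paper in the post just above all reduce to one small simulation. The following Python is an added example for this thread, not code from the paper or from any poster: it frames a few constructed bytes as 8N1, drives a simulated LED straight from the serial line, samples it with a noisy simulated sensor, and decodes the samples with a bit-banged UART. The 9600 baud line rate, the 96 kHz sensor rate, the "LED lit during space" polarity and the sample text are all assumptions; the 20 ms minimum on-time used for the Class II case is the figure the quoted passage reports for the one fax modem that did not leak.

```python
"""Recovering RS-232 bytes from a data-driven status LED (simulation).
Added illustration for this thread, not code from the paper or any poster;
line rate, sensor rate, LED polarity and sample text are assumptions."""
import random

BAUD = 9600                            # assumed serial rate on the RS-232 side
SAMPLE_RATE = 96_000                   # assumed optical sensor sample rate
SAMPLES_PER_BIT = SAMPLE_RATE // BAUD  # 10 sensor samples per bit
MS_20 = SAMPLE_RATE * 20 // 1000       # 20 ms in samples (paper's stretched LED)
SAMPLE_TEXT = b"hi!"                   # constructed plaintext going out the modem


def frame_8n1(data: bytes) -> list[int]:
    """Asynchronous 8N1 framing: start bit 0, eight data bits LSB first, stop bit 1."""
    bits = []
    for byte in data:
        bits.append(0)
        bits.extend((byte >> i) & 1 for i in range(8))
        bits.append(1)
    return bits


def line_levels(bits: list[int], idle_bits: int = 4) -> list[int]:
    """NRZ-L level on the serial line for every sensor sample, with idle mark (1)
    before and after the frames."""
    levels = [1] * idle_bits + bits + [1] * idle_bits
    return [lvl for lvl in levels for _ in range(SAMPLES_PER_BIT)]


def led_drive(levels: list[int], min_on_samples: int = 0) -> list[float]:
    """LED brightness per sample: lit while the line is at space (0), dark at
    mark (1). min_on_samples == 0 is a data-driven indicator (the paper's
    Class III); > 0 is a pulse-stretching driver that keeps the LED on at
    least that long after any activity (Class II)."""
    out, remaining = [], 0
    for lvl in levels:
        if lvl == 0:
            remaining = min_on_samples
        lit = lvl == 0 or remaining > 0
        if remaining > 0:
            remaining -= 1
        out.append(1.0 if lit else 0.0)
    return out


def photodetector(drive: list[float], sigma: float = 0.05, seed: int = 1) -> list[float]:
    """Sensor samples: brightness plus seeded Gaussian noise standing in for
    ambient light and detector noise."""
    rng = random.Random(seed)
    return [v + rng.gauss(0.0, sigma) for v in drive]


def decode_uart(samples: list[float], threshold: float = 0.5) -> tuple[bytes, int]:
    """Bit-banged UART over optical samples. A lit LED is space (0). A frame
    starts at a dark-to-lit edge, every bit is read at its midpoint, and a
    frame whose stop bit is not mark (dark) is a framing error and is dropped.
    Returns (recovered bytes, framing error count)."""
    space = [s > threshold for s in samples]
    recovered, errors, i, n = bytearray(), 0, 0, len(space)
    while i < n:
        if not space[i]:                     # idle mark: keep looking for a start bit
            i += 1
            continue
        mid = i + SAMPLES_PER_BIT // 2
        if mid >= n or not space[mid]:       # too short for a start bit: glitch
            i += 1
            continue
        value = 0
        for b in range(8):
            pos = mid + (b + 1) * SAMPLES_PER_BIT
            if pos < n and not space[pos]:   # dark == mark == logic 1
                value |= 1 << b
        stop = mid + 9 * SAMPLES_PER_BIT
        if stop < n and not space[stop]:
            recovered.append(value)
        else:
            errors += 1
        i = stop + 1
    return bytes(recovered), errors


def recover(data: bytes, min_on_samples: int = 0) -> tuple[bytes, int]:
    """Frame, drive the LED, sample it, decode it."""
    drive = led_drive(line_levels(frame_8n1(data)), min_on_samples)
    return decode_uart(photodetector(drive))


def demo() -> dict:
    return {
        "class_iii": recover(SAMPLE_TEXT),          # LED follows the data line
        "class_ii": recover(SAMPLE_TEXT, MS_20),    # LED held on >= 20 ms per pulse
    }


if __name__ == "__main__":
    for name, (text, errs) in demo().items():
        print(f"{name:9s} recovered={text!r} framing_errors={errs}")
```

    Run as is, the Class III path returns the plaintext with no framing errors, while the pulse-stretched Class II path returns nothing but framing errors: at 9600 baud a full 10-bit frame lasts about 1 ms, so a driver that holds the LED on for 20 ms after the start bit smears every data bit of that frame, and of the next eighteen or so, into one long pulse. That is the whole difference between a modem whose TD light leaks the session and an Ethernet card whose activity light does not, and it is why the fix is in the LED driver rather than in the LED.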
  • by BeBoxer (14448) on Wednesday March 06, 2002 @10:38AM (#3118590)
    of "-1 Didn't Bother To Read The Article". The number of people in this thread who posted and clearly did not read the article is astounding. We need some way of making everybody actually read the article and then start the thread over again. Sheesh.

    reminds me of Cryptonomicon. Yeah, that's probably why Cryptonomicon is one of the references in the article!

    The LED's don't indicate the data pattern, just the transmission pattern..

    It depends on the equipment. Many older serial devices do indicate the data.

    I call BS on this one... (Score:2, Informative)

    Uh, OK. Try reading the article. And who modded this up?

    Tempest (Score:4, Informative) ....To do this with an LED would require that the LED be actually driven by the data signal. Most of them go on at the start of the packet or byte and go off at the end, they don't go on for 1 and off for 0. So, you might be able to do a little traffic analysis, but you would not be able to recover the data.

    True for some devices but not others. Please read the article. It's quite clear about where this does and does not work.

    Yeah Right (Score:3, Interesting) After that, good luck doing the packet reconstruction, parse the IP tunnelling, determine what protocol I'm using, and separating signals from my browser, FTP client, weather ticker, httpd, apt-get and realplayer streaming all running at the same time.

    OK. Maybe you read the article. But this is just silly. Any good packet analyzer like Ethereal will do all this.

    Anyways, this is complete FUD. You cannot pick out binary packet data from transmit/receive status lights.

    OK. Try reading the article next time.

    The light blinks ON when data is going, OFF when it's not. Might make a nice indication of when there is data, but not what that data was.

    Once again. Read the article. Some things work this way. Some don't.

    I would have to agree with you on this one. Even if the router were only serving a 1.5Mbit T1, that's still 1.5 million bits per second. I have a hard time believing that an LED can blink fast enough to reliably recreate that data.

    Read the article. Your T1 CSU/DSU probably isn't going to drive the LED at 1MHz or more but the LED is quite capable of switching at up to 10MHz.

    That's pretty feasible, but even if it would blink for every packet you received, or even every byte, you still wouldn't know the contents of the bits, or whether it's a one or a zero. I'm still calling BS.

    Read the article.

    Another vote for "Bullsh*t". I'm pretty certain that the LED doesn't blink for *every* single bit. And what about compression techniques that use phase and so on? You are not actually putting just ones and zeros onto the wire you know.

    Read the article. The external modems which are vulnerable are transmitting data from the RS-232 side of the modem which has very simple encoding. This is clearly explained in the article.

    Wow. We get a nice, well written article with lots of specifics and details about exactly which devices were tested and which leak information, all the way to including comparative graphs of received optical signals, and people call BS on it? I suggest the folks making "tin foil hat" jokes invest in a different type of head gear: reading glasses!
  • I've glanced at the article, and it seems like a lot of hot air: lots and LOTS of background and diagrams on LED technology, but relatively little detail on how LEDs could betray the data stream in current, modern equipment. Most current data transmissions around a PC occur in heavily encoded form (usually amplitude AND phase modulation). So there is no cable (other than the serial port cable) that you could just splice an LED into and simply read the data stream out. You would have to inject the LED somewhere into the device electronics where the data stream bits are flowing in decoded, truly serial fashion. Why bother, if from a firmware perspective it's much easier to toggle an LED control bit on at the start of a logical data group (packet or whatever), and off when you're done processing it?
  • ...of my long-gone phreaking and phrauding days. Here in .de it was still safe to bluebox and card calls because the entire was analog at that time and tracing had to be done by hand - certainly not something the german telco would do on a regular basis if only fraud was the crime. Well, i used to know some guy who was a security risk in that matter - before dialing someone or using a card with him in 3way, you had to kick him out or something - he could just recognize DTMF tones with his ears. Prolly not as sophisticated as a LED-to-bitstream hack but it still jumps up in my brain while reading this.
  • First they take away my command line and replace it with windoze. Then they take away my sexy jet-engine-spin-up sounding RLL and MFM hard drives. And now no blinky lights?!

    Sure, I can leave behind the days where troubleshooting Ethernet required a resistance meter, and when you could hear the memory counting up, and when a goddammed power switch was a goddammed power switch, but now I have to give up blinky lights? What is the world coming to where a computer geek can't proudly behold his array of blinky lights!?

    Where's the joy? These evil led sniffing bastards simply must be stopped, that's all there is to it. I'll 3DES the signal going to the LEDs before I resort to covering my beloved LEDs. Duck tape be damned.

  • This really shows that you cannot be paranoid enough. That's it, I am ordering my tinfoil hat today.

    Seriously, who would've thought about this? Certainly not me. I'd never thought that an LED might actually represent the state - I merely figured it's activity in general.

  • Move over 802.11x (Score:3, Interesting)

    by uigrad_2000 (398500) on Wednesday March 06, 2002 @11:01AM (#3118736) Homepage Journal
    If it can really pick up signals with few enough errors to be usable, then I want to use it for networking! Some posts here claim that it can easily do 10MBit/sec. What's stopping someone from making an array of them, for high speed wireless access?

    Actually, now that I think of it, that must have been what all those big clunky lights were on ST:TOS. Networking of the future!

  • Physical access... (Score:4, Informative)

    by markmoss (301064) on Wednesday March 06, 2002 @11:36AM (#3119010)
    There are two ways to put in an LED to show when a device is transmitting or receiving. One is to tie it to the transmit or receive enable/detect signal, IF there is any. The other is to tie it to the data line. In that case, the LED may be blinking right along with the data, although too fast for the human eye to see. It looks like it is on continually, but the signal could be recovered with a fast enough detector. This depends on the LED turn-on/turn-off time; if it's 8 ns (pretty common), a 56K modem would be easy to pick up. ADSL or cable modems at a few MHz would be sending out a clear signal; I'm not sure if there are cheap optical detectors that will work at those speeds, but there are expensive ones that go into the gigahertz. 10 MHz Ethernet signals would be "blurry" but with a good detector, a fast ADC, and some signal processing you could recover them. With 100 MHz Ethernet, no data could be recovered.

    But before you can do any of that, you have to be able to _see_ the blinking lights. If someone can get into your wiring closet and focus an optical detector on your hub, it would be a heck of a lot simpler to just connect the network sniffer by cable. The real hazard is if the blinking lights are pointed out the window -- that's an unusual location for a network hub, switch, router, or server, but it's quite likely your business has some desktop computers with the back towards a window and the LED's for the NIC and modem cards visible from outside, so a telescope in a van parked across the street could, in theory, extract the data. For instance the receptionist's computer is probably oriented this way; it probably isn't worthwhile for someone to go to this much trouble to find out what a receptionist is up to, but if the NIC is showing data flowing to and from other machines on a shared network cable, better stick on a bit of electrical tape...
  • by AgentTim3 (447311) on Wednesday March 06, 2002 @01:03PM (#3119680) Journal
    Yeah, that's right. I just head into the server room, turn all the lights out, and stare at the routers.


    Sure, it takes awhile to learn how to read it...


    But after awhile, I just see Blonde here, Brunette there, Redhead over there...

  • by horza (87255) on Wednesday March 06, 2002 @03:15PM (#3120599) Homepage
    I remember when I was in the office at Acorn Computers chatting to a guy called Dave Walker. Someone walked up to his desk, plonked down an Acorn PC and said it wasn't working. He plugged it in and watched it for a moment (just the box, no monitor was plugged in). After a few seconds he pulled the top off, pushed in a certain chip (loose memory or something), put the lid on and booted... this time the PC whirred into life properly. When I asked him how he did that magic trick, he told me that when there is an error the floppy drive light blinks it out in morse code. I'd had one of these machines for years and had never known that was staring me in the face!

    Phillip.
