Security

LED Lights: Friend or Foe?

elfdump writes: "In an article (pdf) soon to be published in ACM Transactions on Information and Systems Security, security researchers have discovered that data transmitted through modems and routers can be remotely reconstructed from the equipment's LED status indicators. According to experiments, their light-to-information retrieval method is successful even when the light is captured 'at a considerable distance' from the source. If you want to prevent people from spying on your data, you may want to tape up those blinking LEDs!"
This discussion has been archived. No new comments can be posted.

  • by gehirntot ( 133829 ) on Wednesday March 06, 2002 @10:26AM (#3118068)
    It is a good practise to encrypt all of your data to begin with. Even if it should be possible to reconstruct any kind of data from the LEDs, they will not magically decrypt the network packets.


    On my network, you will not find any unencrypted packets, but for ARP and DNS.

  • erm.... (Score:1, Insightful)

    by President Chimp Toe ( 552720 ) on Wednesday March 06, 2002 @10:27AM (#3118070)
    I can see the light

    Therefore, I can access the router/switch. Maybe I have to break some glass cabinet first..... but that is probably about as noticeable as putting a great big frigging light detection source right in front of the glass cabinet.

    OK, so I can see the lights, therefore I can access the device. Can you think of an easier way of accessing data than blinking LEDs?
  • by jabber01 ( 225154 ) on Wednesday March 06, 2002 @10:27AM (#3118075)
    Ok, so by sensing the LED, you can tell that transmission took place.. So what? The LED's don't indicate the data pattern, just the transmission pattern.. You can't tell a 1 from a 0 by looking at the LEDs..

    It makes more sense to SQID the CRT from a mile away..
  • Re:bullshit (Score:5, Insightful)

    by jweb ( 520801 ) <(jweb68) (at) (hotmail.com)> on Wednesday March 06, 2002 @10:36AM (#3118151)
    reconstruct the data from the flashing lights??? whatever. That's so ridiculous it's laughable.

    Isn't this how fiber optic cable works? Light pulses traveling down a thin strand of glass to transmit data at high speed over long distances.

    I'm not claiming to be an engineer or scientist, but I guess I could see how it might be possible (probably with the same type of fiber-optic reader) to decode some of the information from your LED.

    If anyone has more technical info, please post.
  • by SkyLeach ( 188871 ) on Wednesday March 06, 2002 @10:37AM (#3118165) Homepage
    Sure you can. Don't you know that a 1 is a pulse and a 0 is nothing. The light only flashes on a pulse (1).

    The number 50 as it is seen in pulses: (| is a positive pulse and _ is no pulse).

    ||__|_

    As seen in an LED (keep in mind that your eye will only see two flashes (if that)).

    [flash][flash][pause][pause][flash][pause]

    And this doesn't happen anywhere near as quickly as the light pulses in fiber optics. Another thing that makes it easy to read is that you only have to read one wavelength. This is like fiber technology from 10 years ago.

    One thing the article doesn't mention is that many of the hubs/switches/routers out there don't actually pulse for every byte, just when a packet goes over the line. I think they will all quickly start flashing only for packets now, not bytes.
  • by forged ( 206127 ) on Wednesday March 06, 2002 @10:38AM (#3118175) Homepage Journal
    ...let alone OC-x, would be like trying to drink from a fire hose :) Besides, if LEDs would blink so well that you can reconstruct the signal with consumer-grade equipment, wouldn't we all be using optical networks by now?!
  • Re:ummm...doubtful (Score:5, Insightful)

    by pmz ( 462998 ) on Wednesday March 06, 2002 @10:39AM (#3118181) Homepage
    It really can be done.

    For example, in high school, I attached an LED to the output of a radio or microphone (can't remember which) and then aimed it at a solar cell attached to the input of a speaker. And it worked! I'm not sure if the quality was good enough to capture a modem signal, but it was certainly a poor-man's wireless speaker.

    If the spy has more sensitive equipment, and if the LED on a modem really is tied to the phone line, then there should be nothing stopping the spy from capturing the transmission and decoding it later.
  • by jamie ( 78724 ) <jamie@slashdot.org> on Wednesday March 06, 2002 @10:58AM (#3118329) Journal
    Your unwarranted presupposition is why this article is so interesting. My first reaction too was "there's no way."

    But then I remembered my Digital Electronics class in college where we ran square waves at high frequencies through LEDs... seeing the light seem to fix itself on "on" past any respectable Hertz, I mentioned to the professor "so its power-on time must be shorter than its power-off." His response was "...well, or your eyes just aren't good enough to see that fast." He was right: LEDs aren't like incandescent lights, they can turn on and off very, very fast.

    I had just never thought of the little RD/SD lights as transmitting any information, under the refresh rate of my eye. If you'd asked me I would have assumed the manufacturers would have considered this and put a delay into the power-on/power-off times of their LEDs, even one millisecond would do fine.

    But many of them didn't. And nobody thought to check until these guys decided to write their paper.

  • by cybergibbons ( 554352 ) on Wednesday March 06, 2002 @11:02AM (#3118361) Homepage
    Over time, you notice that people that read and post on Slashdot are extremely misinformed, narrow minded, and self centred.

    There are at least 50 posts now on this story claiming it is a hoax. It's clear from many of these that few have actually read the synopsis at the top of the paper, never mind the rest of it.

    It is not talking about 10Mbps communications. It is talking about lower data rate comms, like modems, serial lines, and the like.

    It does work, only on a small amount of devices. It is short range. This doesn't make it a hoax.

    TEMPEST is at a stage where it is hard to perform - we're talking government/big company level to manage anything impressive or useful. Take a look at this tempest radio site [erikyyy.de]. Neat, but not very useful.

    If you have no idea what you are talking about or don't have anything useful to add, keep quiet. Is it just so you can get your karmas up???
  • by Anonymous Coward on Wednesday March 06, 2002 @11:19AM (#3118473)
    ...around 3rd or 4th grade (around 1970-1971 timeframe --yep I'm a genuine "Olde Pharte" who reads /. :), I once built an electronic kit from Radio Shack that transmitted voice, one direction only, from an LED to a phototransistor. LEDs were fairly new devices back then, at least for the average joe to get his hands on them. Military electronics and high dollar commercial electronics had them for a while. Anyway, back to the LED "wireless" voice xmitter, it actually had a pretty good range, about 20 feet or so, but the audio quality was extremely poor, only good for voice, not music. There were no IC chips in the kit either, everything was individual transistors.
  • by BeBoxer ( 14448 ) on Wednesday March 06, 2002 @11:38AM (#3118590)
    of "-1 Didn't Bother To Read The Article". The number of people in this thread who posted and clearly did not read the article is astounding. We need some way of making everybody actually read the article and then start the thread over again. Sheesh.

    "reminds me of Cryptonomicon."
    Yeah, that's probably why Cryptonomicon is one of the references in the article!

    "The LED's don't indicate the data pattern, just the transmission pattern.."
    It depends on the equipment. Many older serial devices do indicate the data.

    "I call BS on this one... (Score:2, Informative)"
    Uh, OK. Try reading the article. And who modded this up?

    "Tempest (Score:4, Informative) ....To do this with an LED would require that the LED be actually driven by the data signal. Most of them go on at the start of the packet or byte and go off at the end, they don't go on for 1 and off for 0. So, you might be able to do a little traffic analysis, but you would not be able to recover the data."
    True for some devices but not others. Please read the article. It's quite clear about where this does and does not work.

    "Yeah Right (Score:3, Interesting) After that, good luck doing the packet reconstruction, parse the IP tunnelling, determine what protocol I'm using, and separating signals from my browser, FTP client, weather ticker, httpd, apt-get and realplayer streaming all running at the same time."
    OK. Maybe you read the article. But this is just silly. Any good packet analyzer like Ethereal will do all this.

    "Anyways, this is complete FUD. You cannot pick out binary packet data from transmit/receive status lights."
    OK. Try reading the article next time.

    "The light blinks ON when data is going, OFF when it's not. Might make a nice indication of when there is data, but not what that data was."
    Once again. Read the article. Some things work this way. Some don't.

    "I would have to agree with you on this one. Even if the router were only serving a 1.5Mbit T1, that's still 1.5 million bits per second. I have a hard time believing that an LED can blink fast enough to reliably recreate that data."
    Read the article. Your T1 CSU/DSU probably isn't going to drive the LED at 1MHz or more but the LED is quite capable of switching at up to 10MHz.

    "That's pretty feasible, but even if it would blink for every packet you received, or even every byte, you still wouldn't know the contents of the bits, or whether it's a one or a zero. I'm still calling BS."
    Read the article.

    "Another vote for "Bullsh*t". I'm pretty certain that the LED doesn't blink for *every* single bit. And what about compression techniques that use phase and so on? You are not actually putting just ones and zeros onto the wire you know."
    Read the article. The external modems which are vulnerable are transmitting data from the RS-232 side of the modem which has very simple encoding. This is clearly explained in the article.

    Wow. We get a nice, well written article with lots of specifics and details about exactly which devices were tested and which leak information, all the way to including comparative graphs of received optical signals, and people call BS on it? I suggest the folks making "tin foil hat" jokes invest in a different type of head gear: reading glasses!
  • Re:Yeah Right (Score:2, Insightful)

    by Anarchofascist ( 4820 ) on Wednesday March 06, 2002 @11:58AM (#3118719) Homepage Journal
    ..good luck doing the packet reconstruction, parse the IP tunnelling, determine what protocol I'm using, and separating signals from my browser, FTP client, weather ticker, httpd, apt-get and realplayer...

    Read the friggin article numbnuts!

    The modem light indicates all transmitted bits on the RS232 output stream including the start and stop bits. Feed that signal to a standard UART and you'll get a byte stream, probably in PPP protocol. Feed that byte stream into pppd, and I get a copy of every packet you send or receive. I can now read the TCP byte stream and UDP packets to and from every protocol on your machine, so yes, I can "separate the signals" as you call it.

    Does that sound secure to you?
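
The two LED wirings argued over in this thread, as an added simulation that is not part of the original discussion: an LED buffered straight off the serial data pin reproduces every 8N1 frame (the case Anarchofascist describes above), while the hold time jamie suggests earlier collapses a burst into a single activity pulse. The baud rate, oversampling, LED polarity, message and all function names are assumptions made for the example.

```python
# Added example: simulation only. Baud rate, oversampling, LED polarity and the
# 1 ms hold time are assumptions; MSG is constructed sample data.
BAUD = 9600
SAMPLES_PER_BIT = 8                       # simulated photodetector oversampling
SAMPLE_RATE = BAUD * SAMPLES_PER_BIT
MSG = b"user=alice"

def frame_8n1(data):
    """Line level per bit time: idle/stop = 1, start = 0, data bits LSB first."""
    bits = [1] * 4                        # idle line before the first frame
    for byte in data:
        bits += [0] + [(byte >> k) & 1 for k in range(8)] + [1]
    return bits + [1] * 4                 # idle line after the last frame

def led_direct(bits):
    """LED buffered straight off the data pin: lit (1) while the line is 0."""
    return [1 - b for b in bits for _ in range(SAMPLES_PER_BIT)]

def led_stretched(bits, hold_s=0.001):
    """Retriggerable pulse stretcher: any activity keeps the LED lit for hold_s."""
    hold, remaining, out = int(hold_s * SAMPLE_RATE), 0, []
    for lit in led_direct(bits):
        remaining = hold if lit else max(remaining - 1, 0)
        out.append(1 if remaining else 0)
    return out

def uart_decode(led):
    """Bytes recoverable from the light: sample mid-bit after each start edge."""
    line, n = [1 - s for s in led], SAMPLES_PER_BIT
    out, i = bytearray(), 0
    while i + 10 * n <= len(line):
        mid = [line[i + k * n + n // 2] for k in range(10)]
        if line[i] == 0 and mid[0] == 0 and mid[9] == 1:   # start and stop valid
            out.append(sum(b << k for k, b in enumerate(mid[1:9])))
            i += 10 * n
        else:                             # idle or framing error: slide one sample
            i += 1
    return bytes(out)

def transitions(led):
    """Number of on/off edges an observer sees."""
    return sum(a != b for a, b in zip(led, led[1:]))

if __name__ == "__main__":
    bits = frame_8n1(MSG)
    for name, led in (("direct", led_direct(bits)), ("stretched", led_stretched(bits))):
        print(name, transitions(led), "edges ->", uart_decode(led))
```

With the stretcher in place the LED still shows that traffic is flowing, which is all a status indicator needs to do.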

  • Re:Bull SHIT (Score:2, Insightful)

    by MrIcee ( 550834 ) on Wednesday March 06, 2002 @12:11PM (#3118795) Homepage
    Actually - not true at all. Not only is this VERY doable (and a very nice piece of research I might add) - but if you bothered to look at some of the references he points out - you will realize that our government has been doing way harder things for quite a while.

    As the article states - TEMPEST technology has been around for quite awhile. TEMPEST technology is MUCH HARDER than what this research attempted - thus his experiment is much easier (note please that he states that it does not work on ALL equipment - only equipment where the LED's are tied to the traffic in a certain way).

    But to put TEMPEST in perspective for you - just to see how easy it is... all you need for simple tempest is a RF receiver and an old black and white TV with the cover ripped off. A few connections and you simply aim the receiver at a wall where you know on the other side is a computer monitor. Next - you play SYNC by hand tweaking the vertical sync of the TV until what is on the computer monitor behind the wall - is now also on your TV. Note that in order for this to work - the TV you are using should be capable (by tweaking) of reaching scan resolutions of the monitor you're trying to view.

    Similar techniques are also used to reverse CPU running instruction sets by listening to the RF generated by the CPU. Extremely complex algorithms can take the RF and reconvert it back to original instruction set.

    This is also similar to what all of us older programmers used to do years ago with AM radios. To tell if our computers crashed, or were looping forever - or were in some other state - we would tune our AM radios until we could hear the individual instructions (old computers were slow enough that their instruction clock speed was in the AM range). You could actually hear loops, xor's etc.. - each would produce a different *tone* that you could learn to recognize after experimenting.

    The only difference between TEMPEST and the old AM RADIO trick is that computers are now much much faster - and their clock speeds produce radiation near the microwave range (which is why you can't use AM/FM radios anymore to do the trick).

    So yes... it is no surprise to me that the same info can be taken from the status LED's on much of the equipment.

    BTW... even though TEMPEST capabilities of our government is considered classified - you can still find quite a bit of info on it - on the net. Mainly because government computer centers are supposed to be TEMPEST certified (e.g., can't be spied upon in this way) -- thus there are a number of companies out there who manufacture TEMPEST safe rooms and equipment, etc... their info is available on the net.

  • by hagardtroll ( 562208 ) on Wednesday March 06, 2002 @12:15PM (#3118818) Journal
    At least in this case you know where your data is going. You can see the light coming out of your modem.

    If you look around and see someone with some sort of optical device pointed at your modem you can bonk them on the head and tell them to cut it out.

    Once it heads out the wire into the rest of the world, you have no clue. If it comes to privacy/security, the modem lights are the least of my concerns.
  • by sjames ( 1099 ) on Wednesday March 06, 2002 @01:37PM (#3119480) Homepage Journal

    LED is not showing just generic activity, but is actually showing the bit flow.

    Think about it. What is the cheapest way to make those status lights work? Have special status lines built in to the DSP, or a cheap buffer connected between the RS232 pins on the serial input and the LEDs? The line levels are appropriate for that. Remember, we're talking about manufacturers who actually care about saving $0.10 per unit on a part. The same industry that developed the Win modem/audio combo just to save about $5.00 on a modem card.

    Compared to the whole Winmodem crap, tying the status lights to the serial pins seems innocent enough if you're not accustomed to thinking about security at that level (as most people aren't).

  • by CaseyB ( 1105 ) on Wednesday March 06, 2002 @02:13PM (#3119746)
    This poster asked a serious question, and gets a "troll" metamod.

    He asked no question. He merely called the paper a hoax and the authors frauds, with no proof.

    Troll.

  • this is dumb (Score:2, Insightful)

    by dAzED1 ( 33635 ) on Wednesday March 06, 2002 @03:19PM (#3120190) Journal
    modulation doesn't occur on the bit or even the byte level, it occurs on the packet level. At least, on many of the types of equipment you all are thinking this would apply to. Sure...on a serial modem, I suppose a relatively idiotic modem manufacturer or two could have made the LED's modulate per each bit...but my god...if so, then those companies should be hung.

    When a router passes data, the led doesn't modulate on the bit level. Stop being so stinkin paranoid. Sheesh. The sky isn't falling.

  • Re:bullshit (Score:2, Insightful)

    by Cadderly ( 530144 ) on Wednesday March 06, 2002 @08:28PM (#3122189)
    Hmm... but you keep forgetting that the lamp has a thermal delay... just like a heating resistor. Ieff = Imax / Sqrt(2). The IR and light output is the same as the same lamp on 110V DC...
