LED Lights: Friend or Foe? 606
elfdump writes: "In an article (pdf) soon
to be published in ACM Transactions
on Information and Systems Security, security researchers have discovered
that data transmitted through modems and routers can be remotely reconstructed
from the equipment's LED status indicators. According to experiments, their
light-to-information retrieval method is successful even when the light is
captured 'at a considerable distance' from the source. If you want to prevent
people from spying on your data, you may want to tape up those blinking LEDs!"
LED's magically decrypt your data? (Score:1, Insightful)
On my network, you will not find any unencrypted packets, but for ARP and DNS.
erm.... (Score:1, Insightful)
Therefore, I can access the router/switch. Maybe I have to break some glass cabinet first..... but that is probably about as noticeable as putting a great big frigging light detection source right in front of the glass cabinet.
OK, so I can see the lights, therefore I can access the device. Can you think of an easier way of accessing data than blinking LEDs?
Here.. Look into this live fiber.. (Score:1, Insightful)
It makes more sense to SQID the CRT from a mile away..
Re:bullshit (Score:5, Insightful)
Isn't this how fiber optic cable works? Light pluses traveling down a thin strand of glass to transmit data at high speed over long distances.
I'm not claiming to be an engineer or scientist, but I guess I could see how it might be possible (probably with the same type of fiber-optic reader) to decode some of information from your LED.
If anyone has more techincal info, please post.
Re:Here.. Look into this live fiber.. (Score:2, Insightful)
The number 50 as it is seen in pulses: (| is a positive pulse and _ is no pulse).
||__|_
As seen in an led (keep in mind that your eye will only see two flashes (if that).
[flash][flash][pause][pause][flash][pause]
And this doesn't happen anywhere near as quickly as the light pulses in fiber optics. Another thing that makes it easy to read is that you only have to read one wavelength. This is like fiber technology from 10 years ago.
One thing the article doesn't mention is that many of the hubs/switches/routers out there don't actually pulse for every bite, just when a packet goes over the line. I think they will all quickly start flashing only for packets now, not bytes.
Sniffing GigabitEthernet... (Score:2, Insightful)
Re:ummm...doubtful (Score:5, Insightful)
For example, in high school, I attached an LED to the output of a radio or microphone (can't remember which) and then aimed it at a solar cell attached to the input of a speaker. And it worked! I'm not sure if the quality was good enough to capture a modem signal, but it was certainly a poor-man's wireless speaker.
If the spy has more sensitive equipment, and if the LED on a modem really is tied to the phone line, then there should be nothing stopping the spy from capturing the transmission and decoding it later.
Re:This is the stupidest thing I've ever heard (Score:5, Insightful)
But then I remembered my Digital Electronics class in college where we ran square waves at high frequencies through LEDs... seeing the light seem to fix itself on "on" past any respectable Hertz, I mentioned to the professor "so its power-on time must be shorter than its power-off." His response was "...well, or your eyes just aren't good enough to see that fast." He was right: LEDs aren't like incandescent lights, they can turn on and off very, very fast.
I had just never thought of the little RD/SD lights as transmitting any information, under the refresh rate of my eye. If you'd asked me I would have assumed the manufacturers would have considered this and put a delay into the power-on/power-off times of their LEDs, even one millisecond would do fine.
But many of them didn't. And nobody thought to check until these guys decided to write their paper.
OT:Slashdot readers (Score:5, Insightful)
There are at least 50 posts now on this story claiming it is a hoax. It's clear from many of these that few have actually read the synopsis at the top of the paper, never mind the rest of it.
It is not talking about 10Mbps communications. It is talking about lower data rate comms, like modems, serial lines, and the like.
It does work, only on a small amount of devices. It is short range. This doesn't make it a hoax.
TEMPEST is at a stage where it is hard to perform - we're talking government/big company level to manage anything impressive or useful. Take a look at this tempest radio site [erikyyy.de]. Neat, but not very useful.
If you have no idea what you are talking about or don't have anything useful to add, keep quiet. Is it just so you can get your karmas up???
When I was young.... (Score:2, Insightful)
Need A New Moderation (Score:5, Insightful)
reminds me of Cryptonomicon. Yeah, that's probably why Cryptonomicon is one of the references in the article!
The LED's don't indicate the data pattern, just the transmission pattern.. It depends on the equipment. Many older serial devices do indicate the data.
I call BS on this one... (Score:2, Informative) Uh, OK. Trying reading the article. And who modded this up?
Tempest (Score:4, Informative)
Yeah Right (Score:3, Interesting) After that, good luck doing the packet reconstruction, parse the IP tunnelling, determine what protocol I'm using, and separating signals from my browser, FTP client, weather ticker, httpd, apt-get and realplayer streaming all running at the same time. OK. Maybe you read the article. But this is just silly. Any good packet analyzer like Ethereal will do all this.
Anyways, this is complete FUD. You cannot pick out binary packet data from transmit/receive status lights. OK. Try reading the article next time.
The light blinks ON when data is going, OFF when it's not. Might make a nice indication of when there is data, but not what that data was. Once again. Read the article. Some things work this way. Some don't.
I would have to agree with you on this one. Even if the router were only serving a 1.5Mbit T1, that's still 1.5 million bits per second. I have a hard time believing that an LED can blink fast enough to reliably recreate that data. Read the article. Your T1 CSU/DSU probably isn't going to drive the LED at 1MHz or more but the LED is quite capable of switching at up to 10MHz.
That's pretty feasable, but even if it would blink for every packet you recieved, or even every byte, you still wouldn't know the contents of the bits, or whether it's a one or a zero. I'm still calling BS. Read the article.
Another vote for "Bullsh*t". I'm pretty certain that the LED doesn't blink for *every* single bit. And what about compression techniques that use phase and so on? You are not actually putting just ones and zeros onto the wire you know. Read the article. The external modems which are vulnerable are transmitting data from the RS-232 side of the modem which has very simple encoding. This is clearly explained in the article.
Wow. We get a nice, well written article with lots of specifics and details about exactly which devices were tested and which leak information, all the way to including comparative graphs of received optical signals, and people call BS on it? I suggest the folks making "tin foil hat" jokes invest in a different type of head gear: reading glasses!
Re:Yeah Right (Score:2, Insightful)
Read the friggin article numbnuts!
The modem light indicates all transmitted bits on the RS232 output stream including the start and stop bits. Feed that signal to a standard UART and you'll get a byte stream, probably in PPP protocol. Feed that byte stream into pppd, and I get a copy of every packet you send or receive. I can now read the TCP byte stream and UDP packets to and from every protocol on your machine, so yes, I can "separate the signals" as you call it.
Does that sounds secure to you?
Re:Bull SHIT (Score:2, Insightful)
As the article states - TEMPEST technology has been around for quite awhile. TEMPEST technology is MUCH HARDER than what this research attempted - thus his experiment is much easier (note please that he states that it does not work on ALL equipment - only equipment where the LED's are tied to the traffic in a certain way).
But to put TEMPEST in perspective for you - just to see how easy it is... all you need for simple tempest is a RF receiver and an old black and white TV with the cover ripped off. A few connections and you simply aim the receiver at a wall where you know on the other side is a computer monitor. Next - you play SYNC by hand tweaking the vertical sync of the TV until what is on the computer monitor behind the wall - is now also on your TV. Note that in order for this to work - the TV you are using should be capable (by tweaking) of reaching scan resolutions of the monitor your trying to view.
Similar techniques are also used to reverse CPU running instruction sets by listening to the RF generated by the CPU. Extremely complex algorithms can take the RF and reconvert it back to original instruction set.
This is also similar to what all of us older programmers used to do years ago with AM radios. To tell if our computers crashed, or were looping forever - or were in some other state - we would tune our AM radios until we could hear the individual instructions (old computers were slow enough that their instruction clock speed was in the AM range). You could actually hear loops, xor's etc.. - each would produce a different *tone* that you could learn to recognize after experimenting.
The only difference between TEMPEST and the old AM RADIO trick is that computers are now much much faster - and their clock speeds produce radiation near the microwave range (which is why you can't use AM/FM radios anymore to do the trick).
So yes... it is no surprise to me that the same info can be taken from the status LED's on much of the equipment.
BTW... even though TEMPEST capabilities of our government is considered classified - you can still find quite a bit of info on it - on the net. Mainly because government computer centers are supposed to be TEMPEST certified (e.g., can't be spied upon in this way) -- thus there are a number of companies out there who manufacturer TEMPEST safe rooms and equipment, etc... their info is available on the net.
Re:I'll take that risk. (Score:5, Insightful)
If you look around and see someone with some sort of optical device pointed at your modem you can bonk them on the head and tell them to cut it out.
Once it heads out the wire into the rest of the world, you have no clue. If it comes to privacy/security, the modem lights are the least of my concerns.
Re:According to the article (Score:3, Insightful)
LED is not showing just generic activity, but is actually showing the bit flow.
Think about it. What is the cheapest way to make those status lights work? Have special status lines built in to the DSP, or a cheap buffer connected between the RS232 pins on the serial input and the LEDs? The line levels are appropriate for that. Remember, we're talking about manufacturers who actually care about saving $0.10 per unit on a part. The same industry that developed the Win modem/audio combo just to save about $5.00 on a modem card.
Compared to the whole Winmodem crap, tying the status lights to the serial pins seems innocent enough if you're not accustomed to thinking about security at that level (as most people aren't).
Re:Perhaps covered in article? (Score:3, Insightful)
He asked no question. He merely called the paper a hoax and the authors frauds, with no proof.
Troll.
this is dumb (Score:2, Insightful)
When a router passes data, the led doesn't modulate on the bit level. Stop being so stinkin paranoid. Sheesh. The sky isn't falling.
Re:bullshit (Score:2, Insightful)