LED Lights: Friend or Foe?

elfdump writes: "In an article (pdf) soon to be published in ACM Transactions on Information and Systems Security, security researchers have discovered that data transmitted through modems and routers can be remotely reconstructed from the equipment's LED status indicators. According to experiments, their light-to-information retrieval method is successful even when the light is captured 'at a considerable distance' from the source. If you want to prevent people from spying on your data, you may want to tape up those blinking LEDs!"

Mmm hmm.

[FlorentinePogen]

Yeah. If the lights on my switch are any indication, I'm getting about 20bps throughput on my network. Last I checked, the LEDs simply indicated activity, they didn't represent the binary pattern of data going through the ports or any other pertinent information.

Tempest

[Bruce Perens]

Look around for info on the U.S. government's declassified Tempest program. That shows how you can really do this, by sampling the radio emissions of the equipment. Any rapid switching creates radio waves, if you don't shield them effectively you may indeed leak information off site. There have been demonstrations of reading a CRT by the video monitors radio emissions.

To do this with an LED would require that the LED be actually driven by the data signal. Most of them go on at the start of the packet or byte and go off at the end, they don't go on for 1 and off for 0. So, you might be able to do a little traffic analysis, but you would not be able to recover the data.

Bruce

And what about IR?

[zmokhtar]

Good point. Besides, if this is possible, then why in the world are IR transfers so slow? I want 100mbps transfers from ipaq to ipaq over a blinking LED!

Re:bullshit

[CrazyBrett]

Not necessarily BS, though it depends on the way the hardware is made. A very simple way (engineering-wise) to implement an indicator LED on a cable modem would be as follows: Whenever the modem is receiving a "1" bit, turn the LED on, otherwise, turn the LED off. Being a type of diode, LEDs are capable of extremely high switching rates (remote controls generally use infrared LEDs pulsed at 56 kHz to transmit data. They can actually switch much faster). Hence, for each packet received, the LED would actually blink dozens of times. To a person, this looks like just a single blink, but a high-speed photodetector would be able to measure the length of each pulse, and use that information to reconstruct the data that was received.

Of course, all this relies on the construction of the modem. Using a slightly less naive algorithm (when a packet arrives, turn the LED on for 1 ms and then shut it off) would defeat this unique kind of sniffing. Still, after staring at my lan hub for a few minutes, I'm wondering if it uses the former technique for flashing the light...

Yeah Right

[Wolfier]

After that, good luck doing the packet reconstruction, parse the IP tunnelling, determine what protocol I'm using, and separating signals from my browser, FTP client, weather ticker, httpd, apt-get and realplayer streaming all running at the same time.

Re:Tempest

[kitchen]

Tempest for home use [erikyyy.de]

Re:Tempest

[fsmunoz]

Look around for info on the U.S. government's declassified Tempest program. That shows how you can really do this, by sampling the radio emissions of the equipment. Any rapid switching creates radio waves, if you don't shield them effectively you may indeed leak information off site. There have been demonstrations of reading a CRT by the video monitors radio emissions

Indeed. Here is a program [erikyyy.de] that implements just that. Tempest for Eliza is an interisting program... it actually played classical music on my AM radio using the monitor color intensity! There's a mod for mp3 even. Check it out.

cheers,

fsm

Re:bullshit

[k2enemy]

i guess i should have been more clear in my original post. if its incadescant and runs on a dc current it is in fact on. if it runs on an ac current (as almost all do) it is oscillating between on and off very fast. the fillament never actually gets dark but it does dim and brighten with each oscillation.

Move over 802.11x

[uigrad_2000]

If it can really pick up signals with few enough errors to be usable, then I want to use it for networking! Some posts here claim that it can easily do 10MBit/sec. What's stopping someone from making an array of them, for high speed wireless access?

Actually, now that I think of it, that must have been what all those big clunky lights were on ST:TOS. Networking of the future!

I'm a clueless slashdot reader

[Anonymous Coward]

but I actually skimmed over the article, which states that it could be useful up to 10Mbps. Since I've got a 100Mbps connection to my modem router, this shouldn't apply to me, right?

WRONG!!!!!!

Wrong because the modem router (probably 56Kbps) is the critical point. Also wrong because even if an LED is showing the data stream on a 100Mbps link, it's still possible for the data to flow at a slower rate, even the rates they mention in the article.

What I found extremely cool in the article was that it explained how a KEYBOARD could be modified to exploit the scroll lock LED to transmit keystroke data to an optical capture device. Another possible exploit is to mod a keyboard so that an IR LED is installed inside but beside the scroll lock LED (leaving the scroll lock LED intact); the emissions would probably still be detectable but not by the human eye.

Now, what do you think the NSA is doing

[Anonymous Coward]

Certainly you don't think that the best funded, most brainy intel outfit in the world didn't think this up already, maybe over two decades ago? *grin* Given that the NSA manages to soak up the biggest and brightest in the computer and communications world, even before people realize that someone is a bright one, don't you think this has been done before, maybe for decades???

I still think that Tempest operations are more likely.

Trivia fact... The State Farm Insurance Company's world headquarters building in Bloomington, Illinois, is built to defeat tempest operations. All windows through out the facility are darkly tinted and have embedded micro mesh wiring to keep EM emissions from leaking out. Their safety system for securing their outgoing data lines and satellite communications center is built, well... lets say it's built better than anything you might find on all but the latest military facilities.

The SW tower used to house the mainframe systems. Because of this, that tower has even additional EM and Visual shielding. The rooms are all set back from the windows, with an interviening metal sandwich/composit wall (making all outside windows a hallway, unlike the other three short towers and the high rise exec tower). Floors as well in this tower got a treatment of EM shielding, and all floors are raised on purpose with data drop floor panels for routing cables. Cable trunk guides and tubeways are EM shielded as well.

They may mean more than you think

[horza]

I remember when I was in the office at Acorn Computers chatting to a guy called Dave Walker. Someone walked up to his desk, plonked down an Acorn PC and said it wasn't working. He plugged it in and watched it for a moment (just the box, no monitor was plugged in). After a few seconds he pulled the top off, pushed in a certain chip (loose memory or something), put the lid on and booted... this time the PC whirred into life properly. When I asked him how he did that magic trick, he told me that when there is an error the floppy drive light blinks it out in morse code. I'd had one of these machines for years and had never known that was staring me in the face!

Phillip.

this reminds me of ...

[LennyDotCom]

My favorite spying technique you mount a laser on a telescoce put a photo sensor in the correct range as the laser on the eye peice of the scope then hook the photosensor to a amplifier and aim it at a window
you should hear what ever sound is in the room you are aiming at I never tried it but someday I will