LED Lights: Friend or Foe?

elfdump writes: "In an article (pdf) soon to be published in ACM Transactions on Information and Systems Security, security researchers have discovered that data transmitted through modems and routers can be remotely reconstructed from the equipment's LED status indicators. According to experiments, their light-to-information retrieval method is successful even when the light is captured 'at a considerable distance' from the source. If you want to prevent people from spying on your data, you may want to tape up those blinking LEDs!"

WAPs + Airport

[francism]

So I should put big, bulky Duck Tape over my beautiful Airport Base Station? No way! Plus, I get poor enough reception in some parts of my own house, never mind my neighbors spying on me. ;-)

I'll take that risk.

[Corpset]

I imagine it would need a lot of things to actually monitor my leds so I'm not worried. Plus, I like too look at them and I won't let them take that away from me :)

Re:I'll take that risk.

[hagardtroll]

At least in this case you know where your data is going. You can see the light coming out of your modem.

If you look around and see someone with some sort of optical device pointed at your modem you can bonk them on the head and tell them to cut it out.

Once it heads out the wire into the rest of the world, you have no clue. If it comes to privacy/security, the modem lights are the least of my concerns.

Yikes...

[mystery_bowler]

At one time I worked with what I thought was a highly paranoid CIO for a manufacturing company. He had custom-made black plastic covers made for every modem in the modem pool (this was waaaay back) for this very reason.

I tried not to think about it but he was convinced that eventually someone would create technology that would re-construct the data transmission based on those LEDs.

If he's reading this (and he knows who he is), you paranoid sod, damn you for being right. *grin*

Re:Yikes...

[DiveX]

"custom-made black plastic covers made for every modem"

You mean electrical tape?

Re:Yikes...

[infinite9]

There's a syndrome to describe this sort of irrational paranoid behavior and I'm sure they make a drug to fix it. Yikes in deed! I shutter to think what horror would come to pass if someone could reconstruct this post from across the street. Oh wait, I have an internal modem. These are the same kind of people who refuse to shop on line because it requires that they transmit their credit card number through an SSL conenction, but gladly give their credit card to an 18 year old waitress in chili's who makes less than minimum wage. I bet he is reading this alright... assuming his aluminum foil hat isn't blocking his eyes.

Re:I know how he feels.

[Snowfox]

That funny. I to sometimes think that if I stare at those blinking lights long enough I would be able to discern a message. I just chalked it up to my familys history of mental illness.

But it turns out I was right all along.

Don't be so sure. We're all commenting on a kernel update story. What are you seeing!?

reminds me of Cryptonomicon

[Fraize]

...where the main character, in fear of his computer being Van Eck phreaked, redirects output from a decryption program to turn on-and-off his scroll-lock key in morse-code.

arrch!

[digitalsushi]

ibm defaced my slashdot page! :'(

Actually

[Corby911]

It makes quite a bit of sense if you think about it. Audiophiles have been using optical output for years (essentially just an LED and a bit of fiber optic cable). What really caught me off gaurd was the distance they were able to capture the data from. Apparently for some, they found they could capture data from "at least across the street".

Almost makes me wish someone cared enough to spy on me so I could prevent it (Duct tape to the rescue!).

Beez

Could be a hoax, but here's a simple solution:

[eples]

Just put a tiny capacitor on your Tx and Rx LEDs.
It's a hoax anyway... ;)

Das Blinkenlights

[mrneutron]

I knew I should have heeded this warning:

ACHTUNG! Alles touristen und non-technischen peepers!
Das machine control is nicht fur gerfinger-poken und mittengrabben. Oderwise is easy schnappen der springenwerk, blowen fuse, und poppencorken mit spitzensparken.

Der machine is diggen by experten only. Is nicht fur geverken by das dummkopfen. Das rubbernecken sightseenen keepen das cotten picken hands in das pockets, so relaxen und watchen das blinkenlights.

Re:Das Blinkenlights

[getagrip]

Here is the babelfish translation:

NOTE! All tourist and non technical peepers! The machine control is not fur gerfinger poken and mittengrabben. Oderwise is easy snatch that branching factory, blowen fuse, and poppencorken with sharpen-deactivate. The machine is by experts diggen only. Is fur do not geverken by the dummkopfen. Rubbernecken sightseenen keepen the that cotten picken hands in pockets, then relaxen and watchen blinkenlights.

Re:Translation of Parent Post

[Ctrl-Z]

Uh, try the Jargon File entry for blinkenlights [tuxedo.org].

Unlikely

[inicom]

(having not yet read the article) the premise is unlikely since most LED's on front panels are designed to stay on for longer than the actual activity lasts - in order to present useful information. If there was a one-to-one correspondence between the data and the LED - it would usually appear to a human viewer as an always-on-but-dim LED since the blink-on time would be so short.

To put it another way - there's a buffer before the LED.

Fixing this issue

[pudge_lightyear]

I'll just put my modem upside down...that way, everything will transmit backwards...

Before calling it a hoax, read the article!

[albat0r]

I know, I've thought the same before reading the entire .pdf... But hey, before saying it's a hoax, go read what you're talking about!

I know it sounds crazy, but it seems to be true!

At least, it's easy to fix this security problem... Where have I put that damn duck tape?

Tempest

[Bruce Perens]

Look around for info on the U.S. government's declassified Tempest program. That shows how you can really do this, by sampling the radio emissions of the equipment. Any rapid switching creates radio waves, if you don't shield them effectively you may indeed leak information off site. There have been demonstrations of reading a CRT by the video monitors radio emissions.

To do this with an LED would require that the LED be actually driven by the data signal. Most of them go on at the start of the packet or byte and go off at the end, they don't go on for 1 and off for 0. So, you might be able to do a little traffic analysis, but you would not be able to recover the data.

Bruce

Re:Tempest

[kitchen]

Tempest for home use [erikyyy.de]

Re:Tempest

[Nick Barnes]

To do this with an LED would require that the LED be actually driven by the data signal. Most of them go on at the start of the packet or byte and go off at the end, they don't go on for 1 and off for 0.

This is a great theory, but not actually true, at least for modems. Read the paper.

Re:Tempest

[CaseyB]

It's a question of whether the indicator is what the article terms a "Class II" device (signal based on activity) or a "Class III" indicator (signal based on data). You, and everyone else that failed to read the article before posting hunches, can read go read page 10, which has a list of various devices shows those that have class III indicators that are susceptible to the snooping in question.

The Cisco 4000 and 7000 IP Routers are "Class III" devices, and they're relatively popular.

Re:Tempest

[fsmunoz]

Look around for info on the U.S. government's declassified Tempest program. That shows how you can really do this, by sampling the radio emissions of the equipment. Any rapid switching creates radio waves, if you don't shield them effectively you may indeed leak information off site. There have been demonstrations of reading a CRT by the video monitors radio emissions

Indeed. Here is a program [erikyyy.de] that implements just that. Tempest for Eliza is an interisting program... it actually played classical music on my AM radio using the monitor color intensity! There's a mod for mp3 even. Check it out.

cheers,

fsm

A quick solution

[smaughster]

Just hide your hub in a teddy bear, noone will point his eavesdropping device on such an innocent toy, would they?

Re:A quick solution

[Happy Monkey]

As I stare intently into the glowing eyes of your bear, I can almost make out a message...

Sniffing GigabitEthernet...

[forged]

...let alone OC-x, would be like trying to drink from a fire hose :) Besides, if LEDs would blink so well that you can reconstruct the signal with consumer-grade equipment, wouldn't we all be using optical networks by now?!

Only applicable to low data rates and short range

[cybergibbons]

I don't think we have too much to worry about here. They have proved it to work (supposedly, no evidence) on 56kbps. Most results are for 14.4kbps or less. This is for modems - generally they have TD/RD lights which are direct indications of the RS232 lines, so show data.

NICs, routers, switches, and hubs, tend to slow down the light flashes, or flash to packets, rather than bits. It makes it far easier to see what is going on. An LED would have difficulty keeping up with the high data rates as well (as well as any driver circuits).

It could be possible on a switch that has activity lights for all the network to ascertain which ones have most traffic, and hence gateways/DNS servers, but these things are generally found out in much easier ways.

It seems as if most of the posts before this are from people who didn't read the article, and are claiming it can't be true. RTFA.

CRT's can nail you too

[phr2]

Here's a paper [cam.ac.uk] by the amazing Markus Kuhn (who has done many other brilliant security hacks besides this) showing how CRT display contents can be reconstructed from the light given off by the screen, even when the light is reflected diffusely off a wall. It makes me glad I use an LCD monitor.

Pffft.

[phillymjs]

Kuhn did not invent this technique, I read about this being doable in Popular Science in the mid-to-late 80's. It's called 'van Eck phreaking' after Wim van Eck, its discoverer. As I recall from that long-ago article, he sat in an equipped van parked outside a building, tuned in on a CRT that was inside the building, and read the contents of that screen right off his. I think I was about 12 or 13 at the time, and this was the coolest thing I had ever heard of-- in fact, it made such an impression on me that "kinda like van Eck" was the first thought that crossed my mind when I read the posting on here.

Here's some info [techtarget.com] about the van Eck phreaking method.

~Philly

Yeah Right

[Wolfier]

After that, good luck doing the packet reconstruction, parse the IP tunnelling, determine what protocol I'm using, and separating signals from my browser, FTP client, weather ticker, httpd, apt-get and realplayer streaming all running at the same time.

Re:Yeah Right

[osolemirnix]

Exactly. To quote from the text: "The attacker gains access to all data going through the device, including plaintext in the case of encryption systems." This is obviously bullshit, since the LED is equal to the signal on the cable, in other words OSI layer 1. The method is equal to a wiretap the phone line or coax cable. Encryption such as SSH and SSL happens at higher OSI layers and therefore this method does definitely not offer access to clear text data.

In addition it does not explain how it would be possible to decode data that is being sent by a multiplexing device, as the LED only shows that data is being sent. A modern modem (e.g. DSL) does however spread several data bits over different frequencies and thus it's impossible to decode them all from the LED light, since that does not reflect the full frequency spectrum of the cable.
They claim "We have successfully recovered error-free data at speeds up to 56 kb=s; the physical principles involved ought to continue to work up to about 10 Mbits/s.", but I seriously doubt it would scale up to DSL modems.

Re:Yeah Right

[E-Rock]

So you'll let anyone who wants hook up a promiscuous NIC to your LAN? Why not, since there's no way they could put all those bits back together to get anything useful.

That's what this does, just from range and with some different hardware in between. I'm sure if they wanted to, some EE geek could use this to build the strangest wireless LAN device ever.

Re:Yeah Right

[Anarchofascist]

..good luck doing the packet reconstruction, parse the IP tunnelling, determine what protocol I'm using, and separating signals from my browser, FTP client, weather ticker, httpd, apt-get and realplayer...

Read the friggin article numbnuts!

The modem light indicates all transmitted bits on the RS232 output stream including the start and stop bits. Feed that signal to a standard UART and you'll get a byte stream, probably in PPP protocol. Feed that byte stream into pppd, and I get a copy of every packet you send or receive. I can now read the TCP byte stream and UDP packets to and from every protocol on your machine, so yes, I can "separate the signals" as you call it.

Does that sounds secure to you?

*Can* tell 1 from 0

[mclearn]

I see lots of posts already from people claiming this is a hoax based on the fact that you can't tell a one from a zero. Well if you RTFA (article), they explain how this can be done through the use of decoding the physical encoding done by the hardware. They explain that the encoding scheme used is a NRZ-L (non-return-to-zero level). This means that everything can be assumed to be a one except for when data is being transmitted, in which case the bits are zeros.

This is a PHYSICAL encoding, not something cooked up by them. It's used in a variety of devices. Look it up.

There are other schemes, including non-return-to-zero inverted, and non-return-to-zero space. However these two encoding schemes do not work with absolute values, only transitions from one value to another (ie. from one to zero, or zero to one). There is also Return-to-zero and biphase encoding schemes as well, which attempt to correct problems found in the non-return-to-* schemes. However, NRZ-L is the most simple form of encoding, IIRC.

Hmm - April fool?

[Pete (big-pete)]

In an article (pdf) soon to be published in ACM Transactions on Information and Systems Security...

Hmm - April 1st isn't that far off now - maybe this is being prepared to be published then...

-- Pete.

Ok...

[Psmylie]

I'll get right on that, as soon as I finish my tinfoil hat.

Good lord.

Sheer, delicious evil

[eples]

From the paper:

/*
// sl.c -- a covert channel using the Caps Lock LED.
//
// For Solaris 2.x on SPARC; compile with ${CC} sl.c -lposix4
*/

*THAT* is cool. Bundle it w/ a screensaver that makes the other two lights blink randomly and you're set!

Office dweeb: "Look at this neat screensaver, it makes my keyboard lights blink! Wheee!"
Uber-Geek: *jots down keystroke log from caps-lock LED* 47-46-58-82-85-76-69-83......

OT:Slashdot readers

[cybergibbons]

Over time, you notice that people that read and post on Slashdot are extremely misinformed, narrow minded, and self centred.

There are at least 50 posts now on this story claiming it is a hoax. It's clear from many of these that few have actually read the synopsis at the top of the paper, never mind the rest of it.

It is not talking about 10Mbps communications. It is talking about lower data rate comms, like modems, serial lines, and the like.

It does work, only on a small amount of devices. It is short range. This doesn't make it a hoax.

TEMPEST is at a stage where it is hard to perform - we're talking government/big company level to manage anything impressive or useful. Take a look at this tempest radio site [erikyyy.de]. Neat, but not very useful.

If you have no idea what you are talking about or don't have anything useful to add, keep quiet. Is it just so you can get your karmas up???

Speed of LEDs

[Muad'Dave]

The responses to this article seem to all question the switching speed of LEDs. Even the least expensive LEDs are capable of at least 100kHz operation, with many, many, common LEDs capable of operating at several MHz. Remember, most of the fiber-based transceivers use LEDs, not laser diodes. I've used LED-based 3com equipment over a 2 km 62.5/125 um MM fiber link without trouble. These LEDs (not IR LEDs) were easily able to handle 10 Mbps.

One of two things will happen

[A_Non_Moose]

Either they take away our blinkey lights and shiney objects

or

Electrical tape to cover up said blinkey lights will be labeled as a circumvention device under the DMCA, so we'll be forced to look at the lights (ooooohhh, blinkey).
(Which is a bad thing because the electrical tap is the only thing holding my 1950's style fins on my tinfoil hat.)

Cheap backup solution!

[JMZero]

I can backup the whole network by videotaping the front panel of our switch.

.

Cripes, did anyone actually read this?

[dcigary]

Par for many Slashdot folks to naysay without actually reading the article...

4.3.1 Results of the Survey of Devices.
Dial-up and leased-line modems were found to faithfully broadcast data transmitted and received by the device. Only one device of this type did not exhibit Class III emanations: the Practical Peripherals PM14400FXMT fax modem. The shortest pulse duration measured from this device was 20 ms, even at high data rates. None of the LAN interface cards tested, including 10 Mbits/s Ethernet and 16 Mbits/s Token Ring adapters, were found to broadcast any recognizable data. Examination of the data sheet for a chipset used in fiber optic Ethernet devices reveals a possible reason for this finding. According to [Hewlett-Packard Company 1993a], LED drivers for transmit, receive, and collision indicators are filtered through pulse stretching circuits to make their activity more visible. The pulse stretcher extends the on-time of LED indicators to a minimum of several milliseconds. This makes short pulses easier to see, but severely limits the bandwidth of the LED from the perspective of compromising optical emanations. All of the Ethernet and Token Ring devices examined showed similar behavior in this regard.

They're not stating that ALL LED's exhibit this behavior, just some lower bandwidth ones.

Although I still highly doubt that any useful information would be gleaned from me looking in my neighbor's window and counting pulses from his MODEM LED while he's browing the internet, a spy agency could very well have the technology to figure out how to do this if the particular device is known to have this problem (or "feature", whatever...)

Read, people, read. That's what the paper is there for you to do, not to just hear the title and claim it's impossible.

Need A New Moderation

[BeBoxer]

of "-1 Didn't Bother To Read The Article". The number of people in this thread who posted and clearly did not read the article is astounding. We need some way of making everybody actually read the article and then start the thread over again. Sheesh.

reminds me of Cryptonomicon. Yeah, that's probably why Cryptonomicon is one of the references in the article!

The LED's don't indicate the data pattern, just the transmission pattern.. It depends on the equipment. Many older serial devices do indicate the data.

I call BS on this one... (Score:2, Informative) Uh, OK. Trying reading the article. And who modded this up?

Tempest (Score:4, Informative) ....To do this with an LED would require that the LED be actually driven by the data signal. Most of them go on at the start of the packet or byte and go off at the end, they don't go on for 1 and off for 0. So, you might be able to do a little traffic analysis, but you would not be able to recover the data. True for some devices but not others. Please read the article. It's quite clear about where this does and does not work.

Yeah Right (Score:3, Interesting) After that, good luck doing the packet reconstruction, parse the IP tunnelling, determine what protocol I'm using, and separating signals from my browser, FTP client, weather ticker, httpd, apt-get and realplayer streaming all running at the same time. OK. Maybe you read the article. But this is just silly. Any good packet analyzer like Ethereal will do all this.

Anyways, this is complete FUD. You cannot pick out binary packet data from transmit/receive status lights. OK. Try reading the article next time.

The light blinks ON when data is going, OFF when it's not. Might make a nice indication of when there is data, but not what that data was. Once again. Read the article. Some things work this way. Some don't.

I would have to agree with you on this one. Even if the router were only serving a 1.5Mbit T1, that's still 1.5 million bits per second. I have a hard time believing that an LED can blink fast enough to reliably recreate that data. Read the article. Your T1 CSU/DSU probably isn't going to drive the LED at 1MHz or more but the LED is quite capable of switching at up to 10MHz.

That's pretty feasable, but even if it would blink for every packet you recieved, or even every byte, you still wouldn't know the contents of the bits, or whether it's a one or a zero. I'm still calling BS. Read the article.

Another vote for "Bullsh*t". I'm pretty certain that the LED doesn't blink for *every* single bit. And what about compression techniques that use phase and so on? You are not actually putting just ones and zeros onto the wire you know. Read the article. The external modems which are vulnerable are transmitting data from the RS-232 side of the modem which has very simple encoding. This is clearly explained in the article.

Wow. We get a nice, well written article with lots of specifics and details about exactly which devices were tested and which leak information, all the way to including comparative graphs of received optical signals, and people call BS on it? I suggest the folks making "tin foil hat" jokes invest in a different type of head gear: reading glasses!

Most likely nonsense

[uradu]

I've glanced at the article, and it seems like a lot of hot air: lots and LOTS of background and diagrams on LED technology, but relatively little detail on how LEDs could betray the data stream in current, modern equipment. Most current data transmissions around a PC occur in heavily encoded form (usually amplitude AND phase modulation). So there is no cable (other than the serial port cable) that you could just splice an LED into and simply read the data stream out. You would have to inject the LED somewhere into the device electronics where the data stream bits are flowing in decoded, truly serial fashion. Why bother, if from a firmware perspective it's much easier to toggle an LED control bit on at the start of a logical data group (packet or whatever), and off when you're done processing it?

This reminds me...

[psych031337]

...of my long-gone phreaking and phrauding days. Here in .de it was still safe to bluebox and card calls because the entire was analog at that time and tracing had to be done by hand - certainly not something the german telco would do on a regular basis if only fraud was the crime. Well, i used to know some guy who was a security risk in that matter - before dialing someone or using a card with him in 3way, you had to kick him out or something - he could just recognize DTMF tones with his ears. Prolly not as sophisticated as a LED-to-bitstream hack but it still jumps up in my brain while reading this.

The horror!

[stinky wizzleteats]

First they take away my command line and replace it with windoze. Then they take away my sexy jet-engnine-spin-up sounding RLL and MFM hard drives. And now no blinky lights?!

Sure, I can leave behind the days where troubleshooting Ethernet required a resistance meter, and when you could hear the memory counting up, and when a goddammed power switch was a goddammed power switch, but now I have to give up blinky lights? What is the world coming to where a computer geek can't proudly behold his array of blinky lights!?

Where's the joy? These evil led sniffing bastards simply must be stopped, that's all there is to it. I'll 3DES the signal going to the LEDs before I resort to covering my beloved LEDs. Duck tape be damned.

That does it

[Bartmoss]

This really shows that you cannot be paranoid enough. That's it, I am ordering my tinfoil hat today.

Seriously, who would've thought about this? Certainly not me. I'd never thought that an LED might actually represent the state - I merely figured it's activity in general.

Move over 802.11x

[uigrad_2000]

If it can really pick up signals with few enough errors to be usable, then I want to use it for networking! Some posts here claim that it can easily do 10MBit/sec. What's stopping someone from making an array of them, for high speed wireless access?

Actually, now that I think of it, that must have been what all those big clunky lights were on ST:TOS. Networking of the future!

Physical access...

[markmoss]

There are two ways to put in an LED to show when a device is transmitting or receiving. One is to tie it to the transmit or receive enable/detect signal, IF there is any. The other is to tie it to the data line. In that case, the LED may be blinking right along with the data, although too fast for the human eye to see. It looks like it is on continually, but the signal could be recovered with a fast enough detector. This depends on the LED turn-on/turn-off time; if it's 8 nS (pretty common), a 56K modem would be easy to pick up. ADSL or cable modems at a few MHZ would be sending out a clear signal; I'm not sure if there are cheap optical detectors that will work at those speeds, but there are expensive ones that go into the gigahertz. 10MHz ethernet signals would be "blurry" but with a good detector, a fast ADC, and some signal processing you could recover them. With 100MHZ ethernet, no data could be recovered.

But before you can do any of that, you have to be able to _see_ the blinking lights. If someone can get into your wiring closet and focus an optical detector on your hub, it would be a heck of a lot simpler to just connect the network sniffer by cable. The real hazard is if the blinking lights are pointed out the window -- that's an unusual location for a network hub, switch, router. or server, but it's quite likely your business has some desktop computers with the back towards a window and the LED's for the NIC and modem cards visible from outside, so a telescope in a van parked across the street could, in theory, extract the data. For instance the receptionist's computer is probably oriented this way; it probably isn't worthwhile for someone to go to this much trouble to find out what a receptionist is up to, but if the NIC is showing data flowing to and from other machines on a shared network cable, better stick on a bit of electrical tape...

I do this already

[AgentTim3]

Yeah, that's right. I just head into the server room, turn all the lights out, and stare at the routers.

Sure, it takes awhile to learn how to read it...

But after awhile, I just see Blonde here, Brunette there, Redhead over there...

They may mean more than you think

[horza]

I remember when I was in the office at Acorn Computers chatting to a guy called Dave Walker. Someone walked up to his desk, plonked down an Acorn PC and said it wasn't working. He plugged it in and watched it for a moment (just the box, no monitor was plugged in). After a few seconds he pulled the top off, pushed in a certain chip (loose memory or something), put the lid on and booted... this time the PC whirred into life properly. When I asked him how he did that magic trick, he told me that when there is an error the floppy drive light blinks it out in morse code. I'd had one of these machines for years and had never known that was staring me in the face!

Phillip.

Tested up to 56k...

[pieterh]

The article looks real, but is probably about 5 years too late. I don't know of many people who use external modems. As for routers: the theoretical upper limit is 10Mbs, so my 100Mbps network is safe.

Re:ummm...doubtful

[garcia]

even if it did work, wouldn't it be easier to just find some other method of stealing the information? Who the hell would want to sit there and reconstruct the data sent from blinking lights?

Just my worthless .02

Re:ummm...doubtful

[swagr]

Many LEDs have a response time of around 8 nano seconds, which means they can blink roughly 12.5 million times a second. Enough to transmit 12.5 Mb/s of data. If your on a 10Mb network then that's plenty good for the spy. If your on a 100Mb/s network, the spy is out of luck.

A correction to my post

[swagr]

If your on a 100Mb/s network, the spy is out of luck.
Maybe not. There is quite a bit of redundancy in most network protocols (predictable headers, checksums, etc) as well as in most languages. It might be possible for the spy to squeeze more data out of the signal.

Put a capacitor across it if you're concerned

[JohnTheFisherman]

An appropriate value will slow down the transitions enough without interfering with the fascination of staring at a blinking light. That means it's working, you know?

Correction

[Proaxiom]

A nanosecond is a billionth of a second, so a nanosecond pulse would be 1 Gigahertz.

An 8 nanosecond pulse is therefore 125 Megahertz (1 Gigahertz divided by 8). So the theoretical limit is 125 Mb/s, not 12.5.

Re:ummm...doubtful

[swagr]

I just typed "led diode response time" at google. The first link is
here [bell.ac.uk].

Re:ummm...doubtful

[Zaknafein500]

I would have to agree with you on this one. Even if the router were only serving a 1.5Mbit T1, that's still 1.5 million bits per second. I have a hard time believing that an LED can blink fast enough to reliably recreate that data.

Re:ummm...doubtful

[pmz]

It really can be done.

For example, in high school, I attached an LED to the output of a radio or microphone (can't remember which) and then aimed it at a solar cell attached to the input of a speaker. And it worked! I'm not sure if the quality was good enough to capture a modem signal, but it was certainly a poor-man's wireless speaker.

If the spy has more sensitive equipment, and if the LED on a modem really is tied to the phone line, then there should be nothing stopping the spy from capturing the transmission and decoding it later.

Re:ummm...doubtful

[Bandman]

right, but wasn't this radio signal analogue? With all the equiptment I've had, a light blinks when you send data, and a light blinks when you recieve data. Now, an LED has a fast response..really fast...one reply to my origional post said 8 uSeconds or something. That's pretty feasable, but even if it would blink for every packet you recieved, or even every byte, you still wouldn't know the contents of the bits, or whether it's a one or a zero. I'm still calling BS.

Re:ummm...doubtful

[Bandman]

ok, that MAY be the case (i don't think it is, but but could be), but it's not really likely that the equipment that will record light flashing at this rate is common, and as many people have said there are better ways to get the data. oh well

Sound to Movies

[dscottj]

Interestingly, this is almost exactly how sound was recorded onto film until the 1970s, maybe longer. A microphone was connected to a light source, which was pointed at a very specific part of the film (to the left of the images, before the sprocket holes). The light would vary with the sound.

On projection, a light would be shone through this track onto a photosensitive plate (hell it could've even been a solar cell of some sort). This would generate an electrical signal that, when amplified, created the sound for the film.

I'm old enough to remember seeing some of these films in the theater. Sometimes the film would get misaligned in the projector and you'd be able to see this track. Looked like a buzzing string turned sideways.

This is also why when you see an old film that's been spliced you see the cut before you hear the "pop" in the soundtrack. The sound is read in a different part of the projector, "downstream" of the image.

Re:ummm...doubtful

[CaseyB]

I've seen my lights blink, and I don't think that there's any way... I'm throwing in the towell and saying I don't think so....

"+1, informative"? Heh, mods are on crack again.

Have a look into a Toslink digital audio connector some time. It's using a plain old LED to transmit information. It looks to the naked eye like it's on solid, there's no flicker whatsoever. What would you "think" if you saw that? Your gut reaction is totally off base here.

Re:ummm...doubtful

[Technician]

Be sure to use a low capacitance diode to pick up the light. An old large apature 35mm camera lens focesed on a diode array from a compact disk player detector is a great source of a high speed photodiode. It can povide great bandwidth at a long range. Larger photodiodes have larger capacitance and do not carry enough current in the short amount of time to capture high data rates. A large apature telephoto camera lens has the nessary gain to drive high enough light current to provide high speed detection. Alignement and focus are critical for good signal to noise ratio. Any hardware types want to try it? I have and used a scope to check the current waveform. Many pieces of equipment do tie the indicator lights to the signal and do reveal the data. Other equipment has an activity light (ethernet cards as prime example) because the average data traffic is too low of a duty cycle to provide useful illumination for an indicator light.

Thanks slashdot moderators

[Anonymous Coward]

For modifying someone's unsubstantiated "hunch" as informative.

I've seen my lights blink, and I don't think that there's any way
Yes, and I've looked on a CD and I just don't see any data on it.

Re:Thanks slashdot moderators

[RandomPeon]

Yeah, I picked up the phone while somebody was using a modem. I didn't hear any of the webpage they were downloading, just noise. Random-sounding noise that always sounded random.

Re:ummm...doubtful

[Anonymous Coward]

You should be in the Guiness book of world records. You apparently have the ability to see lights blinking or modulate at rates in excess of 100 hz.

Going to the movies must be pretty tough on you. Watching all that blank time between frames must be pretty nerve racking. I can't even imagine how terrible television appears to you.

If you read the paper, it is based on some pretty coherent testing and past work by others. I think there would be some peer review before publication of an article. But since you have weighed in with your amazing visual prowess, they should just toss out the guy's work.

Just a guess...

[underwhelm]

When the light is ON, the data is "1"
When the light is off, the data is "0"

Re:Just a guess...

[Znork]

Nah, not really these days. The few times I've checked, the LED indicators actually indicate something other than the actual data; a full packet, a certain number of bytes, a byte plus a switchoff delay time, because otherwise it has become a sortof weird indicator where you can barely see traffic if it's low density.

So I think the risks are a bit outdated.

Re:Just a guess...

[VoiceOfRaisin]

When the light is ON, the data is "1"
When the light is off, the data is "0"

I guess that modem in my closet is receiving a lot of 0s then

Re:Agreed

[monkeydo]

You didn't read the article. If you had read the article you would know that you are describing what the authors call a Class II device.

The authors also describe Class III devices which do blink along with the data stream (if you RTA you'll even know why) these include TD and RD lights on modems and routers.

They also point out the the information given off by Class II devices can be useful for traffic analysis and covert channels.

But you knew that, right?

Re:Wow!

[Enry]

Incandescent lights burn out. LEDs last just about forever (or at least the life of the product).

Re:bullshit

[k2enemy]

if you read the article, they implemented this at speeds up to 56k and said the physics should hold up until 10mb. look up at the light in your bedroom. you would probably say that its on. but its really flashing on and off faster than you can see. same thing with that led on your modem. when you see one blink it is most likely a lot of blinks faster than your eye can see, but not faster than optical equipment can see.

Re:bullshit

[rcw-home]

look up at the light in your bedroom. you would probably say that its on.

If it's incandescant, it is on.

Unless you believe that tungsten element flips between cold and white hot with every half sine wave.

Flourescents are a different story.

Re:bullshit

[k2enemy]

i guess i should have been more clear in my original post. if its incadescant and runs on a dc current it is in fact on. if it runs on an ac current (as almost all do) it is oscillating between on and off very fast. the fillament never actually gets dark but it does dim and brighten with each oscillation.

Re:bullshit

[Kymermosst]

And today, we are going to learn about math and electricity:

AC current flows in a sine wave. Now, I will assume you know what a sine curve looks like.

At a sine curve's peaks, at pi/2 radians from zero in either direction on the unit circle, the absolute unit is 1. Its zero is at zero.

Now, it is only zero at zero degrees. At all other times it is NOT zero, and thus, current is flowing. On a cycle of pi radians, there are an infinite number of points where current is flowing, and only THREE where it is zero, and "stopped" as you say. Since an incandescent bulb is resistant no matter the volage, and has a slow cooling time, the bulb is infinitely "on" for the complete cycle, because it does not turn "off" during the infinitely small zero points of the curve.

Now, the reason LEDs pulse is because their switching speed is near-instantaneous, and they only flow current in one direction.

Flourescents are similar, but generally more apparent in their flickering because of "threshold voltage", which basically, increases the size of the zero points on the curve, because light output is effectively zero for input voltages less than a certain amount. LEDs have a threshold voltage too, but it's a lot smaller percentage generally, for zero light output.

Re:bullshit

[Webmoth]

Some newer, energy-efficient fluorescents operate at frequencies >60Hz, and have long-decay phosphor coatings effectively eliminating the "on-off" effect.

(A fluorescent lamp operates by an electric arc which vaporizes and excites mercury in an otherwise near-vacuum; the mercury gas emits light in the ultraviolet spectrum. The ultraviolet light excites a fluorescent coating which in turn emits light in the visible spectrum. Different colors of fluorescent lamps are made by introducing different materials into the fluorescent coating.)

LED's, on the other hand, lacking a fluorescent material, have very steep attack and decay slopes, allowing them to respond (flicker) at very high rates.

P.S. -- "Fluorescent" means to become excited by light in one spectrum and emit it in another spectrum. A more precise word would probably be "photoluminescent." Neon and LED's are types of "electroluminescent" lamps -- light is emitted when the material is excited by electricity. Incandescent is "thermoluminescent" -- light is emitted when the material becomes thermally excited (hot). A fluorescent lamp is a combination of electroluminescent and photoluminescent technologies.

P.P.S. -- I like to make up big words. It makes me sound smart.

Re:bullshit

[jweb]

reconstruct the data from the flashing lights??? whatever. That's so ridiculous it's laughable.

Isn't this how fiber optic cable works? Light pluses traveling down a thin strand of glass to transmit data at high speed over long distances.

I'm not claiming to be an engineer or scientist, but I guess I could see how it might be possible (probably with the same type of fiber-optic reader) to decode some of information from your LED.

If anyone has more techincal info, please post.

And what about IR?

[zmokhtar]

Good point. Besides, if this is possible, then why in the world are IR transfers so slow? I want 100mbps transfers from ipaq to ipaq over a blinking LED!

Re:bullshit

[CrazyBrett]

Not necessarily BS, though it depends on the way the hardware is made. A very simple way (engineering-wise) to implement an indicator LED on a cable modem would be as follows: Whenever the modem is receiving a "1" bit, turn the LED on, otherwise, turn the LED off. Being a type of diode, LEDs are capable of extremely high switching rates (remote controls generally use infrared LEDs pulsed at 56 kHz to transmit data. They can actually switch much faster). Hence, for each packet received, the LED would actually blink dozens of times. To a person, this looks like just a single blink, but a high-speed photodetector would be able to measure the length of each pulse, and use that information to reconstruct the data that was received.

Of course, all this relies on the construction of the modem. Using a slightly less naive algorithm (when a packet arrives, turn the LED on for 1 ms and then shut it off) would defeat this unique kind of sniffing. Still, after staring at my lan hub for a few minutes, I'm wondering if it uses the former technique for flashing the light...

Re:LED Mods

[Maran]

Yeah, but then you get some wag at the manufacturer who programs the LEDs to make it seem as if you spend your entire time looking at porn, downloading strange software and sharing your semi-legal files with other geeks.

(Remembers where he's posting)

Never mind!

Maran

Re:LED Mods

[JPriest]

I wonder where I can get an LED mod that fakes my downloading of the DMV's database. It'll be cool when they take my HDD and horde my pr0n instead.

According to the article

[Erv Walter]

I'm not an electrical engineering expert, so I could have misinterpreted the story. However, as I read it, they claim that for cost saving reasons, the LEDs that just show status are internally electrically connected or at least influenced by the part of the circut that handles the data flow. In other words, the LED is not showing just generic activity, but is actually showing the bit flow.

I'm not sure I believe them though.

Re:According to the article

[sjames]

LED is not showing just generic activity, but is actually showing the bit flow.

Think about it. What is the cheapest way to make those status lights work? Have special status lines built in to the DSP, or a cheap buffer connected between the RS232 pins on the serial input and the LEDs? The line levels are appropriate for that. Remember, we're talking about manufacturers who actually care about saving $0.10 per unit on a part. The same industry that developed the Win modem/audio combo just to save about $5.00 on a modem card.

Compared to the whole Winmodem crap, tying the status lights to the serial pins seems innocent enough if you're not accustomed to thinking about security at that level (as most people aren't).

Re:I call BS on this one...

[87C751]

I vote for blowing smoke.

Read the .pdf linked from the article. Pay attention to the top of page 2. As the paper states, "[a] high correlation is evident." (the example is evidently a TXD or RXD activity LED on a 9600 bps modem) Whether or not a piece of equipment is built to leak information in this manner is a secondary consideration. The fact remains that some equipment does leak info through status LEDs.

Re:Here.. Look into this live fiber..

[SkyLeach]

Sure you can. Don't you know that a 1 in a pulse and a 0 is nothing. The light only flashes on a pulse (1).

The number 50 as it is seen in pulses: (| is a positive pulse and _ is no pulse).

||__|_

As seen in an led (keep in mind that your eye will only see two flashes (if that).

[flash][flash][pause][pause][flash][pause]

And this doesn't happen anywhere near as quickly as the light pulses in fiber optics. Another thing that makes it easy to read is that you only have to read one wavelength. This is like fiber technology from 10 years ago.

One thing the article doesn't mention is that many of the hubs/switches/routers out there don't actually pulse for every bite, just when a packet goes over the line. I think they will all quickly start flashing only for packets now, not bytes.

Re:Here.. Look into this live fiber..

[Znork]

Actually, I think they all _are_ indicating something other than data. Somewhere around when we went from 300/300 baud modems, most manufacturers changed to indicate traffic activity rather than data, because it became hard to see low-level traffic. You can probably try pinging with different packet sizes over your equipment, or transmitting files with different content, for example all 1's or all 0's, and see if there is a marked difference in the reactions of the leds.

On the equipment I have, it's easy to compare the intensity of full-on leds with the transmission indication leds. If the actual data traffic was indicated on the leds, they'd have different intensity, due to them being only half-on. There is no difference in intensity, so the pulses likely indicate something else, with a delay-switchoff time.

Thank you, bits and baud

[jabber01]

Right.. Seems that on MODEMS (not LANs) the 'on' of the LED is a baud transition, not a bit marker. Granted, so easy enough to decode Huffmann encoding that even silicon can do it, but still.. I just don't buy this as a serious means of breeching security. It's novel, and it even might work at very low thruput rates, but when you're dealing with fast data rates, the response of the LED will mangle whatever pattern it is trying to represent..

Re:Here.. Look into this live fiber..

[SkyLeach]

You are forgetting that most of these LEDs are on the other side of a very small capacitor. Many hardware manufacturers chose this to fix the problem of dim LEDs because it was a cheep and dirty patch which was easier and cheaper than changing the chip design or redoing the whole circuit. The light shifts in intensity during the pulse but so slightly that the human eye cannot detect it.

The capacitor chosen is carefully chosen to be only strong enough to keep the LED from going dim between byte pulses, but the pause between packets is sufficient to let the LED go dim.

Look at a spectrum annalasys of a couple of the LEDs and you will see that I am right.

Really people, just 'cause you can't see it doesn't mean it doesn't happen.

Even Linksys, the most popular routers/hubs/switches out there, pules on bytes not on packets.

Re:Here.. Look into this live fiber..

[delphin42]

if you looked at the article you would know that they claimed the information was subtlely encoded into the light. The light may be on, anytime there is a transmission, but the intensity varies slightly whether there is a 1 or a 0. That's what the article claims anyway, and I'm pretty sure it would depend on the specific hardware.

Cheap wireless links?

[Ed Avis]

It's surprising that you can actually construct a real data signal from the LED flashes - I thought that an LED would be too slow to respond to a rapidly changing signal so it would just be half-on all the time. But on page 2 of the report they show an LED emitting light that allows you to perfectly reconstruct a 9600b/s signal. I guess LEDs are rather different from lights based on resistors getting hot; they don't need time to warm up or cool down.

This sounds like a dirt-cheap way to construct wireless links, with no risk to human health (unlike lasers). An LED taped to one window and a $29 webcam in the building opposite could get speeds approaching those of a modem, if you designed a protocol specifically for this purpose. The authors of this paper managed to reconstruct data even without a specially-designed protocol.

A bank of say 1000 LEDs, with a zoom lens at the other end to make sure each one is distinguishable, could transmit *at least* 9.6Mb/s, ie more than a megabyte per second. You could do this by taping a pair of binoculars to your webcam.

Re:Cheap wireless links?

[talonyx]

I doubt that a webcam would have a fast enough refresh rate to distinguish that kind of data.

Re:Here.. Look into this live fiber..

[Nick Barnes]

The LED's don't indicate the data pattern, just the transmission pattern.. You can't tell a 1 from a 0 by looking at the LEDs..

You didn't actually read the paper, did you? It turns out that the LEDs on modems actually do indicate the data pattern. Most modems have "Class III" LED emanations (i.e. "strongly correlated with the content of data being transmitted"). Most LAN and WAN equipment does not have Class III optical emissions, with the exception of an LED on the back panel of certain CISCO routers (page 11). See the table on page 10 of the paper.

In fact, they reconstruct actual data from actual modems over various distances ranging from 5 metres to 30 metres. They believe that, given the right optics, this could be done over several hundred metres.

They also found that the Paradyne Infolock 2811-11 DES encryptor has an LED on the plaintext data.

And they have a great appendix on using keyboard LEDs as a high-bandwidth covert channel, with the obligatory reference to Cryptonomicon.

Re:Here.. Look into this live fiber..

[Reziac]

Wouldn't matter if you can't tell 1's from 0's. If the data retrieved doesn't make sense, just ROTT1 it. :)

Re:Simple math says no

[bluGill]

When I first started in networking I was assigned to test some FDDI gear, which used in 1995 LEDs to send data down a fiber at 100 mbs. Now there is a limit to how fast a LED can blink, but we know how to design them for 100Mbs. I don't think we can do 1Gb/s with an led though, at least all the gigabit stuff I work with today is lazers. (much of it was back then too, but an LED is much cheaper than a laser so for short distances we used the leds.

If we could make LEDs work then, I'm sure today we can too, though having all the light guided to the destination by a fiber makes it much easier than reading the difuse light from a modem led which might or might not acually flash to indicate data. I know know of some routers that appeared to have tied the ethernet activity light to the datastream, and others where it was just on. Some hubs seem to do this too.

Re:This is the stupidest thing I've ever heard

[jamie]

Your unwarranted presupposition is why this article is so interesting. My first reaction too was "there's no way."

But then I remembered my Digital Electronics class in college where we ran square waves at high frequencies through LEDs... seeing the light seem to fix itself on "on" past any respectable Hertz, I mentioned to the professor "so its power-on time must be shorter than its power-off." His response was "...well, or your eyes just aren't good enough to see that fast." He was right: LEDs aren't like incandescent lights, they can turn on and off very, very fast.

I had just never thought of the little RD/SD lights as transmitting any information, under the refresh rate of my eye. If you'd asked me I would have assumed the manufacturers would have considered this and put a delay into the power-on/power-off times of their LEDs, even one millisecond would do fine.

But many of them didn't. And nobody thought to check until these guys decided to write their paper.

Re:This is the stupidest thing I've ever heard

[somethingwicked]

Does anybody really think that those little blinky lights are going fast enough to transmit any data

Yes, its called "Fiber Optic" and there are a few companies pursuing the technology right now. I tell you this "Fiber Optic" thing is going to be big if they can ever get those "little blinky lights" going fast enough *smirk*

RTFA and they explain the following among other things:

It only worked on 36% of the subjects tested

The ANP Model 100 short-haul modem, Hayes Smartmodem OPTIMA 9600 and 14400, and a Practical
Peripherals PM14400FXMT fax modem were all examined.

There tons of these old "standards" still running in the real world. Well above your 300 baud assumption

*MUST RESIST URGE TO FLAME...*

When I was young....

[Anonymous Coward]

...around 3rd or 4th grade (around 1970-1971 timeframe --yep I'm a genuine "Olde Pharte" who reads /. :), I once built an electronic kit from Radio Shack that transmitted voice, one direction only, from an LED to a phototransistor. LEDs were fairly new devices back then, at least for the average joe to get his hands on them. Military electronics and high dollar commercial electronics had them for a while. Anyway, back to the LED "wireless" voice xmitter, it actually had a pretty good range, about 20 feet or so, but the audio quality was extremely poor, only good for voice, not music. There were no IC chips in the kit either, everything was individual transistors.

Re:There must be meaning behind this maddness

[Maddog Batty]

I'd be amazed if they can blink on-off distinctly more than 100 times a second. Anything faster else would blur

Then be amazed. To your eyes its a blur but not to a photo transistor or similar. Both the LED and the receiver are easily capable of these frequencies and as mentioned in the article 10MHz is not a problem. A good example where this technique is used delibrately is on TV remotes. OK the data rate is low (10kb/s??) but the parts used are very low tech.

You see that big white thing hanging from the ceiling that wonderfully lights up the room? Is that a steady light or pulsed? The 50Hz (or 60Hz for you yanks) supply causes filament bulbs to pulse at 100Hz (120Hz) and is very obvious if you have the right sensor to pick it up. (Your eyes are not the right sensor.) Florescent lights are even better and are completely dark for quite a proportion of their on time.

The best bit is at the end of the pdf. A slight modification to somebodies keyboard will cause the scroll lock led to output details of every last keypress you make. Encription does not matter if you have access to the plain text...

Time to get our paranoid hats on....

Re:Perhaps covered in article?

[CaseyB]

This poster asked a serious question, and gets a "troll" metamod.

He asked no question. He merely called the paper a hoax and the authors frauds, with no proof.

Troll.