A team of researchers discovered a new type of attack dubbed Glowworm, which measures an audio output device’s LED power light changes and converts them to audio reproductions, allowing threat actors to listen to private conversations.

The Glowworm attack is an optical TEMPEST (Telecommunications Electronics Material Protected from Emanating Spurious Transmissions) attack that can be used by eavesdroppers to recover sound by analyzing optical measurements obtained via an electro-optical sensor directed at the power indicator LED of various devices (e.g., speakers, USB hub splitters, and microcontrollers).

Researches Note

An increasing amount of organizations have been conducting their daily businesses over platforms such as Microsoft Teams, Google Meet,  Zoom, Skype, and others, making their data even more vulnerable to cyberattacks.

These new findings present an entirely new attack vector for electronic communications The spurious transmission is an almost imperceptible flicker on a speaker, USB hub, splitters or microcontroller LED power.

Researches demonstrated by pointing a telescope with an electro-optical sensor from 35 meters away at speakers connected to a laptop. The sensor was aimed at the speakers’ power-indicator LED and the laptop screen was not visible.The team successfully captured a statement played on the speakers and translated by Glowworm.

The Glowworm attack can be applied by eavesdroppers to recover: (1) the speech of any person speaking to the victim during a virtual meeting, and (2) any sound that is played by the speakers during the virtual meeting, which may or may not be related to the meeting; in this paper, we present the attack in the context of recovering speech from a virtual meeting.

Scenarios for attack

Platforms like Skype is far from sensitive enough to attract eavesdroppers armed with telescopes and Glowworm, the researchers’ discovery is a good reminder that despite the government’s best efforts, manufacturers can’t always be relied upon to consider these types of TEMPEST attacks.

Although Glowworm is able to spy on victims without drawing attention to itself, people won’t have to worry much about it. Glowworm does not interact with actual audio but only with a side effect of electronic devices that produce audio.

Glowworm attack used to spy on a conference call would not capture the audio of the participants in the room only of the remote participants whose voices are played over the conference room audio system.