What is Lamphone?
This may sound like a trick from a science-fiction movie, but it is possible to spy on personal conversations taking place in a room just by watching a light bulb through the window and measuring the amount of light it emits.
A cyber security team of academics from Israel's Ben-Gurion University of the Negev and the Weizmann Institute of Science has developed and demonstrated how this seemingly fictional side-channel technique can be applied by malicious actors who want to extract full sound from an overhead bulb in the victim’s room. The researchers have published their findings in a paper that will be presented at the Black Hat USA 2020 conference later in August. The so-called “Lamphone” technique for long-distance eavesdropping works by optically capturing tiny sound waves through an electro-optical sensor pointed at the bulb and using the sensor's output to recover speech and music.
At the core of the “Lamphone” attack method is the detection of vibrations in hanging bulbs, which result from the fluctuations in air pressure that occur naturally when sound waves reach the bulb's surface. The demonstration team measures the small changes in the bulb's light output that those tiny vibrations trigger in order to capture snippets of conversation and to recognize music.
The researchers explain that, through this method, eavesdroppers interested in spying on a victim can capture personal conversations and use the collected information for various malicious purposes, including financial theft, identity theft, theft of business secrets, or even personal abuse and blackmail. For the demonstration, the team prepared a setup consisting of a telescope that provides a close-up view of the room with the bulb from a distance, an electro-optical sensor mounted on the telescope that converts light into an electric current, an analog-to-digital converter that converts the sensor's output into a digital signal, and, of course, a laptop to process the incoming optical signals and turn them into sound data.
With the setup described above, the academic researchers managed to retrieve an audible extract of President Donald Trump’s speech that was transcribable by Google’s Speech to Text API. They also reproduced the Beatles’ “Let It Be” and Coldplay’s “Clocks” clearly enough for the songs to be recognized by song identification services such as SoundHound and Shazam. The new method of capturing sound from a light bulb is an addition to a growing list of state-of-the-art techniques for snooping on users and extracting sound information from devices made to work like microphones, such as motion sensors, speaker devices, vibration devices, hard drives, etc.
How far away can an attacker be to spy on you with the Lamphone method?
With the help of high-range equipment, the “Lamphone” method of espionage can be performed from great distances, but even a single telescope and an electro-optical sensor for a few hundred bucks can do the job from 25 meters away from the target. Lamphone attacks may be carried out in real time, as opposed to Visual Microphone eavesdropping systems, which are hampered by the long processing times needed to recover even a few seconds of speech. Moreover, because the attack is fully external, the attacker doesn’t need to compromise the victim’s computer. Still, since the attack relies mostly on light output, the countermeasures that the authors of the demonstration propose involve using a weaker light bulb and a curtain wall to limit the amount of light emitted from the room, thereby reducing the amount of light the electro-optical sensor catches. The researchers also recommend using a heavier bulb to minimize the vibrations caused by air pressure.