22 June 2020

The “Lamphone”

Liviu Ioniţă

Geolocation systems, which can determine where people are through their phones, and facial recognition systems, which show who could have come into contact with individuals who tested positive, started to become part of our lives the moment surveillance of people’s behavior became one of the solutions adopted by governments to stop the coronavirus outbreak.

Before the pandemic, we were used to the idea that intelligence services are able to listen to … the phone and, generally, to intercept data from different types of communication, using high-tech devices and software.

But what happens when an ordinary hacker wants to spy on a remote discussion?

I have recently found out that surveillance of a remote conversation could theoretically be done by anyone, and the device that eases this process is a … lamp.

Image source: Profi Media

The “Lamphone” technique, or another function of the lamp

A conversation could be intercepted remotely just by observing a lamp in that space and measuring the amount of light it emits.

Cyber security researchers from Israel have developed a new technology called “Lamphone”, which detects sound waves through an electro-optical sensor directed towards a lamp and uses them to understand the discussion and recognize the “music”.

"We assume a victim located inside a room/office that contains a hanging light bulb," the researchers said. "We consider an eavesdropper a malicious entity that is interested in spying on the victim in order to capture the victim's conversations and make use of the information provided in the conversation (e.g., stealing the victim's credit card number, performing extortion based on private information revealed by the victim, etc.)."

That “entity” needs a telescope to provide a close-up view of the room containing the bulb from a distance, an electro-optical sensor that's mounted on the telescope to convert light into an electrical current, an analog-to-digital converter to transform the sensor output to a digital signal, and a laptop to process incoming optical signals and output the recovered sound data.

The researchers then recovered an excerpt from Donald Trump’s speech (“We will make America great again”) and recordings of the songs “Let It Be” by the Beatles and “Clocks” by Coldplay.

The interception can be made from a distance of 25 meters, but those who developed the method say the range can be increased by using more advanced equipment.

The team is coordinated by Ben Nassi, a PhD student at Ben-Gurion University of the Negev (yes, the desert with the same name) and a former Google employee, the same researcher who, at the beginning of the year, used a cheap projector to fool Tesla’s Autopilot by creating false positives known as “phantom objects”.

He is accompanied by Yuval Elovici, professor at the Department of Software and Information Systems Engineering at Ben-Gurion University of the Negev; Boris Zadov, researcher at the Cyber-Security Research Center of the same university; and Adi Shamir, professor at the Department of Computer Science and Applied Mathematics of the Weizmann Institute of Science, an Israeli computer scientist and cryptographer who, in 2002, along with American computer scientists Leonard Adleman and Ronald Rivest, won the A.M. Turing Award, given by the Association for Computing Machinery for important contributions to the field of computer science.

The paper “Lamphone: Real-Time Passive Sound Recovery from Light Bulb Vibrations” describes a new side-channel attack for intercepting sound.

A side-channel attack breaks cryptography by using information leaked by the cryptographic system, analyzing and correlating the physical signals it emits. For example, the electromagnetic radiation emitted by a computer oscillates in a way that’s extremely hard to decode.

The phenomenon was used for the first time during tests of the American encryption device 131-B2, produced by Bell Telephone Laboratories and used by American forces in World War II, according to a secret NSA report from 1972 that was declassified in September 2007.

The study starts from the observation that various side-channel attacks eavesdrop on sound by analyzing the side effects of sound waves on nearby objects and devices (e.g., motion sensors), and that these pose a great threat to privacy. However, they are limited in one of the following ways: they cannot be applied in real time (e.g., Visual Microphone), are not external, requiring the attacker to compromise a device with malware (e.g., Gyrophone), or are not passive, requiring the attacker to direct a laser beam at an object (e.g., laser microphone).

Lamphone, by contrast, is performed by using a remote electro-optical sensor to analyze a hanging light bulb’s frequency response to sound. The researchers show how fluctuations in the air pressure on the surface of the hanging bulb (in response to sound), which cause the bulb to vibrate very slightly (a millidegree vibration), can be exploited by eavesdroppers to recover speech and singing, passively, externally, and in real time. They then analyze a hanging bulb’s response to sound via an electro-optical sensor and learn how to isolate the audio signal from the optical signal. Based on this analysis, they develop an algorithm to recover sound from the optical measurements obtained from the vibrations of a light bulb and captured by the electro-optical sensor. Lamphone can be used by eavesdroppers to recover human speech (which can be accurately identified by the Google Cloud Speech API) and singing (which can be accurately identified by Shazam and SoundHound) from a bridge located 25 meters away from the target room containing the hanging light bulb.

The Lamphone technique therefore starts from the idea that objects vibrate when a sound wave reaches their surface, and the researchers think that when this happens to a bulb, the vibrations also create small variations in its light emissions.

Like any other new surveillance technique, Lamphone has its advantages and disadvantages. Attackers need a direct line of sight to the light bulb in a room or public space. Light bulbs protected by decorative covers or other constructs are safe from this attack, and so are conversations that take place in rooms without windows. Also, the attack works against all types of bulbs, and results can differ depending on the brand, model and technical characteristics of the bulb, as well as the width of the outside window and the bulb’s light emission capacity.

The Lamphone technology will be presented by the researchers at the upcoming Black Hat USA 2020

Black Hat includes a series of training events and sessions in the information security field, which give public and private participants access to trends in the field: IT specialists, security analysts, risk managers, security architects and engineers, security software developers, cryptographers, programmers, government employees, teachers, students and recruitment companies.

Since its foundation in 1997, Black Hat has evolved from a single conference held in Las Vegas into a series of large-scale events held in the United States, Europe and Asia, which attract more than 17,000 experts every year. The Black Hat Briefings section offers the InfoSec community the most recent research on information security threats, developments and trends. Global security experts present their latest research as well as new vulnerabilities, and the topics range from critical infrastructure to the Internet of Things, system security and mobile devices.

Black Hat Trainings offer participants technical attack and defence classes, taught by global experts.

Black Hat USA 2020 is the 23rd event of its kind in the US and, given the pandemic, will be held virtually, between 1 and 6 August.

Among the classes announced this year are: Advanced Cloud Security Practitioner (and official certification and development programs from the Cloud Security Alliance), Advanced Hacking and Securing Windows Infrastructure (seen as the only workshop which offers access to Windows code, a class that covers all aspects of Windows infrastructure security “from the hacker’s perspective” and which closes with a CQURE Academy certificate), Attack Techniques for Beginners, and Access Denied – Social Engineering Detection and Incident Response (which presents the principles of training for a possible IT incident).

Around 90 works are listed in the Black Hat Briefings alongside Lamphone, 995 being the total cost of full access to all presentations, which have titles such as: Breaking Brains, Solving Problems: Lessons Learned from Two Years of Setting Puzzles and Riddles for infoSec Professionals (Matt Wixey), Hacking the Voter: Lessons from a Decade of Russian Military Operations (Nate Beach-Westmoreland), Improving Mental Models of End-to-End Encrypted Communication (Omer Akgul, Wei Bai), Mind Games: Using Data to Solve for the Human Element (Masha Sedova), Practical Defenses Against Adversarial Machine Learning (Ariel Herbert-Voss), Repurposing Neural Networks to Generate Synthetic Media for Information Operations (Philip Tully, Lee Foster), Superman Powered by Kryptonite: Turn the Adversarial Attack into Your Defense Weapon (Kailiang Ying, Tongbo Luo, Jimmy Su, Xinyu Xing), You have No Idea Who Sent that Email: 18 Attacks on Email Sender Authentication (Jianjun Chen, Vern Paxson, Jian Jiang).

Although they did not get the same publicity, these presentations also seem important: Whispers Among the Stars: A Practical Look at Perpetrating (and Preventing) Satellite Eavesdropping Attacks, which offers a perspective on satellite broadband communication, revealing that an attacker with their own TV equipment, worth $300, can spy from thousands of miles away, and Stealthily Access Your Android Phones: Bypass the Bluetooth Authentication, given by Sourcell Xu and Xin Xin, who are presenting a zero-day vulnerability in the Android system.

And, not least, Election Security: Securing America’s Future, the presentation on how the US is getting ready to organize safe elections in 2020, in the middle of the COVID-19 epidemic, given by Christopher Krebs, the director of the Cybersecurity and Infrastructure Agency, an American governmental agency founded in 2018.

And if someone... misses them, Black Hat Europe 2020 will take place in London, between 9 and 12 November.

Translated by Andreea Soare