Lamphone is a new side-channel attack that can be used to eavesdrop on sound. The attack was discovered by researchers Ben Nassi, Yaron Pirutin, Adi Shamir, and Yuval Elovici from Ben-Gurion University of the Negev and Weizmann Institute of Science.
In their report, the researchers showcase “how fluctuations in the air pressure on the surface of the hanging bulb (in response to sound), which cause the bulb to vibrate very slightly (a millidegree vibration), can be exploited by eavesdroppers to recover speech and singing, passively, externally, and in real time.”
The research team performed an analysis on a hanging bulb’s response to sound using an electro-optical sensor, thus discovering how to isolate the audio signal from the optical signal. The analysis helped them develop an algorithm that recovers sound from the optical measurements obtained from the vibrations of a light bulb and captured by the electro-optical sensor.
According to their evaluations:
Lamphone’s performance in a realistic setup and show that Lamphone can be used by eavesdroppers to recover human speech (which can be accurately identified by the Google Cloud Speech API) and singing (which can be accurately identified by Shazam and SoundHound) from a bridge located 25 meters away from the target room containing the hanging light bulb.
Lamphone Attack Can Be Exploited to Recover Speech
The team tested the attack to establish whether it can recover speech and songs from a specific location when the attacker is not present at that location. They used an office on the third floor of an office building that is entirely covered in curtain walls, which reduce the amount of light emitted from the offices.
It is also important to note that the target office contained a hanging E27 LED bulb (12 watt). Other details of the eavesdropping scenario include the eavesdropper being located on a pedestrian bridge, 25 meters away (aerial distance) from the office.
The researchers also used three telescopes with different lens diameters (10, 20, 35 cm), mounting an electro-optical sensor (the Thorlabs PDA100A2) on one telescope at a time.
“The sound that was played in the office during the experiments could not be heard at the eavesdropper’s location,” the report notes.
Under the specific conditions described above, the team was able to recover two songs and one sentence that were played via speakers in the office, using optical measurements obtained from a single telescope.
More technical details about the Lamphone attack are available in the paper.
“As a future research direction, we suggest analyzing whether sound can be recovered via other light sources,” the researchers said. “One interesting example is to examine whether it is possible to recover sound from decorative LED flowers instead of a light bulb.”
Last year, cybersecurity researchers outlined a new type of attack involving Intel server-grade processors released since 2012. The attack was based on a vulnerability named NetCAT (Network Cache Attack). The vulnerability could allow data to be sniffed by mounting a side-channel attack over the network. The NetCAT attack was discovered by researchers from the VUSec group at Vrije Universiteit Amsterdam.