At first, hearing this might sound ridiculous. How could a hacker possibly monitor your activity and spy on you through a light bulb? Are they using cameras and such?
Except that’s exactly what I read on Forbes the other day. It particularly affects virtual assistants such as Alexa, Google Home, Siri, and any other microphone input (such as meeting apps) and involves you, unwittingly, literally shining a light at the microphone piece.
Now obviously, shining any old light at your home assistant isn’t going to do anything; it’s a special type of exposure that causes the vulnerability. In the research paper “Lamphone: Real-Time Passive Sound Recovery from Lightbulb Variations”, the researchers demonstrate how “dumb” light bulbs are sensitive to sound and vibrate differently depending on the audio coming out from the home assistant.
Theoretically, any object in the room could’ve been used to record vibrations, but light bulbs are the only ones that reflect any light over a long distance, and this attack needs light rays to work properly.
The attack method
The reason this method works is that it emulates how a microphone works. You see, a microphone consists of a diaphragm that converts analog sound into vibrations, a transducer that runs the vibrations through a magnetic field, turning them into an electrical current, and an Analog-to-Digital Converter (ADC) that samples the current at a frequency (e.g. 44.1 kHz) that the device can understand. As far as the device is concerned, this is intelligible audio.
Obviously, some thieving machinery far away can’t replicate the diaphragm part that makes the vibrations, but those vibrations can be “stolen” from the room with the help of an extremely close light bulb. This technique will not work with light bulbs more than a few centimeters away from the microphone piece because the intercepted sounds will be full of unintelligible noise.
Also, it will not work if the light bulb used for spying has an enclosure that limits light radiation, as most home lights have, since that reverts it to a normal household object that can’t be inspected without lots of noise.
So don’t worry about this device gleaning audio from your ceiling light. It simply is not possible (yet).
Basically, instead of vibrations, light signals are fed through a makeshift transducer and ADC some close distance away. This can record people’s voice input.
To be honest, the attack is only practical if you’re somewhere within 25 meters (a little above 80 feet) of the target device. Understandably, this means that you have to be really close to the target building to record a strong enough light signal. So it’s only practical if attached to places such as your neighbor’s building, or in the case of the researchers, a bridge.
But if you had those high-security requirements, you wouldn’t be placing sensitive stuff near a public bridge, now would you?
Fortunately, as fancy as this vulnerability sounds, there’s one obvious patch for it: closing your curtains or blinds. This has been the standard privacy guard for decades for sensitive stuff you don’t want neighbors and snoops listening in on or seeing. The researchers have also implied that opening the door might produce unintended side effects.
(Also, if you see giant telescopes outside pointing directly at your building, you should definitely go out and enquire about that. It’s not like there are scientific planetary objects of interest in your room.)
The power LED to the audio
Yesterday, another article was published on Forbes that describes how a variant of this attack, aptly called “Glowworm”, can be carried out using power LEDs instead of light bulbs for spying.
The Forbes author also points out in the article that the no-brainer precautions work for power LEDs just as they do for light bulbs:
“You’ve probably already jumped to the most obvious mitigation conclusion: as Glowworm requires a clear line of sight to the power LED, closing the curtains, turning speakers around to face away from any window or sticking a piece of, oh the irony, electrical tape over the LED will all kibosh it.” (Forbes)
So should you be concerned about these things? Probably not. As well as having ridiculously simple precautions, the attack needs specialized equipment that you can probably see from your window, at which point you can take the appropriate actions: closing blinds, calling the police on that location, and such.