LED Lights: Friend or Foe?
elfdump writes: "In an article (pdf) soon to be published in ACM Transactions on Information and Systems Security, security researchers have discovered that data transmitted through modems and routers can be remotely reconstructed from the equipment's LED status indicators. According to experiments, their light-to-information retrieval method is successful even when the light is captured 'at a considerable distance' from the source. If you want to prevent people from spying on your data, you may want to tape up those blinking LEDs!"
Just put a tiny capacitor on your Tx and Rx LEDs.
It's a hoax anyway...
I'm a 2000 man.
(having not yet read the article) the premise is unlikely since most LEDs on front panels are designed to stay on for longer than the actual activity lasts - in order to present useful information. If there was a one-to-one correspondence between the data and the LED - it would usually appear to a human viewer as an always-on-but-dim LED since the blink-on time would be so short.
To put it another way - there's a buffer before the LED.
-a.e.mossberg
If you read the article, they implemented this at speeds up to 56k and said the physics should hold up until 10mb. Look up at the light in your bedroom. You would probably say that it's on. But it's really flashing on and off faster than you can see. Same thing with that LED on your modem. When you see one blink it is most likely a lot of blinks faster than your eye can see, but not faster than optical equipment can see.
I'm not an electrical engineering expert, so I could have misinterpreted the story. However, as I read it, they claim that for cost saving reasons, the LEDs that just show status are internally electrically connected or at least influenced by the part of the circuit that handles the data flow. In other words, the LED is not showing just generic activity, but is actually showing the bit flow.
I'm not sure I believe them though.
-- Erv Walter
Many LEDs have a response time of around 8 nanoseconds, which means they can blink roughly 12.5 million times a second. Enough to transmit 12.5 Mb/s of data. If you're on a 10Mb network then that's plenty good for the spy. If you're on a 100Mb/s network, the spy is out of luck.
-... ---
If you looked at the article you would know that they claimed the information was subtly encoded into the light. The light may be on anytime there is a transmission, but the intensity varies slightly whether there is a 1 or a 0. That's what the article claims anyway, and I'm pretty sure it would depend on the specific hardware.
-- Adam
In the article the authors defined 3 classes of lights; only Category III LEDs can be sniffed, link status (Cat I) and network activity (Cat II) lights cannot be. The RD and SD lights on a modem are classed as Category III, and hence can be sniffed.
"+1, informative"? Heh, mods are on crack again.
Have a look into a Toslink digital audio connector some time. It's using a plain old LED to transmit information. It looks to the naked eye like it's on solid, there's no flicker whatsoever. What would you "think" if you saw that? Your gut reaction is totally off base here.
I don't think we have too much to worry about here. They have proved it to work (supposedly, no evidence) on 56kbps. Most results are for 14.4kbps or less. This is for modems - generally they have TD/RD lights which are direct indications of the RS232 lines, so show data.
NICs, routers, switches, and hubs, tend to slow down the light flashes, or flash to packets, rather than bits. It makes it far easier to see what is going on. An LED would have difficulty keeping up with the high data rates as well (as well as any driver circuits).
It could be possible on a switch that has activity lights for all the network to ascertain which ones have most traffic, and hence gateways/DNS servers, but these things are generally found out in much easier ways.
It seems as if most of the posts before this are from people who didn't read the article, and are claiming it can't be true. RTFA.
Here's a paper by the amazing Markus Kuhn (who has done many other brilliant security hacks besides this) showing how CRT display contents can be reconstructed from the light given off by the screen, even when the light is reflected diffusely off a wall. It makes me glad I use an LCD monitor.
When I first started in networking I was assigned to test some FDDI gear, which in 1995 used LEDs to send data down a fiber at 100 Mb/s. Now there is a limit to how fast an LED can blink, but we know how to design them for 100 Mb/s. I don't think we can do 1Gb/s with an LED though; at least all the gigabit stuff I work with today is lasers. (Much of it was back then too, but an LED is much cheaper than a laser, so for short distances we used the LEDs.)
If we could make LEDs work then, I'm sure today we can too, though having all the light guided to the destination by a fiber makes it much easier than reading the diffuse light from a modem LED which might or might not actually flash to indicate data. I know of some routers that appeared to have tied the ethernet activity light to the datastream, and others where it was just on. Some hubs seem to do this too.
This is a PHYSICAL encoding, not something cooked up by them. It's used in a variety of devices. Look it up.
There are other schemes, including non-return-to-zero inverted and non-return-to-zero space. However these two encoding schemes do not work with absolute values, only transitions from one value to another (i.e. from one to zero, or zero to one). There are also return-to-zero and biphase encoding schemes as well, which attempt to correct problems found in the non-return-to-* schemes. However, NRZ-L is the most simple form of encoding, IIRC.
I just typed "led diode response time" at google. The first link is here.
-... ---
You didn't actually read the paper, did you? It turns out that the LEDs on modems actually do indicate the data pattern. Most modems have "Class III" LED emanations (i.e. "strongly correlated with the content of data being transmitted"). Most LAN and WAN equipment does not have Class III optical emissions, with the exception of an LED on the back panel of certain CISCO routers (page 11). See the table on page 10 of the paper.
In fact, they reconstruct actual data from actual modems over various distances ranging from 5 metres to 30 metres. They believe that, given the right optics, this could be done over several hundred metres.
They also found that the Paradyne Infolock 2811-11 DES encryptor has an LED on the plaintext data.
And they have a great appendix on using keyboard LEDs as a high-bandwidth covert channel, with the obligatory reference to Cryptonomicon.
This is a great theory, but not actually true, at least for modems. Read the paper.
Read the .pdf linked from the article. Pay attention to the top of page 2. As the paper states, "[a] high correlation is evident." (the example is evidently a TXD or RXD activity LED on a 9600 bps modem) Whether or not a piece of equipment is built to leak information in this manner is a secondary consideration. The fact remains that some equipment does leak info through status LEDs.
Mail? Put "slashdot" in the subject to pass the spam filters.
The Cisco 4000 and 7000 IP Routers are "Class III" devices, and they're relatively popular.
The responses to this article seem to all question the switching speed of LEDs. Even the least expensive LEDs are capable of at least 100kHz operation, with many, many, common LEDs capable of operating at several MHz. Remember, most of the fiber-based transceivers use LEDs, not laser diodes. I've used LED-based 3com equipment over a 2 km 62.5/125 um MM fiber link without trouble. These LEDs (not IR LEDs) were easily able to handle 10 Mbps.
Tiller's Rule: Never use a word in written form that you've only heard and never read. You will end up looking foolish.
Kuhn did not invent this technique, I read about this being doable in Popular Science in the mid-to-late 80s. It's called 'van Eck phreaking' after Wim van Eck, its discoverer. As I recall from that long-ago article, he sat in an equipped van parked outside a building, tuned in on a CRT that was inside the building, and read the contents of that screen right off his. I think I was about 12 or 13 at the time, and this was the coolest thing I had ever heard of-- in fact, it made such an impression on me that "kinda like van Eck" was the first thought that crossed my mind when I read the posting on here.
Here's some info about the van Eck phreaking method.
~Philly
You are forgetting that most of these LEDs are on the other side of a very small capacitor. Many hardware manufacturers chose this to fix the problem of dim LEDs because it was a cheap and dirty patch which was easier and cheaper than changing the chip design or redoing the whole circuit. The light shifts in intensity during the pulse but so slightly that the human eye cannot detect it.
The capacitor chosen is carefully chosen to be only strong enough to keep the LED from going dim between byte pulses, but the pause between packets is sufficient to let the LED go dim.
Look at a spectrum analysis of a couple of the LEDs and you will see that I am right.
Really people, just 'cause you can't see it doesn't mean it doesn't happen.
Even Linksys, the most popular routers/hubs/switches out there, pulses on bytes not on packets.
My $0.02 will always be worth more than your €0.02, so
Then be amazed. To your eyes it's a blur but not to a phototransistor or similar. Both the LED and the receiver are easily capable of these frequencies and as mentioned in the article 10MHz is not a problem. A good example where this technique is used deliberately is on TV remotes. OK the data rate is low (10kb/s??) but the parts used are very low tech.
You see that big white thing hanging from the ceiling that wonderfully lights up the room? Is that a steady light or pulsed? The 50Hz (or 60Hz for you yanks) supply causes filament bulbs to pulse at 100Hz (120Hz) and is very obvious if you have the right sensor to pick it up. (Your eyes are not the right sensor.) Fluorescent lights are even better and are completely dark for quite a proportion of their on time.
The best bit is at the end of the pdf. A slight modification to somebody's keyboard will cause the scroll lock LED to output details of every last keypress you make. Encryption does not matter if you have access to the plain text...
Time to get our paranoid hats on....
wot no sig
On projection, a light would be shone through this track onto a photosensitive plate (hell it could've even been a solar cell of some sort). This would generate an electrical signal that, when amplified, created the sound for the film.
I'm old enough to remember seeing some of these films in the theater. Sometimes the film would get misaligned in the projector and you'd be able to see this track. Looked like a buzzing string turned sideways.
This is also why when you see an old film that's been spliced you see the cut before you hear the "pop" in the soundtrack. The sound is read in a different part of the projector, "downstream" of the image.
AMCGLTD.COM. Where cats, science fictio
An 8 nanosecond pulse is therefore 125 Megahertz (1 Gigahertz divided by 8). So the theoretical limit is 125 Mb/s, not 12.5.
Ever play with resistors? You run current through them one way, and the resistor gets hot. Run the current the other way, and the resistor gets hot. Just because the current through filament changes directions doesn't mean that it isn't still flowing.
You didn't read the article. If you had read the article you would know that you are describing what the authors call a Class II device.
The authors also describe Class III devices which do blink along with the data stream (if you RTA you'll even know why) these include TD and RD lights on modems and routers.
They also point out the the information given off by Class II devices can be useful for traffic analysis and covert channels.
But you knew that, right?
Si vis pacem, para bellum
The only thing more annoying than a Libertarian is an (un|mis)informed Libertarian
Down 6 dB at 20 Hz. It'll still blink prettily, but no data.
http://www.angelfire.com/ca3/marlowe Better a smartass than a dumbass.
There are two ways to put in an LED to show when a device is transmitting or receiving. One is to tie it to the transmit or receive enable/detect signal, IF there is any. The other is to tie it to the data line. In that case, the LED may be blinking right along with the data, although too fast for the human eye to see. It looks like it is on continually, but the signal could be recovered with a fast enough detector. This depends on the LED turn-on/turn-off time; if it's 8 ns (pretty common), a 56K modem would be easy to pick up. ADSL or cable modems at a few MHz would be sending out a clear signal; I'm not sure if there are cheap optical detectors that will work at those speeds, but there are expensive ones that go into the gigahertz. 10MHz ethernet signals would be "blurry" but with a good detector, a fast ADC, and some signal processing you could recover them. With 100 MHz ethernet, no data could be recovered.
But before you can do any of that, you have to be able to _see_ the blinking lights. If someone can get into your wiring closet and focus an optical detector on your hub, it would be a heck of a lot simpler to just connect the network sniffer by cable. The real hazard is if the blinking lights are pointed out the window -- that's an unusual location for a network hub, switch, router, or server, but it's quite likely your business has some desktop computers with the back towards a window and the LEDs for the NIC and modem cards visible from outside, so a telescope in a van parked across the street could, in theory, extract the data. For instance the receptionist's computer is probably oriented this way; it probably isn't worthwhile for someone to go to this much trouble to find out what a receptionist is up to, but if the NIC is showing data flowing to and from other machines on a shared network cable, better stick on a bit of electrical tape...
I was in the US Army Signal Corps and worked with communication equipment such as the KW26 which did the encryption of data on the comm. lines. It had the little blinking light on the transmitter side to let you know it was working all right,...till the Army found out that light (a neon) was broadcasting all the data! Part of the tech. job was to lock the system from "Tempest" leaking and we had to remove that light and cut out the wires to it.
This was in 1968 (yes.. I'm an old fart) so this has been known for quite some time, or it should have been known,...looks like they forgot!
Your eyes can't discern discrete changes past, say, 24 Hz (movie frame rate). Data is modulated in the LED in pulses that match the data rate. So to your eye, it appears to be solidly on. To a sensitive solid-state photoreceptor, the changes are discernible (according to the article, at rates up to 10 Mb/s).
Frankly, I'm amazed this wasn't determined to be a problem a long time ago. This is indeed a tangible risk, you naysayers. Passively sniffing a box is a much more subtle way of eavesdropping than cracking open the box or plugging in a new MAC. That flashy data center with the big wire-mesh windows and cipher lock might want to think about some opaque-ish drapes.
Some newer, energy-efficient fluorescents operate at frequencies >60Hz, and have long-decay phosphor coatings effectively eliminating the "on-off" effect.
(A fluorescent lamp operates by an electric arc which vaporizes and excites mercury in an otherwise near-vacuum; the mercury gas emits light in the ultraviolet spectrum. The ultraviolet light excites a fluorescent coating which in turn emits light in the visible spectrum. Different colors of fluorescent lamps are made by introducing different materials into the fluorescent coating.)
LEDs, on the other hand, lacking a fluorescent material, have very steep attack and decay slopes, allowing them to respond (flicker) at very high rates.
P.S. -- "Fluorescent" means to become excited by light in one spectrum and emit it in another spectrum. A more precise word would probably be "photoluminescent." Neon and LEDs are types of "electroluminescent" lamps -- light is emitted when the material is excited by electricity. Incandescent is "thermoluminescent" -- light is emitted when the material becomes thermally excited (hot). A fluorescent lamp is a combination of electroluminescent and photoluminescent technologies.
P.P.S. -- I like to make up big words. It makes me sound smart.
Give me my freedom, and I'll take care of my own security, thank you.
Uh, try the Jargon File entry for blinkenlights.
www.timcoleman.com is a total waste of your time. Never go there.
What a bunch of software freaks.
Hello, an LED is a diode.. a semiconductor P-N junction that happens to emit light in the visible spectrum when properly forward biased.
Guess what other devices use P-N junctions? That's right, all those transistors in your fancy new 2.0 GHz Pentium 4 or Athlon.
Hmm. 2.0 GHz on the P-N junctions in the microprocessor? Ever think that maybe the P-N junction in an LED can switch at a fraction of that rate?
Just because your miserable non-cyborg human eye can't see the on-off transitions above 60Hz doesn't mean that my Borg eye can't pull every little last bit of information that is being transferred off that LED.
And today, we are going to learn about math and electricity:
AC current flows in a sine wave. Now, I will assume you know what a sine curve looks like.
At a sine curve's peaks, at pi/2 radians from zero in either direction on the unit circle, the absolute unit is 1. Its zero is at zero.
Now, it is only zero at zero degrees. At all other times it is NOT zero, and thus, current is flowing. On a cycle of pi radians, there are an infinite number of points where current is flowing, and only THREE where it is zero, and "stopped" as you say. Since an incandescent bulb is resistant no matter the voltage, and has a slow cooling time, the bulb is infinitely "on" for the complete cycle, because it does not turn "off" during the infinitely small zero points of the curve.
Now, the reason LEDs pulse is because their switching speed is near-instantaneous, and they only flow current in one direction.
Fluorescents are similar, but generally more apparent in their flickering because of "threshold voltage", which basically increases the size of the zero points on the curve, because light output is effectively zero for input voltages less than a certain amount. LEDs have a threshold voltage too, but it's a lot smaller percentage generally, for zero light output.
"Alcohol, Tobacco, Firearms, and Explosives" should be a convenience store, not a government agency.
Yeah, you can take LEDs and solar cells to transfer sound. Check this link out: http://scitoys.com/scitoys/scitoys/light/light.html#laser_communicator
Orange
Actually, only the Fast Serial card TD LED was listed as a class 3 device. The "Front Panel Light" (whichever one that is) is a class 2.
Personally I can't see getting anything meaningful out of a moderately used POS or ATM line card's LEDs.
It's van Eck Phreaking, check whatis or google.
daniel
Actually, for Ethernet (i.e. typical hubs/switches/routers) your supposition is wrong, 50 will not be encoded as you've indicated, since Ethernet uses Manchester encoding, which involves a state transition for every bit (e.g. 0->1 might indicate a 1 and 1->0 transition a 0, in which case the number 50 would be more like
_|_||_|__||_
There are numerous other signal schemes in use, with various pros/cons for the hardware, and uses such as recovering the signal clock on the receiving side.
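An added example (my own, not from any poster) of the Manchester scheme the comment above describes, using its convention that a 0->1 mid-bit transition is a 1 and 1->0 is a 0; the rendering of the line as '-', '_' and '|' is my own notation chosen to echo the picture above, and the duty-cycle check shows why an LED tied straight to such a line looks steadily half-bright:

```python
from typing import List

# Manchester (biphase) encoding with the comment's convention, which is also
# the one IEEE 802.3 Ethernet uses: every bit period has a transition at its
# midpoint, low-to-high (0->1) for a 1 and high-to-low (1->0) for a 0.

def byte_to_bits(value: int) -> List[int]:
    """MSB-first bit list of one byte."""
    return [(value >> i) & 1 for i in range(7, -1, -1)]

def bits_to_byte(bits: List[int]) -> int:
    value = 0
    for b in bits:
        value = (value << 1) | b
    return value

def manchester_encode(bits: List[int]) -> List[int]:
    """Two half-bit line levels per data bit: [0, 1] for a 1, [1, 0] for a 0."""
    levels: List[int] = []
    for b in bits:
        levels += [0, 1] if b else [1, 0]
    return levels

def has_midbit_transitions(levels: List[int]) -> bool:
    """True if every bit period contains the mandatory mid-bit transition;
    a missing one means the line is idle (no carrier) or the receiver's
    clock has slipped by half a bit."""
    if len(levels) % 2:
        return False
    return all(levels[i] != levels[i + 1] for i in range(0, len(levels), 2))

def manchester_decode(levels: List[int]) -> List[int]:
    if not has_midbit_transitions(levels):
        raise ValueError("no mid-bit transition: idle line or misclocked")
    # A period that starts low must end high, i.e. a 0->1 transition: a 1.
    return [1 if levels[i] == 0 else 0 for i in range(0, len(levels), 2)]

def waveform(levels: List[int]) -> str:
    """One-line picture of the line: '-' high, '_' low, '|' at each transition."""
    out = []
    for i, lvl in enumerate(levels):
        if i and levels[i - 1] != lvl:
            out.append("|")
        out.append("-" if lvl else "_")
    return "".join(out)

def duty_cycle(levels: List[int]) -> float:
    """Fraction of time the line (and an LED tied straight to it) is high.
    Manchester pins this at exactly 0.5 whatever the data is sent."""
    return sum(levels) / len(levels)

if __name__ == "__main__":
    bits = byte_to_bits(50)
    levels = manchester_encode(bits)
    print("bits    :", "".join(map(str, bits)))
    print("line    :", waveform(levels))
    print("duty    :", duty_cycle(levels))
    print("decoded :", bits_to_byte(manchester_decode(levels)))
```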
Here is a prime example of blatant illogical thinking on the part of the media: http://www.cnn.com/2002/TECH/ptech/03/07/led.snooping.reut/index.html
Keep in mind I've done embedded modem code, and my primary technical job at work is to deal with fault situations, including displaying status codes on LEDs, so I'm familiar with the technology and its limitations.
Here's what's wrong with this article:
1) LEDs are very slow devices. That means they can only turn off so many times in a second - on average, 50 times a second. That means *50* baud, which is about 6 characters in a second. There is no technical way that these LEDs can turn on and off fast enough to support even the slowest of modems! It's like driving at 500 MPH and snapping 6 pictures over the course of 50 miles and saying that you can figure out what's in between the pictures. Not technically possible.
2) The author makes the assumption that the blinking lights are actually connected directly to the data stream. This isn't true! One problem we had with our modems initially is we did have the data stream tied to the lights. Once the speed of modems edged up (we're talking 9600bps, here folks, so this was a LONG time ago), the data was toggling so fast that all we could get out of the status LEDs was a dim glow. So we wrote code to keep the status LEDs on for a minimum period of time so they'd actually show up.
3) The author knows nothing about ATMs and their protocols. Even if internal modems built in to ATMs (to which almost all are internal with no indicator lights of any sort), having the data stream, byte by byte will not be a repeatable sequence anyway. There is a trust set up between each ATM and their servers and no two transactions are identical. The stream is encrypted. When was the last time you saw any LEDs on ATMs?
4) The article infers that one can even detect network traffic from the LED. Come on - an LED capable of 50 baud revealing the actual traffic on even something as slow as 10 megabit network?
5) Most of the LEDs that people see on devices don't display any critical information anyway. Power status, fault status, drive activity, etc.. is most of it.
It's asinine things like this that just make me want to scream. They spread fear, uncertainty, and doubt based on factless speculation to promote themselves to groups of people who don't know better.
Don't ever believe anything technical you read in the media. It's almost always wrong.
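An added simulation (my own, not from the paper or any poster) of the two hookups argued over throughout this thread: an LED tied straight to the data line, versus one behind a pulse stretcher that holds it on for a minimum time after any activity, as the embedded developer above describes adding in code. It measures how much of the line a fast photodetector sampling once per bit time could learn from each hookup; the serial framing, gap length, hold time and seeded test bytes are constructed assumptions.

```python
import math
import random
from collections import Counter
from typing import Dict, List

def serial_line(frames: List[bytes], gap: int) -> List[int]:
    """Constructed line model: each frame's bytes go out MSB first, one bit
    per bit time, followed by `gap` idle bit times at 0 (the pause between
    packets during which a capacitor or hold timer lets the LED go dark)."""
    line: List[int] = []
    for frame in frames:
        for byte in frame:
            line += [(byte >> i) & 1 for i in range(7, -1, -1)]
        line += [0] * gap
    return line

def led_direct(line: List[int]) -> List[int]:
    """Class III hookup: LED drive follows the data line bit for bit."""
    return list(line)

def led_stretched(line: List[int], hold: int) -> List[int]:
    """Class II hookup: a one-shot keeps the LED on for `hold` bit times
    after every 1 on the line, so it only shows that traffic is flowing."""
    out: List[int] = []
    remaining = 0
    for b in line:
        if b:
            remaining = hold
        out.append(1 if remaining > 0 else 0)
        if remaining > 0:
            remaining -= 1
    return out

def mutual_information(x: List[int], y: List[int]) -> float:
    """Empirical I(X;Y) in bits per sample between the line and the LED
    samples: 1.0 means every line bit can be read back from the LED,
    0.0 means the LED tells an observer nothing about the data."""
    n = len(x)
    joint = Counter(zip(x, y))
    px, py = Counter(x), Counter(y)
    return sum(c / n * math.log2((c / n) / ((px[a] / n) * (py[b] / n)))
               for (a, b), c in joint.items())

def leakage_report(hold: int = 12, gap: int = 32) -> Dict[str, float]:
    """Eight frames of eight pseudo-random bytes (fixed seed, so the result
    is repeatable) sent through both hookups."""
    rng = random.Random(2002)
    frames = [bytes(rng.getrandbits(8) for _ in range(8)) for _ in range(8)]
    line = serial_line(frames, gap)
    return {
        "direct": mutual_information(line, led_direct(line)),
        "stretched": mutual_information(line, led_stretched(line, hold)),
    }

if __name__ == "__main__":
    for hookup, bits in leakage_report().items():
        print(f"{hookup:10s} {bits:.3f} bits of line data per LED sample")
```

The stretched figure does not fall to zero: the on/off envelope still reveals when frames go by, which is the traffic-analysis leakage the paper attributes to Class II lights, and a hold shorter than a byte time collapses back towards the direct case.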