LED Lights: Friend or Foe?
elfdump writes: "In an article (pdf) soon
to be published in ACM Transactions
on Information and Systems Security, security researchers have discovered
that data transmitted through modems and routers can be remotely reconstructed
from the equipment's LED status indicators. According to experiments, their
light-to-information retrieval method is successful even when the light is
captured 'at a considerable distance' from the source. If you want to prevent
people from spying on your data, you may want to tape up those blinking LEDs!"
Just put a tiny capacitor on your Tx and Rx LEDs.
It's a hoax anyway...
I'm a 2000 man.
If you read the article, they implemented this at speeds up to 56k and said the physics should hold up until 10mb. Look up at the light in your bedroom. You would probably say that it's on, but it's really flashing on and off faster than you can see. Same thing with that LED on your modem. When you see one blink it is most likely a lot of blinks faster than your eye can see, but not faster than optical equipment can see.
Many LEDs have a response time of around 8 nanoseconds, which means they can blink roughly 12.5 million times a second. Enough to transmit 12.5 Mb/s of data. If you're on a 10Mb network then that's plenty good for the spy. If you're on a 100Mb/s network, the spy is out of luck.
-... ---
If you looked at the article you would know that they claimed the information was subtly encoded into the light. The light may be on any time there is a transmission, but the intensity varies slightly whether there is a 1 or a 0. That's what the article claims anyway, and I'm pretty sure it would depend on the specific hardware.
-- Adam
"+1, informative"? Heh, mods are on crack again.
Have a look into a Toslink digital audio connector some time. It's using a plain old LED to transmit information. It looks to the naked eye like it's on solid, there's no flicker whatsoever. What would you "think" if you saw that? Your gut reaction is totally off base here.
Here's a paper by the amazing Markus Kuhn (who has done many other brilliant security hacks besides this) showing how CRT display contents can be reconstructed from the light given off by the screen, even when the light is reflected diffusely off a wall. It makes me glad I use an LCD monitor.
When I first started in networking I was assigned to test some FDDI gear, which in 1995 used LEDs to send data down a fiber at 100 Mbps. Now there is a limit to how fast an LED can blink, but we know how to design them for 100 Mbps. I don't think we can do 1 Gb/s with an LED though; at least all the gigabit stuff I work with today is lasers. (Much of it was back then too, but an LED is much cheaper than a laser, so for short distances we used the LEDs.)
If we could make LEDs work then, I'm sure today we can too, though having all the light guided to the destination by a fiber makes it much easier than reading the diffuse light from a modem LED which might or might not actually flash to indicate data. I know of some routers that appeared to have tied the ethernet activity light to the datastream, and others where it was just on. Some hubs seem to do this too.
This is a PHYSICAL encoding, not something cooked up by them. It's used in a variety of devices. Look it up.
There are other schemes, including non-return-to-zero inverted, and non-return-to-zero space. However these two encoding schemes do not work with absolute values, only transitions from one value to another (i.e. from one to zero, or zero to one). There are also return-to-zero and biphase encoding schemes as well, which attempt to correct problems found in the non-return-to-* schemes. However, NRZ-L is the most simple form of encoding, IIRC.
You didn't actually read the paper, did you? It turns out that the LEDs on modems actually do indicate the data pattern. Most modems have "Class III" LED emanations (i.e. "strongly correlated with the content of data being transmitted"). Most LAN and WAN equipment does not have Class III optical emissions, with the exception of an LED on the back panel of certain Cisco routers (page 11). See the table on page 10 of the paper.
In fact, they reconstruct actual data from actual modems over various distances ranging from 5 metres to 30 metres. They believe that, given the right optics, this could be done over several hundred metres.
They also found that the Paradyne Infolock 2811-11 DES encryptor has an LED on the plaintext data.
And they have a great appendix on using keyboard LEDs as a high-bandwidth covert channel, with the obligatory reference to Cryptonomicon.
The Cisco 4000 and 7000 IP Routers are "Class III" devices, and they're relatively popular.
The responses to this article seem to all question the switching speed of LEDs. Even the least expensive LEDs are capable of at least 100kHz operation, with many, many common LEDs capable of operating at several MHz. Remember, most of the fiber-based transceivers use LEDs, not laser diodes. I've used LED-based 3com equipment over a 2 km 62.5/125 um MM fiber link without trouble. These LEDs (not IR LEDs) were easily able to handle 10 Mbps.
Tiller's Rule: Never use a word in written form that you've only heard and never read. You will end up looking foolish.
Kuhn did not invent this technique, I read about this being doable in Popular Science in the mid-to-late 80's. It's called 'van Eck phreaking' after Wim van Eck, its discoverer. As I recall from that long-ago article, he sat in an equipped van parked outside a building, tuned in on a CRT that was inside the building, and read the contents of that screen right off his. I think I was about 12 or 13 at the time, and this was the coolest thing I had ever heard of-- in fact, it made such an impression on me that "kinda like van Eck" was the first thought that crossed my mind when I read the posting on here.
Here's some info about the van Eck phreaking method.
~Philly
You didn't read the article. If you had read the article you would know that you are describing what the authors call a Class II device.
The authors also describe Class III devices which do blink along with the data stream (if you RTA you'll even know why) these include TD and RD lights on modems and routers.
They also point out that the information given off by Class II devices can be useful for traffic analysis and covert channels.
But you knew that, right?
Si vis pacem, para bellum
The only thing more annoying than a Libertarian is an (un|mis)informed Libertarian
There are two ways to put in an LED to show when a device is transmitting or receiving. One is to tie it to the transmit or receive enable/detect signal, IF there is any. The other is to tie it to the data line. In that case, the LED may be blinking right along with the data, although too fast for the human eye to see. It looks like it is on continually, but the signal could be recovered with a fast enough detector. This depends on the LED turn-on/turn-off time; if it's 8 ns (pretty common), a 56K modem would be easy to pick up. ADSL or cable modems at a few MHz would be sending out a clear signal; I'm not sure if there are cheap optical detectors that will work at those speeds, but there are expensive ones that go into the gigahertz. 10MHz ethernet signals would be "blurry" but with a good detector, a fast ADC, and some signal processing you could recover them. With 100MHz ethernet, no data could be recovered.
But before you can do any of that, you have to be able to _see_ the blinking lights. If someone can get into your wiring closet and focus an optical detector on your hub, it would be a heck of a lot simpler to just connect the network sniffer by cable. The real hazard is if the blinking lights are pointed out the window -- that's an unusual location for a network hub, switch, router, or server, but it's quite likely your business has some desktop computers with the back towards a window and the LEDs for the NIC and modem cards visible from outside, so a telescope in a van parked across the street could, in theory, extract the data. For instance the receptionist's computer is probably oriented this way; it probably isn't worthwhile for someone to go to this much trouble to find out what a receptionist is up to, but if the NIC is showing data flowing to and from other machines on a shared network cable, better stick on a bit of electrical tape...
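A small simulation, added here and not taken from the thread or from the paper, of two points made above: the NRZ-L / NRZ-I line codes one poster describes, and the claim that an LED with an 8 ns turn-on/turn-off time leaks a 56K modem's bits cleanly while 100 Mbit/s is blurred beyond recovery. It assumes a first-order exponential LED response, 20 detector samples per bit, an integrate-and-dump detector, and a constructed bit pattern; the thresholds and rates are illustrative, not measurements.

```python
import math
TAU_S = 8e-9  # assumed LED turn-on/turn-off time constant (the 8 ns from the post)
SPB = 20      # detector samples per bit cell (assumption)

def nrz_l(bits):
    """NRZ-L: the level is the bit itself (1 = LED driven on, 0 = off)."""
    return [1 if b else 0 for b in bits]

def nrz_i(bits):
    """NRZ-I: a 1 toggles the level, a 0 holds it; only transitions carry data."""
    level, out = 0, []
    for b in bits:
        level ^= b
        out.append(level)
    return out

def decode_nrz_i(levels):
    """Inverse of nrz_i: a bit is 1 exactly where the level changed."""
    return [lvl ^ prev for prev, lvl in zip([0] + levels, levels)]

def led_brightness(levels, bit_rate, tau=TAU_S):
    """Exponential rise/fall model of LED light output driven at bit_rate."""
    dt = 1.0 / (bit_rate * SPB)
    alpha = 1.0 - math.exp(-dt / tau)   # per-sample step toward the drive level
    y, out = 0.0, []
    for lvl in levels:
        for _ in range(SPB):
            y += alpha * (lvl - y)
            out.append(y)
    return out

def detect_levels(brightness):
    """Integrate-and-dump detector: average each bit cell, threshold at 0.5."""
    n = len(brightness) // SPB
    return [1 if sum(brightness[i * SPB:(i + 1) * SPB]) / SPB > 0.5 else 0
            for i in range(n)]

def fraction_recovered(bits, bit_rate, code="nrz_l"):
    """Fraction of bits an observer of the LED gets right at this bit rate."""
    levels = nrz_l(bits) if code == "nrz_l" else nrz_i(bits)
    got = detect_levels(led_brightness(levels, bit_rate))
    if code == "nrz_i":
        got = decode_nrz_i(got)
    return sum(a == b for a, b in zip(bits, got)) / len(bits)

# Constructed sample pattern; rates from the thread: 56 kbit/s modem,
# 10 Mbit/s and 100 Mbit/s Ethernet.
SAMPLE_BITS = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 1, 0, 0, 0, 1, 0]
```

Calling `fraction_recovered(SAMPLE_BITS, rate)` for 56e3, 10e6 and 100e6 shows full recovery at the modem and 10 Mbit/s rates and errors at 100 Mbit/s, where a bit cell is shorter than the LED's time constant; a Class III indicator on slow equipment is the case worth taping over.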
Some newer, energy-efficient fluorescents operate at frequencies >60Hz, and have long-decay phosphor coatings effectively eliminating the "on-off" effect.
(A fluorescent lamp operates by an electric arc which vaporizes and excites mercury in an otherwise near-vacuum; the mercury gas emits light in the ultraviolet spectrum. The ultraviolet light excites a fluorescent coating which in turn emits light in the visible spectrum. Different colors of fluorescent lamps are made by introducing different materials into the fluorescent coating.)
LEDs, on the other hand, lacking a fluorescent material, have very steep attack and decay slopes, allowing them to respond (flicker) at very high rates.
P.S. -- "Fluorescent" means to become excited by light in one spectrum and emit it in another spectrum. A more precise word would probably be "photoluminescent." Neon and LEDs are types of "electroluminescent" lamps -- light is emitted when the material is excited by electricity. Incandescent is "thermoluminescent" -- light is emitted when the material becomes thermally excited (hot). A fluorescent lamp is a combination of electroluminescent and photoluminescent technologies.
P.P.S. -- I like to make up big words. It makes me sound smart.
Give me my freedom, and I'll take care of my own security, thank you.
Uh, try the Jargon File entry for blinkenlights.
www.timcoleman.com is a total waste of your time. Never go there.
And today, we are going to learn about math and electricity:
AC current flows in a sine wave. Now, I will assume you know what a sine curve looks like.
At a sine curve's peaks, at pi/2 radians from zero in either direction on the unit circle, the absolute unit is 1. Its zero is at zero.
Now, it is only zero at zero degrees. At all other times it is NOT zero, and thus, current is flowing. On a cycle of pi radians, there are an infinite number of points where current is flowing, and only THREE where it is zero, and "stopped" as you say. Since an incandescent bulb is resistant no matter the voltage, and has a slow cooling time, the bulb is infinitely "on" for the complete cycle, because it does not turn "off" during the infinitely small zero points of the curve.
Now, the reason LEDs pulse is because their switching speed is near-instantaneous, and they only flow current in one direction.
Fluorescents are similar, but generally more apparent in their flickering because of "threshold voltage", which basically increases the size of the zero points on the curve, because light output is effectively zero for input voltages less than a certain amount. LEDs have a threshold voltage too, but it's a lot smaller percentage generally, for zero light output.
"Alcohol, Tobacco, Firearms, and Explosives" should be a convenience store, not a government agency.