LED Lights: Friend or Foe?

elfdump writes: "In an article (pdf) soon to be published in ACM Transactions on Information and Systems Security, security researchers have discovered that data transmitted through modems and routers can be remotely reconstructed from the equipment's LED status indicators. According to experiments, their light-to-information retrieval method is successful even when the light is captured 'at a considerable distance' from the source. If you want to prevent people from spying on your data, you may want to tape up those blinking LEDs!"

Re:bullshit

[k2enemy]

if you read the article, they implemented this at speeds up to 56k and said the physics should hold up until 10mb. look up at the light in your bedroom. you would probably say that its on. but its really flashing on and off faster than you can see. same thing with that led on your modem. when you see one blink it is most likely a lot of blinks faster than your eye can see, but not faster than optical equipment can see.

Re:ummm...doubtful

[swagr]

Many LEDs have a response time of around 8 nano seconds, which means they can blink roughly 12.5 million times a second. Enough to transmit 12.5 Mb/s of data. If your on a 10Mb network then that's plenty good for the spy. If your on a 100Mb/s network, the spy is out of luck.

Re:ummm...doubtful

[CaseyB]

I've seen my lights blink, and I don't think that there's any way... I'm throwing in the towell and saying I don't think so....

"+1, informative"? Heh, mods are on crack again.

Have a look into a Toslink digital audio connector some time. It's using a plain old LED to transmit information. It looks to the naked eye like it's on solid, there's no flicker whatsoever. What would you "think" if you saw that? Your gut reaction is totally off base here.

CRT's can nail you too

[phr2]

Here's a paper by the amazing Markus Kuhn (who has done many other brilliant security hacks besides this) showing how CRT display contents can be reconstructed from the light given off by the screen, even when the light is reflected diffusely off a wall. It makes me glad I use an LCD monitor.

*Can* tell 1 from 0

[mclearn]

I see lots of posts already from people claiming this is a hoax based on the fact that you can't tell a one from a zero. Well if you RTFA (article), they explain how this can be done through the use of decoding the physical encoding done by the hardware. They explain that the encoding scheme used is a NRZ-L (non-return-to-zero level). This means that everything can be assumed to be a one except for when data is being transmitted, in which case the bits are zeros.

This is a PHYSICAL encoding, not something cooked up by them. It's used in a variety of devices. Look it up.

There are other schemes, including non-return-to-zero inverted, and non-return-to-zero space. However these two encoding schemes do not work with absolute values, only transitions from one value to another (ie. from one to zero, or zero to one). There is also Return-to-zero and biphase encoding schemes as well, which attempt to correct problems found in the non-return-to-* schemes. However, NRZ-L is the most simple form of encoding, IIRC.

Re:Here.. Look into this live fiber..

[Nick+Barnes]

The LED's don't indicate the data pattern, just the transmission pattern.. You can't tell a 1 from a 0 by looking at the LEDs..

You didn't actually read the paper, did you? It turns out that the LEDs on modems actually do indicate the data pattern. Most modems have "Class III" LED emanations (i.e. "strongly correlated with the content of data being transmitted"). Most LAN and WAN equipment does not have Class III optical emissions, with the exception of an LED on the back panel of certain CISCO routers (page 11). See the table on page 10 of the paper.

In fact, they reconstruct actual data from actual modems over various distances ranging from 5 metres to 30 metres. They believe that, given the right optics, this could be done over several hundred metres.

They also found that the Paradyne Infolock 2811-11 DES encryptor has an LED on the plaintext data.

And they have a great appendix on using keyboard LEDs as a high-bandwidth covert channel, with the obligatory reference to Cryptonomicon.

Re:Tempest

[CaseyB]

It's a question of whether the indicator is what the article terms a "Class II" device (signal based on activity) or a "Class III" indicator (signal based on data). You, and everyone else that failed to read the article before posting hunches, can read go read page 10, which has a list of various devices shows those that have class III indicators that are susceptible to the snooping in question.

The Cisco 4000 and 7000 IP Routers are "Class III" devices, and they're relatively popular.

Physical access...

[markmoss]

There are two ways to put in an LED to show when a device is transmitting or receiving. One is to tie it to the transmit or receive enable/detect signal, IF there is any. The other is to tie it to the data line. In that case, the LED may be blinking right along with the data, although too fast for the human eye to see. It looks like it is on continually, but the signal could be recovered with a fast enough detector. This depends on the LED turn-on/turn-off time; if it's 8 nS (pretty common), a 56K modem would be easy to pick up. ADSL or cable modems at a few MHZ would be sending out a clear signal; I'm not sure if there are cheap optical detectors that will work at those speeds, but there are expensive ones that go into the gigahertz. 10MHz ethernet signals would be "blurry" but with a good detector, a fast ADC, and some signal processing you could recover them. With 100MHZ ethernet, no data could be recovered.

But before you can do any of that, you have to be able to _see_ the blinking lights. If someone can get into your wiring closet and focus an optical detector on your hub, it would be a heck of a lot simpler to just connect the network sniffer by cable. The real hazard is if the blinking lights are pointed out the window -- that's an unusual location for a network hub, switch, router. or server, but it's quite likely your business has some desktop computers with the back towards a window and the LED's for the NIC and modem cards visible from outside, so a telescope in a van parked across the street could, in theory, extract the data. For instance the receptionist's computer is probably oriented this way; it probably isn't worthwhile for someone to go to this much trouble to find out what a receptionist is up to, but if the NIC is showing data flowing to and from other machines on a shared network cable, better stick on a bit of electrical tape...

Re:bullshit

[Webmoth]

Some newer, energy-efficient fluorescents operate at frequencies >60Hz, and have long-decay phosphor coatings effectively eliminating the "on-off" effect.

(A fluorescent lamp operates by an electric arc which vaporizes and excites mercury in an otherwise near-vacuum; the mercury gas emits light in the ultraviolet spectrum. The ultraviolet light excites a fluorescent coating which in turn emits light in the visible spectrum. Different colors of fluorescent lamps are made by introducing different materials into the fluorescent coating.)

LED's, on the other hand, lacking a fluorescent material, have very steep attack and decay slopes, allowing them to respond (flicker) at very high rates.

P.S. -- "Fluorescent" means to become excited by light in one spectrum and emit it in another spectrum. A more precise word would probably be "photoluminescent." Neon and LED's are types of "electroluminescent" lamps -- light is emitted when the material is excited by electricity. Incandescent is "thermoluminescent" -- light is emitted when the material becomes thermally excited (hot). A fluorescent lamp is a combination of electroluminescent and photoluminescent technologies.

P.P.S. -- I like to make up big words. It makes me sound smart.