A scientific team from Ben Gurion University in Israel and the Weizmann Institute for Scientific Research recently demonstrated a magical eavesdropping technique that can be done with just one light bulb, a laptop and equipment worth less than $1,000. The technique, known as the “lamphone” side channel attack, uses photoelectric sensors to analyze the frequency response of the bulb to sound. The “lamphone” measures the tiny light fluctuations that sound waves produce when they hit the bulb and causes it to vibrate slightly. The electro-optical sensor isolates the audio signal from the optical signal in four stages.
Unlike similar attacks that analyze the effects of sound waves on nearby objects, this version is passive, external, and, most critically, in real time. To prove the effectiveness of the attack, the team targeted an office on the third floor of an office building. Curtain walls reduce the amount of light emitted by the office and cover the entire building. The target office contains a suspended E27 LED bulb (12 watts).
The eavesdropper was located on a footbridge, located 25 metres above the target’s office. The experimentdescribed in this section was carried out using three different lens diameters (10,20, 35 cm) of telescopes.
The team installed a photoelectric sensor (Thorlabs PDA100A2) on one telescope at a time, a large, switchable gain light sensor consisting of photodiodes used to convert light into voltage. The voltage is obtained from the photoelectric sensor via a 16-bit ADC NI-9223 card and processed in the LabVIEW script we wrote. The sound played in the office during the experiment is not heard in the location of the eavesdropper.
This technology enables high-quality capture and conversion into audio, even being recognized by the music recognition application Shazam. At the same time, this voice was successfully transcribed by Google’s text-to-speech API. Ben-Gurion, a security researcher at Ben-Gurion University who co-developed the technology, said they wanted to raise awareness of the attack vector and let both monitoring sides know what’s possible.