BLACK HAT ASIA — A soda can, a smartphone stand, or any shiny, lightweight desk decoration could pose a threat of eavesdropping, even in a soundproof room, if an attacker can see the object, according to a team of researchers from Ben-Gurion University of the Negev.
At the Black Hat Asia security conference on Thursday, and aiming to expand on previous research into optical speech eavesdropping, the research team showed that audio conversations at the volume of a typical meeting or conference call could be captured from up to 35 meters, or about 114 feet, away. The researchers used a telescope to collect the light reflected from an object near the speaker and a light sensor — a photodiode — to sample the changes in the light as the object vibrated.
A lightweight object with a shiny surface reflects the signal with enough fidelity to recover the audio, said Ben Nassi, an information security researcher at the university.
"Many shiny, lightweight objects can serve as optical implants that can be exploited to recover speech," he said. "In some cases, they are completely innocent objects, such as a smartphone stand or an empty beverage can, but all of these devices — because they share the same two characteristics, they are lightweight and shiny — can be used to eavesdrop when there is enough light."
The eavesdropping experiment is not the first time that researchers have attempted side-channel attacks that pick up audio from surrounding objects.
Improving on Past Optical Eavesdropping
In 2016, for example, researchers demonstrated ways to reconfigure the audio-out jack on a computer to an audio-in jack and thereby use speakers as microphones. In 2014, a group of MIT researchers found a way to use a potato chip bag to capture sound waves. And in 2008, a group of researchers created a process to capture the keys typed on a keyboard by their sounds and the time between keystrokes.
The MIT research is similar to the technique pursued by the Ben-Gurion University researchers, except that exploitation required more restrictive placement of the reflective object and required substantial processing power to recover the audio, said Raz Swissa, a researcher with Ben-Gurion University of the Negev.
"This [older] method cannot be applied in real time because it requires a lot of computational resources to recover just a few seconds of sound," he said. And other well-known techniques, such as a laser microphone, require a detectable light signal to work.
The researchers thus focused on creating a process that could be accomplished with everyday objects already in the targeted area and using instruments that are readily available. Using objects 25 centimeters — about 10 inches — away from the speaker, the researchers could capture fluctuations in the light reflected off of them up to 35 meters away. The recovered speech was quite clear at 15 meters and somewhat understandable at 35 meters.
Overall, the experimental setup, which the researchers call the Little Seal Bug, could be used to capture audio with everyday objects The attacker can be external to the target, thus less detectable, while the low computational requirements make capture available in real time.
Great Seal, Little Seal and Beyond
The Little Seal Bug is a nod to a well-known early espionage incident, known as the Great Seal Bug. In 1945, the Soviet Union gifted the US ambassador a crimson, embossed eagle seemingly celebrating the US-Soviet collaboration to defeat Nazi Germany. Yet the Great Seal also had a hidden audio recorder that allowed Soviet spies to eavesdrop on high-level conversations in the embassy.
Similarly, the Little Seal Bug could use common items around an office to capture audio via reflected light. In addition, most mobile devices come with a photosensor that does not require special permission to access. While the researchers have not come up with an attack chain using the sensor, such a resource could very well be used by future attackers.
However, there are many more likely threats for espionage attacks, Nassi said. From compromising systems with malware and capturing the audio that way, to using microphones already embedded in Internet of Things devices, such as AI assistants and video cameras, our world is quickly becoming filled with potential eavesdropping devices.
"A smartphone, a laptop, an IP camera, and a smart watch are probably more risky in terms of privacy than these devices or objects," he said.