How to turn a coke can into a eavesdropping device

ASIAN BLACK HAT — According to a team of researchers from Ben-Gurion University of the Negev, a soda can, smartphone stand, or any shiny, light desk decoration could pose a eavesdropping threat, even in a soundproof room, if an attacker can see the object. .

At the Black Hat Asia security conference on Thursday, and in an effort to expand on previous research on optical voice eavesdropping, the research team showed that audio conversations at the volume of a meeting or a typical conference call could be captured up to 35 meters, or about 114 feet, away. The researchers used a telescope to collect light reflected from an object near the speaker and a light sensor – a photodiode – to sample changes in light as the object vibrated.

A lightweight object with a shiny surface reflects the signal with enough fidelity to pick up the audio, said Ben Nassi, an information security researcher at the university.

“Many bright, light objects can serve as optical implants that can be exploited to recover speech,” he said. “In some cases they are completely innocent objects, like a smartphone holder or an empty drink can, but all of these devices – because they share the same two characteristics, they are light and shiny – can be used to listen when there is enough light.

The listening experiment isn’t the first time researchers have attempted side-channel attacks that pick up sound from surrounding objects.

Improve past optical eavesdropping
In 2016, for example, researchers demonstrated ways to reconfigure a computer’s audio out jack to an audio in jack and thus use speakers as microphones. In 2014, a group of MIT researchers found a way to use a bag of chips to capture sound waves. And in 2008, a group of researchers created a process to capture keys typed on a keyboard by their sounds and the time between keystrokes.

The MIT research is similar to the technique pursued by researchers at Ben-Gurion University, except that mining required more restrictive placement of the reflective object and substantial processing power to retrieve the audio, Raz said. Swissa, researcher at Ben Gurion University of the Negev.

“This [older] The method cannot be applied in real time because it requires a lot of computing resources to retrieve just a few seconds of sound,” he said. And other well-known techniques, like a laser microphone, require a detectable light signal to work.

The researchers therefore focused on creating a process that could be accomplished with everyday objects already in the targeted area and using readily available instruments. Using objects 25 centimeters – about 10 inches – from the speaker, the researchers were able to capture fluctuations in the light reflected from them up to 35 meters away. Recovered speech was quite clear at 15 meters and quite understandable at 35 meters.

Overall, the experimental setup, which the researchers call the Little Seal Bug, could be used to capture audio with everyday objects. The attacker can be external to the target, therefore less detectable, while the low computational requirements make capture available in real time.

Great Seal, Lesser Seal and Beyond
The Little Seal Bug is a nod to a well-known old spy incident known as The Great Seal Bug. In 1945, the Soviet Union presented the American ambassador with an embossed crimson eagle apparently celebrating American-Soviet collaboration in defeating Nazi Germany. Yet the Great Seal also had a hidden audio recorder that allowed Soviet spies to listen in on high-level conversations at the embassy.

Similarly, the Little Seal Bug could use common items around a desk to capture audio via reflected light. In addition, most mobile devices are equipped with a photo sensor that does not require special permission to access it. If the researchers did not imagine an attack chain using the sensor, such a resource could very well be used by future attackers.

However, there are many more likely threats of spy attacks, Nassi said. Whether compromising systems with malware and capturing audio that way, or using microphones already built into IoT devices, such as AI assistants and cameras video, our world is rapidly filling with potential listening devices.

“A smartphone, a laptop, an IP camera and a smart watch are probably more risky in terms of privacy than these devices or objects,” he said.

Related Articles

Leave a Reply

Your email address will not be published.

Back to top button