THE flashing lights on computers, modems, network switches and even keyboards could be broadcasting your personal data around your office or home—or even out of the window.
After testing a number of computer systems and pieces of peripheral equipment such as modems for “optical leakage”, two American engineers have found that blinking LEDs can flash out sensitive data in the computer equivalent of Morse code.
In a project undertaken in their spare time, Joe Loughry of Lockheed Martin Space Systems in Denver, Colorado, and David Umphress of Auburn University in Alabama have tested various computer systems over the past eight years. They have identified 14 different electronic devices that are used in hundreds of thousands of homes and offices that are vulnerable to “optical snooping”. These include Internet routers—exchanges for Internet messages—and various modems made by the big names in the field. But their list is by no means comprehensive, and hundreds of devices could be vulnerable.
Advertisement
The pair found that the LEDs on some equipment transmit information in uncoded “plain text” format. The flashing LEDs often indicate that the device is active and is transmitting or receiving data—allowing technicians to diagnose problems.
In most cases, encrypting the data before it passes through the vulnerable device would prevent anyone gleaning data from this optical signal. However, one encryption device was found to flash the signals in plain text from its fascia LEDs. This machine was once used to encrypt information transmitted to and from high street cash machines.
“That particular device is no longer in use anywhere, as far as I know,” Loughry told New Scientist. “We wouldn’t have mentioned it otherwise, as it would be irresponsible to do so.” They didn’t have the money to buy any more recent equipment, he added.
So how might hackers get at these signals? The tiny LEDs on modems aren’t particularly bright, so Loughry’s detection device uses a telescope to focus the signals onto a photodiode, which is connected in turn to an oscilloscope. The oscilloscope records the varying waveform of the light signal, so the data can be analysed later.
The cheap receiver successfully retrieved information from vulnerable devices at a range of about 20 metres. But Loughry reckons serious snoopers might build bigger versions using 30 to 40-centimetre astronomical telescopes. “These would be no bigger than man-sized, and would work reliably out to a distance of a mile or so,” he predicts.
To underline the risk posed by LEDs, Loughry and Umphress have developed a computer virus which uses a keyboard’s “caps lock” LED to surreptitiously transmit data. “This method may provide enough information to compromise identity verification systems based on the way you type, or on the generation of cryptographic keys,” Loughry says. “It potentially affects hundreds of millions of devices.”
- More at: