LED Lights: Friend or Foe?

elfdump writes: "In an article (pdf) soon to be published in ACM Transactions on Information and Systems Security, security researchers have discovered that data transmitted through modems and routers can be remotely reconstructed from the equipment's LED status indicators. According to experiments, their light-to-information retrieval method is successful even when the light is captured 'at a considerable distance' from the source. If you want to prevent people from spying on your data, you may want to tape up those blinking LEDs!"

WAPs + Airport

So I should put big, bulky Duck Tape over my beautiful Airport Base Station? No way! Plus, I get poor enough reception in some parts of my own house, never mind my neighbors spying on me. ;-)

Re:I'll take that risk.

At least in this case you know where your data is going. You can see the light coming out of your modem.

If you look around and see someone with some sort of optical device pointed at your modem you can bonk them on the head and tell them to cut it out.

Once it heads out the wire into the rest of the world, you have no clue. If it comes to privacy/security, the modem lights are the least of my concerns.

Re:bullshit

if you read the article, they implemented this at speeds up to 56k and said the physics should hold up until 10mb. look up at the light in your bedroom. you would probably say that its on. but its really flashing on and off faster than you can see. same thing with that led on your modem. when you see one blink it is most likely a lot of blinks faster than your eye can see, but not faster than optical equipment can see.

Re:bullshit

Some newer, energy-efficient fluorescents operate at frequencies >60Hz, and have long-decay phosphor coatings effectively eliminating the "on-off" effect.

(A fluorescent lamp operates by an electric arc which vaporizes and excites mercury in an otherwise near-vacuum; the mercury gas emits light in the ultraviolet spectrum. The ultraviolet light excites a fluorescent coating which in turn emits light in the visible spectrum. Different colors of fluorescent lamps are made by introducing different materials into the fluorescent coating.)

LED's, on the other hand, lacking a fluorescent material, have very steep attack and decay slopes, allowing them to respond (flicker) at very high rates.

P.S. -- "Fluorescent" means to become excited by light in one spectrum and emit it in another spectrum. A more precise word would probably be "photoluminescent." Neon and LED's are types of "electroluminescent" lamps -- light is emitted when the material is excited by electricity. Incandescent is "thermoluminescent" -- light is emitted when the material becomes thermally excited (hot). A fluorescent lamp is a combination of electroluminescent and photoluminescent technologies.

P.P.S. -- I like to make up big words. It makes me sound smart.

Re:bullshit

reconstruct the data from the flashing lights??? whatever. That's so ridiculous it's laughable.

Isn't this how fiber optic cable works? Light pluses traveling down a thin strand of glass to transmit data at high speed over long distances.

I'm not claiming to be an engineer or scientist, but I guess I could see how it might be possible (probably with the same type of fiber-optic reader) to decode some of information from your LED.

If anyone has more techincal info, please post.

Re:bullshit

Not necessarily BS, though it depends on the way the hardware is made. A very simple way (engineering-wise) to implement an indicator LED on a cable modem would be as follows: Whenever the modem is receiving a "1" bit, turn the LED on, otherwise, turn the LED off. Being a type of diode, LEDs are capable of extremely high switching rates (remote controls generally use infrared LEDs pulsed at 56 kHz to transmit data. They can actually switch much faster). Hence, for each packet received, the LED would actually blink dozens of times. To a person, this looks like just a single blink, but a high-speed photodetector would be able to measure the length of each pulse, and use that information to reconstruct the data that was received.

Of course, all this relies on the construction of the modem. Using a slightly less naive algorithm (when a packet arrives, turn the LED on for 1 ms and then shut it off) would defeat this unique kind of sniffing. Still, after staring at my lan hub for a few minutes, I'm wondering if it uses the former technique for flashing the light...

Re:LED Mods

Yeah, but then you get some wag at the manufacturer who programs the LEDs to make it seem as if you spend your entire time looking at porn, downloading strange software and sharing your semi-legal files with other geeks.

(Remembers where he's posting)

Never mind!

Maran

Yikes...

At one time I worked with what I thought was a highly paranoid CIO for a manufacturing company. He had custom-made black plastic covers made for every modem in the modem pool (this was waaaay back) for this very reason.

I tried not to think about it but he was convinced that eventually someone would create technology that would re-construct the data transmission based on those LEDs.

If he's reading this (and he knows who he is), you paranoid sod, damn you for being right. *grin*

Re:Yikes...

"custom-made black plastic covers made for every modem"

You mean electrical tape?

Re:I know how he feels.

That funny. I to sometimes think that if I stare at those blinking lights long enough I would be able to discern a message. I just chalked it up to my familys history of mental illness.

But it turns out I was right all along.

Don't be so sure. We're all commenting on a kernel update story. What are you seeing!?

reminds me of Cryptonomicon

...where the main character, in fear of his computer being Van Eck phreaked, redirects output from a decryption program to turn on-and-off his scroll-lock key in morse-code.

Re:Here.. Look into this live fiber..

The LED's don't indicate the data pattern, just the transmission pattern.. You can't tell a 1 from a 0 by looking at the LEDs..

You didn't actually read the paper, did you? It turns out that the LEDs on modems actually do indicate the data pattern. Most modems have "Class III" LED emanations (i.e. "strongly correlated with the content of data being transmitted"). Most LAN and WAN equipment does not have Class III optical emissions, with the exception of an LED on the back panel of certain CISCO routers (page 11). See the table on page 10 of the paper.

In fact, they reconstruct actual data from actual modems over various distances ranging from 5 metres to 30 metres. They believe that, given the right optics, this could be done over several hundred metres.

They also found that the Paradyne Infolock 2811-11 DES encryptor has an LED on the plaintext data.

And they have a great appendix on using keyboard LEDs as a high-bandwidth covert channel, with the obligatory reference to Cryptonomicon.

arrch!

ibm defaced my slashdot page! :'(

Could be a hoax, but here's a simple solution:

Just put a tiny capacitor on your Tx and Rx LEDs.
It's a hoax anyway... ;)

Das Blinkenlights

I knew I should have heeded this warning:

ACHTUNG! Alles touristen und non-technischen peepers!
Das machine control is nicht fur gerfinger-poken und mittengrabben. Oderwise is easy schnappen der springenwerk, blowen fuse, und poppencorken mit spitzensparken.

Der machine is diggen by experten only. Is nicht fur geverken by das dummkopfen. Das rubbernecken sightseenen keepen das cotten picken hands in das pockets, so relaxen und watchen das blinkenlights.

Re:Das Blinkenlights

Here is the babelfish translation:

NOTE! All tourist and non technical peepers! The machine control is not fur gerfinger poken and mittengrabben. Oderwise is easy snatch that branching factory, blowen fuse, and poppencorken with sharpen-deactivate. The machine is by experts diggen only. Is fur do not geverken by the dummkopfen. Rubbernecken sightseenen keepen the that cotten picken hands in pockets, then relaxen and watchen blinkenlights.

Fixing this issue

I'll just put my modem upside down...that way, everything will transmit backwards...

Tempest

Look around for info on the U.S. government's declassified Tempest program. That shows how you can really do this, by sampling the radio emissions of the equipment. Any rapid switching creates radio waves, if you don't shield them effectively you may indeed leak information off site. There have been demonstrations of reading a CRT by the video monitors radio emissions.

To do this with an LED would require that the LED be actually driven by the data signal. Most of them go on at the start of the packet or byte and go off at the end, they don't go on for 1 and off for 0. So, you might be able to do a little traffic analysis, but you would not be able to recover the data.

Bruce

Re:Tempest

It's a question of whether the indicator is what the article terms a "Class II" device (signal based on activity) or a "Class III" indicator (signal based on data). You, and everyone else that failed to read the article before posting hunches, can read go read page 10, which has a list of various devices shows those that have class III indicators that are susceptible to the snooping in question.

The Cisco 4000 and 7000 IP Routers are "Class III" devices, and they're relatively popular.

Re:Tempest

Look around for info on the U.S. government's declassified Tempest program. That shows how you can really do this, by sampling the radio emissions of the equipment. Any rapid switching creates radio waves, if you don't shield them effectively you may indeed leak information off site. There have been demonstrations of reading a CRT by the video monitors radio emissions

Indeed. Here is a program [erikyyy.de] that implements just that. Tempest for Eliza is an interisting program... it actually played classical music on my AM radio using the monitor color intensity! There's a mod for mp3 even. Check it out.

cheers,

fsm

A quick solution

Just hide your hub in a teddy bear, noone will point his eavesdropping device on such an innocent toy, would they?

CRT's can nail you too

Here's a paper [cam.ac.uk] by the amazing Markus Kuhn (who has done many other brilliant security hacks besides this) showing how CRT display contents can be reconstructed from the light given off by the screen, even when the light is reflected diffusely off a wall. It makes me glad I use an LCD monitor.

Re:This is the stupidest thing I've ever heard

Your unwarranted presupposition is why this article is so interesting. My first reaction too was "there's no way."

But then I remembered my Digital Electronics class in college where we ran square waves at high frequencies through LEDs... seeing the light seem to fix itself on "on" past any respectable Hertz, I mentioned to the professor "so its power-on time must be shorter than its power-off." His response was "...well, or your eyes just aren't good enough to see that fast." He was right: LEDs aren't like incandescent lights, they can turn on and off very, very fast.

I had just never thought of the little RD/SD lights as transmitting any information, under the refresh rate of my eye. If you'd asked me I would have assumed the manufacturers would have considered this and put a delay into the power-on/power-off times of their LEDs, even one millisecond would do fine.

But many of them didn't. And nobody thought to check until these guys decided to write their paper.

*Can* tell 1 from 0

I see lots of posts already from people claiming this is a hoax based on the fact that you can't tell a one from a zero. Well if you RTFA (article), they explain how this can be done through the use of decoding the physical encoding done by the hardware. They explain that the encoding scheme used is a NRZ-L (non-return-to-zero level). This means that everything can be assumed to be a one except for when data is being transmitted, in which case the bits are zeros.

This is a PHYSICAL encoding, not something cooked up by them. It's used in a variety of devices. Look it up.

There are other schemes, including non-return-to-zero inverted, and non-return-to-zero space. However these two encoding schemes do not work with absolute values, only transitions from one value to another (ie. from one to zero, or zero to one). There is also Return-to-zero and biphase encoding schemes as well, which attempt to correct problems found in the non-return-to-* schemes. However, NRZ-L is the most simple form of encoding, IIRC.

Ok...

I'll get right on that, as soon as I finish my tinfoil hat.

Good lord.

OT:Slashdot readers

Over time, you notice that people that read and post on Slashdot are extremely misinformed, narrow minded, and self centred.

There are at least 50 posts now on this story claiming it is a hoax. It's clear from many of these that few have actually read the synopsis at the top of the paper, never mind the rest of it.

It is not talking about 10Mbps communications. It is talking about lower data rate comms, like modems, serial lines, and the like.

It does work, only on a small amount of devices. It is short range. This doesn't make it a hoax.

TEMPEST is at a stage where it is hard to perform - we're talking government/big company level to manage anything impressive or useful. Take a look at this tempest radio site [erikyyy.de]. Neat, but not very useful.

If you have no idea what you are talking about or don't have anything useful to add, keep quiet. Is it just so you can get your karmas up???

Speed of LEDs

The responses to this article seem to all question the switching speed of LEDs. Even the least expensive LEDs are capable of at least 100kHz operation, with many, many, common LEDs capable of operating at several MHz. Remember, most of the fiber-based transceivers use LEDs, not laser diodes. I've used LED-based 3com equipment over a 2 km 62.5/125 um MM fiber link without trouble. These LEDs (not IR LEDs) were easily able to handle 10 Mbps.

Cheap backup solution!

I can backup the whole network by videotaping the front panel of our switch.

.

Need A New Moderation

of "-1 Didn't Bother To Read The Article". The number of people in this thread who posted and clearly did not read the article is astounding. We need some way of making everybody actually read the article and then start the thread over again. Sheesh.

reminds me of Cryptonomicon. Yeah, that's probably why Cryptonomicon is one of the references in the article!

The LED's don't indicate the data pattern, just the transmission pattern.. It depends on the equipment. Many older serial devices do indicate the data.

I call BS on this one... (Score:2, Informative) Uh, OK. Trying reading the article. And who modded this up?

Tempest (Score:4, Informative) ....To do this with an LED would require that the LED be actually driven by the data signal. Most of them go on at the start of the packet or byte and go off at the end, they don't go on for 1 and off for 0. So, you might be able to do a little traffic analysis, but you would not be able to recover the data. True for some devices but not others. Please read the article. It's quite clear about where this does and does not work.

Yeah Right (Score:3, Interesting) After that, good luck doing the packet reconstruction, parse the IP tunnelling, determine what protocol I'm using, and separating signals from my browser, FTP client, weather ticker, httpd, apt-get and realplayer streaming all running at the same time. OK. Maybe you read the article. But this is just silly. Any good packet analyzer like Ethereal will do all this.

Anyways, this is complete FUD. You cannot pick out binary packet data from transmit/receive status lights. OK. Try reading the article next time.

The light blinks ON when data is going, OFF when it's not. Might make a nice indication of when there is data, but not what that data was. Once again. Read the article. Some things work this way. Some don't.

I would have to agree with you on this one. Even if the router were only serving a 1.5Mbit T1, that's still 1.5 million bits per second. I have a hard time believing that an LED can blink fast enough to reliably recreate that data. Read the article. Your T1 CSU/DSU probably isn't going to drive the LED at 1MHz or more but the LED is quite capable of switching at up to 10MHz.

That's pretty feasable, but even if it would blink for every packet you recieved, or even every byte, you still wouldn't know the contents of the bits, or whether it's a one or a zero. I'm still calling BS. Read the article.

Another vote for "Bullsh*t". I'm pretty certain that the LED doesn't blink for *every* single bit. And what about compression techniques that use phase and so on? You are not actually putting just ones and zeros onto the wire you know. Read the article. The external modems which are vulnerable are transmitting data from the RS-232 side of the modem which has very simple encoding. This is clearly explained in the article.

Wow. We get a nice, well written article with lots of specifics and details about exactly which devices were tested and which leak information, all the way to including comparative graphs of received optical signals, and people call BS on it? I suggest the folks making "tin foil hat" jokes invest in a different type of head gear: reading glasses!

Move over 802.11x

If it can really pick up signals with few enough errors to be usable, then I want to use it for networking! Some posts here claim that it can easily do 10MBit/sec. What's stopping someone from making an array of them, for high speed wireless access?

Actually, now that I think of it, that must have been what all those big clunky lights were on ST:TOS. Networking of the future!

Physical access...

There are two ways to put in an LED to show when a device is transmitting or receiving. One is to tie it to the transmit or receive enable/detect signal, IF there is any. The other is to tie it to the data line. In that case, the LED may be blinking right along with the data, although too fast for the human eye to see. It looks like it is on continually, but the signal could be recovered with a fast enough detector. This depends on the LED turn-on/turn-off time; if it's 8 nS (pretty common), a 56K modem would be easy to pick up. ADSL or cable modems at a few MHZ would be sending out a clear signal; I'm not sure if there are cheap optical detectors that will work at those speeds, but there are expensive ones that go into the gigahertz. 10MHz ethernet signals would be "blurry" but with a good detector, a fast ADC, and some signal processing you could recover them. With 100MHZ ethernet, no data could be recovered.

But before you can do any of that, you have to be able to _see_ the blinking lights. If someone can get into your wiring closet and focus an optical detector on your hub, it would be a heck of a lot simpler to just connect the network sniffer by cable. The real hazard is if the blinking lights are pointed out the window -- that's an unusual location for a network hub, switch, router. or server, but it's quite likely your business has some desktop computers with the back towards a window and the LED's for the NIC and modem cards visible from outside, so a telescope in a van parked across the street could, in theory, extract the data. For instance the receptionist's computer is probably oriented this way; it probably isn't worthwhile for someone to go to this much trouble to find out what a receptionist is up to, but if the NIC is showing data flowing to and from other machines on a shared network cable, better stick on a bit of electrical tape...

I do this already

Yeah, that's right. I just head into the server room, turn all the lights out, and stare at the routers.

Sure, it takes awhile to learn how to read it...

But after awhile, I just see Blonde here, Brunette there, Redhead over there...

They may mean more than you think

I remember when I was in the office at Acorn Computers chatting to a guy called Dave Walker. Someone walked up to his desk, plonked down an Acorn PC and said it wasn't working. He plugged it in and watched it for a moment (just the box, no monitor was plugged in). After a few seconds he pulled the top off, pushed in a certain chip (loose memory or something), put the lid on and booted... this time the PC whirred into life properly. When I asked him how he did that magic trick, he told me that when there is an error the floppy drive light blinks it out in morse code. I'd had one of these machines for years and had never known that was staring me in the face!

Phillip.

Re:ummm...doubtful

Many LEDs have a response time of around 8 nano seconds, which means they can blink roughly 12.5 million times a second. Enough to transmit 12.5 Mb/s of data. If your on a 10Mb network then that's plenty good for the spy. If your on a 100Mb/s network, the spy is out of luck.

Re:ummm...doubtful

It really can be done.

For example, in high school, I attached an LED to the output of a radio or microphone (can't remember which) and then aimed it at a solar cell attached to the input of a speaker. And it worked! I'm not sure if the quality was good enough to capture a modem signal, but it was certainly a poor-man's wireless speaker.

If the spy has more sensitive equipment, and if the LED on a modem really is tied to the phone line, then there should be nothing stopping the spy from capturing the transmission and decoding it later.

Re:ummm...doubtful

I've seen my lights blink, and I don't think that there's any way... I'm throwing in the towell and saying I don't think so....

"+1, informative"? Heh, mods are on crack again.

Have a look into a Toslink digital audio connector some time. It's using a plain old LED to transmit information. It looks to the naked eye like it's on solid, there's no flicker whatsoever. What would you "think" if you saw that? Your gut reaction is totally off base here.

Thanks slashdot moderators

For modifying someone's unsubstantiated "hunch" as informative.

I've seen my lights blink, and I don't think that there's any way
Yes, and I've looked on a CD and I just don't see any data on it.

Re:Simple math says no

When I first started in networking I was assigned to test some FDDI gear, which used in 1995 LEDs to send data down a fiber at 100 mbs. Now there is a limit to how fast a LED can blink, but we know how to design them for 100Mbs. I don't think we can do 1Gb/s with an led though, at least all the gigabit stuff I work with today is lazers. (much of it was back then too, but an LED is much cheaper than a laser so for short distances we used the leds.

If we could make LEDs work then, I'm sure today we can too, though having all the light guided to the destination by a fiber makes it much easier than reading the difuse light from a modem led which might or might not acually flash to indicate data. I know know of some routers that appeared to have tied the ethernet activity light to the datastream, and others where it was just on. Some hubs seem to do this too.

Re:Perhaps covered in article?

This poster asked a serious question, and gets a "troll" metamod.

He asked no question. He merely called the paper a hoax and the authors frauds, with no proof.

Troll.