Spies and hackers can eavesdrop on conversations from 82 feet (25 metres) away by analysing the vibration patterns in a hanging light bulb, a study has found.
The ‘lamphone’ technique discovered by security experts from Israel needs only a laptop and gear — including a telescope and sensor — costing less than just £1,000.
According to the team, they did not develop the lamphone to eavesdrop on people — but to highlight the potential vulnerability.
For those concerned about the security implications, however, the technique is easy to thwart — one simply needs to pull the curtains, or invest in a big lampshade.
Scroll down for video
Spies and hackers can eavesdrop on conversations from 80 feet (24 metres) away by analysing the vibration patterns in a hanging light bulb, a study has found (stock image)
The ‘lamphone’ technique discovered by security experts from Israel needs only a laptop and gear — including a telescope and sensor — costing less than just £1,000. Pictured, an illustration of how the ‘lamphone’ method can use the vibrations of a light build to reconstruct audio from a distant room
‘Any sound in the room can be recovered from the room with no requirement to hack anything and no device in the room,’ paper author and security researcher Ben Nassi of the Ben Gurion University of the Negev in Beersheba, Israel, told WIRED.
‘You just need line of sight to a hanging bulb, and this is it.’
In their study, Mr Nassi and colleagues arranged a series of telescopes around 82 feet (25 metres) outside a third-floor target office on which they wanted to eavesdrop — training the devices on a 12-watt LED light bulb hanging in the room.
They then connected an electro-optical sensor to each telescope, converting the output from the sensor into digital information for analysis on a laptop computer.
The team found that noise in the target room caused the hanging bulb to vibrate — undergoing tiny, micron-sized movements imperceptible to a human viewer of the lamp, but detectable by measuring the impact on the light emitted by the bulb.
In this way, the team could reconstruct both spoken words and music played in the distant office — in high enough fidelity that a snippet of a speech by US President Donald Trump could be reproduced and translated by Google’s Cloud Speech API.
Similarly, the setup was able to reconstuct two songs — ‘Let It Be’ by the Beatles and ‘Clocks’ by Coldplay — so clearly that music-identification app Shazam was able to recognise both of them.
The team noted that the lamphone approach has some limitations — specifically that it is unclear if fixed bulbs would also vibrate enough to work and that the test recordings they used were played louder than the typical human conversation.
However, the researchers noted that their tests employed relatively low-end sensors and analogue-to-digital signal converters — and that more expensive equipment would likely be more than capable of picking up quieter conversations.
Investigation also found that LED bulbs make for better eavesdropping tools — with a signal-to-noise ratio of around 6.3 times that of an incandescent bulb and 70 times that of a fluorescent counterpart.
In their study, Mr Nassi and colleagues arranged a series of telescopes around 82 feet (25 metres) outside a third-floor target office on which they wanted to eavesdrop — training the devices on a 12-watt LED light bulb hanging in the room
They then connected an electro-optical sensor to each telescope, converting the output from the sensor into digital information for analysis on a laptop computer. The team found that noise in the target room caused the hanging bulb to vibrate — undergoing tiny, micron-sized movements imperceptible to a human viewer of the lamp, but detectable by measuring the impact on the light emitted by the bulb
The lamphone approach, according to computer scientist and cryptographer Dan Boneh of Stanford University, is an example of a so-called ‘side channel’ attack — one which exploits unintended information leakage to work
‘It’s a beautiful application of side channels. Even if this requires a hanging bulb and high decibels, it’s still super interesting,’ Professor Boneh told WIRED.
‘Furthermore, he said, ‘it’s still just the first time this has been shown to be possible. Attacks only get better, and future research will only improve this over time.’
The team could reconstruct both spoken words and music played in the distant office — in high enough fidelity that a snippet of a speech by US President Donald Trump (bottom) could be reproduced and translated by Google’s Cloud Speech API. Similarly, the setup was able to reconstuct two songs — ‘Let It Be’ by the Beatles (middle) and ‘Clocks’ by Coldplay (top) — so clearly that a music-identification app could recognise them. Pictured, spectrograms of the original audio (right), the sensor output (left) and the cleaned-up data (middle)
The lamphone is not the first time that security researchers have shown how spies could subvert common household items, turning them into improvised bugs.
Experts have previously shown that lasers bounced off of windows can be used eavesdrop on buildings — while, similar to the lamphone, video recordings of objects like crisp packets or houseplants vibrating can by used to reconstruct sound.
While the video technique might be more versatile — as it does not need a switched-on light bulb to work — it cannot be operated in real time, unlike the lamphone, which therefore would come with certain advantages for espionage.
‘When you [can] actually use it in real time you can respond in real time, rather than losing the opportunity, Mr Nassi told WIRED.
However, he added, the team is not releasing their research with the aim of enabling either spies or law enforcement.
‘We want to raise the awareness of this kind of attack vector,’ he said.
‘We’re not in the game of providing tools.’
The full findings of the study will be presented at the 2020 Black Hat USA security conference, which will take place virtually from August 1–6.
A pre-print of the researchers’ article, which has not yet been peer-reviewed, can be read on the Cryptology ePrint Archive.