Turning LED Output to Audio: Glowworm Attack Sheds Light on Hardware Security

August 11, 2021 by Jake Hertz

As the world becomes more and more connected, hardware security is essential. Recently, the "Glowworm" attack shows a new and simple crack in security.

As the world becomes more technologically connected, the field of hardware security has become a hot research topic. The exploitation of hardware-level security flaws, specifically through side-channel leakages, has been at the heart of many major security breaches, including Meltdown and Spectre


An example of a side-channel leak model.

An example of a side-channel leak model. Image used courtesy of Moradi et al


Recently, researchers from the Ben-Gurion University of the Negev have announced a new hardware-level exploit that may have big implications. This article will cover the new attack, dubbed "Glowworm," how it works, and what its discovery could mean. 


Behind the Glowworm Attack 

The Glowworm attack is relatively simple and elegant, which often means that its impact is broad. 

The impact is especially true when you consider how most electronic devices include power indicator LEDs on a device's power rails to notify the user when power is available. Ideally, this LED will glow at a constant, expected intensity based on the voltage level of the rail. However, while a 5V rail will typically hold at 5V, in practice, that value fluctuates as the main load draws current. 


Example of a power indicator LED circuit.

Example of a power indicator LED circuit. Image from Nassi et al


Take a speaker, for example; when the sound gets played, the current gets drawn from the rail, which causes the rail's voltage to fluctuate ever so slightly. As a sound plays and the voltage rail fluctuates, the intensity of the power indicator LED will fluctuate linearly with the voltage rail.


Glowworm's attack model.

Glowworm's attack model. Image from Nassi et al


While this fluctuation may not be visible to the naked eye, the Glowworm attack seeks to exploit these fluctuations. 

The researchers have found that, by using an electro-optical sensor pointed directly at the power LED of an audio device or its power supply, they can successfully recover the sound being played by the device through an ADC and some DSP based on the LED's fluctuations. 

Now that the general concept of this attack is understood, let's take a look at its strengths. 


Glowworm Strengths and Weaknesses

Fundamentally, this attack can be considered power just for its simplicity. 

First off, most devices, especially consumer-facing devices like speakers, employ this simple power LED architecture as it's an easy, cheap, and well-understood solution for power indication. 

This ubiquity means that many devices are at risk of this attack. The researchers have identified devices including Google Home Mini, Logitech S120 speakers, JBL Go 2 speakers, Raspberry Pi 3, and many other vulnerable devices to this attack. 


Glowworm sound recovery from multiple distances.

Glowworm sound recovery from multiple distances. Image from Nassi et al


Secondly, the attack is passive and non-invasive. The attacker doesn't physically interfere with the device at all. In fact, the researchers have shown the efficacy of this attack as far as 35 m away from the victim. This type of attack can make it extremely hard, from an electrical standpoint, to prevent these attacks on devices that are already compromised. 

Despite the simple strengths that this attack may have, there are still weaknesses to be considered.

Of course, the attack has its weaknesses. The attacker needs a clear line of sight of the device's power LED; otherwise, the attack won't work. On top of this, the attacker needs costly equipment to make this attack work which could be a limiting factor. 

From a design standpoint, a simple solution could be adding a capacitor parallel to the LED to dampen its fluctuations. From a user standpoint, one can also cover the indicator LED with a piece of tape (similar to what many do with laptop web cameras), a dumb but reasonable solution. 



In a world where a significant amount of business is conducted via online conferencing, the ramifications of this attack prove more serious than ever. While Glowworm attacks are preventable, they can still pose a considerable risk given the attack's simplicity, passivity, and ubiquity. 

Moving forward, it may be worth considering if your device has these vulnerabilities and taking simple action, like covering the LED with a piece of tape, to prevent any unwanted eavesdropping. 

Though this attack is simple and yet easy to prevent if you're aware of the vulnerability, it is always good to stay informed and understand how information can be compromised, especially in today's extremely connected world.



Interested in other news on hardware security? Read more in the articles down below.

Embedded Security Update: Semiconductor Suppliers Fortify Subsystems

FPGAs and Firmware: An Ironclad Security Duo at Every Stage of Design and Manufacture

The Most Significant Cyberattack in History Prompts Questions About Supply Chain Security