‘Glowworm’ Attack Turns Power Light Flickers into Audio

Researchers have found an entirely new attack vector for eavesdropping on Zoom and other virtual meetings.

Virtual meetings are vulnerable to a new, exotic attack called Glowworm, which measures an audio output device’s LED power light changes and converts them to audio reproductions — allowing cyberattackers to listen to sensitive conversations.

As an increasing amount of business is being conducted over platforms like Microsoft Teams, Zoom, Skype and others, the findings present an entirely new attack vector for such electronic communications.

A team of researchers at Ben-Gurion University have published a paper on the Glowworm vector, which is technically known as a Telecommunications Electronics Material Protected from Emanating Spurious Transmissions (TEMPEST) attack — the U.S. National Security Agency designation for unintentional digital signals which can be picked up and used to compromise data security.

Federal agencies are required to protect classified information from TEMPEST attacks.

In this case, the spurious transmission is a nearly imperceptible flicker on a speaker, USB hub, splitters or microcontroller LED power.

“By exploiting imperceptible changes in the intensity of a device’s power indicator LED, which are caused by the changes in the device’s power consumption, Glwowworm is capable of recovering speech,” the team explained in a video accompanying the release of their paper.

“Our experiments show that many products of various manufacturers are vulnerable to the Glowworm attack,” the team explained.

Glowworm Experiment

The researchers demonstrated how a Glowworm attack might work by pointing a telescope with an electro-optical sensor from 35 meters away at speakers connected to laptop. The sensor was aimed at the speakers’ power-indicator LED and the laptop screen was not visible.

The team was successfully able to capture a statement played on the speakers and translated by Glowworm.

Source: Ben Gurion University.

While most business being conducted over platforms like Skype is far from sensitive enough to attract eavesdroppers armed with telescopes and Glowworm, the finding is a good reminder that manufacturers can’t always be relied upon to consider these types of TEMPEST attacks, despite the government’s best efforts.

“This is a very interesting attack that for the overwhelming number of users has no real risk,” John Bambenek from Netenrich told Threatpost in response to the paper. “That said, for devices and environments where espionage is important, physical security remains key. No visibility from unprotected space should be possible into highly sensitive environments and devices should be designed to be segmented so sensitive information can’t be gleaned because manufacturers were too lazy to put LEDs on a clear line in the box.”

Worried about where the next attack is coming from? We’ve got your back. REGISTER NOW for our upcoming live webinar, How to Think Like a Threat Actor, in partnership with Uptycs. Find out precisely where attackers are targeting you and how to get there first. Join host Becky Bracken and Uptycs researchers Amit Malik and Ashwin Vamshi on Aug. 17 at 11AM EST for this LIVE discussion.



Suggested articles


  • Jen on

    two cent (probably less in bulk) decoupling capacitor, anyone?
  • Dave on

    TEMPEST is NOT an acronym. It does not stand for anything. It is a code word used to designate a program. You you posted is called a "backronym" -- an acronym made up after the fact to fit the letters. Kind of like saying Ford means "Found On Road Dead" or Fiat is "Fix It Again Tony". In fact what you posted is a classic and often cited example of a backronym. See [external link removed].
  • John on

    As mentioned already, TEMPEST is not an abbreviation or acronym.

Leave A Reply to John Cancel Reply


This site uses Akismet to reduce spam. Learn how your comment data is processed.

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.