NY Times – Eight years ago, while working late in a darkened computer lab at the University of Seattle, Joe Loughry became fascinated with the lights blinking on the face of his modem. They seemed to be relaying information about the long file transfer he had started, and he wondered exactly how much information the tiny light-emitting diodes were transmitting.
Quite a lot, it turns out.
Using a process called optical emanations detection, similar to the technology used in fiber optic networking, Mr. Loughry, then a graduate student in software engineering, and his thesis adviser, David Umphress, tested 39 different communications devices, like modems and the routers that shuttle data across networks. They wanted to see if they could recreate some or all of the data passed through them just by detecting variations in their light-emitting diodes, or L.E.D.’s.
Ultimately, 14 of the common devices they tested blinked their secrets in a kind of high-speed Morse code, and with light detectors the two researchers could capture data up to 100 feet away. The information intercepted included passwords, Web addresses and text files.
Because most home computers now have internal modems without visible lights, consumers will be largely unaffected by the discovery. But those with complex home or office networks, and businesses like Internet service providers, may have to rethink the locations of their computer hardware.
“We discovered that anywhere you have a modem and it’s close to a window, somebody can see potentially what you’re transferring,??? Mr. Umphress said.
Mr. Loughry estimated that there were several million devices “in the wild,??? from network routers to airport currency dispensers, that might be broadcasting sensitive data through their blinking lights. A diligent hacker with a video camera could theoretically record the patterns and reconstruct e-mail or credit card information, he said.
Although the lights provide some valuable troubleshooting information to experts, in most cases they are just for show. Some companies actually place their racks of blinking machines near a window for effect, Mr. Umphress said, a practice he now discourages. One of the best ways to prevent information leakage, he said, is simply to cover the L.E.D.’s with duct tape.
Mr. Loughry, 37, who now works at Lockheed Martin in Denver, was surprised that no one else had stumbled on the idea, even in the eight years it took for the team to complete their paper on the subject.
Mr. Umphress, 46, who is now an associate professor at Auburn University, said: “We discovered that no one really had done this kind of research. The reaction that we received from the security community was one of surprise.???
The paper will appear in the August issue of ACM Transactions on Information and System Security.
“We did all of this on a shoestring,??? Mr. Umphress said. He emphasized that the project was not underwritten by any “cloak-and-dagger-type organization.???
“No spy stuff,??? he said. “We did have to clear the paper with the National Security Agency, however. That took six months.???