OpticSpy’s design is based on Maxim Integrated’s AN1117: Small Photodiode Receiver Handles Fiber-Optic Data Rates to 800kbps application note with the addition of potentiometers for fine-tuning of a particular target signal, an on-board USB-to-serial interface for easy connection to a host computer, status indicator LEDs, and test points for observing each stage of signal processing. It has been successfully tested with both visible and near infrared light sources. Depending on the implementation of the LED transmission code on the target device, the LED can appear to be continuously on even though it’s blinking faster than the human eye can detect.
OpticSpy was created as a simple device for finding and decoding data hidden in optical signals. As a fully assembled product, it can help others get involved with optoelectronics more easily.
- Easily converts light transmissions into digital signals
- Gain and threshold adjustment via potentiometers for fine-tuning of a particular target
- Supports both visible and near IR light emissions
- On-board switch to select normal or inverted polarity data streams
- USB interface for direct connection to host computer
OpticSpy is powered from the host computer’s USB port and uses an FTDI FT231X USB-to-Serial IC to provide the USB connectivity (drivers available directly from FTDI). When connected to a computer, OpticSpy will appear as a Virtual COM port and will have a COM port number automatically assigned to it. You can then use a terminal program (such as HyperTerminal, PuTTY, CoolTerm, minicom, or screen) to communicate with OpticSpy. Communication settings will vary depending on the type of optical transmission and encoding/modulation used. For our demonstrations (see the Demonstrations/Example Code section below), we are transmitting printable ASCII data via the target’s software- or hardware-based UART.
If the device sending optical data uses an encoding or modulation scheme that a standard terminal program does not support, you can bypass the FT231X interface by connecting a logic analyzer, Arduino, or any other tool capable of processing raw digital signals to OpticSpy’s TP5 (Comparator Output) test point.
OpticSpy supports signals up to 800 kbps per the application note on which this design is based. Its lower and upper speed limits haven't been fully characterized, but experiments have ranged from 2400 bps to 115.2 kbps with no loss of data.
The front end uses a Vishay Semiconductors BPW21R photodiode, which has an ideal spectral response from 420 to 675 nm. Unlike typical photodiodes, which have a peak response in the near IR, the BPW21R approximates the response of the human eye, making it more suitable for visible light. It is still quite sensitive to IR, so a wider range of wavelengths is supported.
OpticSpy is designed for higher bandwidth at the expense of sensitivity: the brighter the transmitting signal, the better the receive range will be. In visible light transmission experiments, a range of ~1 inch was achieved with Tomu, which has a very bright LED, while a TP-Link router, whose not-so-bright LED shines through a lightpipe, required the photodiode to be placed directly on the surface.
For near IR signals, like those from a TV remote control, the distance is greater: with the Parallax Hackable Electronic Badge, which has a 1608-sized IR LED, a ~3 inch range was achieved. Depending on the OpticSpy gain settings, you can also use it to filter out the IR carrier/modulation (typically 30-56 kHz), killing two birds (capture and demodulation) with one stone. This works because the high gain of the amplifier stages reduces the unit's frequency response, so the carrier is attenuated while the slower data envelope passes through.
The following demonstrations transmit printable ASCII data with NRZ (Non-Return-to-Zero) encoding to emulate a standard UART interface.
- Arduino w/ external LED
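As an added example, not OpticSpy's own code or the Arduino sketch from the project page, the following C models what a terminal program expects on the virtual COM port (the communication settings in the USB section above) and what the demonstrations put on the LED: printable ASCII framed as NRZ 8N1 serial data. It frames each byte as a start bit, eight data bits LSB first and a stop bit, then decodes the resulting bit stream, checking the stop bit so that a polarity or baud-rate mismatch shows up as framing errors rather than silently passing. The names (`optic_encode`, `optic_decode`, `optic_roundtrip`, `optic_framing_errors`) and the sample message are assumptions for this example, and the stream is assumed to be sampled once per bit period, which is what a hardware UART or a logic analyzer on TP5 effectively gives you after clock recovery.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define UART_FRAME_BITS 10   /* start bit + 8 data bits + stop bit (8N1) */

/* Frame one byte as 8N1 NRZ at the line level: start (0), data LSB first, stop (1).
   Idle line is logic 1 (mark); with a "LED on = 1" transmitter the LED looks
   continuously lit between bytes, as the product text notes. */
static void uart_frame_byte(uint8_t byte, uint8_t *out) {
    out[0] = 0;
    for (int i = 0; i < 8; i++) out[1 + i] = (byte >> i) & 1;
    out[9] = 1;
}

/* Encode a NUL-terminated string into a bit stream (one entry per bit period).
   `invert` models a transmitter whose LED is on for logic 0, the case
   OpticSpy's normal/inverted polarity switch exists for. Returns bits written. */
size_t optic_encode(const char *msg, int invert, uint8_t *bits, size_t cap) {
    size_t n = 0;
    /* A few idle (mark) periods before the first start bit, as on a real line. */
    for (int i = 0; i < 3 && n < cap; i++) bits[n++] = invert ? 0 : 1;
    for (const char *p = msg; *p; p++) {
        if (n + UART_FRAME_BITS > cap) break;
        uart_frame_byte((uint8_t)*p, bits + n);
        if (invert) for (int i = 0; i < UART_FRAME_BITS; i++) bits[n + i] ^= 1;
        n += UART_FRAME_BITS;
    }
    return n;
}

/* Decode a bit stream sampled once per bit period. Waits for a start bit
   (a non-idle sample), reads 8 data bits LSB first and checks the stop bit.
   A wrong stop bit is a framing error: the decoder slides one sample and
   looks for the next start bit, which is how a UART resynchronises after a
   polarity or baud mismatch. Returns bytes recovered; *errors counts framing errors. */
size_t optic_decode(const uint8_t *bits, size_t n, int invert,
                    char *out, size_t cap, int *errors) {
    size_t i = 0, count = 0;
    uint8_t idle = invert ? 0 : 1;
    if (errors) *errors = 0;
    while (i < n && count + 1 < cap) {
        if (bits[i] == idle) { i++; continue; }   /* still idle, no start bit yet */
        if (i + UART_FRAME_BITS > n) break;        /* truncated frame at end of capture */
        uint8_t byte = 0;
        for (int b = 0; b < 8; b++) {
            uint8_t v = bits[i + 1 + b] ^ (uint8_t)invert;
            byte |= (uint8_t)(v << b);
        }
        uint8_t stop = bits[i + 9] ^ (uint8_t)invert;
        if (stop != 1) {            /* framing error */
            if (errors) (*errors)++;
            i++;
            continue;
        }
        out[count++] = (char)byte;
        i += UART_FRAME_BITS;
    }
    out[count] = '\0';
    return count;
}

/* Frame msg with tx_invert, decode with rx_invert; 1 if the text came back intact. */
int optic_roundtrip(const char *msg, int tx_invert, int rx_invert) {
    uint8_t bits[512]; char out[64]; int errors;
    size_t n = optic_encode(msg, tx_invert, bits, sizeof bits);
    optic_decode(bits, n, rx_invert, out, sizeof out, &errors);
    return strcmp(out, msg) == 0;
}

/* Same round trip, returning the framing-error count instead. */
int optic_framing_errors(const char *msg, int tx_invert, int rx_invert) {
    uint8_t bits[512]; char out[64]; int errors;
    size_t n = optic_encode(msg, tx_invert, bits, sizeof bits);
    optic_decode(bits, n, rx_invert, out, sizeof out, &errors);
    return errors;
}

int main(void) {
    const char *msg = "Hi";   /* constructed sample message */
    uint8_t bits[512]; char out[64]; int errors;
    size_t n = optic_encode(msg, 0, bits, sizeof bits);
    printf("line level: ");
    for (size_t i = 0; i < n; i++) putchar(bits[i] ? '1' : '0');
    optic_decode(bits, n, 0, out, sizeof out, &errors);
    printf("\ndecoded: \"%s\" (framing errors: %d)\n", out, errors);
    /* Same stream read with the wrong polarity: garbage plus framing errors. */
    optic_decode(bits, n, 1, out, sizeof out, &errors);
    printf("wrong polarity: framing errors: %d\n", errors);
    return 0;
}
```

The polarity mismatch case is the one to remember when a capture looks like noise: the comparator output on TP5 is perfectly clean, but every frame's stop bit reads as 0 and the terminal shows garbage or nothing. Flipping OpticSpy's polarity switch (or the `invert` flag here) is the first thing to try before touching gain or baud rate.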
All OpticSpy design documentation (including schematics, PCB/Gerber plots, and bill-of-materials) and code for the above examples are available on Grand Idea Studio's OpticSpy project page.
This project isn’t just based on theoretical concepts - optical covert channels and data transmissions via LEDs actually happen in the real world! Joe was inspired and motivated by many prior works (and a few recent ones), mostly involving methods of secretly exfiltrating data from compromised devices. Some of his favorites are listed here:
Information Leakage from Optical Emanations, Loughry and Umphress, 2002. This is often regarded as the seminal work in the field of optical covert channels.
Silence on the Wire: A Field Guide to Passive Reconnaissance and Indirect Attacks, Michal Zalewski. Chapter 5, “Blinkenlights,” covers optical exfiltration in great detail and has a simple optical receiver that plugs into an old PC’s parallel port.
xLED: Covert Data Exfiltration from Air-Gapped Networks via Router LEDs, Guri et al. One of many recent projects from a group at the Cyber-Security Research Center, Ben-Gurion University of the Negev, Israel, looking into all sorts of ways to exfiltrate data from air-gapped computers.
Extended Functionality Attacks on IoT Devices: The Case of Smart Lights, Ronen and Shamir, 2016. A practical attack using consumer IoT light bulbs for covert communication through varying light intensity levels.