Blinkenlights are cool, but blinkenlights that send secret messages that are undetectable to the human eye are even cooler. OpticSpy is an open source hardware module for exploring and experimenting with optical data transmissions. It captures, amplifies, and converts an optical signal into a digital form that can be analyzed or decoded with a computer.
With OpticSpy, electronics hobbyists and hardware hackers can search for covert channels existing on modern devices, add optical data transfer functionality to a project, or capture and decode signals from remote controls and other consumer electronics that intentionally send information through light waves.
OpticSpy’s design is based on Maxim Integrated’s AN1117: Small Photodiode Receiver Handles Fiber-Optic Data Rates to 800kbps application note. We’ve added potentiometers for fine-tuning of a particular target signal, an on-board USB-to-serial interface for easy connection to a host computer, status indicator LEDs, and test points for observing each stage of signal processing. It has been successfully tested with both visible and near infrared light sources. Depending on the implementation of the LED transmission code on the target device, the LED can appear to be continuously on even though it’s blinking faster than the human eye can detect. That’s cool!
I’ve been playing around with optical covert channels for the past couple of years and wanted to create a simple device to look for and decode data hidden in optical signals. I thought providing OpticSpy as a fully assembled product would help others get more easily involved with optoelectronics.
OpticSpy is powered from the host computer’s USB port and uses an FTDI FT231X USB-to-Serial IC to provide the USB connectivity (drivers available directly from FTDI). When connected to a computer, OpticSpy will appear as a Virtual COM port and will have a COM port number automatically assigned to it. You can then use a terminal program (such as HyperTerminal, PuTTY, CoolTerm, minicom, or screen) to communicate with OpticSpy. Communication settings will vary depending on the type of optical transmission and encoding/modulation used. For our demonstrations (see the Demonstrations/Example Code section below), we are transmitting printable ASCII data via the target’s software- or hardware-based UART.
In the event that the device sending optical data is using a different encoding or modulation scheme not supported by a standard terminal program, you can preempt the FT231X interface by connecting a logic analyzer, Arduino, or any other tool capable of processing raw digital signals to the OpticSpy’s TP5 (Comparator Output) test point.
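As an added example (not part of the OpticSpy project's code), this sketch decodes UART-style NRZ frames from raw logic-level samples such as a logic analyzer capture of TP5. The function names, 8N1 framing, LSB-first bit order, and idle polarity are assumptions; the capture is constructed in code rather than recorded from hardware.

```python
# Added example: software UART decoder for raw 0/1 samples.
# Assumptions (not from the page): 8 data bits, no parity, 1 stop bit,
# LSB first; the idle level is a parameter because polarity at the
# comparator output depends on the target and the gain settings.

def decode_uart(samples, sample_rate, baud, idle=1):
    """Return (decoded bytes, number of framing errors)."""
    spb = sample_rate / baud                 # samples per bit, may be fractional
    if spb < 3:
        raise ValueError("capture needs at least 3 samples per bit")
    data, framing_errors = bytearray(), 0
    i, n = 1, len(samples)
    while i < n:
        # A frame begins on an idle -> active edge (the start bit).
        if samples[i - 1] != idle or samples[i] == idle:
            i += 1
            continue
        # Sample each of the 10 bit cells (start, 8 data, stop) at its centre.
        centers = [int(i + (k + 0.5) * spb) for k in range(10)]
        if centers[9] >= n:
            break                            # frame truncated by end of capture
        levels = [samples[c] for c in centers]
        if levels[0] == idle:                # start bit did not hold: noise spike
            i += 1
            continue
        if levels[9] != idle:                # stop bit missing: wrong baud or noise
            framing_errors += 1
            i += 1
            continue
        # A data bit is 1 when the line sits at the idle (mark) level.
        data.append(sum((levels[k + 1] == idle) << k for k in range(8)))
        i = centers[9] + 1                   # resume the edge search in the stop bit
    return bytes(data), framing_errors

def make_capture(text, sample_rate, baud, idle=1, gap_bits=2):
    """Constructed test capture: each byte as start + 8 data + stop, with idle gaps."""
    bits = [idle] * gap_bits
    for b in text:
        bits += [1 - idle]
        bits += [idle if (b >> k) & 1 else 1 - idle for k in range(8)]
        bits += [idle] * (1 + gap_bits)
    spb = sample_rate / baud
    return [bits[int(t / spb)] for t in range(int(len(bits) * spb))]

if __name__ == "__main__":
    capture = make_capture(b"OpticSpy", 1_000_000, 115200)
    print(decode_uart(capture, 1_000_000, 115200))
```

A non-zero framing error count on a real capture usually means the assumed baud rate or idle polarity is wrong, so try the other polarity before changing anything else.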
OpticSpy supports signals up to 800 kbps per the application note on which this design is based. I haven’t fully characterized the lower and upper speeds, but my experiments have ranged from 2400 to 115.2 kbps with no loss of data.
We’re using a Vishay Semiconductors BPW21R photodiode for the front end, which has an ideal spectral response from 420 to 675 nm. As opposed to typical photodiodes, which have a peak response for near IR, the BPW21R approximates the human eye, making it more suitable for visible light. It is still quite sensitive to IR, allowing us to support a wider range of wavelengths.
OpticSpy is designed for higher bandwidth at the expense of sensitivity. The brighter the transmitting signal, the better the receive range will be. For my visible light transmission experiments, I’ve achieved ~1 inch with Tomu, which has a very bright LED, and directly on the surface with a TP-Link router, which has a not-so-bright LED shining through a lightpipe.
For near IR signals, like those from a TV remote control, distance is greater. With the Parallax Hackable Electronic Badge, which has a 1608-sized IR LED, I’ve gotten to ~3 inches. Depending on the OpticSpy gain settings, you can also use it to filter out the IR carrier/modulation (typically 30-56 kHz), killing two birds (capture and demodulation) with one stone. This is due to the high gain of the amplifiers reducing frequency response of the unit.
The following demonstrations transmit printable ASCII data with NRZ (Non-Return-to-Zero) encoding to emulate a standard UART interface.
All OpticSpy design documentation (including schematics, PCB/Gerber plots, and bill-of-materials) and code for the above examples are available on my Optical Covert Channels project page.
This project isn’t just based on theoretical concepts - optical covert channels and data transmissions via LEDs actually happen in the real world! I was inspired and motivated by many prior works (and a few recent ones), mostly involving methods of secretly exfiltrating data from compromised devices. Some of my favorites are listed here:
There are many ways to convert light into digital signals, most of which consist of a photodetector front-end and some amplification circuitry. OpticSpy is just one option, which I created specifically to make exploring different types of optical data transmissions easier. Here are a few other projects that could supplement your optical receiver toolkit or provide background information on optoelectronics:
Manufacturer | Manufacturer Part # | Reference | Quantity | Description
---|---|---|---|---
Kemet | C0805C104K5RACTU | C1, C2, C3, C4, C5, C6, C7, C11, C14 | 9 | Capacitor, 0.1 uF, 50 V, Ceramic, 10%, X7R, 0805
Kemet | C0805C103K5RACTU | C8 | 1 | Capacitor, 0.01 uF, 50 V, Ceramic, 10%, X7R, 0805
Samsung | CL21C470JBANNNC | C9, C10 | 2 | Capacitor, 47 pF, 50 V, Ceramic, 5%, C0G, 0805
Vishay Sprague | 293D106X0016A2TE3 | C12, C13 | 2 | Capacitor, 10 uF, 16 V, Tantalum, 20%, Size A
Yageo | CC0805KRX7R9BB471 | C15 | 1 | Capacitor, 470 pF, 50 V, Ceramic, 10%, X7R, 0805
Vishay Semiconductor | BPW21R | D1 | 1 | Photodiode, Silicon PN, 420-675 nm, TO-5
Kingbright | APT2012SYCK | D2, D3 | 2 | LED, yellow clear, 150 mcd, 2.0 Vf, 590 nm, 0805
TDK | MPZ2012S221AT000 | L1 | 1 | Inductor, Ferrite Bead, 220 R @ 100 MHz, 3 A, 0805
Hirose Electric | UX60-MB-5S8 | P1 | 1 | Connector Mini-USB, 5-pin, SMT w/ PCB mount
ON Semiconductor | MMBT3904 | Q1 | 1 | Transistor, NPN, 40 V, 200 mA, SOT23-3
Any | Any | R1 | 1 | Resistor, 100k, 5%, 1/8 W, 0805
Bourns | PVG5A203C03R00 | R2, R12 | 2 | Resistor, variable trimmer, 20k, 1/8 W, SMD
Any | Any | R3, R6, R11 | 3 | Resistor, 1k, 5%, 1/8 W, 0805
Bourns | PVG5A504C03R00 | R4 | 1 | Resistor, variable trimmer, 500k, 1/8 W, SMD
Any | Any | R5, R15, R16 | 3 | Resistor, 4.7k, 5%, 1/8 W, 0805
Any | Any | R7, R8, R9 | 3 | Resistor, 10k, 5%, 1/8 W, 0805
Bourns | PVG5A105C03R00 | R10 | 1 | Resistor, variable trimmer, 1.0M, 1/8 W, SMD
Any | Any | R13, R14 | 2 | Resistor, 27 ohm, 5%, 1/8 W, 0805
C&K Components | JS202011CQN | SW1 | 1 | Switch, DPDT slide, 300 mA @ 6 VDC, PCB mount
Maxim Integrated | MAX4124EUK+T | U1, U2 | 2 | IC, Operational Amplifier, Rail-to-Rail, SOT23-5
Maxim Integrated | MAX985EUK+T | U3 | 1 | IC, comparator, push-pull, rail-to-rail, SOT23-5
FTDI | FT231XS-R | U4 | 1 | IC, USB-to-UART bridge, SSOP20
Microchip | MIC5205-3.3YM5 | U5 | 1 | Linear regulator, LDO, 3.3 V, 150 mA, SOT23-5
"...with consumer Li-Fi looking promising, many of us are developing a growing interest in the technology, and OpticSpy is here just in time to help."
"The demos of OpticSpy pulling data out of a seemingly solid red LED were a blast to see."
"The interesting aspect is that the light can pulsate at a frequency that's imperceptible to humans. An entire wall of LEDs could be displaying an ad or art and a single LED could be used to transmit a covert missive."
Produced by Grand Idea Studio in Portland, OR.
Sold and shipped by Crowd Supply.
Get your hands on a single OpticSpy unit and dive into the world of optical communications interfaces.
From the Tomu project.
Perfect as an optical transmitter for your OpticSpy to decode. Example code available.
A computer in your USB port! One Tomu board with two buttons, two LEDs, and a 25 MHz CPU, all fully assembled and tested.
Grand Idea Studio is a product design, development, and licensing firm with a focus on consumer devices and open source modules for electronics hobbyists. It is run by computer engineer and hardware hacker Joe Grand.