Blinkenlights are cool, but blinkenlights that send secret messages that are undetectable to the human eye are even cooler. OpticSpy is an open source hardware module for exploring and experimenting with optical data transmissions. It captures, amplifies, and converts an optical signal into a digital form that can be analyzed or decoded with a computer.
With OpticSpy, electronics hobbyists and hardware hackers can search for covert channels existing on modern devices, add optical data transfer functionality to a project, or capture and decode signals from remote controls and other consumer electronics that intentionally send information through light waves.
OpticSpy’s design is based on Maxim Integrated’s AN1117: Small Photodiode Receiver Handles Fiber-Optic Data Rates to 800kbps application note. We’ve added potentiometers for fine-tuning of a particular target signal, an on-board USB-to-serial interface for easy connection to a host computer, status indicator LEDs, and test points for observing each stage of signal processing. It has been successfully tested with both visible and near infrared light sources. Depending on the implementation of the LED transmission code on the target device, the LED can appear to be continuously on even though it’s blinking faster than the human eye can detect. That’s cool!
I’ve been playing around with optical covert channels for the past couple of years and wanted to create a simple device to look for and decode data hidden in optical signals. I thought providing OpticSpy as a fully assembled product would help others get more easily involved with optoelectronics.
OpticSpy is powered from the host computer’s USB port and uses an FTDI FT231X USB-to-Serial IC to provide the USB connectivity (drivers available directly from FTDI). When connected to a computer, OpticSpy will appear as a Virtual COM port and will have a COM port number automatically assigned to it. You can then use a terminal program (such as HyperTerminal, PuTTY, CoolTerm, minicom, or screen) to communicate with OpticSpy. Communication settings will vary depending on the type of optical transmission and encoding/modulation used. For our demonstrations (see the Demonstrations/Example Code section below), we are transmitting printable ASCII data via the target’s software- or hardware-based UART.
In the event that the device sending optical data is using a different encoding or modulation scheme not supported by a standard terminal program, you can preempt the FT231X interface by connecting a logic analyzer, Arduino, or any other tool capable of processing raw digital signals to the OpticSpy’s TP5 (Comparator Output) test point.
OpticSpy supports signals up to 800 kbps per the application note on which this design is based. I haven’t fully characterized the lower and upper speeds, but my experiments have ranged from 2400 to 115.2 kbps with no loss of data.
We’re using a Vishay Semiconductors BPW21R photodiode for the front end, which has an ideal spectral response from 420 to 675 nm. As opposed to typical photodiodes, which have a peak response for near IR, the BPW21R approximates the human eye making it more suitable for visible light. It is still quite sensitive to IR, allowing us to support a wider range of wavelengths.
OpticSpy is designed for higher bandwidth at the expense of sensitivity. The brighter the transmitting signal, the better the receive range will be. For my visible light transmission experiments, I’ve achieved ~1 inch with Tomu, which has a very bright LED, and directly on the surface with a TP-Link router, which has a not-so-bright LED shining through a lightpipe.
For near IR signals, like those from a TV remote control, distance is greater. With the Parallax Hackable Electronic Badge, which has a 1608-sized IR LED, I’ve gotten to ~3 inches. Depending on the OpticSpy gain settings, you can also use it to filter out the IR carrier/modulation (typically 30-56 kHz), killing two birds (capture and demodulation) with one stone. This is due to the high gain of the amplifiers reducing frequency response of the unit.
The following demonstrations transmit printable ASCII data with NRZ (Non-Return-to-Zero) encoding to emulate a standard UART interface.
All OpticSpy design documentation (including schematics, PCB/Gerber plots, and bill-of-materials) and code for the above examples are available on my Optical Covert Channels project page.
This project isn’t just based on theoretical concepts - optical covert channels and data transmissions via LEDs actually happen in the real world! I was inspired and motivated by many prior works (and a few recent ones), mostly involving methods of secretly exfiltrating data from compromised devices. Some of my favorites are listed here:
Information Leakage from Optical Emanations, Loughry and Umphress, 2002. This is often regarded as the seminal work in the field of optical covert channels.
Silence on the Wire: A Field Guide to Passive Reconnaissance and Indirect Attacks, Michal Zalewski. Chapter 5, "Blinkenlights," covers optical exfiltration in great detail and has a simple optical receiver that plugs into an old PC’s parallel port.
xLED: Covert Data Exfiltration from Air-Gapped Networks via Router LEDs, Guri et al. One of many recent projects from a group at the Cyber-Security Research Center, Ben-Gurion University of the Negev, Israel, looking into all sorts of ways to exfiltrate data from air-gapped computers.
Extended Functionality Attacks on IoT Devices: The Case of Smart Lights, Ronen and Shamir, 2016. A practical attack using consumer IoT light bulbs for covert communication through varying light intensity levels.
There are many ways to convert light into digital signals, most of which consist of a photodetector front-end and some amplification circuitry. OpticSpy is just one option, which I created specifically to make exploring different types of optical data transmissions easier. Here are a few other projects that could supplement your optical receiver toolkit or provide background information on optoelectronics:
Forrest Mims’ Engineer’s Mini Notebook: Optoelectronics Circuits originally published by Radio Shack in 1985 is a classic guide to all things optical.
Craig Heffner’s IRis project is a very sensitive, high gain amplifier designed to receive modulated IR signals from remote controls and proximity sensors on mobile phones.
The Dark Art Lab’s Building a laser microphone shows how to convert a hobbyist audio amplifier kit into a laser microphone that can receive sound modulated by a vibrating surface.
The units will be manufactured by e-Teknet, a PCB fabrication and assembly facility in mainland China. I’ve worked with them for nearly 20 years for many of my prototypes and high volume products. They were instrumental in building the first electronic badges ever created for DEFCON 14, 15, 16, 17 and 18, which contained complex board shapes and very tight deadlines. The production OpticSpy boards will have a black matte soldermask to reduce reflections from ambient light sources.
To have better control of the component supply chain, I will be ordering all components myself from trusted distributors and will perform incoming/quality inspection before sending them to e-Teknet.
I am in the process of creating a system-level test procedure, which will be used by the factory to individually test each unit durung production. This will ensure that all features are properly functioning before units are shipped to backers.
The OpticSpy has gone through several development iterations and is ready for production. The PCB is a simple two-layer design with standard-sized SMT devices and a few through-hole components, so the risk of encountering technical problems during manufacturing is low.
All components are available in ample quantity from major parts distributors, so it is unlikely that we will have delays due to parts shortages.
As with any overseas process, our major risks are Customs issues and delays in shipping materials between China and the US.
The OpticSpy will be shipping from Crowd Supply’s Portland, Oregon warehouse. If you’d like to learn more about where, when and how things ship, please visit the Crowd Supply Guide.
|Digi-Key Part #||Manufacturer||Manufacturer Part #||Reference||Quantity||Description|
|399-1170-1-ND||Kemet||C0805C104K5RACTU||C1, C2, C3, C4, C5, C6, C7, C11, C14||9||Capacitor, 0.1 uF, 50 V, Ceramic, 10%, X7R, 0805|
|399-1158-1-ND||Kemet||C0805C103K5RACTU||C8||1||Capacitor, 0.01 uF, 50 V, Ceramic, 10%, X7R, 0805|
|1276-1156-1-ND||Samsung||CL21C470JBANNNC||C9, C10||2||Capacitor, 47 pF, 50 V, Ceramic, 5%, C0G, 0805|
|718-1956-1-ND||Vishay Sprague||293D106X0016A2TE3||C12, C13||2||Capacitor, 10 uF, 16 V, Tantalum, 20%, Size A|
|311-1124-1-ND||Yageo||CC0805KRX7R9BB471||C15||1||Capacitor, 470 pF, 50 V, Ceramic, 10%, X7R, 0805|
|751-1013-ND||Vishay||Semiconductor BPW21R||D1||1||Photodiode, Silicon PN, 420-675 nm, TO-5|
|754-1134-1-ND||Kingbright||APT2012SYCK||D2, D3||2||LED, yellow clear, 150 mcd, 2.0 Vf, 590 nm, 0805|
|445-1568-1-ND||TDK||MPZ2012S221AT000||L1||1||Inductor, Ferrite Bead, 220 R @ 100 MHz, 3 A, 0805|
|H2960CT-ND||Hirose Electric||UX60-MB-5S8||P1||1||Connector Mini-USB, 5-pin, SMT w/ PCB mount|
|MMBT3904FSCT-ND||ON Semiconductor||MMBT3904||Q1||1||Transistor, NPN, 40 V, 200 mA, SOT23-3|
|P100KACT-ND||Any||Any||R1||1||Resistor, 100k, 5%, 1/8 W, 0805|
|490-2667-1-ND||Bourns||PVG5A203C03R00||R2, R12||2||Resistor, variable trimmer, 20k, 1/8 W, SMD|
|P1.0KACT-ND||Any||Any||R3, R6, R11||3||Resistor, 1k, 5%, 1/8 W, 0805|
|490-2674-1-ND||Bourns||PVG5A504C03R00||R4||1||Resistor, variable trimmer, 500k, 1/8 W, SMD|
|P4.7KACT-ND||Any||Any||R5, R15, R16||3||Resistor, 4.7k, 5%, 1/8 W, 0805|
|P10KACT-ND||Any||Any||R7, R8, R9||3||Resistor, 10k, 5%, 1/8 W, 0805|
|490-2663-1-ND||Bourns||PVG5A105C03R00||R10||1||Resistor, variable trimmer, 1.0M, 1/8 W, SMD|
|P27ACT-ND||Any||Any||R13, R14||2||Resistor, 27 ohm, 5%, 1/8 W, 0805|
|401-2001-ND||C&K Components||JS202011CQN||SW1||1||Switch, DPDT slide, 300 mA @ 6 VDC, PCB mount|
|MAX4124EUK+TCT-ND||Maxim Integrated||MAX4124EUK+T||U1, U2||2||IC, Operational Amplifier, Rail-to-Rail, SOT23-5|
|MAX985EUK+TCT-ND||Maxim Integrated||MAX985EUK+T||U3||1||IC, comparator, push-pull, rail-to-rail, SOT23-5|
|768-1129-1-ND||FTDI||FT231XS-R||U4||1||IC, USB-to-UART bridge, SSOP20|
|576-1259-1-ND||Microchip||MIC5205-3.3YM5||U5||1||Linear regulator, LDO, 3.3 V, 150 mA, SOT23-5|
"...with consumer Li-Fi looking promising, many of us are developing a growing interest in the technology, and OpticSpy is here just in time to help."
"The interesting aspect is that the light can pulsate at a frequency that's imperceptible to humans. An entire wall of LEDs could be displaying an ad or art and a single LED could be used to transmit a covert missive."
Produced by Grand Idea Studio in Portland, OR.
Sold and shipped by Crowd Supply.
Get your hands on a single OpticSpy unit and dive into the world of optical communications interfaces.
This bundle gives you an OpticSpy and Tomu, a tiny ARM microprocessor which fits in your USB port. With this combination of receiver and transmitter, you can easily set up your own optical interface between two computers.
Have a team interested in learning more about optical covert channels and the details behind the OpticSpy? This OpticSpy 10-pack includes a two-hour online or local workshop (within the Portland, OR metro area) with creator Joe Grand. Joe will run through the design, functionality, tuning, and demonstrations of the OpticSpy and answer any questions regarding this or any of his other projects. The workshop will be scheduled for a mutually agreed upon date.
From the Tomu project.
Perfect as an optical transmitter for your OpticSpy to decode. Example code available.
A computer in your USB port! One Tomu board with two buttons, two LEDs, and a 25 MHz CPU, all fully assembled and tested.