How the Government Hacks You, Chapter 9: Laser Listening Systems

What Are Laser Listening Systems?

A laser listening system is anything that uses one or more concentrated beams of light to make the vibration of an object more visible. The vibration they’re interested in, in most cases, is related to sound. Older versions of this technology used low-intensity light beams, but modern systems use lasers. The various subsystems based on modern hardware have been called ‘laser microphones’, ‘laser listening devices’, and ‘sound interferometers’.

It all started with a post-World War 2 invention called the Buran Eavesdropping System. Instead of using lasers (which wouldn’t be invented for a couple more decades), this system used a low-power IR beam to detect the vibrations in a pane of glass. Those vibrations were then translated into sounds. It was primitive but still effective.

Though the accuracy was ramped up by the addition of lasers in the 1960s, as well as more sophisticated sensors, the design for flat surface laser listening systems hasn’t changed all that much through the years. The biggest evolution was an open-air version that could use mist, fog, or smoke to capture sound from a distance without a hard surface being involved. Non-flat surfaces can also be used now, such as a plant pot or a glass of water.

This is a line-of-sight technology and is best utilized at a 90-degree angle to the target surface. But sometimes, that’s just not possible. Like reflecting light off of a mirror, if the laser were to hit the target surface at an angle, then the data containing the sound information would be fired off in another direction. In such cases, receptors would need to be in a different location to analyze the vibrations. But that’s certainly not impossible. One could be sitting at ground level, firing the laser up at a second-story window, while a van sitting on the bridge above collects the reflected results.

There are a dozen variations on the theme of using light to detect and then rebroadcast sound waves at a great distance, which is why we’ve grouped them all together as ‘laser listening systems’. The terminology is all over the place, even if the technology is ridiculously common these days… you can pick up functional kits in any ‘spy store’ on the Internet.

How the Governments Use Laser Listening Systems

Amusingly, it wasn’t Snowden who confirmed that laser listening devices were in the spycraft toolbox of modern countries… it was GCHQ who was worried about leaks of the Snowden data! They said that the data wasn’t safe at the press offices that held it, because laser microphones could be used to eavesdrop on conversations about the leaks.

It’s not shocking that a technique that has been used since the 40s is still in use today, particularly when it continues to work just fine. The main defense against the use of a laser microphone on a pane of glass is pulling the curtains to deaden sound in the room before it hits the glass. But who doesn’t like a bit of sunlight? Particularly when we’re encouraged to keep the lights off in a building when there’s perfectly good natural illumination available.

Another mitigation method is to build your offices as a two-surface system: An external shell, and then the real offices inside. Who would be paranoid enough to do that? Well, the CIA for one. They’ve air-gapped the outer walls of their facilities to keep laser listening systems from being able to detect vibrations from the inside.

But most people don’t bother with mitigations. After all, it’s horribly inefficient to use a laser listening system when you could just plant a bug instead. What they don’t realize is that sometimes a physical infiltration just isn’t possible or practical. If you want to leave no trace and never come within 500 meters of a place, the laser just might get you there when no other method could manage the task.

For example, let’s say the CIA wanted to find out who was in a closed compound while remaining at least a quarter mile away at all times. This is the scenario that John Pike, the director of GlobalSecurity.org, put forth as the method of target confirmation before the final attack on Osama Bin Laden. The strike force confirmed that they never saw their target before the attack, but categorically knew he was inside because of CIA intel. That meant they either had an insider or that they used remote audio surveillance capable of hearing around corners: A laser listening system.

The most high-profile case involving these devices, at least in recent times, was the 2016 NSA operation that spied on Israel. They set up a full suite of laser listening devices, to determine the intentions of Prime Minister Netanyahu and his advisors. The Obama administration kept Netanyahu’s government on a watch list, even when spying on other ‘friendly’ governments was abolished. Later, the Israeli PM’s forces would be responsible for the killing of reporters in 2018 and the assassination of a medic in 2019. So perhaps the intensified spying was warranted.

How often do governments and police organizations use laser listening devices? Often enough to have dedicated suppliers. Multiple dedicated suppliers. Depending on the country of origin, laser listening systems may be restricted to government entities, extended to licensed individuals such as private investigators, or simply offered to the public. But the number of sites that actively supply to police organizations, even when their country has no other legal buyers for their goods, is disturbing, to say the least.

It isn’t just governments implementing laser listening systems, of course. Private investigators and major organizations use the same technology as well. In 2020, a bank was caught spying on the Financial Times press room in London, for example. However, the scope of these articles needs to focus on government activity if brevity and sanity are to be retained.

Emerging Techniques

Getting sound by bouncing a laser off of a flat surface, or even a curved piece of glass or ceramic, is just the tip of the iceberg. Developments in this field over the past two years have been quite impressive.

It’s unknown if governments have already adopted these new attack vectors. Normally it takes a couple of years before there is a leak, a court case, or one of the larger national governments openly brags about their capabilities. But until then, you should be aware of the things that are possible right now, with current technology and a reasonable budget.

In 2020, the lamphone was discovered. Using around $500 worth of equipment, Ben Nassi and his team turned a lightbulb, hanging in an office building 25m away, into a microphone. The single, 12-watt LED bulb was under observation by three telescopes with different lens diameters: 10cm, 20cm, and 35 cm. They used the difference in the observations to create an equalizer and then ran the recorded signals through their electro-optical sensor. The playback resulted in voices that could be understood by Google Cloud Speech, and singing that could be identified by both Shazam and SoundHound.

The applications for picking up discernable sound simply by observing an LED light bulb are astounding. Particularly when the budget for the entire hardware setup, transport, and communications is well under $1,000. Unlike a laser microphone, which is ‘active’ and therefore can potentially be detected by the victim, the lamphone is passive. If you have a line of sight, you can make the hack and record the results. The downside, from the attacker’s perspective, is that hours of computational time are required to analyze the recorded data. Nassi’s Black Hat presentation explains all of this in detail.

Impressive, but they had an entire lightbulb to play with! What about a single-power LED? In 2021, another Nassi-led research team made a breakthrough. In this case, a USB hub’s power LED was used to eavesdrop on conversations in the room.

The attack called ‘Glowworm’, was made from 30m away. The USB speaker attached to the hub caused microscopic flickering in the LED every time it drew power. Using a similar technique to that used in lamphone, an electro-optical sensor attached to a telescope, the research team was able to analyze the voltage drawn from the audio device. Although a far more specific situation needs to be in place, the results are nonetheless impressive.

Lamphone will undoubtedly find a place in the spycraft tool kit much more quickly than Glowworm, but both of them are proofs of concept that can be enhanced by more sensitive equipment and bigger research teams. It’s just a matter of time.

Conclusion

Laser listening systems are in a magical space for government and law enforcement organizations. The privacy issues presented are ‘murky’. Because no physical entry has been made into the home, the eavesdroppers can draw parallels to the use of a shotgun microphone, even though the surveillance ‘reaches’ inside of an office or a home. There is little to no evidence left behind, so the snoopers need to be caught in the act before any kind of prosecution or lawsuit can be enacted. In other words: Laser listening systems provide a ton of spying opportunities, with almost no attached responsibility.

Catch up on the previous chapter here.