PT-2021-22198 · Tp Link · Tp-Link Ue330

Ben Nassi +4 · Published 2021-08-11 · Updated 2021-08-23 · CVE-2021-38543

CVSS v3.1: 5.9 Medium

Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

TP-Link UE330 USB splitter devices through 2021-08-09

Description

The issue allows remote attackers to recover speech signals from an LED on the device, via a telescope and an electro-optical sensor, also known as a "Glowworm" attack. This occurs when the device supplies power to audio-output equipment, such as speakers. The power indicator LED of the USB splitter is connected directly to the power line, and its intensity is correlative to the device's power consumption. The sound played by the connected speakers affects the USB splitter's power consumption, which in turn affects the light intensity of the LED. By analyzing measurements from an electro-optical sensor directed at the power indicator LED, it is possible to recover the sound played by the connected speakers.

Recommendations

For TP-Link UE330 USB splitter devices through 2021-08-09, consider disabling the power indicator LED or restricting access to the device to minimize the risk of exploitation, until a fix is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.


Related Identifiers

CVE-2021-38543

Affected Products

Tp-Link Ue330