PT-2021-22199 · Sony · Sony SRS-XB43 (+1 product)
Authors: Ben Nassi and 4 others
Published 2021-08-11 · Updated 2021-08-23
CVE-2021-38544
CVSS v3.1: 5.9 (Medium)
| Vector | AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Sony SRS-XB33 and SRS-XB43 devices through 2021-08-09
Description
The issue allows remote attackers to recover speech signals from an LED on the device via a telescope and an electro-optical sensor, an attack also known as "Glowworm". The power indicator LED of the speakers is connected directly to the power line, so the LED's light intensity is correlated with the device's power consumption. The sound played by the speakers changes their power consumption and is therefore also correlated with the light intensity of the LED. By analyzing measurements obtained from an electro-optical sensor directed at the power indicator LED of the speakers, it is possible to recover the sound played by them.
Recommendations
For Sony SRS-XB33 and SRS-XB43 devices through 2021-08-09, consider disabling the power indicator LED to minimize the risk of exploitation, since it is directly connected to the power line and its intensity is correlated with the power consumption. Restrict visual access to the device's power indicator LED (line of sight is required for the attack) to prevent remote attackers from using an electro-optical sensor to recover speech signals. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Exploit
Related Identifiers
Affected Products
Sony SRS-XB33
Sony SRS-XB43