PT-2021-22200 · Raspberry Pi · Raspberry Pi 3 B+ +1

Ben Nassi +4 · Published 2021-08-11 · Updated 2021-08-23 · CVE-2021-38545

CVSS v3.1: 5.9 (Medium)

Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Raspberry Pi 3 B+ and 4 B devices through 2021-08-09

Description

The issue allows remote attackers to recover speech signals from an LED on the device, via a telescope and an electro-optical sensor, in certain specific use cases where the device supplies power to audio-output equipment. The power indicator LED of the Raspberry Pi is connected directly to the power line, and its intensity is correlated with the power consumption. The sound played by the speakers affects the Raspberry Pi's power consumption and is therefore also correlated with the light intensity of the LED. By analyzing measurements obtained from an electro-optical sensor directed at the power indicator LED of the Raspberry Pi, it is possible to recover the sound played by the speakers.

Recommendations

For Raspberry Pi 3 B+ and 4 B devices through 2021-08-09, consider restricting the use of the power indicator LED or taking measures to prevent the correlation between power consumption and LED intensity, such as using a separate power supply for audio-output equipment, until a fix is available. As a temporary workaround, consider disabling the power supply to audio-output equipment when not in use to minimize the risk of exploitation.


Related Identifiers

CVE-2021-38545

Affected Products

Raspberry Pi 3 B+
Raspberry Pi 4 B