CVE-2021-38546

Name of the Vulnerable Software and Affected Versions CREATIVE Pebble devices through 2021-08-09

Description The issue allows remote attackers to recover speech signals from an LED on the device via a telescope and an electro-optical sensor, known as a "Glowworm" attack. This is possible because the power indicator LED of the speakers is connected directly to the power line, making the intensity of the device's power indicator LED correlative to the power consumption. The sound played by the speakers affects their power consumption, which is also correlative to the light intensity of the LEDs. By analyzing measurements from an electro-optical sensor directed at the power indicator LEDs, it is possible to recover the sound played by the speakers.

Recommendations For CREATIVE Pebble devices through 2021-08-09, consider disabling the power indicator LED to minimize the risk of exploitation until a patch is available. Restrict access to the device to prevent potential attackers from using a telescope and an electro-optical sensor to capture the LED signals. At the moment, there is no information about a newer version that contains a fix for this vulnerability.