CVE-2021-38544

 

Severity Score (CVSS v3.1): 5.9
Exploit Likelihood (EPSS):
Affected Versions (CPE):
Public Exploits (Multiple Sources): 1
Exploited in Wild (KEV): -
Decision (SSVC): -

Descriptions

Sony SRS-XB33 and SRS-XB43 devices through 2021-08-09 allow remote attackers to recover speech signals from an LED on the device, via a telescope and an electro-optical sensor, aka a "Glowworm" attack. The power indicator LED of the speakers is connected directly to the power line; as a result, the intensity of a device's power indicator LED is correlative to the power consumption. The sound played by the speakers affects their power consumption and, as a result, is also correlative to the light intensity of the LEDs. By analyzing measurements obtained from an electro-optical sensor directed at the power indicator LEDs of the speakers, we can recover the sound played by them.

*Credits: N/A
CVSS Scores
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Attack Vector: Network
Attack Complexity: Medium
Authentication: None
Confidentiality: Partial
Integrity: None
Availability: None
* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2021-08-11 CVE Reserved
  • 2021-08-11 CVE Published
  • 2024-08-04 CVE Updated
  • 2024-08-04 First Exploit
  • 2024-08-14 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
CAPEC
References (1)
Affected Vendors, Products, and Versions
Vendor    Product             Version          Other   Status
Sony      Srs-xb33 Firmware   <= 2021-08-09    -       Affected
in Sony   Srs-xb33            --                       Safe
Sony      Srs-xb43 Firmware   <= 2021-08-09    -       Affected
in Sony   Srs-xb43            --                       Safe