CVE-2021-38546

Severity Score

5.9

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

CREATIVE Pebble devices through 2021-08-09 allow remote attackers to recover speech signals from an LED on the device, via a telescope and an electro-optical sensor, aka a "Glowworm" attack. The power indicator LED of the speakers is connected directly to the power line, as a result, the intensity of a device's power indicator LED is correlative to the power consumption. The sound played by the speakers affects their power consumption and as a result is also correlative to the light intensity of the LEDs. By analyzing measurements obtained from an electro-optical sensor directed at the power indicator LEDs of the speakers, we can recover the sound played by them.

Los dispositivos CREATIVE Pebble hasta 09-08-2021, permiten a atacantes remotos recuperar las señales de voz de un LED del dispositivo, por medio de un telescopio y un sensor electro-óptico, también se conoce como un ataque "Glowworm". El LED indicador de potencia de los altavoces está conectado directamente a la línea de alimentación, por lo que la intensidad del LED indicador de potencia de un dispositivo es correlativa al consumo de energía. El sonido reproducido por los altavoces afecta a su consumo de energía y, en consecuencia, también es correlativo a la intensidad luminosa de los LED. Al analizar las medidas obtenidas por un sensor electro-óptico dirigido a los LEDs indicadores de potencia de los altavoces, podemos recuperar el sonido reproducido por los mismos

*Credits: N/A

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

Partial

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2021-08-11 CVE Reserved
2021-08-11 CVE Published
2024-08-04 CVE Updated
2024-08-04 First Exploit
2024-08-14 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CAPEC

References (1)

URL	Tag	Source

URL	Date	SRC
https://www.nassiben.com/glowworm-attack	2024-08-04

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Creative Search vendor "Creative"	Pebble V3 Firmware Search vendor "Creative" for product "Pebble V3 Firmware"	<= 2021-08-09 Search vendor "Creative" for product "Pebble V3 Firmware" and version " <= 2021-08-09"	-	Affected	in	Creative Search vendor "Creative"	Pebble V3 Search vendor "Creative" for product "Pebble V3"	-	-	Safe
Creative Search vendor "Creative"	Pebble V2 Firmware Search vendor "Creative" for product "Pebble V2 Firmware"	<= 2021-08-09 Search vendor "Creative" for product "Pebble V2 Firmware" and version " <= 2021-08-09"	-	Affected	in	Creative Search vendor "Creative"	Pebble V2 Search vendor "Creative" for product "Pebble V2"	-	-	Safe
Creative Search vendor "Creative"	Pebble Firmware Search vendor "Creative" for product "Pebble Firmware"	<= 2021-08-09 Search vendor "Creative" for product "Pebble Firmware" and version " <= 2021-08-09"	-	Affected	in	Creative Search vendor "Creative"	Pebble Search vendor "Creative" for product "Pebble"	-	-	Safe
Creative Search vendor "Creative"	Pebble Plus Firmware Search vendor "Creative" for product "Pebble Plus Firmware"	<= 2021-08-09 Search vendor "Creative" for product "Pebble Plus Firmware" and version " <= 2021-08-09"	-	Affected	in	Creative Search vendor "Creative"	Pebble Plus Search vendor "Creative" for product "Pebble Plus"	-	-	Safe