CVE-2021-38546 - OpenCVE

CREATIVE Pebble devices through 2021-08-09 allow remote attackers to recover speech signals from an LED on the device, via a telescope and an electro-optical sensor, aka a "Glowworm" attack. The power indicator LED of the speakers is connected directly to the power line, as a result, the intensity of a device's power indicator LED is correlative to the power consumption. The sound played by the speakers affects their power consumption and as a result is also correlative to the light intensity of the LEDs. By analyzing measurements obtained from an electro-optical sensor directed at the power indicator LEDs of the speakers, we can recover the sound played by them.

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:M/Au:N/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Creative	Pebble V3 Firmware Pebble Pebble Plus Pebble V2 Firmware Pebble V3 Pebble V2 Pebble Plus Firmware Pebble Firmware

Configuration 1 [-]

AND

cpe:2.3:o:creative:pebble_v3_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:creative:pebble_v3:-:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:o:creative:pebble_v2_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:creative:pebble_v2:-:*:*:*:*:*:*:*

Configuration 3 [-]

AND

cpe:2.3:o:creative:pebble_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:creative:pebble:-:*:*:*:*:*:*:*

Configuration 4 [-]

AND

cpe:2.3:o:creative:pebble_plus_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:creative:pebble_plus:-:*:*:*:*:*:*:*

References

Link	Resource
https://www.nassiben.com/glowworm-attack	Exploit Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2021-08-11T15:25:14

Updated: 2021-08-11T15:25:14

Reserved: 2021-08-11T00:00:00

Link: CVE-2021-38546

JSON object: View

NVD Information

Status : Analyzed

Published: 2021-08-11T16:15:07.313

Modified: 2021-08-23T17:46:19.620

Link: CVE-2021-38546

JSON object: View

Redhat Information

No data.

CWE

NVD-CWE-noinfo

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "CREATIVE Pebble devices through 2021-08-09 allow remote attackers to recover speech signals from an LED on the device, via a telescope and an electro-optical sensor, aka a \"Glowworm\" attack. The power indicator LED of the speakers is connected directly to the power line, as a result, the intensity of a device's power indicator LED is correlative to the power consumption. The sound played by the speakers affects their power consumption and as a result is also correlative to the light intensity of the LEDs. By analyzing measurements obtained from an electro-optical sensor directed at the power indicator LEDs of the speakers, we can recover the sound played by them."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-08-11T15:25:14", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.nassiben.com/glowworm-attack"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2021-38546", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "CREATIVE Pebble devices through 2021-08-09 allow remote attackers to recover speech signals from an LED on the device, via a telescope and an electro-optical sensor, aka a \"Glowworm\" attack. The power indicator LED of the speakers is connected directly to the power line, as a result, the intensity of a device's power indicator LED is correlative to the power consumption. The sound played by the speakers affects their power consumption and as a result is also correlative to the light intensity of the LEDs. By analyzing measurements obtained from an electro-optical sensor directed at the power indicator LEDs of the speakers, we can recover the sound played by them."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://www.nassiben.com/glowworm-attack", "refsource": "MISC", "url": "https://www.nassiben.com/glowworm-attack"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2021-38546", "datePublished": "2021-08-11T15:25:14", "dateReserved": "2021-08-11T00:00:00", "dateUpdated": "2021-08-11T15:25:14", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:creative:pebble_v3_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "1E565B3A-3FCB-4D2B-AC37-ABA364D8EF08", "versionEndIncluding": "2021-08-09", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:creative:pebble_v3:-:*:*:*:*:*:*:*", "matchCriteriaId": "E8767409-148E-4246-A40B-1BD9D730E561", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:creative:pebble_v2_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "119BC769-F03B-4AE0-A094-ABFA1F923018", "versionEndIncluding": "2021-08-09", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:creative:pebble_v2:-:*:*:*:*:*:*:*", "matchCriteriaId": "15F8C419-DAD6-4A16-8280-ADD6B5E88806", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:creative:pebble_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "6A023C59-8688-4A41-9E0A-D225AF6F1C3B", "versionEndIncluding": "2021-08-09", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:creative:pebble:-:*:*:*:*:*:*:*", "matchCriteriaId": "CC2DE286-D887-43E8-9630-871A820CDC8D", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:creative:pebble_plus_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "11F0058A-F8D7-4851-9E8F-7D5A645D27EA", "versionEndIncluding": "2021-08-09", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:creative:pebble_plus:-:*:*:*:*:*:*:*", "matchCriteriaId": "F52F1878-E01A-434B-85A4-5D5A33B03E1D", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "CREATIVE Pebble devices through 2021-08-09 allow remote attackers to recover speech signals from an LED on the device, via a telescope and an electro-optical sensor, aka a \"Glowworm\" attack. The power indicator LED of the speakers is connected directly to the power line, as a result, the intensity of a device's power indicator LED is correlative to the power consumption. The sound played by the speakers affects their power consumption and as a result is also correlative to the light intensity of the LEDs. By analyzing measurements obtained from an electro-optical sensor directed at the power indicator LEDs of the speakers, we can recover the sound played by them."}, {"lang": "es", "value": "Los dispositivos CREATIVE Pebble hasta 09-08-2021, permiten a atacantes remotos recuperar las se\u00f1ales de voz de un LED del dispositivo, por medio de un telescopio y un sensor electro-\u00f3ptico, tambi\u00e9n se conoce como un ataque \"Glowworm\". El LED indicador de potencia de los altavoces est\u00e1 conectado directamente a la l\u00ednea de alimentaci\u00f3n, por lo que la intensidad del LED indicador de potencia de un dispositivo es correlativa al consumo de energ\u00eda. El sonido reproducido por los altavoces afecta a su consumo de energ\u00eda y, en consecuencia, tambi\u00e9n es correlativo a la intensidad luminosa de los LED. Al analizar las medidas obtenidas por un sensor electro-\u00f3ptico dirigido a los LEDs indicadores de potencia de los altavoces, podemos recuperar el sonido reproducido por los mismos"}], "id": "CVE-2021-38546", "lastModified": "2021-08-23T17:46:19.620", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-08-11T16:15:07.313", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.nassiben.com/glowworm-attack"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}