Schneier on Security

A CdS cell is a photoresistive device, so I'm a bit surprised that it drove the soundcard input without a battery in series. A small silicon solar cell might work better with some amplifiers. The laptop sound input obviously works, but a little microcassette or digital voice recorder would be handier. Professional laser sound pickups use infrared, but that's harder to set up.

I'm surprised a CdS cell has the response frequency to pick up sound worth a damn. There's also the question of where you even find one these days - they're pretty obscure now. What's wrong with a photodiode?

Hmm, I'd always assumed that these things used an interferometer and counted wavefronts, but from the discussion here it sounds like it's a much simpler arrangement.

Most Dusk-to-dawn lights have a CDS cell. Easy to harvest from a broken light.

This is as to an actual laser listener (vibrometer) as two cups w/ a string is to the telco network.

Paul:
Actually, an interferometer is used with a frequency shifted reference and a superhetrodyne style demodulator(in software). See:
http://www.metrolaserinc.com/vibrometLR.htm
nextgen systems have a bit of range as well:
http://www.dodsbir.net/SITIS/...

This is hoax. There's no way to make such device without quality optics, IR laser and amplifier with noise filter.
It's a real shame that Bruce post such bullshit.

Yosi:
It'll work. Just under ridiculously favorable conditions. Essentially the windowpane is a mirror diaphragm, sound causes the beam to be interrupted. line it up correctly and it works, but is very noisy.

@monopole:
It will not.
* The "line it up correctly" is near impossible to do on > 1-2 meter distance.
* "very noisy" means you need amplifier AND filter or noise will be only thing you'll hear
Few words about "ridiculously favorable conditions": in theory there's no difference between practice and theory, in practice - there is.

This was actually my senior project in college. We built a multistage amplifier with a phototransistor (we built our own with a MOSFET and a photodiode). We had several red HeNe lasers so we stuck to the visible spectrum.
We bounced the laser off a pane of glass which created a dual reflection (one off each side of the glass) and a distinct fringe pattern (light and dark stripes). By placing the receiver on the edge of one of the fringes, the vibration of the glass caused a large swing in light intensity. This created a large variance in voltage at the photostransistor.
Overall the sound quality was great. We used it across a large room with a pane of glass about 8 inches by 6 inches and off a 4 foot by 4 foot window. It was able to reproduce both music and speech (I used my DS and played the Mario theme song).
If you want Yosi, I can dig up my senior project report and send it to you. High quality optics are not needed.

@Anonymous:
We tested ours out by bouncing it at an angle off the EE teachers' lounge window at the end of a long hallway, through a doorway into one of our labs, and across that room. Total distance was about 90 feet (we measured to get divergence and such). The sound quality wasn't great (the fringes were dim, but that could be fixed by getting a less divergent laser), but it did work.

Remember this is NOT a toy. Do not listen directly into the sound or you will go deaf...

I think I'm going to build one, just for the fun of it. I would, however, use an IR laser (like, from a CD player or better yet, a CD burner) so it's a little more stealthy than a bright red laser shining into a room. Alignment shouldn't be much more complicated, as even a cellphone camera will clearly show the IR laser dot.
I would think the laser should aligned with the edge of the phototransistor, so the surface of the dot in the transistor changes with the vibration of the window. A variable resistor in series with the normal current limiting resistor of the laser would be usefull as brightness control, to prevent the laser from saturating the phototransistor or even destroying it.

I remember some news coverage a few years ago about how the Sistine Chapel had to be equipped with systems to foil these sorts of laser listening systems when the cardinals were choosing the new Pope.

If you do it with IR, you'll need to use IR optical components. These aren't just your Uncle Jimbob's old rifle sight. Normal glass doesn't have the same behaviour at IR as it does in the visible and anything more than a simple lens (i.e. a telescope) is going to need re-jigging to use it.

(OK, scratch that. Half of you lot probably have Uncle Jimbobs who fill their sight bottle up with LN2 before going out hunting deer / cityfolks in pitch darkness.)

@Milan

I thought heavy curtains in front of of the window is enough to reduce the vibrations on the window to an "indistinguishable from background noise" level.

@Andy Dingley: The IR laser operates at a wavelength only just outside of our visible range, meaning, near infrared. Most lenses and such, especially glass ones, act pretty much the same at that wavelength like they do with visible red light. Besides, you probably don't need any optics on the receiving side, just on the sending side to get a nice beam. You would probably need some more advanced optics if you want to get better sound quality or a longer range.

Ofcourse, when adjusting the optics, you have the use the IR beam, you can't just substitute a visual light source and expect the IR to be in focus when you swap it back. In that respect, you are absolutely right.

The CdS photocell works because a computer's mic jack has a power source with several k-ohms of series resistance. See this URL.

http://www.epanorama.net/circuits/...

So when the guy in the video solders both wires to one side of the photocell, he's setting up a voltage divider with the "phantom power" source, where one side is the photocell. When its resistance varies, that impresses an AC voltage on the mic input line, the other wire.

Many mic inputs are sensitive down to microvolts, and are low-noise, so I see nothing here that makes me think it's fake or a hoax.

Sparky: laser diodes are not like LEDs. You cannot use a simple series resistor to control a laser diode the way you would an LED, and if you try, you'll destroy the laser in less than a microsecond.

First of all there's a minimum brightness below which the diode will not operate as a laser at all. Below that threshold you actually could treat it as an LED, but it wouldn't be much use. When the current gets to be enough, the diode suddenly switches on and becomes much brighter. At that point its temperature starts to rise, its effective resistance drops with increasing temperature, its brightness increases *exponentially* with current, and its rate of temperature increase increases with brightness. Very quickly it draws more and more current faster and faster. BLAM! You just destroyed the diode.

To operate a diode laser without destroying it you need to make it part of a feedback loop with a bandwidth of at least a couple megahertz, using the optical-feedback sensor that's normally built into the laser diode package, to automatically adjust the current to keep the optical output at the level you want, while taking precautions against startup transients. That's how laser pointers work. There's a fairly narrow range of levels it can operate at - too low and the diode won't lase at all, too high and it will blow up.

If you want a real brightness control a series resistor won't work; you need to go to pulse-width modulation, but that'll have serious problems too in this application. You'd need to modulate at a significantly higher frequency than the audio, and the diode's capacitance may not permit that.

The issue of having a minimum brightness level is actually general to all lasers because of the way lasers work - something like a HeNe would be harder to destroy than a semiconductor laser diode, but equally impossible to throttle down. Better to run the output through an attenuator instead.

(note: I don't have a whole lot of experience with lasers / laser diodes, so I could very well be wrong here)

@Matthew Skala: You are, technically, correct.

However, if you don't need the full power from the laser (IIRC, the laser from a CD burner has a maximum output of about 5mW), I'd think you can use a fixed series resistor that prevents more than the maximum allowable current to flow, even if the diode would have zero resistance.

As I understand, a laser diode usually doesn't break down because of an over current or over temperature, but because the cavity mirror breaks down. I'd think this also happens when you use a duty cycle (pulse-width modulated) control.

How about a simple FET based current controller?

The point being: if you're building one of these devices to actually use instead of just out of curiosity, you can't really use a red laser pointer because it's far to obvious.

Sparky,

There are chips that do the whole laser driver thing. Tear apart a laser pointer and look. Feed it a variable supply voltage and you'll see it come on dimly, then increase to a max.

If you're hacking, get the chip from the CD burner, or use the whole subassembly. If you're more daring, transplant the diode from a burner to the circuit inside a laser pointer.

Or find the article about the guy who pulled a diode from a DVD burner and put it in a flashlight. He pops balloons with it.

Really, if you're just hacking, there are plenty of others who've done it before and posted articles or videos on it. Google is your friend.

Just limiting the current won't work because the minimum current that works (on a cold diode) is more than the maximum safe current (on a warm diode). You need a feedback loop that will sense how the diode is behaving and adjust the current to suit it. However, as Anonymous says, it's not hard to get that closed loop working. Some laser pointers are pulsed, but a lot aren't, and you can either buy, or rip from an unpulsed laser pointer, a module with the feedback controller built right in that'll produce a nice clean continuous beam.

My point about pulse width modulation was assuming you wanted an amount of visible light less than the minimum the laser could put out on a continuous basis. It's true that pulsing it wouldn't allow any more power during the peaks, because the diode would run away too fast, but I didn't think that was what we were talking about. You would still need a feedback loop to keep the diode from blowing up. (There were older-style laser diodes that *only* worked in pulses, because the threshold current was on the order of 25 amps and they'd die if they got that for more than a few nanoseconds at a time. Those were a real pain.)

Anyway, I'm not convinced that lowering the power level is all that important anyway. The beam from an ordinary laser pointer isn't visible as it passes through the air; only when you intercept it with an object. In a covert application, I think a laser pointer's beam is going to be about as stealthy as a visible-light laser can be and still work. An infrared laser is probably a better idea.

Knowler Longcloak: you can very easily test your "heavy curtain" theory. Stand outside an open window with no curtains, and have someone inside the room speak at a conversation tone. Draw the curtains and have the speaker talk. Determine if you hear any difference.

(hint: you won't).

I remember reading a how-to article very similar to this one in an electronics hobbyist magazine in the early '90s. Of course, it was a HeNe gas laser then, but otherwise similar.

I think there are a couple of different ways to make a laser listener work. ouphie's scheme, doing interferometry between the front and back reflections from the glass, is one. (Interferometry between two panes in a double-glazed window might be even more effective!) I've read articles that suggest doing interferometry between the glass and a local mirror at the listener, but it seems like that would introduce lots of noise from vibration on the listener's end, air currents between the two, etc. The other major approach is to detect the deflection of the returned beam as the window glass flexes— this is easier to conceptualize but I wonder how well it works.

Matthew Skala: A series resistor will work nicely. Been there, done that, with milliwatt-class red lasers. The diode should not be run at its full nominal power, though, due to thermal instabilities; just a bit beyond the lasing threshold. Probably the newer (or low-power) diodes behave better here so it worked for me. Also a stabilized voltage power is required. There are also simple stabilized current power supplies with a LM317, which will do the job as well. Some possibilities are described in the Sam's Laser FAQ. More complicated circuits use the integrated feedback photodiode, stabilizing the laser output power instead of merely the current.

Regarding failures, the most common failure mode of laser LEDs, according to what I heard, is catastrophical optical damage - melting of the resonator mirrors. Very short time is enough for that, so spikes have to be prevented even on power-on.

@Shad: that's what I understand, too, that they usually fail because of damage to the mirrors.

Countering this thread seems quite
straightforward; a small speaker, in contact with the window, producing some random (unpredictable) noise could completely drown out the signal.

A very sophisticated attacker could still use multiple laser microphone devices to get measurements from several points on the window and use some (non-trivial) sound processing to block the noise. At least the bar is raised a whole lot.

@sparky
you would need a speaker for every glass part of each window. How long will the occupant stand the background noise ?
Closing the blinds/shutters or neutralising the reflectivity of the window is way simpler and less intrusive in my opinion.

Anyway the device shown in the video isn't practical to use but in a few situations : when you are at the same height and almost perpendicular with the window glass. At wider angles you would need to calculate the laser location in function of your (fixed) receiver, and often putting the laser (and hide it) at that location is going to be hard in any urban area.

@1,
I read many years ago that the CIA has installed white noise generators to oscillate the glass in sensitive offices (embassies, etc.) to foil this exact attack.

White noise isn't as offensive to humans as you think (you can purchase "relaxing sounds of surf" generators on line from places like Schnarper Image,) but generating true white noise useful for this application is more difficult than it seems -- it's the random number problem again. If a defender was to simply pump Muzak into the glass, the attacker would only have to subtract the Muzak from his signal and would still have access to the original sounds. To be effective in this application, the noise has to be truly random. Cheap solutions such as playing static from a radio tuned between stations would probably suffice for the average home user attempting to foil local authorities, but can (theoretically) be tuned and reversed by a sufficiently determined attacker.

"Cheap solutions such as playing static from a radio tuned between stations would probably suffice for the average home user attempting to foil local authorities, but can (theoretically) be tuned and reversed by a sufficiently determined attacker."

Or the attacker can just set up his own radio transmitter broadcasting his own special brand of "white noise" on the "empty" frequency, then subtract that known pseudo-random value from the observed audio signal.

"Anyway the device shown in the video isn't practical to use but in a few situations : when you are at the same height and almost perpendicular with the window glass. At wider angles you would need to calculate the laser location in function of your (fixed) receiver, and often putting the laser (and hide it) at that location is going to be hard in any urban area."

Easier to surreptitiously attach a microscopic corner reflector to the window, target that with the laser.

Sparky: Piezoelectric transducers glued to the windowpanes and fed from a noise generator are a fairly standard thing these days.

I'm an old engineer, electronic type. Inspired by the balloon popping guy, I took the big red laser diode out of an old DVD burner and hooked it up to a bench supply. I did NOT see the flakey behavior mentioned above -- no fast runaway at all. I used an 8 ohm 2W series resistor (and set the current limit on the supply, which was never reached). Below a certain voltage, it didn't lase. Above that voltage, it did. As it heated up it SLOWLY started drawing more current, just like say, a 1n4007 (or any other semiconductor junction) forward biased would, as it heated up.

Maybe I got lucky? Maybe someone else is just misinformed.

Why guess when you can KNOW? ( a mantra for a company I own ) Here's the test results, which I just now took for y'all:

Glow threshold: 1.7v into the series R, 1.654v measured across the diode. PS current meter doesn't read below 10 ma, so said zero.

Lase threshold:
2.8v into the series R, 2.193 at diode, 60 or 70 ma. Threshold is there, but is "soft". Brightness goes up very fast from here on.
No change in current or volts in 5 minutes.
4 digit meter on volts.

Top power (actually, I don't know what the top power is, but this is VERY bright).
3.8v into the series R, 2.521 at diode, 150ma. This warms things, and after 30 seconds (no heatsinks at all) the diode forward volts have dropped to 2.516 -- miniscule, and about in proportion to what a normal diode would do under the circumstances.

All that stuff about needing super fast feedback and such is perhaps intended to sell you things you may not need for your application by people who only care about money or are simply misinformed.

I doubt the guy is getting away with hooking diodes directly across large batteries for long, though -- the IV curve on these is as steep as any semiconductor junction. But no steeper.

Optics on the reciever may help...depends on if you're looking at fringes (which would only change with glass thickness???) or simple deflection. In the later case, more light gathering is surely helpful.

The difference between focus at 680nm and 1060 (1.06 micron) is something I'm dealing with here with an ND:YAG laser. It is very significant for some types of lens glasses, reflecting the almost an octave difference in those frequencies (sorry about the pun). The whole visual range is only a little bigger than that, and it is no small trick to make an achromat across that range. Focus will change quite a lot in all but the most purpose designed lenses for this. Again, I tested -- why guess? Focal length needed to bring laser pointer (fired through the ND:YAG rod) to a dot is definately nowhere near equal to that for the big laser (measured by the hole it makes in the target -- @60joules -- output -- in 1ms or so, fun! 1500 j in to get the 60 out). So my jig that aims with the visible laser needs a calibrated focus offset to put in before the big shot.

why do you need the modulate?

@Ouphie : I'd be very interested in seeing your project report, would you mind sending it to me ?

I that's not too much trouble that would really help me with my research!

Thanks

Wouldn't a cheap radar detector that sports "Laser" detection Foil any attempt?

I for one.. would rather LIKE TO KNOW if somebody is firing a laser at my window.

Instead of Jamming.. why not Detect?

The technique that is far superior is laser Doppler Vibrometry. See www.polytec.com
This is extremely sensitive and can pick up sub-nanometer vibrations from long distances (over 10 meters)....

....I suggest contacting the people at Polytec if you are serious about doing this.

Otherwise, have fun hacking apart laser diodes