Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
Music Security OS X Operating Systems Privacy Software Windows News Hardware Science Technology

Security Researchers Can Turn Headphones Into Microphones (techcrunch.com) 122

As if we don't already have enough devices that can listen in on our conversations, security researchers at Israel's Ben Gurion University have created malware that will turn your headphones into microphones that can slyly record your conversations. TechCrunch reports: The proof-of-concept, called "Speake(a)r," first turned headphones connected to a PC into microphones and then tested the quality of sound recorded by a microphone vs. headphones on a target PC. In short, the headphones were nearly as good as an unpowered microphone at picking up audio in a room. It essentially "retasks" the RealTek audio codec chip output found in many desktop computers into an input channel. This means you can plug your headphones into a seemingly output-only jack and hackers can still listen in. This isn't a driver fix, either. The embedded chip does not allow users to properly prevent this hack which means your earbuds or nice cans could start picking up conversations instantly. In fact, even if you disable your microphone, a computer with a RealTek chip could still be hacked and exploited without your knowledge. The sound quality, as shown by this chart, is pretty much the same for a dedicated microphone and headphones. The researchers have published a video on YouTube demonstrating how this malware works.
This discussion has been archived. No new comments can be posted.

Security Researchers Can Turn Headphones Into Microphones

Comments Filter:
  • by campuscodi ( 4234297 ) on Thursday November 24, 2016 @08:05AM (#53353933)
    You don't have to be a security researcher to do that. Electrical engineers can do it as well. The point of the article is the privacy and security implications that come from malware that can switch I/O audio jacks using software toggles found in audio drivers and secretly record you while you have your headphones or simple speakers plugged in.
    • Like most transducers speakers and microphones can convert audio signals to electrical signals and vice-verse. This is nothing new I was using speakers as microphones when I was a teenager back in the 80's (God I feel old)
    • by xtsigs ( 2236840 )

      The authors make a point of the fact that they are presenting nothing new with the idea of using speakers as microphones. It also appears that the switches to reverse any input/output are easily manipulated. It doesn't appear there is anything especially new about the article except to point out how easy it is to snoop and how clear the victim's voice is when recorded through speakers.

      The paper also quotes from a declassified 2000 NSA document:

      In addition to being a possible fortuitous conductor of TEMPEST emanations, the speakers in paging, intercom and public address systems can act as microphones and retransmit classified audio discussions out of the controlled area via the signal line distribution. This microphonic problem could also allow audio from higher classified areas to be heard from speakers in lesser classified areas. Ideally. Such systems should not be used. Where deemed vital, the following precautions should be taken in full or in part to lessen the risk of the system becoming an escape medium for NSA.

      If the NSA's concerned about people being able to listen to them

    • Re:Small tidbit (Score:5, Interesting)

      by Big Hairy Ian ( 1155547 ) on Thursday November 24, 2016 @09:20AM (#53354253)
      What would be more interesting is if they'd managed to do this with a PC's built in speaker
      • Very true, or any external speakers...should be possible in theory. Pretty much every laptop has speakers, and same with PC's - my box has a little speaker for the motherboard..kind of spooky when you think about it. (Note that the record quality worsens with the sound quality of the speaker, so one designed to beep and that's all is going to be able to pick up very little.)

        • ... or any external speakers...should be possible in theory ...

          Not "any" external speakers. Powered speakers, (with their own amplifiers between the transducers and the input), won't send any usable signal back to the jack on the computer.

      • The internal PC speaker is a single-bit i/o line without a DAC (digital audio from it is bitbanged 1-bit pwm. Google: RealSound ). Assuming you could read the port all, the audio quality would be really bad since there's no way to quantize sampled pwm. And having at work at all assumes the i/o's data direction register can be changed.

        Basically, this exploit takes advantage of the audio chip's ability to use any line as an input or output, so you can sample stereo and output mono, or output stereo and sample

    • by guruevi ( 827432 )

      It's even a "feature" not a security bug on some computers (especially tiny laptops) to have the same jacks available as both inputs and outputs. I'm fairly the MacBook Pro's with 1 jack can do it and I've seen it done on a custom computer as well.

      I want to be a 'security researcher' and state the obvious.

      • by dbIII ( 701233 )
        Here is one example of how to do it:
        http://www.omgubuntu.co.uk/201... [omgubuntu.co.uk]
        I think the news here is potential malware doing it instead of it being a deliberate choice by the user.
    • Definitely, as teenagers back in the 80s we pulled that off too. Of course, we just did it for the irony, it's not like it was news worthy or anything, just weird.
    • Still the article and security implications are bullshit. If you can get access to installing your malware on the machine, than the physical domain of eavesdropping is irrelevant. It's not like there is a vendor selling TEMPEST secured equipment with headphone jacks but no mics (and that messing with audio drivers would pass). Switching signal direction on jacks has been a standard feature of audio chipsets since the AC'97 standard, it's just that the auto-detection routines in most CODECs would correctl
  • Would it work with amplifier+speakers ?
    • by arielCo ( 995647 )

      Nope, because you can't "retask" an amplifier to sense the voltage at its output and feed it into its input. It only works with passive devices like nonamplified headphones (desktop speakers usually need an amp).

    • by PIBM ( 588930 )

      Actually, it depends on your amplifier.. But a good rule of thumb is that you would be safe. This 'hack' on PCs date back to when voice chats appeared .. since no one had dedicated pc microphone, everyone I knew was using cheap headphones.. And doing this without the user knowledge has been possible for quite a while --- since the input/ouput could be reaffected, which is also too long ago to remember. News, anyone ?

  • by Anonymous Coward

    Real hackers pull this stunt through wireless headphones.

  • A headphone... (Score:5, Informative)

    by hcs_$reboot ( 1536101 ) on Thursday November 24, 2016 @08:17AM (#53353971)
    is a microphone. Both headphones and microphone share the same mechanism (using a voice coil). The microphone is more sensitive (as it generates small alternative current when the sound makes the diaphragm vibrate) ; and headphones do the opposite, its diaphragm vibrates when the device injects positive or negative current. Even a bigger speaker is sensitive enough to act as a microphone.
    • Re:A headphone... (Score:5, Interesting)

      by Kjella ( 173770 ) on Thursday November 24, 2016 @08:54AM (#53354143) Homepage

      Even if you know that, it is far from obvious that there will be a hardware and software interface that'll let you turn an apparent read-only/write-only device into a read/write device. It could have dedicated ports or use fused circuits to set it in a device, the coupling could have had mode indicators or firmware that forced it into headphone or microphone mode. I've never heard of any malware doing it before, so I'd say this is pretty clever.

      And I just got a scary thought, many laptops have built-in speakers that you can't easily disconnect, can they too be reprogrammed as inputs? Even if it doesn't have much reach if you can hear what the person on the laptop is doing talking on the phone or whatever, that could be huge. I mean many headsets have a mic, so if you're worried about anyone listening in you'd have disconnected it anyway, this only adds the capability to pure headphones/earbuds.

      • I just got a scary thought, many laptops have built-in speakers that you can't easily disconnect, can they too be reprogrammed as inputs?

        That depends on the CODEC and how it is used. If it has repurposeable outputs and they use them just for routing convenience because they have more than they need on the device then it's not impossible.

        Not all codecs even have switching onboard, for those you are safe for sure. For the ones that do, it's going to be a case-by-case basis.

        • Is CODEC the right acronym? Do you mean DAC? I know a codec to be the format in which a signal is encoded by software.

          • Codec isn't an acronym. It's short for compressor/decompresser like modem is to modulator/demodulator

          • CODEC isn't correct, no. An audio/video codec is an *algorithm* which operates in the digital realm, converting digital data from uncompressed to compressed format and vice-versa. A codec can be implemented in hardware but is not the hardware itself.

            Ffmpeg is a codec.

      • Even if you know that, it is far from obvious that there will be a hardware and software interface that'll let you turn an apparent read-only/write-only device into a read/write device.

        I think it's a reasonable assumption that few hardware manufacturers have bothered to create a design where electrical signals can be sent to a speaker/headphone jack, but never received. That sounds like the sort of thing that would require more money to build.

        The software interface could/would be provided by the attacker, of course.

        I've never heard of any malware doing it before, so I'd say this is pretty clever.

        Meh. It's not a new idea at all. I had an electronics kit in the 6th grade that came with a little earpiece that functioned as both a speaker and a microphone. There obvious

      • At least for the cards I have had for the last 10 years you have a color for the plug and you can choose *at the moment* you plug in if it should act as headphone, as microphone, it is not set as "in" or "out" you can even switch them around and it sitll work properly. If the driver can chose, then the driver can be misused to switch around and amde believe headphone/loudpseaker are (poor) microphone
      • it is far from obvious that there will be a hardware and software interface that'll let you turn an apparent read-only/write-only device into a read/write device.

        Have you not used a computer in the past 15 years? The vast majority of desktop computers have come with apps to dynamically assign recording / playback outputs to various ports as you see fit. It stands to reason that the underlying hardware has been capable of this since we first started abandoning the Soundblaster.

      • by jez9999 ( 618189 )

        many laptops have built-in speakers that you can't easily disconnect

        Don't they usually come with a MIC you can't easily disconnect?

      • I'm just guessing here, but I would imagine that the speakers may have a small audio amplifier built into the motherboard, but headphones would be driven directly off of the chip. The amplifier would prevent the audio from the speakers going the other direction.

        Cheers

      • FINALLY! I ve been fighting without sound since 2009!!! ALL laptops come with the same defects and no solution since then. I was starting to (learn how to) record double nintendo ds double sessions when puff! BSOD. First ever in laptops. After some two hours waiting for the system to come finish diagmostics, no more recording AT ALL!!!! And since then the same ISSUE in all laptops from win7 to win10: recording does not work. But sometimes it feels like some videos do have a sound signal over them.... someti
    • by Agripa ( 139780 )

      is a microphone. Both headphones and microphone share the same mechanism (using a voice coil). The microphone is more sensitive (as it generates small alternative current when the sound makes the diaphragm vibrate) ; and headphones do the opposite, its diaphragm vibrates when the device injects positive or negative current. Even a bigger speaker is sensitive enough to act as a microphone.

      This is only true for *dynamic microphones* which are tiny voice coil speakers. Most microphones are electret microphones which are a variation of the condender microphone and nothing like speakers but in consumer gear they are increasingly being replaced by MEMS microphones.

  • by tomxor ( 2379126 ) on Thursday November 24, 2016 @08:31AM (#53354025)
    I've noticed it's been possible to retask ports for input output on most sound cards or both for a long time... The smaller the headphone the better it would work as a passive microphone, I thought this was always obvious. This is hardly something that no one ever though of before like air gap hacks.
  • I figured that out when I was 8!

    Slow researchers!

    (In seriousness, its a nice hack. Now excuse me while I put black electrical tape over all my microphones... oh wait...)

  • Does it work on that too if you dont have any other audio?

    • Does it work on that too if you dont have any other audio?

      The short answer is no

      A longer answer is, only if your motherboard speaker is tied not just to the buzzer output, but also to the audio codec, which is outstandingly rare in a PC but not actually unheard of.

      • by swb ( 14022 )

        It may be rare in build your own motherboards, but it's not uncommon in low-end Dell desktops. I see a fair amount of desktops with what sounds like a typical crap beep speaker wired to the sound chip output. The sound quality and volume is poor, but you hear Windows audio out of it.

        I doubt it would make a useful microphone as the audio output quality is poor and its buried inside the noisy PC case, which may be made worse by being a SFF case where its closer to fans or drives.

        • I see a fair amount of desktops with what sounds like a typical crap beep speaker wired to the sound chip output. The sound quality and volume is poor, but you hear Windows audio out of it.

          Yes, in such hardware, I would definitely be concerned about the risk of such an attack.

          I doubt it would make a useful microphone as the audio output quality is poor and its buried inside the noisy PC case, which may be made worse by being a SFF case where its closer to fans or drives.

          Yes, only in the case where the speaker is front-mounted does it seem like it would be possible to get high-quality audio. Then again, with sufficient processing, you might be able to get usable audio, and there's a processor right there.

          I've also recently become aware that the original PC speaker hardware could be used in reverse. How much useful audio you could get through a crap speaker inside a noisy steel box full o

  • Not only do they make bad networking chipsets, their audio chipsets are even worse.

    • Not only do they make bad networking chipsets, their audio chipsets are even worse.

      I'm with you on the rtl eth, but being able to switch inputs in the codec is a feature, not a bug. It enables you to do stuff like plug in a device, answer a question about what it is, and not have to worry about which port is which. It also lets you have multiple inputs or multiple outputs with just two jacks, which would often be useful on a laptop.

      The problem isn't in the hardware, it's in the software.

    • Not only do they make bad networking chipsets, their audio chipsets are even worse.

      What about this is bad design? I see a bug, but I see it in a good design that allows you to dynamically assign I/O where needed be it the back or the front or the riser card or the whatever. Computers have done this for 15 years. Researchers have demonstrated it on one device but I'll bet you a Mars bar that this feature is exploitable across a wide range of vendors, even dedicated Soundcard vendors.

  • This hack won't work on your iPhone 7. Now they can never turn it into a device that can pick up sounds at any time... Oh...

  • Good grief! We were doing this in the early 60s when the carbon microphones in our headsets crapped out. Switching earpeice between ear & mouth gave us half vs full duplex comms too... :)
  • The new iPhone 7 - even more courageous and secure.....

    • The iPhone (yes, even the iPhone 7) already has a built-in microphone. It would be easier to just turn that on and listen, rather than try to do this headphone thing.

      In fact, this whole exploit is becoming increasingly pointless, since all cell phones have a built-in microphone, and so do almost all laptops.
      • by q4Fry ( 1322209 )

        There are some companies [puri.sm] who provide a hardware kill switch to the microphone (grep for "HKS"), but this exploit means that the speakers are also vulnerable.

  • Who needs to hack into anything when we are installing home automation devices like Amazon Alexa Echo and Google Home that stream audio to the cloud. In the case of the Echo its 16bit, 16KHz audio with a sophisticated microphone array that can determine the direction of the conversation. Both Google and Amazon are proud of their voice recognition capabilities.

    How do you know it is only sending audio when you talk to it? Blinking LEDs? See discussion about software control of indicator LEDs.

  • I wonder how soon until they can subvert tin foil hats?
  • put an amplifier or isolator between the jack and the speaker. Security problem gone.
  • Would a diode put a stop to this?
    • by Agripa ( 139780 )

      Would a diode put a stop to this?

      Yes sort of but that is not the way to go about it. Adding a headphone amplifier would neatly solve the problem.

  • So... how can I invoke this deliberately? I would *love* to swap my laptop's line-in/out in software, because one port's never been used and the other is damaged beyond repair.

Chemistry is applied theology. -- Augustus Stanley Owsley III

Working...