Security Researchers Can Turn Headphones Into Microphones (techcrunch.com) 122
As if we don't already have enough devices that can listen in on our conversations, security researchers at Israel's Ben Gurion University have created malware that will turn your headphones into microphones that can slyly record your conversations. TechCrunch reports: The proof-of-concept, called "Speake(a)r," first turned headphones connected to a PC into microphones and then tested the quality of sound recorded by a microphone vs. headphones on a target PC. In short, the headphones were nearly as good as an unpowered microphone at picking up audio in a room. It essentially "retasks" the RealTek audio codec chip output found in many desktop computers into an input channel. This means you can plug your headphones into a seemingly output-only jack and hackers can still listen in. This isn't a driver fix, either. The embedded chip does not allow users to properly prevent this hack which means your earbuds or nice cans could start picking up conversations instantly. In fact, even if you disable your microphone, a computer with a RealTek chip could still be hacked and exploited without your knowledge. The sound quality, as shown by this chart, is pretty much the same for a dedicated microphone and headphones. The researchers have published a video on YouTube demonstrating how this malware works.
Small tidbit (Score:3)
Re: (Score:2)
Re: (Score:3)
his is nothing new I was using speakers as microphones when I was a teenager back in the 80's (God I feel old)
The first time I did this and heard it work, I was so surprised I fell off my dinosaur.
Re: (Score:2)
Which dino(saur)? T-Rex?
Re: (Score:2)
Which dino(saur)? T-Rex?
I think it may have been a Speakersaurus [amoeba.com].
Re: (Score:1)
The news is that this was done with the headphones plugged into the headphone jack, not the microphone jack.
Re: (Score:2)
The authors make a point of the fact that they are presenting nothing new with the idea of using speakers as microphones. It also appears that the switches to reverse any input/output are easily manipulated. It doesn't appear there is anything especially new about the article except to point out how easy it is to snoop and how clear the victim's voice is when recorded through speakers.
The paper also quotes from a declassified 2000 NSA document:
In addition to being a possible fortuitous conductor of TEMPEST emanations, the speakers in paging, intercom and public address systems can act as microphones and retransmit classified audio discussions out of the controlled area via the signal line distribution. This microphonic problem could also allow audio from higher classified areas to be heard from speakers in lesser classified areas. Ideally. Such systems should not be used. Where deemed vital, the following precautions should be taken in full or in part to lessen the risk of the system becoming an escape medium for NSA.
If the NSA's concerned about people being able to listen to them
Re:Small tidbit (Score:5, Interesting)
Re: (Score:2)
Very true, or any external speakers...should be possible in theory. Pretty much every laptop has speakers, and same with PC's - my box has a little speaker for the motherboard..kind of spooky when you think about it. (Note that the record quality worsens with the sound quality of the speaker, so one designed to beep and that's all is going to be able to pick up very little.)
Re: (Score:3)
... or any external speakers...should be possible in theory ...
Not "any" external speakers. Powered speakers, (with their own amplifiers between the transducers and the input), won't send any usable signal back to the jack on the computer.
Re: Small tidbit (Score:2)
The internal PC speaker is a single-bit i/o line without a DAC (digital audio from it is bitbanged 1-bit pwm. Google: RealSound ). Assuming you could read the port all, the audio quality would be really bad since there's no way to quantize sampled pwm. And having at work at all assumes the i/o's data direction register can be changed.
Basically, this exploit takes advantage of the audio chip's ability to use any line as an input or output, so you can sample stereo and output mono, or output stereo and sample
Re: Small tidbit (Score:1)
Most laptops already have a microphone with no hardware on/off switch.
Laptop speakers (just like computer speakers) are powered = amplified. You might reset the speaker line into an input but the amp chip between said audio i/o and speakers will function as one way filter.
Re: (Score:3)
It's even a "feature" not a security bug on some computers (especially tiny laptops) to have the same jacks available as both inputs and outputs. I'm fairly the MacBook Pro's with 1 jack can do it and I've seen it done on a custom computer as well.
I want to be a 'security researcher' and state the obvious.
Re: (Score:3)
For most people, it probably was not obvious that a speaker even had the correct hardware to function as a microphone. I for one had no idea.
It should be apparent if you think about it for a moment. A speaker is a transducer, and almost all transducers work both ways (albeit one mode is usually more efficient than the other). A speaker and a microphone are basically the same thing, just optimized for sound in or sound out.
Stress a piezoelectric chip slightly and you get voltage, apply voltage and it bends slightly.
Apply heat to a thermocouple and you get voltage, apply voltage and it heats up.
Expose a photosensitive chip to light and you get vol
Re:Small tidbit (Score:4, Informative)
> It should be apparent if you think about it for a moment. A speaker is a transducer
Electromechanically, it's apparent. In terms of feedback that can be read by any sensory circuitry on the PC itself, it is not. A headphone or speaker circuit need have no _sensors_ that can be read or recorded by the signal generator. I'm afraid it's the introduction of simple chip solutions, designed to connect different electrical jacks to different programmable signals, and the introduction of A/D circuitry for noise cancellation and microphones that allows the cross connection of what is normally an output circuit to an input circuit.
Such features help reduce costs of circuitry for computer motherboards by providing single well designed, well understood chips for both functions. But it's not a design requirement.
Re: (Score:2)
It seems like any plugin speaker with its own amplifier would mitigate this problem. Am I correct in making this assumption?
Generally speaking, yes.
Re: Small tidbit (Score:2)
Re: (Score:2)
If you remember that picture of Mark Zuckerberg sitting at his laptop, not only was the camera taped over but also the headphone jack. He knew that there was a security problem with the headphone jack that also functioned as an audio input.
The headphone jack on its own can do nothing. It's when you plug in headphones (or speakers) into it that the sound can be recorded.
Re: (Score:2)
http://www.omgubuntu.co.uk/201... [omgubuntu.co.uk]
I think the news here is potential malware doing it instead of it being a deliberate choice by the user.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
amplifier (Score:2)
Re: (Score:2)
Nope, because you can't "retask" an amplifier to sense the voltage at its output and feed it into its input. It only works with passive devices like nonamplified headphones (desktop speakers usually need an amp).
Re: (Score:1)
Actually, it depends on your amplifier.. But a good rule of thumb is that you would be safe. This 'hack' on PCs date back to when voice chats appeared .. since no one had dedicated pc microphone, everyone I knew was using cheap headphones.. And doing this without the user knowledge has been possible for quite a while --- since the input/ouput could be reaffected, which is also too long ago to remember. News, anyone ?
Real hackers (Score:1)
Real hackers pull this stunt through wireless headphones.
A headphone... (Score:5, Informative)
Re:A headphone... (Score:5, Interesting)
Even if you know that, it is far from obvious that there will be a hardware and software interface that'll let you turn an apparent read-only/write-only device into a read/write device. It could have dedicated ports or use fused circuits to set it in a device, the coupling could have had mode indicators or firmware that forced it into headphone or microphone mode. I've never heard of any malware doing it before, so I'd say this is pretty clever.
And I just got a scary thought, many laptops have built-in speakers that you can't easily disconnect, can they too be reprogrammed as inputs? Even if it doesn't have much reach if you can hear what the person on the laptop is doing talking on the phone or whatever, that could be huge. I mean many headsets have a mic, so if you're worried about anyone listening in you'd have disconnected it anyway, this only adds the capability to pure headphones/earbuds.
Re: (Score:2)
I just got a scary thought, many laptops have built-in speakers that you can't easily disconnect, can they too be reprogrammed as inputs?
That depends on the CODEC and how it is used. If it has repurposeable outputs and they use them just for routing convenience because they have more than they need on the device then it's not impossible.
Not all codecs even have switching onboard, for those you are safe for sure. For the ones that do, it's going to be a case-by-case basis.
Re: (Score:2)
Is CODEC the right acronym? Do you mean DAC? I know a codec to be the format in which a signal is encoded by software.
Re: (Score:2)
Codec isn't an acronym. It's short for compressor/decompresser like modem is to modulator/demodulator
Re: (Score:2)
CODEC isn't correct, no. An audio/video codec is an *algorithm* which operates in the digital realm, converting digital data from uncompressed to compressed format and vice-versa. A codec can be implemented in hardware but is not the hardware itself.
Ffmpeg is a codec.
Re: (Score:2)
That's what I was thinking. But if so, I'm wondering what component specifically the parent is referring to, apart from it being just "the audio chip". IS there a specific term?
Re: (Score:2)
It is correct: https://en.wikipedia.org/wiki/... [wikipedia.org]
Re: (Score:2)
Even if you know that, it is far from obvious that there will be a hardware and software interface that'll let you turn an apparent read-only/write-only device into a read/write device.
I think it's a reasonable assumption that few hardware manufacturers have bothered to create a design where electrical signals can be sent to a speaker/headphone jack, but never received. That sounds like the sort of thing that would require more money to build.
The software interface could/would be provided by the attacker, of course.
I've never heard of any malware doing it before, so I'd say this is pretty clever.
Meh. It's not a new idea at all. I had an electronics kit in the 6th grade that came with a little earpiece that functioned as both a speaker and a microphone. There obvious
Most plug allow both in and out (Score:2)
Re: (Score:3)
it is far from obvious that there will be a hardware and software interface that'll let you turn an apparent read-only/write-only device into a read/write device.
Have you not used a computer in the past 15 years? The vast majority of desktop computers have come with apps to dynamically assign recording / playback outputs to various ports as you see fit. It stands to reason that the underlying hardware has been capable of this since we first started abandoning the Soundblaster.
Re: (Score:2)
many laptops have built-in speakers that you can't easily disconnect
Don't they usually come with a MIC you can't easily disconnect?
Re: (Score:2)
I'm just guessing here, but I would imagine that the speakers may have a small audio amplifier built into the motherboard, but headphones would be driven directly off of the chip. The amplifier would prevent the audio from the speakers going the other direction.
Cheers
Re: (Score:1)
Re: (Score:2)
is a microphone. Both headphones and microphone share the same mechanism (using a voice coil). The microphone is more sensitive (as it generates small alternative current when the sound makes the diaphragm vibrate) ; and headphones do the opposite, its diaphragm vibrates when the device injects positive or negative current. Even a bigger speaker is sensitive enough to act as a microphone.
This is only true for *dynamic microphones* which are tiny voice coil speakers. Most microphones are electret microphones which are a variation of the condender microphone and nothing like speakers but in consumer gear they are increasingly being replaced by MEMS microphones.
Re: (Score:2)
The hardware allows it and has since WAY BACK (Like Sound Blaster Live using kX drivers you could route anything anywhere.)
And with things like the newer Windows Sound System (Win7+) you can now surreptitiously and maliciously make it so that your malware can listen in on a specific program. You couldn't do that in XP, as XP didn't have per-program audio control.
Hasn't this always been the case (Score:5, Interesting)
Phbbt (Score:2)
I figured that out when I was 8!
Slow researchers!
(In seriousness, its a nice hack. Now excuse me while I put black electrical tape over all my microphones... oh wait...)
What about the motherboard speaker? (Score:2)
Does it work on that too if you dont have any other audio?
Re: (Score:3)
Does it work on that too if you dont have any other audio?
The short answer is no
A longer answer is, only if your motherboard speaker is tied not just to the buzzer output, but also to the audio codec, which is outstandingly rare in a PC but not actually unheard of.
Re: (Score:2)
It may be rare in build your own motherboards, but it's not uncommon in low-end Dell desktops. I see a fair amount of desktops with what sounds like a typical crap beep speaker wired to the sound chip output. The sound quality and volume is poor, but you hear Windows audio out of it.
I doubt it would make a useful microphone as the audio output quality is poor and its buried inside the noisy PC case, which may be made worse by being a SFF case where its closer to fans or drives.
Re: (Score:2)
I see a fair amount of desktops with what sounds like a typical crap beep speaker wired to the sound chip output. The sound quality and volume is poor, but you hear Windows audio out of it.
Yes, in such hardware, I would definitely be concerned about the risk of such an attack.
I doubt it would make a useful microphone as the audio output quality is poor and its buried inside the noisy PC case, which may be made worse by being a SFF case where its closer to fans or drives.
Yes, only in the case where the speaker is front-mounted does it seem like it would be possible to get high-quality audio. Then again, with sufficient processing, you might be able to get usable audio, and there's a processor right there.
I've also recently become aware that the original PC speaker hardware could be used in reverse. How much useful audio you could get through a crap speaker inside a noisy steel box full o
Re: (Score:2)
If you need a whole audio codec to run the PC speaker, how do you get POST beeps to decode when you're having a problem? Or is the expectation that you just buy a new one when that happens?
Either the BIOS knows how to make that happen, or (more likely) the codec isn't the only thing connected to the speaker.
Realtek's bad design strikes again. (Score:2)
Not only do they make bad networking chipsets, their audio chipsets are even worse.
Feature, not a bug (Score:3)
Not only do they make bad networking chipsets, their audio chipsets are even worse.
I'm with you on the rtl eth, but being able to switch inputs in the codec is a feature, not a bug. It enables you to do stuff like plug in a device, answer a question about what it is, and not have to worry about which port is which. It also lets you have multiple inputs or multiple outputs with just two jacks, which would often be useful on a laptop.
The problem isn't in the hardware, it's in the software.
Re: (Score:2)
Not only do they make bad networking chipsets, their audio chipsets are even worse.
What about this is bad design? I see a bug, but I see it in a good design that allows you to dynamically assign I/O where needed be it the back or the front or the riser card or the whatever. Computers have done this for 15 years. Researchers have demonstrated it on one device but I'll bet you a Mars bar that this feature is exploitable across a wide range of vendors, even dedicated Soundcard vendors.
So Apple did something right (Score:1)
This hack won't work on your iPhone 7. Now they can never turn it into a device that can pick up sounds at any time... Oh...
Everything old is new again... (Score:1)
Re: (Score:2)
Re: (Score:2)
In fact, this whole exploit is becoming increasingly pointless, since all cell phones have a built-in microphone, and so do almost all laptops.
Re: (Score:2)
There are some companies [puri.sm] who provide a hardware kill switch to the microphone (grep for "HKS"), but this exploit means that the speakers are also vulnerable.
Home automation is better at sending data to cloud (Score:2)
Who needs to hack into anything when we are installing home automation devices like Amazon Alexa Echo and Google Home that stream audio to the cloud. In the case of the Echo its 16bit, 16KHz audio with a sophisticated microphone array that can determine the direction of the conversation. Both Google and Amazon are proud of their voice recognition capabilities.
How do you know it is only sending audio when you talk to it? Blinking LEDs? See discussion about software control of indicator LEDs.
Tinfoil hat subversion (Score:1)
OK. So... (Score:2)
Prevention (Score:1)
Re: (Score:2)
Would a diode put a stop to this?
Yes sort of but that is not the way to go about it. Adding a headphone amplifier would neatly solve the problem.
Feature, not a bug (Score:1)
So... how can I invoke this deliberately? I would *love* to swap my laptop's line-in/out in software, because one port's never been used and the other is damaged beyond repair.
Re: (Score:2)
Works as well, just needs a lot of DSP after to correct.
Re: (Score:2)
Yes. Plasma speakers may be a bit harder to hack though...