Slashdot Mirror

← Back to Stories (view on slashdot.org)

Researcher Turns HDD Into Rudimentary Microphone (bleepingcomputer.com)

Posted by BeauHD on from the inside-voices dept.

An anonymous reader writes from Bleeping Computer: Speaking at a security conference, researcher Alfredo Ortega has revealed that you can use your hard disk drive (HDD) as a rudimentary microphone to pick up nearby sounds. This is possible because of how hard drives are designed to work. Sounds or nearby vibrations are nothing more than mechanical waves that cause HDD platters to vibrate. By design, a hard drive cannot read or write information to an HDD platter that moves under vibrations, so the hard drive must wait for the oscillation to stop before carrying out any actions. Because modern operating systems come with utilities that measure HDD operations up to nanosecond accuracy, Ortega realized that he could use these tools to measure delays in HDD operations. The longer the delay, the louder the sound or the intense the vibration that causes it. These read-write delays allowed the researcher to reconstruct sound or vibration waves picked up by the HDD platters. A video demo is here.

"It's not accurate yet to pick up conversations," Ortega told Bleeping Computer in a private conversation. "However, there is research that can recover voice data from very low-quality signals using pattern recognition. I didn't have time to replicate the pattern-recognition portion of that research into mine. However, it's certainly applicable." Furthermore, the researcher also used sound to attack hard drives. Ortega played a 130Hz tone to make an HDD stop responding to commands. "The Linux kernel disconnected it entirely after 120 seconds," he said. There's a video of this demo on YouTube.

34 of 65 comments (clear)

  1. 130hz tone sample :) by dizzy8578 · · Score: 1

    https://www.youtube.com/watch?...

    --
    *"Cogito Ergo Liberalis"*
    1. Re:130hz tone sample :) by omnichad · · Score: 1

      Nyquist theorem? I know neither YouTube not my speakers have what it takes.

  2. Don't shout at your JBOD! by djsmiley · · Score: 2

    Remember: NEVER SHOUT AT YOUR JBOD!.

    It's not yelling, if it's yelling?

    --
    - http://www.milkme.co.uk
  3. This is pretty old and well-known by gweihir · · Score: 4, Insightful

    The original finding from 2008 is here:

                    https://www.youtube.com/watch?...

    No idea why anybody thinks this is worth a talk now.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    1. Re:This is pretty old and well-known by rmdingler · · Score: 1

      Yes. A startling departure from the cutting edge news source we've come to expect here at the Slashdot.

      /. --downright old (by internet standards) and pretty well-known.

      --
      Happiness in intelligent people is the rarest thing I know.

      Ernest Hemingway

  4. Re:Idiot by gx5000 · · Score: 1

    Thank you.

    --
    End of Line.
  5. Before you go on a "spy on anyone" rant... by IGnatius+T+Foobar · · Score: 4, Insightful

    Before all the silly conversations begin about "omg anyone's computer can be turned into an eavesdropping device!!!1" ... remember that if you can compromise a computer to the point where you can make low-level manipulations to the hard disk ... you can also simply turn on the microphone.

    --
    Tired of FB/Google censorship? Visit UNCENSORED!
    1. Re:Before you go on a "spy on anyone" rant... by cachimaster · · Score: 4, Informative

      God damn, nobody read the article anymore?

      No, you don't need low-level manipulations to the hard disk, you only need to read a file, a low-privileged operation. Also, you can do it in servers that don't usually have a microphone.

    2. Re:Before you go on a "spy on anyone" rant... by bsDaemon · · Score: 1

      My laptop doesn't have a microphone or camera specifically so that they aren't physically there for anyone to compromise. The OS and most of my apps live on NVMe. There is a 2TB disk in there, though. So if someone can implant malware that could monitor disk latency caused by vibrations and then reconstruct, to some degree, ambient audio, up to and including conversation then... i guess it means that I have an excuse to upgrade that disk to an SSD and justify it as a surveillance countermeasure. (even though this seems unreliable).

    3. Re:Before you go on a "spy on anyone" rant... by Junta · · Score: 2

      The server would just hear a lot of fan noise in the vast majority of cases. It is rare for a human to even be around disks for conversation.

      In a slightly more interesting thing, you could make an out-of-band communication method, induce noise (through disk accesses but more likely fan responses) and measure noise using HDD, of course it's hard to imagine getting that much access to two distinct systems and being so desparate as to communicate this way.

      --
      XML is like violence. If it doesn't solve the problem, use more.
    4. Re:Before you go on a "spy on anyone" rant... by Bing+Tsher+E · · Score: 1

      You only need to read a file, in such a fashion that you can monitor and record low level artifacts of the file reading process.

      Wow. I bet there's a driver for that built right into the Linux kernel. One that requires no privilege escalation to access.

      Geez, get a clue. Junk science wants it's junk back.

    5. Re:Before you go on a "spy on anyone" rant... by cachimaster · · Score: 1

      You can try it yourself. There's a link to the repo in TFA.

    6. Re:Before you go on a "spy on anyone" rant... by JaredOfEuropa · · Score: 1

      God damn, nobody read the article anymore?

      You should know better by now...

      --
      If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
    7. Re:Before you go on a "spy on anyone" rant... by bws111 · · Score: 1

      Yeah, and the very first thing that code does is open /dev/sda in read mode. How poorly must you have your system configured that a regular user can do that?

    8. Re:Before you go on a "spy on anyone" rant... by phorm · · Score: 1

      Well, a lot of distros put the primary user(s) a group that allows access to external/plugabble storage devices, which would also include external hard drives.

    9. Re:Before you go on a "spy on anyone" rant... by bws111 · · Score: 1

      It is not reading 'a file'. It is reading the DISK. In any sane setup, and especially on servers, regular users can not access the disk. It is in no way a 'low privilege operation'.

    10. Re:Before you go on a "spy on anyone" rant... by Gr8Apes · · Score: 1

      SSDs.

      --
      The cesspool just got a check and balance.
    11. Re:Before you go on a "spy on anyone" rant... by Gr8Apes · · Score: 1

      Well damnit - it doesn't work on my SSD.

      --
      The cesspool just got a check and balance.
  6. Re:Idiot by Anonymous Coward · · Score: 1

    I'm sure some nice men from the TLAs are now queuing outside his place offering money and facilities for him to conduct this 'further research' that you diss. One day headlines will say that terrorists have been caught using HDD sound recording technology.

  7. Re:Idiot by cachimaster · · Score: 4, Interesting

    I'm the original author.
    First, you are kind of rude for calling me idiot, specially if you didn't even read the friendly article.

    Second, have you even looked at the video? no, the disk don't "temporarily park". The delay is proportional to the vibration amplitude, mean you can sense sound volume at a low rate. Sample rate is about 50 hz, it can't reconstruct a kHz signal but voice is in the ~300 Hz, and you don't need to reconstruct the complete signal to recognize it. You don't need to recognize a conversation, you need to recognize the patterns that the conversation causes. In the original article I proved a link to a research do does exactly that with the gyroscopes in mobile devices.

  8. Great, but by 93+Escort+Wagon · · Score: 2

    Let me know when you can do the same thing with a microwave oven.

    --
    #DeleteChrome
  9. Re:Idiot by Lobachevsky · · Score: 5, Interesting

    I would like to apologize on behalf of people with dismissive attitudes. It is a real problem not just with anonymous posts, but even at the workplace, especially among "half-technical" people, who are are smart enough to understand jargon and comment but not enough to understand a reasoned argument. I've seen countless times where someone will quote from stackoverflow or some other source out-of-context, and several times where the source itself they quote from is utterly wrong to begin without even in-context. I might prove something with complex numbers, and they'll just quote someone saying you can't take a square root of negative numbers. Even after I convince them, they'll just laugh saying Intel cpus don't support complex numbers, and I have to show them the Intel cpu spec for hardware acceleration of complex numbers (and even without hardware support, it can be easily emulated in software). I've learned to stop trying, half-technical people are impediments to innovations.

    Now, after that apology is done, I would like to bring up some academic research that may relate to your study of signal processing. There was some research done a while back (early 2000s, I think), that found that keyboard keystrokes leaked information on electricity draw. And even though they could not directly tell which key was hit, they were able to apply a model of qwerty keystroke cadence, since people tend to be faster or slower with keystrokes depending on the sequence of keys. Applying that model with a roughly 60Hz electrical tap, they were able to successfully reconstruct full text input at a 90% confidence. Because the model relied heavily on predictive modeling, it is not good for high-entropy signals like 8-character passwords, but it is excellent for low-entropy signals like a legal memo with several paragraphs explaining one point. You also mentioned a study directly applying to low SNR audio, for speech. However, I wonder if the vibrations for keystrokes are enough to disrupt HDD latency, and if so, a bivariate model using both HDD signal and electricity signal may yield a far superior reconstruction than electricity on its own, especially since the two 60Hz signals are likely out-of-phase. My 2 cents.

  10. Re:Idiot by cachimaster · · Score: 4, Interesting

    > I've learned to stop trying, half-technical people are impediments to innovations.

    It's the internet. They are assholes, you just have to have thick skin :)

    > I wonder if the vibrations for keystrokes are enough to disrupt HDD latency

    Yes, they do. I saw it myself, the HDD is much more sensitive to vibrations transmitted by the chassis than sound. You might be onto something great here. I will quote you if I ever do something like this in the future.

  11. Re:Idiot by Doctor+Memory · · Score: 1

    They already have his research, and plenty of smart people in their own labs. No further work by the original researcher needed for their purposes.

    --
    Just junk food for thought...
  12. Re:Idiot by Lobachevsky · · Score: 1

    This is the BlackHat pdf / powerpoint from 2009, by Andrea Barisani and Daniele Bianco, titled "Side Channel Attacks Using Optical Sampling Of Mechanical Energy and Power Line Leakage": https://www.blackhat.com/prese...

    It appears it less about predictive modeling regarding cadence of keystrokes and more about the data cable itself being poorly shielded and leaking onto the +5V and GND power cables.

    I still think a multivariate model using multiple low-SNR signals can be quite useful even if no univariate model of a single low-SNR signal has enough fidelity to reconstruct conversations or keystrokes. Speaking of which, how orthogonal are the signals from different HDDs in a JBOD? Will signals from 12 HDDs in the room provide sufficient signal strength for a multivariate model? If you're able to sample at 60Hz, speed of sound moves 5 meters in 1/60th of a second, so HDDs separated by 2.5m should provide considerable phase-shift. Even at 1m separation, the signals should be fairly orthogonal, and having 12 HDDs at varying distances from the audio source should give you nearly 10x the sampling frequency.

  13. Re:Idiot by cachimaster · · Score: 1

    Hey I remember your project. Or something similar. You needed like 8 SDRs right? it's basically a radar. It was great.

    Hey, it's research, not engineering. Our work is to prove that it's possible, engineers work is to make it practical.

  14. Re:Idiot by Lobachevsky · · Score: 1

    Regarding multi-variate / multi-signal modeling, LIGO used the same approach to successfully detect gravitational waves. They used multiple low-SNR signals from different detectors (Washington State and Louisiana) since their noise is highly orthogonal and the signal is highly correlated with the correct phase-shift applied (solve for phase-shift using SSE minimization, then extract a high-SNR signal from the newly aligned signals). Some similar approach with multiple HDDs may work if the noise is less about ambient room noise and more about internal HDD initial-head location, other HDD geometric properties, and OS reporting error due to jiffies and NMIs (these are the sort of noise that should be very non-correlated / orthogonal across multiple HDD/CPU sources).

  15. Re:Myopic. by Junta · · Score: 1

    The practicality of any sort of potential vulnerability must be considered. In a datacenter, even a human ear can generally not hear things. While someone will say 'well I tore my laptop apart and tore out the microphones and still have a spinning disk', this is a vanishingly small portion of the userbase.

    --
    XML is like violence. If it doesn't solve the problem, use more.
  16. Re:Myopic. by cachimaster · · Score: 1

    You can make this work even if you are inside a VM on your notebook. In fact, I did the whole talk while listening sound from inside a virtualbox VM, with no access to the physical mic.

  17. Re:Myopic. by bws111 · · Score: 1

    You mean inside a VM that just happens to have a real (not emulated) disk dedicated to it, and with user priviliges that allow direct access to said disk (IOW, root), right? And with both guest and host being very lightly loaded so little details like task switches don't complely hose your timing.

  18. Re:130Hz failure -- article contains very little i by cachimaster · · Score: 1

    Hey anonymous,

    Heres the complete kernel log of one of my test. HDD disconnect starts at line 156. Maybe it helps you.

    https://pastebin.com/K22qc2Ju

    Regards,

    Alfred

  19. Re:130Hz failure -- article contains very little i by cachimaster · · Score: 1

    You provide great information. For the complete paper I might use some of it, for example I didn't look at the smart parameters but they might provide some info.

    BTW the firmware just completely blocks, as you can see in the video, it doesn't even answer the hdparm -I. But in my tests, I was also accessing the HDD constantly (this is to draw the delay graph showing above in the video) so it might be that a read() comand is queued and blocks, waiting for vibrations to stops, and it blocks all other commands being sent to the HDD.

    Another information lacking in the article: I managed to permanently damage an HDD. It didn't completely stop responding, but now the read delay is much bigger than before. While testing it at high vibrations, the HDD did some loud mechanical noises, so apparently the HDD did try to park itself multiple times. That HDD is now unusable for tests because it randomly delays reads over 10 ms (normally the read syscall takes about 500 ns).

  20. Earthquakes? Seismograph? by aklinux · · Score: 1

    I wonder if this would be more useful as a seismograph?

  21. Are you wondering? by kerembaharlar · · Score: 1

    I think this website help us: http://www.fanatik.com.tr/2014...