Hard Disks Can Be Turned Into Listening Devices, Researchers Find (theregister.co.uk)
Researchers from the University of Michigan and Zhejiang University in China have found that hard disk drives can be turned into listening devices, using malicious firmware and signal processing calculations. The Register reports: For a study titled "Hard Drive of Hearing: Disks that Eavesdrop with a Synthesized Microphone," computer scientists Andrew Kwong, Wenyuan Xu, and Kevin Fu describe an acoustic side-channel that can be accessed by measuring how sound waves make hard disk parts vibrate. "Our research demonstrates that the mechanical components in magnetic hard disk drives behave as microphones with sufficient precision to extract and parse human speech," their paper, obtained by The Register ahead of its formal publication, stated. "These unintentional microphones sense speech with high enough fidelity for the Shazam service to recognize a song recorded through the hard drive."
The team's research work, scheduled to be presented in May at the 2019 IEEE Symposium on Security and Privacy, explores how it's possible to alter HDD firmware to measure the offset of a disk drive's read/write head from the center of the track it's seeking. The offset is referred to as the Positional Error Signal (PES) and hard drives monitor this signal to keep the read/write head in the optimal position for reading and writing data. PES measurements must be very fine because drive heads can only be off by a few nanometers before data errors arise. The sensitivity of the gear, however, means human speech is sufficient to move the needle, so to speak. Vibrations from HDD parts don't yield particularly good sound, but with digital filtering techniques, human speech can be discerned, given the right conditions. "Flashing HDD firmware is a prerequisite for the snooping [...] because the ATA protocol does not expose the PES," The Register reports. "To exfiltrate captured data, the three boffins suggest transmitting it over the internet by modifying Linux operating system files to create a reverse shell with root privileges or storing it to disk for physical recovery at a later date."
The researchers note that this technique does require a fairly loud conversation to take place near the eavesdropping hard drive. "To record comprehensible speech, the conversation had to reach 85 dBA, with 75 dBA being the low threshold for capturing muffled sound," the report says. "To get Shazam to identify recordings captured through a hard drive, the source file had to be played at 90 dBA. Which is pretty loud. Like lawn mower or food blender loud."
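Because the summary names flashing the HDD firmware as the prerequisite, one inventory-side check is to compare what each drive reports against what was recorded at deployment. The following is an added example, not code from the paper or the article; it assumes the `Key: value` text printed by `smartctl -i`, and the model, serial numbers, firmware strings and baseline table are constructed.

```python
# Constructed sample of `smartctl -i` output (all identifiers are made up).
SAMPLE_SMARTCTL = """\
=== START OF INFORMATION SECTION ===
Device Model:     EXAMPLE HDD-1000
Serial Number:    EX-0000001
Firmware Version: 01.01A01
User Capacity:    1,000,204,886,016 bytes [1.00 TB]
Rotation Rate:    7200 rpm
"""

# Hypothetical inventory: serial -> (model, firmware recorded at deployment).
BASELINE = {
    "EX-0000001": ("EXAMPLE HDD-1000", "01.01A01"),
    "EX-0000002": ("EXAMPLE HDD-1000", "01.01A01"),
}

# smartctl field names mapped to the keys used below.
FIELDS = {"Device Model": "model", "Serial Number": "serial",
          "Firmware Version": "firmware"}


def parse_identity(text):
    """Extract the identity fields from `smartctl -i` style 'Key: value' lines."""
    out = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() in FIELDS:
            out[FIELDS[key.strip()]] = value.strip()
    return out


def audit_drive(text, baseline=BASELINE):
    """Return a list of findings; an empty list means the drive matches inventory."""
    ident = parse_identity(text)
    serial = ident.get("serial")
    if serial not in baseline:
        return [f"unknown drive serial {serial!r}: not in inventory"]
    model, firmware = baseline[serial]
    findings = []
    if ident.get("model") != model:
        findings.append(f"model changed: {model!r} -> {ident.get('model')!r}")
    if ident.get("firmware") != firmware:
        findings.append(f"firmware changed: {firmware!r} -> {ident.get('firmware')!r}")
    return findings


if __name__ == "__main__":
    print(audit_drive(SAMPLE_SMARTCTL) or "matches inventory")
```

A mismatch is the useful signal here; a match is not proof of integrity, because modified firmware can report any version string it likes.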
Nice find... back in 2010, when most people were still using spinning discs with platters.
Not much recording going on with an SSD stick.
Another great reason to switch to SSD if you've not already though!
A dedicated spy group could probably do really well by selling cheap external enclosures that modified common drives inserted with this hack, then had a cellular data feed built in to transmit real-time audio to whoever on demand.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
So, as usual, this needs physical access to the computer; it'd be simpler to just install a regular bug. Not that there's anything wrong with this sort of research... it's exceedingly clever yet altogether useless. Just what grant money was invented for.
Was any testing done to determine whether 5.4k, 7.2k, 10k, or 15k drives had different sensitivities?
Firmware upgrades to enterprise-grade drives are a common procedure.
Kendall I don't know if you meant for that to be ironic but they've written papers on this since the 1980's. You certainly seem new to this line of reading.
HEY GUYS I SEKKKURITY TOO PROPAGANDA ME ON FACEBOOK WHERE I SUCK DICK FOR IPHONES AND COAL!
Filter error: Don't use so many caps. It's like YELLING. Filter error: Don't use so many caps. It's like YELLING.
These must be made in China
If I really need to transfer a lot of data, there are still Zip Disks.
"...but would you mind moving closer to your computer, and speaking as loud as possible?"
Why?
"No reason! But try it, might be fun! Thanks!"
Never let a lack of data get in the way of a good rant.
wait that's the wrong order. First you have to ask for permission to shut down the computer, remove and reflash a hard drive with bad wares, and reinsert and boot up the machine. But don't worry, no one will think this is suspicious at all.
Pffft, this is some kind of security news? for idiots.
(1) Flashing HDD firmware is a prerequisite for the snooping ... like 75 dBA - 90 dBA, Which is pretty loud. Like lawn mower or food blender loud."
(2) To exfiltrate captured data, either:
- (a) transmit it over the internet by modifying Linux operating system files to create a reverse shell with root privileges, or
- (b) storing it to disk for physical recovery at a later date.
(3) technique requires a fairly loud conversation to take place near the eavesdropping hard drive
So... I need to (1) flash my disk hardware, (2) let someone break into my PC remotely or physically and (3) constantly yell at my PC, with the case open. I'll get right on all that. (To be fair, I have Windows on one system, so I already yell at it a LOT.)
Jesus, wouldn't it be *way* easier to plant either a physical microphone in the room and/or install eavesdropping software on the PC?
Dear Researchers: Drink more, dick around less.
It must have been something you assimilated. . . .
85dba isn't a conversation any more. It's an argument.
Techniques only get better. Moreover one could flash the firmware en route to where it's going (intercept the Amazon package).. So there is some small bit of a security issue here.. The NSA was exposed/caught reprogramming routers while they were still on the UPS truck.. Nice little National Security Letter to the driver and no one is the wiser.
Physical access to a device doesn't always mean physical access to the computer/server said device will be installed in.
This is a dupe from around 20 years ago... maybe before BeauHD was born
So in fact they can't be turned into listening devices for any practical definition of "turned into", "listening" or "devices".
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
In America, you have fun listen to disk drive music.
In Soviet Russia, disk drive listen to YOU.
There are two even EASIER ways a malicious vendor could enable a computer to spy on you:
1. Make the sound chip extra-flexible, so that it's designed to be connected to three 1/8" jacks and allow any jack to be software-configurable as a mic input, a line-level output, or a headphone output. If the user connects a pair of headphones, you can then use them as a pair of low-fidelity microphones, even if they've bent over backwards to make sure to omit/disable any explicit microphone.
2. Connect the piezo transducer soldered to the motherboard (used to beep BIOS error codes) to the sound chip, with the same internal mods to allow it to work in both directions (as both a speaker AND a mic, depending upon whether the pins it's connected to are configured via software to be outputs or inputs).
Or, if the goal is to enable an agent to exfiltrate data from a computer that has its outputs nominally locked down, use the motherboard speaker (if it's wired in a way that uses directly-generated PWM to make sound instead of a transistor feedback loop with a capacitor) to generate ultrasonic audio & capture it with a second device.
The point is, physical security matters at least as much as software security does. If a malicious actor has physical control over a device, you've already lost the battle. On the other hand, attacks like this are practically impossible to pull off unless you literally HAVE the resources of a state espionage agency. While "China" most certainly falls into the category of "has the resources and expertise to do it, at least occasionally", consider for a moment that China's economy (and by extension, the CCP's ability to govern the masses) depends almost entirely upon its ability to sell and export products. Patent laws might be lax in China, but they most certainly apply to products exported to another country. If "China" copied some secret high-tech technology from Tesla or Intel (which they could almost as easily obtain just by downloading the patents from the USPTO's web site), they wouldn't be able to sell it abroad anyway, so it really wouldn't be much use to them ANYWAY. And their overseas divisions of that company would be sued into bankruptcy by the company they stole the technology from.
Corporate espionage sounds hot & sexy, and has been the theme of god knows how many Hollywood movies... but in the real world, it's pretty damn rare. Very, VERY few things are genuine "trade secrets" that aren't publicly-known ANYWAY. Not even Coca-Cola's formula is particularly "secret" -- Coca Cola's value isn't its taste, but its brand name. If you copied Coca Cola's formula verbatim (and somehow managed to source de-cocainized coca leaves), manufactured it, and sold it, the company couldn't do a damn thing to stop you... as long as neither you, nor anyone with any kind of ties to you, EVER uttered the words "Coke" or "Coca Cola". The moment they did, you'd be sued into oblivion for trademark violation. And if nobody ever DID disclose the fact that your product tastes exactly like "the Real Thing", hardly anyone would notice or buy your product... because the truth is, Coca Cola doesn't actually taste all that great (something Pepsi has been reminding people for literally decades at every possible opportunity).
Similarly, consider the annual export value of Huawei's products to China's economy. Now consider the almost piddling value of any intelligence gained using compromised Huawei products relative to the value of those exports, and just how staggeringly HUGE of a hit China's economy would take if it were caught red handed selling products designed to allow spying. China's government would, frankly, have to be completely fucking INSANE to risk that kind of direct economic damage. That's not to say China's intelligence agencies don't try at all to coax companies into including subtle features that can be repurposed and used for espionage purposes... but ultimately, it would be equally naive to think that US intelligence agencies don't have agents working for companies
This "news" is SO old my corns remember them. This is like 10 years too late. Duh.
What if you were told that capacitor can be acting as a listening device?
This reminds me of Van Eck phreaking (1982) - capturing electromagnetic emissions from computer monitors, keyboards, printers, etc. and reconstructing the digital data. This and the hard disk song are examples of side channel attacks. They exploit vulnerabilities in the implementation of a computer system rather than in its algorithms. https://en.wikipedia.org/wiki/...
This is really an update to the classic "Bendon Yells Gregg yells at servers": https://www.youtube.com/watch?v=tDacjrSCeq4
First you have to ask for permission to shut down the computer, remove and reflash a hard drive with bad wares
Why would you have to remove the HD to reflash it? Many if not most modern HDDs have user-upgradeable firmware.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
We knew about this as radio amateurs (hams) in the 1970s when (the crappier) receivers or transmitters with variable capacitors and inductors could pick up voice/ sound and inject it into the audio.
I had a Heathkit intercom that used the speakers as mics.
I'm sure microphonics were known decades earlier. The effect is long-established.
This isn't some theoretical attack, these guys went out and actually tried it and measured the results. Congratulations to them for trying. What did most of us slashdotters do today? Also what if the attack was 100x more sensitive or what happens in 5 years when hard drives actually are more sensitive to vibration? Hell just doing the experiment could have led to other interesting things being discovered.
Who needs to use a hard drive for a microphone? There are plenty of ceramic capacitors inside any electronic device, why not use the piezoelectric effect and re-purpose those caps as microphones?
Old DIP (dual-inline-package) chips can be used to brush your or your pet's hair!
Also, floppy drives and peripherals can make music! (https://www.youtube.com/watch?v=3m9OgVkAbE8)
Our reign has gone on long enough. Indeed. Summon the meteors.
hide in plain sight as a smart speaker or smart tv
hide in plain sight as a mobile browser with built in software support for camera and microphone access .....
oh they're nice enough to let you install and run the flashing wares while they look over your shoulder? be sure to remind them to always talk real loud so the sneaky cool warez can pwn them.
An mp3 recorder with gigabytes storage left in the next cube could pick up speech at normal volume for a week but that's not as much fun
You've been able to turn sound cards with attached mics into listening devices for years now.
I don't feel right seeing somebody who is obviously mentally disabled and is an employee at a sheltered workshop getting killed.
I would contact the supervisor of said workshop, and tell him that one of his workers is posting garbage on the internet using their computers. I also recommend asking to arrange for this person's medication to be adjusted.
Nice typo! :P
Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
You have to speak very loudly they say, but that's more common than you may think, just ask my (step)mom. She consistently makes my eardrums buckle whenever she opens her mouth
Only those who risk going too far can possibly find out how far they can go. T. S. Eliot
An mp3 recorder with gigabytes storage left in the next cube could pick up speech at normal volume for a week but that's not as much fun
It's also obvious what it is when it is found. It also needs to be physically retrieved at some point. Not so for the HDD.
actually some have wifi-connection these days. so what if found, plant one somewhere else next time but in the meantime enjoy the juicy conversation of Jane yelling at her husband over the phone.
Old news.. Hard disk platters can detect vibration from shouting...
https://www.youtube.com/watch?v=tDacjrSCeq4
Many hard drives include an accelerometer, normally used for drop (free-fall) detection for parking heads, and also for impact detection for warranty voiding.
Some basic MEMS accelerometers operate up to multiple kilohertz and with resolution of 100 microgravities.
Perhaps audio signal could be recovered this way, by firmware patch to change accelerometer measurement mode and record high-speed data. Perhaps conversion from acceleration to velocity or displacement might be performed via integration in time domain, or using Fourier methods.
Already been done. Here's the proof of concept.
Computer scientist Kevin Fu used to be SysOp of Bob's Golden Apple BBS in Holland, MI. I think it was WWIVNet.