Slashdot Mirror


Hard Disks Can Be Turned Into Listening Devices, Researchers Find (theregister.co.uk)

Researchers from the University of Michigan and Zhejiang University in China have found that hard disk drives can be turned into listening devices, using malicious firmware and signal processing calculations. The Register reports: For a study titled "Hard Drive of Hearing: Disks that Eavesdrop with a Synthesized Microphone," computer scientists Andrew Kwong, Wenyuan Xu, and Kevin Fu describe an acoustic side-channel that can be accessed by measuring how sound waves make hard disk parts vibrate. "Our research demonstrates that the mechanical components in magnetic hard disk drives behave as microphones with sufficient precision to extract and parse human speech," their paper, obtained by The Register ahead of its formal publication, stated. "These unintentional microphones sense speech with high enough fidelity for the Shazam service to recognize a song recorded through the hard drive."

The team's research work, scheduled to be presented in May at the 2019 IEEE Symposium on Security and Privacy, explores how it's possible to alter HDD firmware to measure the offset of a disk drive's read/write head from the center of the track it's seeking. The offset is referred to as the Positional Error Signal (PES) and hard drives monitor this signal to keep the read/write head in the optimal position for reading and writing data. PES measurements must be very fine because drive heads can only be off by a few nanometers before data errors arise. The sensitivity of the gear, however, means human speech is sufficient to move the needle, so to speak. Vibrations from HDD parts don't yield particularly good sound, but with digital filtering techniques, human speech can be discerned, given the right conditions.
"Flashing HDD firmware is a prerequisite for the snooping [...] because the ATA protocol does not expose the PES," The Register reports. "To exfiltrate captured data, the three boffins suggest transmitting it over the internet by modifying Linux operating system files to create a reverse shell with root privileges or storing it to disk for physical recovery at a later date."

The researchers note that this technique does require a fairly loud conversation to take place near the eavesdropping hard drive. "To record comprehensible speech, the conversation had to reach 85 dBA, with 75 dBA being the low threshold for capturing muffled sound," the report says. "To get Shazam to identify recordings captured through a hard drive, the source file had to be played at 90 dBA. Which is pretty loud. Like lawn mower or food blender loud."

13 of 74 comments

  1. A little late on this one guys by SuperKendall · · Score: 4, Interesting

    Nice find... back in 2010, when most people were still using spinning discs with platters.

    Not much recording going on with an SSD stick.

    Another great reason to switch to SSD if you've not already though!

    A dedicated spy group could probably do really well by selling cheap external enclosures that modified common drives inserted with this hack, then had a cellular data feed built in to transmit real-time audio to whoever on demand.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
    1. Re:A little late on this one guys by Solandri · · Score: 2

      A dedicated spy group could probably do really well by selling cheap external enclosures that modified common drives inserted with this hack, then had a cellular data feed built in to transmit real-time audio to whoever on demand.

      If you're making the enclosures, why bother hacking the firmware? Let me introduce you to The Thing. A marvelous piece of KGB engineering which was a half century ahead of its time. (If you don't want to read the link, you can make the enclosure a passive microphone which re-transmits sounds into the RF band when "illuminated" by an external RF energy source. Basically an RFID tag hooked up to a microphone.)

    2. Re:A little late on this one guys by iggymanz · · Score: 4, Insightful

      Not a great reason to do anything. This is not a security concern at all. The drive has to be flashed with malware, then the people next to an office PC have to yell at each other. This won't work in a data center server, for reasons that only those who have never been in a data center would need explained.

      It's a non-issue. Someone could put an underwater camera and mike in your toilet and record you jacking off and taking a shit too. It's that level of concern...

    3. Re:A little late on this one guys by drinkypoo · · Score: 4, Funny

      It's a non-issue. Someone could put an underwater camera and mike in your toilet and record you jacking off and taking a shit too.

      I just feel sorry for Mike.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    4. Re:A little late on this one guys by rudy_wayne · · Score: 2

      Please let me flash your hard drive's firmware and then stand over here and speak very loudly.

      Thank you.

      *facepalm*

  2. That is why I still use floppies. by jfdavis668 · · Score: 3, Funny

    If I really need to transfer a lot of data, there are still Zip Disks.

  3. Riiiiing! "Hello, I'm totally not spying on you... by Radical+Moderate · · Score: 3, Funny

    "...but would you mind moving closer to your computer, and speaking as loud as possible?"
    Why?
    "No reason! But try it, might be fun! Thanks!"

    --
    Never let a lack of data get in the way of a good rant.
  4. Researchers need a better hobby. by fahrbot-bot · · Score: 5, Insightful

    So, from TFS, to exploit this:

    (1) Flashing HDD firmware is a prerequisite for the snooping
    (2) To exfiltrate captured data, either:
    - (a) transmit it over the internet by modifying Linux operating system files to create a reverse shell with root privileges, or
    - (b) store it to disk for physical recovery at a later date.
    (3) the technique requires a fairly loud conversation to take place near the eavesdropping hard drive ... like 75 dBA - 90 dBA, which is pretty loud. Like lawn mower or food blender loud.

    So... I need to (1) flash my disk hardware, (2) let someone break into my PC remotely or physically and (3) constantly yell at my PC, with the case open. I'll get right on all that. (To be fair, I have Windows on one system, so I already yell at it a LOT.)

    Jesus, wouldn't it be *way* easier to plant either a physical microphone in the room and/or install eavesdropping software on the PC.

    Dear Researchers: Drink more, dick around less.

    --
    It must have been something you assimilated. . . .
    1. Re: Researchers need a better hobby. by Anonymous Coward · · Score: 3, Insightful

      Oh, come on. This is cool even if it's wholly impractical.

  5. Re:Riiiiing! "Hello, I'm totally not spying on you by jpaine619 · · Score: 2

    Techniques only get better. Moreover one could flash the firmware en route to where it's going (intercept the Amazon package).. So there is some small bit of a security issue here.. The NSA was exposed/caught reprogramming routers while they were still on the UPS truck.. Nice little National Security Letter to the driver and no one is the wiser.

    Physical access to a device doesn't always mean physical access to the computer/server said device will be installed in.

  6. Correction by Hognoxious · · Score: 2

    Flashing HDD firmware is a prerequisite for the snooping [...] The researchers note that this technique does require a fairly loud conversation to take place near the eavesdropping hard drive.

    So in fact they can't be turned into listening devices for any practical definition of "turned into", "listening" or "devices".

    --
    Confucius say, "Find worm in apple - bad. Find half a worm - worse."
  7. Two even EASIER ways by Miamicanes · · Score: 4, Insightful

    There are two even EASIER ways a malicious vendor could enable a computer to spy on you:

    1. Make the sound chip extra-flexible, so that it's designed to be connected to three 1/8" jacks and allow any jack to be software-configurable as a mic input, a line-level output, or a headphone output. If the user connects a pair of headphones, you can then use them as a pair of low-fidelity microphones, even if they've bent over backwards to make sure to omit/disable any explicit microphone.

    2. Connect the piezo transducer soldered to the motherboard (used to beep BIOS error codes) to the sound chip, with the same internal mods to allow it to work in both directions (as both a speaker AND a mic, depending upon whether the pins it's connected to are configured via software to be outputs or inputs).

    Or, if the goal is to enable an agent to exfiltrate data from a computer that has its outputs nominally locked down, use the motherboard speaker (if it's wired in a way that uses directly-generated PWM to make sound instead of a transistor feedback loop with a capacitor) to generate ultrasonic audio & capture it with a second device.

    The point is, physical security matters at least as much as software security does. If a malicious actor has physical control over a device, you've already lost the battle. On the other hand, attacks like this are practically impossible to pull off unless you literally HAVE the resources of a state espionage agency. While "China" most certainly falls into the category of "has the resources and expertise to do it, at least occasionally", consider for a moment that China's economy (and by extension, the CCP's ability to govern the masses) depends almost entirely upon its ability to sell and export products. Patent laws might be lax in China, but they most certainly apply to products exported to another country. If "China" copied some secret high-tech technology from Tesla or Intel (which they could almost as easily obtain just by downloading the patents from the USPTO's web site), they wouldn't be able to sell it abroad anyway, so it really wouldn't be much use to them ANYWAY. And their overseas divisions of that company would be sued into bankruptcy by the company they stole the technology from.

    Corporate espionage sounds hot & sexy, and has been the theme of god knows how many Hollywood movies... but in the real world, it's pretty damn rare. Very, VERY few things are genuine "trade secrets" that aren't publicly-known ANYWAY. Not even Coca-Cola's formula is particularly "secret" -- Coca Cola's value isn't its taste, but its brand name. If you copied Coca Cola's formula verbatim (and somehow managed to source de-cocainized coca leaves), manufactured it, and sold it, the company couldn't do a damn thing to stop you... as long as neither you, nor anyone with any kind of ties to you, EVER uttered the words "Coke" or "Coca Cola". The moment they did, you'd be sued into oblivion for trademark violation. And if nobody ever DID disclose the fact that your product tastes exactly like "the Real Thing", hardly anyone would notice or buy your product... because the truth is, Coca Cola doesn't actually taste all that great (something Pepsi has been reminding people of for literally decades at every possible opportunity).

    Similarly, consider the annual export value of Huawei's products to China's economy. Now consider the almost piddling value of any intelligence gained using compromised Huawei products relative to the value of those exports, and just how staggeringly HUGE of a hit China's economy would take if it were caught red handed selling products designed to allow spying. China's government would, frankly, have to be completely fucking INSANE to risk that kind of direct economic damage. That's not to say China's intelligence agencies don't try at all to coax companies into including subtle features that can be repurposed and used for espionage purposes... but ultimately, it would be equally naive to think that US intelligence agencies don't have agents working for companies

  8. They did it - what's with the negativity? by FeelGood314 · · Score: 2

    This isn't some theoretical attack; these guys went out and actually tried it and measured the results. Congratulations to them for trying. What did most of us slashdotters do today? Also, what if the attack was 100x more sensitive, or what happens in 5 years when hard drives actually are more sensitive to vibration? Hell, just doing the experiment could have led to other interesting things being discovered.