Hard Disks Can Be Turned Into Listening Devices, Researchers Find (theregister.co.uk)
Researchers from the University of Michigan and Zhejiang Univeristy in China have found that hard disk drives can be turned into listening devices, using malicious firmware and signal processing calculations. The Register reports: For a study titled "Hard Drive of Hearing: Disks that Eavesdrop with a Synthesized Microphone," computer scientists Andrew Kwong, Wenyuan Xu, and Kevin Fu describe an acoustic side-channel that can be accessed by measuring how sound waves make hard disk parts vibrate. "Our research demonstrates that the mechanical components in magnetic hard disk drives behave as microphones with sufficient precision to extract and parse human speech," their paper, obtained by The Register ahead of its formal publication, stated. "These unintentional microphones sense speech with high enough fidelity for the Shazam service to recognize a song recorded through the hard drive."
The team's research work, scheduled to be presented in May at the 2019 IEEE Symposium on Security and Privacy, explores how it's possible to alter HDD firmware to measure the offset of a disk drive's read/write head from the center of the track it's seeking. The offset is referred to as the Positional Error Signal (PES) and hard drives monitor this signal to keep the read/write head in the optimal position for reading and writing data. PES measurements must be very fine because drive heads can only be off by a few nanometers before data errors arise. The sensitivity of the gear, however, means human speech is sufficient to move the needle, so to speak. Vibrations from HDD parts don't yield particularly good sound, but with digital filtering techniques, human speech can be discerned, given the right conditions. "Flashing HDD firmware is a prerequisite for the snooping [...] because the ATA protocol does not expose the PES," The Register reports. "To exfiltrate captured data, the three boffins suggest transmitting it over the internet by modifying Linux operating system files to create a reverse shell with root privileges or storing it to disk for physical recovery at a later date."
The researchers note that this technique does require a fairly loud conversation to take place near the eavesdropping hard drive. "To record comprehensible speech, the conversation had to reach 85 dBA, with 75 dBA being the low threshold for capturing muffled sound," the report says. "To get Shazam to identify recordings captured through a hard drive, the source file had to be played at 90 dBA. Which is pretty loud. Like lawn mower or food blender loud."
A little late on this one guys (Score:5, Interesting)
Nice find... back in 2010, when most people were still using spinning discs with platters.
Not much recording going on with an SSD stick.
Another great reason to switch to SSD if you've not already though!
A dedicated spy group could probably do really well by selling cheap external enclosures that modified common drives inserted with this hack, then had a cellular data feed built in to transmit real-time audio to whoever on demand.
In da Russia (Score:1)
In Soviet Russia, disk drive listen to YOU.
Re: (Score:2)
>> There are plenty of ceramic capacitors inside any electronic device, why not use the piezoelectric effect and re-purpose those caps as microphones
1) Those caps are usually not connected to a high gain amplifier
2) not sensitive enough
It's much easier and more effective to amplify the sound coming out of a speaker repurposed as a microphone. There's a real chance that they are not connected to a preamplifier. Are they?
Re: (Score:3)
If you're making the enclosures, why bother hacking the firmware? Let me introduce you to The Thing [wikipedia.org]. A marvelous piece of KGB engineering which was a half century ahead of its time. (If you don't want to read the link, you can make the enclosure a passive microphone which re-tr
Re:A little late on this one guys (Score:5, Insightful)
not a great reason to do anything. this is not a security concern at all. drive has to be flashed with malware, then the people next to an office PC have to yell at each other. This won't work in a data center server for reasons only those never in a data center would need explanation.
It's a non-issue. Someone could put an underwater camera and mike in your toilet and record you jacking off and taking a shit too. It's that level of concern...
Re:A little late on this one guys (Score:5, Funny)
>> It's a non-issue. Someone could put an underwater camera and mike in your toilet and record you jacking off and taking a shit too.
I just feel sorry for Mike.
Re: A little late on this one guys (Score:2)
I expect the vast majority of those new HDDs are going into enterprise-class storage arrays like EMC PowerMax, Isilon; Hitachi G series; NetApp vault servers; and in converged solutions like Oracle Exadata, Exalogic; VCE Vblock VxRail or VxRack. I support storage and backup for a portion of 5 modest datacenters; we churn through a couple hundred spare drives per year.
At the local level, almost nobody gets hdd anymore.
Considering the background noise in the datacenters, and the relative lack of human prese
Re: (Score:3)
Please let me flash your hard drive's firmware and then stand over here and speak very loudly.
Thank you.
*facepalm*
Re: A little late on this one guys (Score:1)
Or they could put an ordinary mic+transmitter into it. Cheaper and much more effective.
Re: (Score:2)
For at least a decade, there has been one major reason to stick with spinning rust. Hint: it's inside your pants, and it probably folds in half.
I've read that YouTube costs $6b per year to operate. If you don't think they'd shit their bloomers over another flood in Thailand, that's only because it's not your $6b outflow.
Do you really think YouTube is storing video of your drunken frat party on spendy SSD, long term?
That is why I still use floppies. (Score:4, Funny)
Riiiiing! "Hello, I'm totally not spying on you... (Score:4, Funny)
Why?
"No reason! But try it, might be fun! Thanks!"
Re: (Score:2)
wait that's the wrong order. First you have to ask for permission to shut down the computer, remove and reflash a hard drive with bad wares, and reinsert and boot up the machine. But don't worry, no one will think this is suspicious at all.
Pffft, this is some kind of security news? for idiots.
Re: (Score:2)
>> First you have to ask for permission to shut down the computer, remove and reflash a hard drive with bad wares
Why would you have to remove the HD to reflash it? Many if not most modern HDDs have user-upgradeable firmware.
Re: (Score:2)
oh they're nice enough to let you install and run the flashing wares while they look over your shoulder? be sure to remind them to always talk real loud so the sneaky cool warez can pwn them.
An mp3 recorder with gigabytes storage left in the next cube could pick up speech at normal volume for a week but that's not as much fun
Re: (Score:2)
actually some have wifi-connection these days. so what if found, plant one somewhere else next time but in the meantime enjoy the juicy conversation of Jane yelling at her husband over the phone.
Researchers need a better hobby. (Score:5, Insightful)
(1) Flashing HDD firmware is a prerequisite for the snooping ... like 75 dBA - 90 dBA, Which is pretty loud. Like lawn mower or food blender loud."
(2) To exfiltrate captured data, either:
- (a) transmit it over the internet by modifying Linux operating system files to create a reverse shell with root privileges, or
- (b) storing it to disk for physical recovery at a later date.
(3) technique requires a fairly loud conversation to take place near the eavesdropping hard drive
So... I need to (1) flash my disk hardware, (2) let someone break into my PC remotely or physically and (3) constantly yell at my PC, with the case open. I'll get right on all that. (To be fair, I have Windows on one system, so I already yell at it a LOT.)
Jesus, wouldn't it be *way* easier to plant either a physical microphone in the room and/or install eavesdropping software on the PC?
Dear Researchers: Drink more, dick around less.
Re: (Score:1)
The point was to find out that it would be so damn difficult, rather than presuming it's impossible. A lot of what would otherwise be "common sense" is wrong. It's nice for people willing to put in the effort because (1) may be possible from the factory and (2) may be part of a coordinated attack with a compromised NIC. That (3) makes the point moot is really the critical aspect of it, and while many people would say it's "obvious", I'm actually amazed they could get even 75 dBA - 90 dBA into the discern
Re: Researchers need a better hobby. (Score:3, Insightful)
Oh, come on. This is cool even if it's wholly impractical.
85dba? (Score:1)
85dba isn't a conversation any more. It's an argument.
Correction (Score:3)
So in fact they can't be turned into listening devices for any practical definition of "turned into", "listening" or "devices".
Two even EASIER ways (Score:5, Insightful)
There are two even EASIER ways a malicious vendor could enable a computer to spy on you:
1. Make the sound chip extra-flexible, so that it's designed to be connected to three 1/8" jacks and allow any jack to be software-configurable as a mic input, a line-level output, or a headphone output. If the user connects a pair of headphones, you can then use them as a pair of low-fidelity microphones, even if they've bent over backwards to make sure to omit/disable any explicit microphone.
2. Connect the piezo transducer soldered to the motherboard (used to beep BIOS error codes) to the sound chip, with the same internal mods to allow it to work in both directions (as both a speaker AND a mic, depending upon whether the pins it's connected to are configured via software to be outputs or inputs).
Or, if the goal is to enable an agent to exfiltrate data from a computer that has its outputs nominally locked down, use the motherboard speaker (if it's wired in a way that uses directly-generated PWM to make sound instead of a transistor feedback loop with a capacitor) to generate ultrasonic audio & capture it with a second device.
The point is, physical security matters at least as much as software security does. If a malicious actor has physical control over a device, you've already lost the battle. On the other hand, attacks like this are practically impossible to pull off unless you literally HAVE the resources of a state espionage agency. While "China" most certainly falls into the category of "has the resources and expertise to do it, at least occasionally", consider for a moment that China's economy (and by extension, the CCP's ability to govern the masses) depends almost entirely upon its ability to sell and export products. Patent laws might be lax in China, but they most certainly apply to products exported to another country. If "China" copied some secret high-tech technology from Tesla or Intel (which they could almost as easily obtain just by downloading the patents from the USPTO's web site), they wouldn't be able to sell it abroad anyway, so it really wouldn't be much use to them ANYWAY. And their overseas divisions of that company would be sued into bankruptcy by the company they stole the technology from.
Corporate espionage sounds hot & sexy, and has been the theme of god knows how many Hollywood movies... but in the real world, it's pretty damn rare. Very, VERY few things are genuine "trade secrets" that aren't publicly-known ANYWAY. Not even Coca-Cola's formula is particularly "secret" -- Coca Cola's value isn't its taste, but its brand name. If you copied Coca Cola's formula verbatim (and somehow managed to source de-cocainized coca leaves), manufactured it, and sold it, the company couldn't do a damn thing to stop you... as long as neither you, nor anyone with any kind of ties to you, EVER uttered the words "Coke" or "Coca Cola". The moment they did, you'd be sued into oblivion for trademark violation. And if nobody ever DID disclose the fact that your product tastes exactly like "the Real Thing", hardly anyone would notice or buy your product... because the truth is, Coca Cola doesn't actually taste all that great (something Pepsi has been reminding people for literally decades at every possible opportunity).
Similarly, consider the annual export value of Huawei's products to China's economy. Now consider the almost piddling value of any intelligence gained using compromised Huawei products relative to the value of those exports, and just how staggeringly HUGE of a hit China's economy would take if it were caught red handed selling products designed to allow spying. China's government would, frankly, have to be completely fucking INSANE to risk that kind of direct economic damage. That's not to say China's intelligence agencies don't try at all to coax companies into including subtle features that can be repurposed and used for espionage purposes... but ultimately, it would be equally naive to think that US intelligence agencies don't have agents working for companies
What if (Score:1)
Hard Disk Vibes and other side channel attacks (Score:1)
Brendon yells at computers: part two (Score:1)
This is really an update to the classic "Bendon Yells Gregg yells at servers": https://www.youtube.com/watch?v=tDacjrSCeq4
They did it - what's with the negativity? (Score:3)
Univeristy (Score:2)
Nice typo! :P
Speaking loudly more common... (Score:1)
I remember Kevin Fu (Score:1)