
Hard Disks Can Be Turned Into Listening Devices, Researchers Find (theregister.co.uk) 74

Researchers from the University of Michigan and Zhejiang University in China have found that hard disk drives can be turned into listening devices, using malicious firmware and signal processing calculations. The Register reports: For a study titled "Hard Drive of Hearing: Disks that Eavesdrop with a Synthesized Microphone," computer scientists Andrew Kwong, Wenyuan Xu, and Kevin Fu describe an acoustic side-channel that can be accessed by measuring how sound waves make hard disk parts vibrate. "Our research demonstrates that the mechanical components in magnetic hard disk drives behave as microphones with sufficient precision to extract and parse human speech," their paper, obtained by The Register ahead of its formal publication, stated. "These unintentional microphones sense speech with high enough fidelity for the Shazam service to recognize a song recorded through the hard drive."

The team's research work, scheduled to be presented in May at the 2019 IEEE Symposium on Security and Privacy, explores how it's possible to alter HDD firmware to measure the offset of a disk drive's read/write head from the center of the track it's seeking. The offset is referred to as the Positional Error Signal (PES) and hard drives monitor this signal to keep the read/write head in the optimal position for reading and writing data. PES measurements must be very fine because drive heads can only be off by a few nanometers before data errors arise. The sensitivity of the gear, however, means human speech is sufficient to move the needle, so to speak. Vibrations from HDD parts don't yield particularly good sound, but with digital filtering techniques, human speech can be discerned, given the right conditions.
"Flashing HDD firmware is a prerequisite for the snooping [...] because the ATA protocol does not expose the PES," The Register reports. "To exfiltrate captured data, the three boffins suggest transmitting it over the internet by modifying Linux operating system files to create a reverse shell with root privileges or storing it to disk for physical recovery at a later date."

The researchers note that this technique does require a fairly loud conversation to take place near the eavesdropping hard drive. "To record comprehensible speech, the conversation had to reach 85 dBA, with 75 dBA being the low threshold for capturing muffled sound," the report says. "To get Shazam to identify recordings captured through a hard drive, the source file had to be played at 90 dBA. Which is pretty loud. Like lawn mower or food blender loud."
  • by SuperKendall ( 25149 ) on Friday March 08, 2019 @06:34PM (#58240404)

    Nice find... back in 2010, when most people were still using spinning discs with platters.

    Not much recording going on with an SSD stick.

    Another great reason to switch to SSD if you've not already though!

    A dedicated spy group could probably do really well by selling cheap external enclosures that modified common drives inserted with this hack, then had a cellular data feed built in to transmit real-time audio to whoever on demand.

    • A dedicated spy group could probably do really well by selling cheap external enclosures that modified common drives inserted with this hack, then had a cellular data feed built in to transmit real-time audio to whoever on demand.

      If you're making the enclosures, why bother hacking the firmware? Let me introduce you to The Thing [wikipedia.org]. A marvelous piece of KGB engineering which was a half century ahead of its time. (If you don't want to read the link, you can make the enclosure a passive microphone which re-tr

    • by iggymanz ( 596061 ) on Friday March 08, 2019 @07:28PM (#58240620)

      not a great reason to do anything. this is not a security concern at all. drive has to be flashed with malware, then the people next to an office PC have to yell at each other. This won't work in a data center server for reasons only those never in a data center would need explanation.

      It's a non-issue. Someone could put an underwater camera and mike in your toilet and record you jacking off and taking a shit too. It's that level of concern...

    • Comment removed based on user account deletion
      • I expect the vast majority of those new hdd are going into enterprise class storage arrays like EMC Power Max, Isilon; Hitachi g series; NetApp vault servers; and in converged solutions like oracle ExaData, ExaLogic; VCE Vblock vxrail or vxrack. I support storage and backup for a portion of 5 modest datacenters, we churn through a couple hundred spare drives per year.

        At the local level, almost nobody gets hdd anymore.

        Considering the background noise in the datacenters, and the relative lack of human prese

    • Please let me flash your hard drive's firmware and then stand over here and speak very loudly.

      Thank you.

      *facepalm*

    • by Anonymous Coward

      Or they could put an ordinary mic+transmitter into it. Cheaper and much more effective.

    • by epine ( 68316 )

      Another great reason to switch to SSD

      For at least a decade, there has been one major reason to stick with spinning rust. Hint: it's inside your pants, and it probably folds in half.

      I've read that YouTube costs $6b per year to operate. If you don't think they'd shit their bloomers over another flood in Thailand, that's only because it's not your $6b outflow.

      Do you really think YouTube is storing video of your drunken frat party on spendy SSD, long term?

  • by jfdavis668 ( 1414919 ) on Friday March 08, 2019 @07:19PM (#58240590)
    If I really need to transfer a lot of data, there are still Zip Disks.
  • by Radical Moderate ( 563286 ) on Friday March 08, 2019 @07:21PM (#58240600)
    "...but would you mind moving closer to your computer, and speaking as loud as possible?"
    Why?
    "No reason! But try it, might be fun! Thanks!"
    • wait that's the wrong order. First you have to ask for permission to shut down the computer, remove and reflash a hard drive with bad wares, and reinsert and boot up the machine. But don't worry, no one will think this is suspicious at all.

      Pffft, this is some kind of security news? for idiots.

      • First you have to ask for permission to shut down the computer, remove and reflash a hard drive with bad wares

        Why would you have to remove the HD to reflash it? Many if not most modern HDDs have user-upgradeable firmware.

        • oh they're nice enough to let you install and run the flashing wares while they look over your shoulder? be sure to remind them to always talk real loud so the sneaky cool warez can pwn them.

          An mp3 recorder with gigabytes storage left in the next cube could pick up speech at normal volume for a week but that's not as much fun

  • by fahrbot-bot ( 874524 ) on Friday March 08, 2019 @07:32PM (#58240636)
    So, from TFS, to exploit this:

    (1) Flashing HDD firmware is a prerequisite for the snooping
    (2) To exfiltrate captured data, either:
    - (a) transmit it over the internet by modifying Linux operating system files to create a reverse shell with root privileges, or
    - (b) storing it to disk for physical recovery at a later date.
    (3) technique requires a fairly loud conversation to take place near the eavesdropping hard drive ... like 75 dBA - 90 dBA, which is pretty loud. Like lawn mower or food blender loud.

    So... I need to (1) flash my disk hardware, (2) let someone break into my PC remotely or physically and (3) constantly yell at my PC, with the case open. I'll get right on all that. (To be fair, I have Windows on one system, so I already yell at it a LOT.)

    Jesus, wouldn't it be *way* easier to plant either a physical microphone in the room and/or install eavesdropping software on the PC?

    Dear Researchers: Drink more, dick around less.

    • by Anonymous Coward

      The point was to find out that it would be so damn difficult, rather than presuming it's impossible. A lot of what would otherwise be "common sense" is wrong. It's nice for people willing to put in the effort because (1) may be possible from the factory and (2) may be part of a coordinated attack with a compromised NIC. That (3) makes the point moot is really the critical aspect of it, and while many people would say it's "obvious", I'm actually amazed they could get even 75 dBA - 90 dBA into the discern

    • by Anonymous Coward

      Oh, come on. This is cool even if it's wholly impractical.

  • 85dba isn't a conversation any more. It's an argument.

  • by Hognoxious ( 631665 ) on Friday March 08, 2019 @08:22PM (#58240800) Homepage Journal

    Flashing HDD firmware is a prerequisite for the snooping [...] The researchers note that this technique does require a fairly loud conversation to take place near the eavesdropping hard drive.

    So in fact they can't be turned into listening devices for any practical definition of "turned into", "listening" or "devices".

  • by Miamicanes ( 730264 ) on Friday March 08, 2019 @08:34PM (#58240856)

    There are two even EASIER ways a malicious vendor could enable a computer to spy on you:

    1. Make the sound chip extra-flexible, so that it's designed to be connected to three 1/8" jacks and allow any jack to be software-configurable as a mic input, a line-level output, or a headphone output. If the user connects a pair of headphones, you can then use them as a pair of low-fidelity microphones, even if they've bent over backwards to make sure to omit/disable any explicit microphone.

    2. Connect the piezo transducer soldered to the motherboard (used to beep BIOS error codes) to the sound chip, with the same internal mods to allow it to work in both directions (as both a speaker AND a mic, depending upon whether the pins it's connected to are configured via software to be outputs or inputs).

    Or, if the goal is to enable an agent to exfiltrate data from a computer that has its outputs nominally locked down, use the motherboard speaker (if it's wired in a way that uses directly-generated PWM to make sound instead of a transistor feedback loop with a capacitor) to generate ultrasonic audio & capture it with a second device.

    The point is, physical security matters at least as much as software security does. If a malicious actor has physical control over a device, you've already lost the battle. On the other hand, attacks like this are practically impossible to pull off unless you literally HAVE the resources of a state espionage agency. While "China" most certainly falls into the category of "has the resources and expertise to do it, at least occasionally", consider for a moment that China's economy (and by extension, the CCP's ability to govern the masses) depends almost entirely upon its ability to sell and export products. Patent laws might be lax in China, but they most certainly apply to products exported to another country. If "China" copied some secret high-tech technology from Tesla or Intel (which they could almost as easily obtain just by downloading the patents from the USPTO's web site), they wouldn't be able to sell it abroad anyway, so it really wouldn't be much use to them ANYWAY. And their overseas divisions of that company would be sued into bankruptcy by the company they stole the technology from.

    Corporate espionage sounds hot & sexy, and has been the theme of god knows how many Hollywood movies... but in the real world, it's pretty damn rare. Very, VERY few things are genuine "trade secrets" that aren't publicly-known ANYWAY. Not even Coca-Cola's formula is particularly "secret" -- Coca Cola's value isn't its taste, but its brand name. If you copied Coca Cola's formula verbatim (and somehow managed to source de-cocainized coca leaves), manufactured it, and sold it, the company couldn't do a damn thing to stop you... as long as neither you, nor anyone with any kind of ties to you, EVER uttered the words "Coke" or "Coca Cola". The moment they did, you'd be sued into oblivion for trademark violation. And if nobody ever DID disclose the fact that your product tastes exactly like "the Real Thing", hardly anyone would notice or buy your product... because the truth is, Coca Cola doesn't actually taste all that great (something Pepsi has been reminding people for literally decades at every possible opportunity).

    Similarly, consider the annual export value of Huawei's products to China's economy. Now consider the almost piddling value of any intelligence gained using compromised Huawei products relative to the value of those exports, and just how staggeringly HUGE of a hit China's economy would take if it were caught red handed selling products designed to allow spying. China's government would, frankly, have to be completely fucking INSANE to risk that kind of direct economic damage. That's not to say China's intelligence agencies don't try at all to coax companies into including subtle features that can be repurposed and used for espionage purposes... but ultimately, it would be equally naive to think that US intelligence agencies don't have agents working for companies

  • What if you were told that capacitor can be acting as a listening device?
  • This reminds me of Van Eck Phreaking (1982) - capturing electromagnetic emissions from computer monitors, keyboards, printers, etc. and reconstructing the digital data. This and the hard disk song are examples of side channel attacks. They exploit vulnerabilities in the implementation of a computer system rather than in its algorithms. https://en.wikipedia.org/wiki/... [wikipedia.org]
  • by Anonymous Coward

    This is really an update to the classic "Bendon Yells Gregg yells at servers": https://www.youtube.com/watch?v=tDacjrSCeq4

  • by FeelGood314 ( 2516288 ) on Friday March 08, 2019 @09:54PM (#58241096)
    This isn't some theoretical attack, these guys went out and actually tried it and measured the results. Congratulations to them for trying. What did most of us slashdotters do today? Also what if the attack was 100x more sensitive or what happens in 5 years when hard drives actually are more sensitive to vibration? Hell just doing the experiment could have led to other interesting things being discovered.
  • Nice typo! :P

  • You have to speak very loudly they say, but that's more common than you may think, just ask my (step)mom. She consistently makes my eardrums buckle whenever she opens her mouth
  • Computer scientist Kevin Fu used to be SysOp of Bob's Golden Apple BBS in Holland, MI. I think it was WWIVNet.
