From hard drive to over-heard drive: Boffins convert spinning rust into eavesdropping mic
GOOD ENOUGH TO RECOGNIZE MUSIC VIA SHAZAM IF YOU TURN IT UP TO 11
It's not just the walls that have ears. It's also the hard drives.
Eggheads at the University of Michigan in the US, and Zhejiang University in China, have found that hard disk drives (HDDs) can be turned into listening devices, using malicious firmware and signal processing calculations.
For a study titled "Hard Drive of Hearing: Disks that Eavesdrop with a Synthesized Microphone," computer scientists Andrew Kwong, Wenyuan Xu, and Kevin Fu describe an acoustic side-channel that can be accessed by measuring how sound waves make hard disk parts vibrate.
"Our research demonstrates that the mechanical components in magnetic hard disk drives behave as microphones with sufficient precision to extract and parse human speech," their paper, obtained by The Register ahead of its formal publication, stated. "These unintentional microphones sense speech with high enough fidelity for the Shazam service to recognize a song recorded through the hard drive."
The team's research work, scheduled to be presented in May at the 2019 IEEE Symposium on Security and Privacy, explores how it's possible to alter HDD firmware to measure the offset of a disk drive's read/write head from the center of the track it's seeking.
The offset is referred to as the Positional Error Signal (PES) and hard drives monitor this signal to keep the read/write head in the optimal position for reading and writing data. PES measurements must be very fine because drive heads can only be off by a few nanometers before data errors arise. The sensitivity of the gear, however, means human speech is sufficient to move the needle, so to speak.
"These extremely precise measurements are sensitive to vibrations caused by the slightest fluctuations in air pressure, such as those induced by human vocalizations," the paper explained.
Vibrations from HDD parts don't yield particularly good sound, but with digital filtering techniques, human speech can be discerned, given the right conditions.
Noise from blast of gas destroys Digiplex data depot disk drivesREAD MORE
Flashing HDD firmware is a prerequisite for the snooping, the paper says, because the ATA protocol does not expose the PES. This could be accomplished through traditional attack techniques – binary exploitation, drive-by downloads, or phishing – or by intercepting HDDs somewhere in the supply chain and modifying them. The researchers point to the Grayfish malware attributed to the Equation Group as an example.
To exfiltrate captured data, the three boffins suggest transmitting it over the internet by modifying Linux operating system files to create a reverse shell with root privileges or storing it to disk for physical recovery at a later date.
While many computing devices come with microphones that might look like easier targets for hijacking, the researchers observe that security conscious individuals may disable known microphones in software or with hardware hacks. A hard disk-focused attack would be less expected.
But look, let's be real: for the vast, vast majority of people, this is all just a cunning academic exploitation of hard drive technology. No one's really going to bug you via your spinning rust.
But... if they were to, the PES sampling rate (34.56 kHz) allows the capture of audio signals up to 17.28 kHz, which covers almost all of human hearing (20 Hz–20 kHz) and is significantly better than the sampling rate of the telephone system (8 kHz). Since the PES data amounts to air pressure readings, the researchers simply turned the series of PES measurements into linear pulse-code modulation values and then converted these samples into sound via digital signal processing algorithms.
Wait, there's a catch
One limiting aspect of the described technique is that it requires a fairly loud conversation in the vicinity of the eavesdropping hard drive. To record comprehensible speech, the conversation had to reach 85 dBA, with 75 dBA being the low threshold for capturing muffled sound. To get Shazam to identify recordings captured through a hard drive, the source file had to be played at 90 dBA. Which is pretty loud. Like lawn mower or food blender loud.
The researchers acknowledge this is louder than most practical scenarios but they say they "expect that an attacker using state of the art filtering and voice recognition algorithms can substantially amplify the channel’s strength."
While the growing popularity of solid state drives diminish the risk even further, there were still twice as many hard drives sold with PCs in 2017 as there were solid state drives, the researchers claimed.
To prevent HDDs from being turned into microphones, the trio suggest hard drive makers sign firmware cryptographically and use TLS when distributing updates to prevent MITM attacks.
They also note that their work may open future research possibilities, such as using a hard disk's read/write head as a crude sounds generator to issue spoken commands to nearby connected speakers like Alexa, Google Home, and Siri. ®
Addendum: If you're suffering deja-vu, the paper cites Alfredo Ortega's earlier work on using hard disks as microphones, although its authors claim they use a different technique to measure the effects of sound, and require a lower volume compared to other approaches.
Sponsored: Becoming a Pragmatic Security Leader