From hard drive to over-heard drive: Boffins convert spinning rust into eavesdropping mic


It's not just the walls that have ears. It's also the hard drives.

Eggheads at the University of Michigan in the US, and Zhejiang University in China, have found that hard disk drives (HDDs) can be turned into listening devices, using malicious firmware and signal processing calculations.

For a study titled "Hard Drive of Hearing: Disks that Eavesdrop with a Synthesized Microphone," computer scientists Andrew Kwong, Wenyuan Xu, and Kevin Fu describe an acoustic side-channel that can be accessed by measuring how sound waves make hard disk parts vibrate.

"Our research demonstrates that the mechanical components in magnetic hard disk drives behave as microphones with sufficient precision to extract and parse human speech," their paper, obtained by The Register ahead of its formal publication, stated. "These unintentional microphones sense speech with high enough fidelity for the Shazam service to recognize a song recorded through the hard drive."

The team's research work, scheduled to be presented in May at the 2019 IEEE Symposium on Security and Privacy, explores how it's possible to alter HDD firmware to measure the offset of a disk drive's read/write head from the center of the track it's seeking.

The offset is referred to as the Positional Error Signal (PES) and hard drives monitor this signal to keep the read/write head in the optimal position for reading and writing data. PES measurements must be very fine because drive heads can only be off by a few nanometers before data errors arise. The sensitivity of the gear, however, means human speech is sufficient to move the needle, so to speak.

"These extremely precise measurements are sensitive to vibrations caused by the slightest fluctuations in air pressure, such as those induced by human vocalizations," the paper explained.

Vibrations from HDD parts don't yield particularly good sound, but with digital filtering techniques, human speech can be discerned, given the right conditions.


Noise from blast of gas destroys Digiplex data depot disk drives


Flashing HDD firmware is a prerequisite for the snooping, the paper says, because the ATA protocol does not expose the PES. This could be accomplished through traditional attack techniques – binary exploitation, drive-by downloads, or phishing – or by intercepting HDDs somewhere in the supply chain and modifying them. The researchers point to the Grayfish malware attributed to the Equation Group as an example.

To exfiltrate captured data, the three boffins suggest transmitting it over the internet by modifying Linux operating system files to create a reverse shell with root privileges or storing it to disk for physical recovery at a later date.

While many computing devices come with microphones that might look like easier targets for hijacking, the researchers observe that security conscious individuals may disable known microphones in software or with hardware hacks. A hard disk-focused attack would be less expected.

But look, let's be real: for the vast, vast majority of people, this is all just a cunning academic exploitation of hard drive technology. No one's really going to bug you via your spinning rust.

But... if they were to, the PES sampling rate (34.56 kHz) allows the capture of audio signals up to 17.28 kHz, which covers almost all of human hearing (20 Hz–20 kHz) and is significantly better than the sampling rate of the telephone system (8 kHz). Since the PES data amounts to air pressure readings, the researchers simply turned the series of PES measurements into linear pulse-code modulation values and then converted these samples into sound via digital signal processing algorithms.

Wait, there's a catch

One limiting aspect of the described technique is that it requires a fairly loud conversation in the vicinity of the eavesdropping hard drive. To record comprehensible speech, the conversation had to reach 85 dBA, with 75 dBA being the low threshold for capturing muffled sound. To get Shazam to identify recordings captured through a hard drive, the source file had to be played at 90 dBA. Which is pretty loud. Like lawn mower or food blender loud.

The researchers acknowledge this is louder than most practical scenarios but they say they "expect that an attacker using state of the art filtering and voice recognition algorithms can substantially amplify the channel’s strength."

While the growing popularity of solid state drives diminish the risk even further, there were still twice as many hard drives sold with PCs in 2017 as there were solid state drives, the researchers claimed.

To prevent HDDs from being turned into microphones, the trio suggest hard drive makers sign firmware cryptographically and use TLS when distributing updates to prevent MITM attacks.

They also note that their work may open future research possibilities, such as using a hard disk's read/write head as a crude sounds generator to issue spoken commands to nearby connected speakers like Alexa, Google Home, and Siri. ®

Addendum: If you're suffering deja-vu, the paper cites Alfredo Ortega's earlier work on using hard disks as microphones, although its authors claim they use a different technique to measure the effects of sound, and require a lower volume compared to other approaches.

Other stories you might like

  • Firefox kills another tracking cookie workaround
    URL query parameters won't work in version 102 of Mozilla's browser

    Firefox has been fighting the war on browser cookies for years, but its latest privacy feature goes well beyond mere cookie tracking to stop URL query parameters.

    HTML query parameters are the jumbled characters that appear after question marks in web addresses, like Sites such as Facebook and HubSpot use them to track users when links are clicked, and other websites like YouTube use them to enable certain site features too.

    On June 28, Firefox 102 released a feature that enables the browser to "mitigate query parameter tracking when navigating sites in ETP strict mode." ETP, or enhanced tracking protection, encompasses a variety of Firefox components that block social media trackers, cross-site tracking cookies, fingerprinting and cryptominers "without breaking site functionality," says Mozilla's ETP support page.

    Continue reading
  • India extends deadline for compliance with infosec logging rules by 90 days
    Helpfully announced extension on deadline day

    Updated India's Ministry of Electronics and Information Technology (MeitY) and the local Computer Emergency Response Team (CERT-In) have extended the deadline for compliance with the Cyber Security Directions introduced on April 28, which were due to take effect yesterday.

    The Directions require verbose logging of users' activities on VPNs and clouds, reporting of infosec incidents within six hours of detection - even for trivial things like unusual port scanning - exclusive use of Indian network time protocol servers, and many other burdensome requirements. The Directions were purported to improve the security of local organisations, and to give CERT-In information it could use to assess threats to India. Yet the Directions allowed incident reports to be sent by fax – good ol' fax – to CERT-In, which offered no evidence it operates or would build infrastructure capable of ingesting or analyzing the millions of incident reports it would be sent by compliant organizations.

    The Directions were roundly criticized by tech lobby groups that pointed out requirements such as compelling clouds to store logs of customers' activities was futile, since clouds don't log what goes on inside resources rented by their customers. VPN providers quit India and moved their servers offshore, citing the impossibility of storing user logs when their entire business model rests on not logging user activities. VPN operators going offshore means India's government is therefore less able to influence such outfits.

    Continue reading
  • America edges closer to a federal data privacy law, not that anyone can agree on it
    What do we want? Safeguards on information! How do we want it? Er, someone help!

    American lawmakers held a hearing on Tuesday to discuss a proposed federal information privacy bill that many want yet few believe will be approved in its current form.

    The hearing, dubbed "Protecting America's Consumers: Bipartisan Legislation to Strengthen Data Privacy and Security," was overseen by the House Subcommittee on Consumer Protection and Commerce of the Committee on Energy and Commerce.

    Therein, legislators and various concerned parties opined on the American Data Privacy and Protection Act (ADPPA) [PDF], proposed by Senator Roger Wicker (R-MS) and Representatives Frank Pallone (D-NJ) and Cathy McMorris Rodgers (R-WA).

    Continue reading

Biting the hand that feeds IT © 1998–2022