A team of researchers has showed how a piece of malware can spy on users by silently turning their headphones into a microphone that can capture audio data from a significant distance.
In the past years, experts from the Cyber Security Research Center at the Ben-Gurion University of the Negev in Israel disclosed several methods for stealing data from air-gapped computers, including via heat emissions, cellular frequencies, electromagnetic signals emitted by graphics cards, and noise from hard drives and fans.
New research conducted by the experts aims to show how certain types of audio output devices can be abused for spying. The attack method, dubbed SPEAKE(a)R, is based on the fact that microphones and speakers are physically similar but work differently – speakers convert electric signals to sound, while microphones transform sound into electric signals.
If speakers are plugged into a mic jack, they can be used as a microphone and vice versa. The problem is that many of the audio chipsets found in modern PCs (e.g. Realtek sound cards) include a feature that allows changing the functionality of a jack at software level.
A piece of malware can abuse this feature to retask the socket and change the “line out” port to “line in,” effectively turning the speakers into microphones without the victim noticing.
The researchers noted that the attack method works best with headphones and earphones. It also works with passive speakers, but active speakers (i.e. ones that include an amplifier) prevent the attack as the amplifier blocks the signal from passing from the output to the input. Since most modern speakers include an amplifier, the threat is mainly relevant to earphones and headphones.
Experts described two scenarios in which such an attack could be useful. In one scenario, the malware-infected device does not have a microphone or the microphone is turned off, but it does have headphones, earphones or passive speakers connected to it. In the second scenario, the targeted computer has both a microphone and headphones, but the headphones are better positioned for recording the victim.
The experiments conducted by the researchers showed that an intelligible audio transmission can be achieved from several meters.
The experts also proposed a series of software and hardware countermeasures that can prevent such attacks. The hardware countermeasures include banning all audio output devices or allowing only active speakers, and deploying noise emitters or audio jammers.
Software countermeasures include disabling audio hardware from the BIOS/UEFI, and configuring the audio driver to prevent jack retasking. The kernel driver can also be designed to request explicit approval from the user for such retasking operations. However, researchers pointed out that all these measures have both pros and cons.
Related Reading: Hackers Can Disrupt 911 Services With Small Smartphone Botnet
Related Reading: Shazam for Mac Keeps Listening Even When Disabled