Attacks/Breaches
11/23/2016
02:25 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Researchers Demo Method For Turning A PC Into An Eavesdropping Device

The audio chipsets in many modern PCs allow audio jacks to be flipped from lineout to line-in, says team from Israel's Ben-Gurion University.

Researchers at Israel’s Ben-Gurion University of the Negev have devised a way to turn any computer into an eavesdropping device by surreptitiously getting connected headphones or earphones to function like microphones.

In a paper titled "SPEAKE(a)R: Turn Speakers to Microphones for Fun and Profit," the researchers this week described malware they have developed for reconfiguring a headphone jack from a line-out configuration to a line-in jack, thereby enabling connected headphones to work as microphones.

The exploit works with most off-the-shelf headphones and even when the computer doesn’t have a connected microphone or has a microphone that has been disabled, according to the researchers.

The malware takes advantage of the manner in which some audio chipsets in modern motherboards and soundcards work. In a typical computer chassis, the audio jacks that are built into the front or rear panel are used either as line-in or input jacks or line-out jacks for audio output.

The chipsets in such cards support a little-used jack re-mapping or a jack re-tasking option for changing the function of the audio ports from line-in to line-out via software.

Audio chipsets from Realtek Semiconductor, for instance support this capability, though it is not documented in any technical specifications for the product, the researchers from Ben-Gurion University noted. Realtek codecs are the most widely used in PCs but other codec manufacturers allow jack repurposing as well, the researchers said.

In addition, researchers have for some time known that speakers can, with a little tweaking, be made to function like a microphone, they said. “Loudspeakers convert electric signals into a sound waveform, while microphones transform sounds into electric signals,” their paper noted.

In a speaker, electrical signals are used to create a changing magnetic field that moves a diaphragm in order to produce sounds. In a microphone, a diaphragm moves through a magnetic field to induce an electrical signal. “This bidirectional mechanism facilitates the use of simple headphones as a feasible microphone, simply by plugging them into the PC microphone jack,” the research paper said.

This capability, coupled with the fact that audio jacks can be programmatically altered to switch from output only to input jacks, creates a vulnerability that attackers can use to turn any computer into an eavesdropping device, according to the BGU researchers.

Tests to evaluate the quality of audio signals generated by off-the-shelf headphones plugged into jacks that had been modified by SPEAKE(a)R showed it is possible to acquire intelligible audio from several meters away.

Craig Young, a cybersecurity researcher for Tripwire says the fact that audio-chipsets allow this sort of reprogramming is interesting. But the chances of someone being able to pull off an attack are not easy, he says. For one thing, in order for the exploit to work, an attacker would likely need full access to the computer that is being used for eavesdropping. Anti-malware tools would also likely be able to easily spot and block the malware from working, he says.

“Based on the description of the malware, it is using the RealTek retasking feature to reconfigure an output line to be used as an input line,” he says. In a Windows environment, this is generally controlled within the registry, he says. “Anti-malware software should be able to detect either an unauthorized registry change or unexpected communication with the hardware,” he says.

The attack would also only work under a limited set of conditions.  The victim for instance would need to have done something to have the malware installed on the system. The victim’s headphone would need to be connected to the compromised system and the victim also needs not to be using the headphones for this attack to work, Young says.

Related stories:

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.