Over the years, many of us in the security community have heard about attacks directed against our computers’ microphones. One scenario in particular demonstrated how an attacker could piggyback off a Skype session and record an unsuspecting user’s audio and video.
As a community, we’ve responded to these threats differently. Some have developed tools to help prevent actors from abusing our microphones. Others have disabled their computer’s audio input functionality, or physically removed the mic component from their machine.
Still others have cried in a corner, and given up hope of securing their microphones because it’s “impractical”.
Well guess what? All of those responses (especially the last one) can’t stop attackers from surreptitiously recording you. That’s because researchers have devised a jack retasking attack to reprogram a computer’s input and output audio ports and thereby turn your headphones… into audio recorders.
Researchers at the Cyber Security Research Center at Ben Gurion University, the same institute which has in the past messed around with air-gapped computers and investigated the resilience of 911 emergency services, came up with the method by exploiting two facts.
These are as follows:
- Fact #1: Headphones/earphones are inverses of microphones. Both make use of power, a magnetic field, and sound waves. They just do so in the reverse order based upon what type of audio jack they’re plugged into. (Input vs. output determines the flow of those properties.)
- Fact #2: Realtek’s audio chipsets, which are found in a lot of different computers’ motherboards, allow an actor to reprogram the function of an audio port at the software level using a method called jack retasking. That means someone can remap an audio input port as an audio output port and vice versa.
See where they’re going with this? The researchers clarify in their paper:
“The fact that headphones and earphones are physically built like microphones, coupled with the fact that an audio port’s role in the PC can be altered programmatically from output to input, creates a vulnerability which can be abused by hackers. A malware can stealthy reconfigure the headphone jack from a line out jack to a microphone jack. As a result, the connected headphones can function as a pair of recording microphones, thereby rendering the computer into an eavesdropping device – even when the computer doesn’t have a connected microphone.”
The attack, which works through a piece of malware that does the jack retasking, is applicable in two main threat scenarios: when a computer doesn’t have a mic component or when someone’s headphones are better positioned to record the user.
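The following is an added defensive check, not code from the article or from the researchers, written from the two facts above: it parses a Linux HD-audio codec dump in the layout the kernel's hda driver prints to /proc/asound/cardN/codec#M (that layout is an assumption of this example), lists jacks whose hardware capability allows both input and output (the retaskable ones), and flags any output-role jack whose live pin control currently enables input. The dump text is a constructed sample in which the headphone jack, node 0x21, has already been retasked.

```python
import re

# Default-device roles (HDA "Pin Default" line) that are outputs by design.
OUTPUT_ROLES = ("HP Out", "Line Out", "Speaker")

# Constructed sample in the layout the Linux hda driver prints to
# /proc/asound/cardN/codec#M; node 0x21 (headphone jack) is shown already retasked.
SAMPLE_DUMP = """Codec: Realtek (constructed sample)
Node 0x14 [Pin Complex] wcaps 0x40058d: Stereo Amp-Out
  Pincap 0x00010014: OUT EAPD Detect
  Pin Default 0x99130110: [Fixed] Speaker at Int N/A
  Pin-ctls: 0x40: OUT
Node 0x18 [Pin Complex] wcaps 0x40048b: Stereo Amp-In
  Pincap 0x0001373c: IN OUT HP EAPD Detect
  Pin Default 0x01a19030: [Jack] Mic at Ext Rear
  Pin-ctls: 0x24: IN VREF_80
Node 0x21 [Pin Complex] wcaps 0x40048d: Stereo Amp-Out
  Pincap 0x0001373c: IN OUT HP EAPD Detect
  Pin Default 0x0221401f: [Jack] HP Out at Ext Front
  Pin-ctls: 0x20: IN VREF_HIZ
"""

def parse_codec_dump(text):
    """One dict per Pin Complex node: id, default role, Pincap flags, live Pin-ctls."""
    pins, cur = [], None
    for line in text.splitlines():
        m = re.match(r"Node (0x[0-9a-f]+) \[Pin Complex\]", line)
        if m:
            cur = {"node": m.group(1), "default": None, "pincap": [], "ctls": []}
            pins.append(cur)
            continue
        if cur is None:
            continue
        s = line.strip()
        if s.startswith("Pincap"):
            cur["pincap"] = s.split(":", 1)[1].split()
        elif s.startswith("Pin Default"):
            m = re.search(r"\]\s+(.+?)\s+at\s", s)  # "[Jack] HP Out at Ext Front"
            cur["default"] = m.group(1) if m else None
        elif s.startswith("Pin-ctls"):
            cur["ctls"] = s.split(":", 2)[2].split()
    return pins

def retaskable_pins(pins):
    """Jacks whose Pincap allows both IN and OUT: the ones software can retask."""
    return [p["node"] for p in pins if "IN" in p["pincap"] and "OUT" in p["pincap"]]

def retasked_output_pins(pins):
    """Output-role jacks whose live control enables input (headphones acting as a mic)."""
    return [p["node"] for p in pins if p["default"] in OUTPUT_ROLES and "IN" in p["ctls"]]
```

Against a live machine, feed `open("/proc/asound/card0/codec#0").read()` to `parse_codec_dump` and compare the result with a dump taken at boot; a jack that appears in `retasked_output_pins` only in the later dump is worth investigating.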
In their experiment, the researchers proved their attack could work with a pair of Sennheiser headphones. They found that they could record from up to 20 feet away and still make out what the user was saying.
The team recommends that Realtek and others modify their chipsets so that the audio jacks can no longer be retasked. But even if those companies complied, it would take years for new chipsets to reach our computers.
That harsh reality leaves users with few countermeasures.
At the hardware level, users can decide never to plug any speakers, headphones, or earphones into their computers. They might also want to consider using audio jammers and white noise emitters near their computers.
When it comes to software, they could choose to disable the audio component entirely in their computer’s BIOS. But that means no music, no Skype, no anything. Just the dull hum of their computer.
It’s up to you to decide whether you want to take that leap. But at the end of the day, there will always be the risk of an attack. We shouldn’t needlessly deprive ourselves because of it.
I don't understand something: if I plug in a set of earphones, and some malware has reprogrammed the audio chip to turn them into microphones, am I not going to be a little suspicious when no sound comes out of the 'phones? As far as the 'phones presenting the danger of eavesdropping, since the only thing you want them for is to listen to sound coming out, why is it difficult for users to simply pull them out of the jack when they're finished listening?
Plugging in speakers, mentioned in the article, will not enable the hack described in many cases. Specifically, it won't work if the speakers, like many or most, are amplified, since the amplifiers normally will not be reversible even though the speakers connected to their outputs are. While it might be possible to further hack the attached speakers (a rather extreme stretch), attached speakers with a separate power supply almost certainly will protect against software reconfiguration of the computer audio output. And, of course, unplugging earphones and speakers when carrying on private conversations fully prevents exploitation.
In general, only a tiny fraction of the population needs to worry about this and the large number of similar attacks that depend on access to and elevated privileges on the computer. The great majority