
Headphones can be hijacked to surreptitiously record audio - tonybeltramelli
https://www.wired.com/2016/11/great-now-even-headphones-can-spy/
======
bcheung
Here's a neat party trick for you.

I had a MacGyver moment in the past where I made a phone call with only a
pair of old earbuds and a phone cord (no switches, no dial pad).

A speaker is basically the same thing as a microphone in reverse. Normally it
takes an electrical signal to move a physical element that creates the sound
waves. But you can also move the element and it will generate an electrical
signal.

To dial you can use the old rotary trick. The old phones dialed by pulses of
quickly disconnecting and reconnecting. You can do that by hand if you want
but it might require a little bit of practice and dexterity. Basically if you
want to dial a 5, just disconnect the wire from the headphone to the phone
cord and then reconnect it 5 times in a row.

You have to both listen and speak through the ear bud. Not the best quality or
easiest to do but it works.

~~~
telekid
How do you dial a zero?

Edit: Just realized why a zero is in the '10' position on a rotary phone. Huh.

~~~
ptaipale
Yes, except in the Swedish phones, where the numbering starts from 0. So
dialing 0 would make 1 pulse, dialing 1 would make 2 pulses, and dialing 9
would make 10 pulses.

~~~
toomanybeersies
And New Zealand, where it was like Sweden, but backwards. 0 made 10 pulses, 1
made 9 pulses, and dialing 9 would make 1 pulse.

This is why the emergency number in NZ is 111, we had equipment from the UK,
where the number was 999.

As to why it was backwards, I have no idea.

~~~
christoph
112 still works as an emergency number in the U.K. to this day.

~~~
ptaipale
That's more like "ever since digital mobile phones came around". The number
112 is in GSM standard.

Technically, the network gives it a priority, and you can make a 112 call even
without a SIM card, or even if your operator does not have coverage. The call
goes through any operator that has coverage. (You can actually see this in the
phone display when making a 112 call; it handles it quite differently. I have
done it a few times; unfortunately, most of those times, someone has died...)

If the network is so busy that all traffic channels in GSM are occupied, and
you make a 112 call, one of the existing calls is dropped and you get the
emergency call.

This had some interesting side effects in China. There, prior to introduction
of GSM, the number 112 was allocated to phone company technical complaints.
Police was 110 and fire alarm was 119 and so on.

So, if you were making a GSM phone call to a friend, and the network was full
- not that infrequent in China - you wouldn't get through. But you could call
the technical complaint line at 112, and this was a priority service which
dropped one of the existing calls. Once the technical complaint service was
ringing, you could drop that call (to the network, an emergency call) and
you'd have one free GSM time slot in your cell. And you could call your
friend.

Until the next guy did the same, and your ongoing call would get mysteriously
dropped.

------
IshKebab
The bit you want to know:

> Their malware uses a little-known feature of RealTek audio codec chips to
> silently “retask” the computer’s output channel as an input channel

~~~
chinathrow
Reads like a back door to me.

~~~
21
This feature allows you to plug any audio device (input or output) into any
audio jack on the computer and it will JustWorkTM.

Even if the jacks are color coded or annotated, these days they are actually
universal.

So it's more of an accidental backdoor.

~~~
Florin_Andrei
It's the very, very old contradiction between convenience/features on one
hand, and security on the other.

The more convenient something is, and the more features it has, the easier it
is to hijack it.

------
elcapitan
Interesting research, but with people already plugging those headphones into a
portable surveillance set, and plus them using headsets (which are already
microphones as well), this seems a bit chasing the wrong target?

(Assuming that the connected computer is compromised also already implies that
the attacker has a microphone at their disposal, with most modern devices like
smartphones, tablets and mobile computers)

~~~
mojuba
For starters, the fact that RealTek is so easily reprogrammable to turn audio
output into input is very unlikely just a "bug". It's a feature left there on
purpose.

~~~
Senji
It's a selling point. You plug anything at the back then change the jack's
purpose in the control panel gui for the audio card.

~~~
mojuba
Possibly, but why isn't the feature exposed to end users then?

~~~
infogulch
It is. I've seen it on multiple computers.

~~~
lima
Yep. I remember that feature from the Windows NT days.

------
tonybeltramelli
paper: [http://cyber.bgu.ac.il/advanced-cyber/system/files/SPEAKE%28...](http://cyber.bgu.ac.il/advanced-cyber/system/files/SPEAKE%28a%29R.pdf)

video:
[https://www.youtube.com/watch?v=ez3o8aIZCDM](https://www.youtube.com/watch?v=ez3o8aIZCDM)

"It’s no surprise that earbuds can function as microphones in a pinch [...]
But the researchers took that hack a step further. Their malware [...]
silently “retask” the computer’s output channel as an input channel, allowing
the malware to record audio even when the headphones remain connected into an
input-only jack and don’t even have a microphone channel on their plug."

~~~
laddng
The link to the paper is dead. Is there a mirror? I am very curious to see it

~~~
jloughry
Replace the %28 and %29 in the URL with parentheses ( ) and the paper loads
correctly. The title is spelt like this:

SPEAKE(a)R: Turn Speakers to Microphones for Fun and Profit

~~~
replax
The error changes from not found to access denied..

Do you have a link to the paper?

~~~
sleepprogger
Use e.g. Google cache to read it: cache:[http://cyber.bgu.ac.il/advanced-cyber/system/files/SPEAKE%28...](http://cyber.bgu.ac.il/advanced-cyber/system/files/SPEAKE%28a%29R.pdf)

~~~
jloughry
HN missed the leading `cache:' and failed to make your link clickable. This
ought to work:

[http://webcache.googleusercontent.com/search?q=cache%3Ahttp%...](http://webcache.googleusercontent.com/search?q=cache%3Ahttp%3A%2F%2Fcyber.bgu.ac.il%2Fadvanced-cyber%2Fsystem%2Ffiles%2FSPEAKE%2528a%2529R.pdf)

(I'm getting `access denied' on the original now too, but the Google cache
link works.)

------
orblivion
Would be cool if Purism or similar companies had a nice big hardware switch
that controlled access to any recording equipment.

~~~
egh5oon
A camera/mic switch should be required by law on every laptop and phone.

Please don't tell me a 5c switch is too expensive for a $300 phone.

~~~
chopin
It's not the cost of the switch. It's the cost of assembly (wiring). And the
switch must fit the form factor.

------
mthoms
One thing that's not clear from the article - are external headphones
_required_ for this to work? Can this not be done with the built-in speakers?

~~~
justinclift
It seems like something that would work for built-in speakers too. They're
driven by the same audio codec chips (eg realtek), but wired directly instead
of through an external socket.

~~~
janci
I think the opposite. Speakers are driven by an amplifier that will not let
the audio in reverse, even if the soundcard output was switched to act as an
input.

~~~
wallacoloo
But might there be sufficient coupling between the amplifier's output and its
input, such that driving the output pins via speaking into the speaker can
produce a voltage on what is usually the input line to the amplifier?

I suspect it _may_ be possible, depending on what the firmware allows -
amplifier circuitry often utilizes feedback in some form or another, which is
essentially coupling the output to the input. And even if the amplifier is
powered off, there's bound to be capacitive coupling between the input/output
lines, but that's probably too small to be useful.

~~~
qb45
This could totally work in this kind of circuit for example:

[https://en.wikipedia.org/wiki/Operational_amplifier_applicat...](https://en.wikipedia.org/wiki/Operational_amplifier_applications#Inverting_amplifier)

While I have seen a soundcard using two such inverting stages in series for
headphone output, in laptops dedicated chips are more common which probably
don't have such strong coupling. But better safe than sorry if the NSA is
after you :)

------
mark-r
Analog headphone amplifiers are quite easy to come by and can fix the problem
for the ultimate paranoids.

~~~
mojuba
Or USB amps for that matter.

~~~
Florin_Andrei
If the USB amp uses the same RealTek chip, then good luck with trusting it.

~~~
planteen
If it is constructed just that there is an amplifier after what is supposed to
be the output channel, you would probably be fine even if it was the
RealTek chip. There isn't going to be much coupling between a signal input to
the output of the amplifier going back to the input as an output.

------
hotdogs
"Great. Now Even Your Headphones Can Spy on You" Ironic coming from Wired, one
of the most ad/tracker infested sites you could visit.

~~~
vortico
And a big difference is that you _know_ ad trackers on Wired spy on you, while
headphones... eh, unlikely in practice.

------
gnicholas
Finally we know why Apple ditched the minijack on the iPhone 7...

~~~
Grangar
I'd say USB only makes things worse in this case.

------
MisterBastahrd
What we need here is a non-profit to vet devices and appliances against
uninvited listening.

~~~
sedachv
> What we need here is a non-profit to vet devices and appliances against
> uninvited listening.

The Free Software Foundation already does this:

[https://www.fsf.org/resources/hw/endorsement/respects-your-f...](https://www.fsf.org/resources/hw/endorsement/respects-your-freedom)

------
Animats
Incidentally, if Wired's ad-blocking "veil" gets in the way, right click,
select "Inspect Element", find the "veil" item, right click, and select
"Delete Node". No more veil.

------
posterboy
makes me wonder if the same thing goes for screens, because the reverse
photoelectric effect in LEDs can be reversed.

~~~
CogMonster
You would still need a lens to form an image on the screen.

~~~
jkaptur
It might be possible to use multiple screens to form a sort-of synthetic lens.
Also, there is such a thing as a single-pixel camera
([http://dsp.rice.edu/cscamera](http://dsp.rice.edu/cscamera)).

------
mcs
This technique was just as valid 8 years ago as it is today. The only
difference today is that the realtek chipsets with port reassignment are more
prevalent.

------
ff10
Do Apple machines really use Realtek audio chips? Is reassigning port
direction possible even when there's just one physical plug?

~~~
mikeash
There's not much in the way of direction when it comes to analog audio
signals. For output, you're driving the coil with some current. For input,
you're reading current from the coil. This particular chip supports both on
the same wires, you just have to tell it which one you want.
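
A defender's check for the jack retasking discussed in this thread, as an added example that is not part of any comment or of the paper: it parses a codec dump in the layout Linux's ALSA HD-audio driver exposes under /proc/asound/card*/codec#* (an assumption about the platform) and flags pins whose default role is an output but whose input-enable bit is set. The sample dump and the function name are constructed for illustration.

```python
import re

# Constructed excerpt in the layout of an ALSA HD-audio codec dump (assumption:
# Linux, snd-hda-intel). Node 0x21 is a headphone jack that has been set to input.
SAMPLE = """\
Codec: Realtek ALCxxx (constructed sample)
Node 0x18 [Pin Complex] wcaps 0x40058f: Stereo Amp-In Amp-Out
  Pincap 0x00003734: IN OUT Detect
  Pin Default 0x02a11830: [Jack] Mic at Ext Front
  Pin-ctls: 0x24: IN VREF_80
Node 0x14 [Pin Complex] wcaps 0x40058d: Stereo Amp-Out
  Pincap 0x00010014: OUT EAPD Detect
  Pin Default 0x90170110: [Fixed] Speaker at Int N/A
  Pin-ctls: 0x40: OUT
Node 0x21 [Pin Complex] wcaps 0x40058f: Stereo Amp-In Amp-Out
  Pincap 0x0000373c: IN OUT HP Detect
  Pin Default 0x0221101f: [Jack] HP Out at Ext Front
  Pin-ctls: 0x24: IN VREF_80
"""

# Bits 23:20 of the pin's default configuration give its default device type.
OUTPUT_DEVICES = {0x0: "Line Out", 0x1: "Speaker", 0x2: "HP Out"}
PIN_IN_ENABLE = 0x20  # pin widget control: input-enable bit

NODE_RE = re.compile(r"^Node (0x[0-9a-f]+) \[Pin Complex\]", re.I)
DEFAULT_RE = re.compile(r"^\s+Pin Default (0x[0-9a-f]{8}):", re.I)
CTLS_RE = re.compile(r"^\s+Pin-ctls: (0x[0-9a-f]+):", re.I)

def find_retasked_outputs(codec_dump):
    """Return [(node, default_device)] for output-type pins with input enabled."""
    findings, node, device = [], None, None
    for line in codec_dump.splitlines():
        if line.startswith("Node "):
            # New widget: track it only if it is a pin complex.
            m = NODE_RE.match(line)
            node, device = (m.group(1) if m else None), None
        elif node and (m := DEFAULT_RE.match(line)):
            device = (int(m.group(1), 16) >> 20) & 0xF
        elif node and (m := CTLS_RE.match(line)):
            if device in OUTPUT_DEVICES and int(m.group(1), 16) & PIN_IN_ENABLE:
                findings.append((node, OUTPUT_DEVICES[device]))
    return findings

if __name__ == "__main__":
    for node, dev in find_retasked_outputs(SAMPLE):
        print(f"pin {node}: default '{dev}' but input is enabled")
```

A hit is a prompt to look closer rather than proof of compromise, since, as several commenters note, vendor control panels let users reassign jacks deliberately.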

------
some1else
I wish there was an easy way to do the opposite in control panel. Having two
audio outputs on a laptop comes in handy.

------
sqldba
The article as a whole is quite sensationalist.

Once people have access to your underlying device - what exactly do you think
is going to happen?

"Oh but if you disconnected your microphone then think again". How many bloody
people do that? A few dozen in the world?

What a piece of shit.

Now the technical underpinning that jacks can be reassigned isn't new for
Realtek, lots of PC motherboards have given the option for years and years.

This is all not really news.

------
jastanton
Serious question: I understand the argument against the classic "why should I
care if someone records my conversations? I don't do anything illegal.", being
that once the government starts recording everything you say the freedom of
being able to say anything negative against them goes away knowing they could
be listening. That said, why should I, a boring law abiding citizen, go around
disabling my hardware and covering webcams etc...? If someone were to ask me
what I was doing, just the fact that it's possible to hijack desktop mics is
that enough for me to start putting faraday cages around myself? Serious
question. Thanks :)

~~~
nkrisc
It's not just the government you need to worry about, it's independent
malicious actors as well. Video or audio recordings from your devices could be
used to blackmail you unless you're very, very careful what you do or say at
all times such devices are around.

With regards to the government, while you may not be doing anything illegal
now, it will be illegal when they outlaw it.

~~~
jsprogrammer
In the US, ex post facto laws cannot be made.

~~~
AnthonyMouse
> In the US, ex post facto laws cannot be made.

That fact has been so inconvenient for the government that the entire system
has been redesigned to thwart it. Can't prove Al Capone is a mobster?
Prosecute for tax evasion.

Keep passing broad overlapping laws and they can charge anyone with something.
Then they don't have to change the law, only who they decide to prosecute.

~~~
jsprogrammer
Are you saying Capone didn't evade taxes?

~~~
AnthonyMouse
I'm saying nobody would have been looking at him for tax evasion if he wasn't
a mobster, even if he was doing it.

And after Capone the mobsters started paying their taxes, so now they charge
them with money laundering, which is essentially a law against paying your
taxes on unexplained income.

------
dang
We changed the baity title to representative language from the article. If
anyone suggests a better (more accurate and neutral) title, we can change it
again.

------
69mlgsniperdad
Are there more details of the 'hack' somewhere? Does this mean that one could
take advantage of an extra input channel, or possibly two? What would be
sacrificed if anything, latency?

