Hard disks can be turned into listening devices (theregister.co.uk)
279 points by bjoko 46 days ago | 75 comments

Buried 4/5 down the page: "One limiting aspect of the described technique is that it requires a fairly loud conversation in the vicinity of the eavesdropping hard drive. To record comprehensible speech, the conversation had to reach 85 dBA, with 75 dBA being the low threshold for capturing muffled sound."

For context, a vacuum cleaner is also 75 decibels, with 80db as the threshold for hearing loss: https://ehs.yale.edu/sites/default/files/files/decibel-level...

So you literally have to scream at each other right in front of the hard drive for it to record discernible speech. This is not an "eavesdropping mic" as the subheading of the article claims. Therefore, it's yet another clickbait BS fearmongering article about an interesting tech hack.

This is wrong. I'm a professional sound engineer who's done location recording for film for over a decade and has another decade's worth of studio/editing experience.

A vacuum cleaner is loud but not that loud. You don't have to scream over it. 80db will cause hearing loss if you listen to that level sustained over a long time, but it's not remarkably loud. In fact, the chart you link shows everyday examples of noises in that range like phones ringing, chamber music (from acoustic stringed instruments using resonant cavities, a good proxy for human voices), city traffic, and more.

While a 75dB noise floor is definitely a problem for obtaining a clean recording (the kind you hear in a tv show), it's nothing unusual in forensic work. The sound from the servos moving the heads back and forth will consist of aperiodic loud but relatively slow and brief transients. It'll be like trying to listen in to a space while a spastic Autechre track plays on a speaker nearby - hard work but not impossible. A more prosaic example would be trying to follow the words of an unfamiliar song or rap at a live concert.

I'm pretty confident that I could get what you said into your phone while you sat in front of your laptop with a mechanical hard drive, without even hearing any of their source material. I would find this easier than trying to deal with a bad recording made in high wind or in the vicinity of a diesel engine.

Author here. I disagree that a straightforward report on computer science research qualifies as "clickbait BS fearmongering." Note the all caps subhead. That should make it clear there are limitations: GOOD ENOUGH TO RECOGNIZE MUSIC VIA SHAZAM IF YOU TURN IT UP TO 11. And as the researchers state in their paper, they expect the technique can be improved.

I'm looking forward to reading the paper and I know exactly how I'd deal with the noise reduction either manually or by piping it through a Cedar box (https://www.cedar-audio.com/ - I'm not affiliated with them).

I don't think most people realize how good forensic audio tools are. Cedar stuff is expensive because it works in realtime (sub millisecond processing latencies!) and can be operated by anyone who is capable of manually tuning a radio.

Intriguing - do they use FPGAs or something for the processing?

Perhaps so, because those low latencies exceed what the best DACs on the market provided a few years ago, but I don't own any of their gear. I've always considered their hardware to be magic - I know what they're doing all the way down to understanding the mathematics of Fourier transforms, and it still blows my mind.

The most basic FM radio still blows my mind.

OP is likely taking exception to the use of the word "eavesdropping", since it means listening to, specifically, conversations.

The researchers use that very word in the title of their paper: "Hard Drive of Hearing: Disks that Eavesdrop with a Synthesized Microphone"

Yeah, researchers are known to do this kind of thing to get more publicity for their research, they have career goals too after all.

It's research clickbait basically.

How much experience do you have with forensic audio analysis?

I really hate your use of ‘eggheads’ and similar crap. Just call them researchers ffs.

Could the technique be used for something more localized, like sensing keystrokes via vibration? If an attacker knew a make/model of laptop, they could make a "training set" of data to compare against for greater confidence.

Does another team have control of the actual title?

Reporters submit suggested heds. Editors often change them.

> So you literally have to scream at each other right in front of the hard drive for it to record discernible speech.

Right. Because certainly no one can figure out how to improve this.

How about using multiple hard disks simultaneously and use signal processing magic to clean it up, just like microphone arrays do?

Maybe you could even start to get some limited spatial information about the surroundings, based on sound arrival time difference between multiple disks? Similar to the way reflections of sound waves in the Earth crust and below can be used to compute Earth internal structure. Or how bats navigate.

I'm not saying these ideas work — most likely not. What I'm saying is that someone with this knowledge and some brilliant discovery might be able to take this technique way further.

> Maybe you could even start to get some limited spatial information about the surroundings,

Good point. I guess you could accurately triangulate the position of the hard drive using seismic reference data, in the case of an earthquake. Or you could make loud noises at different places in a city, and locate the hard drive that way.

You make 2 or 3 passes with a supersonic aircraft to get the location, and then one more pass to drop a bomb.

In a more civilian context, you have a nice fireworks show and then send the SWAT team.

I didn't mean that, but that's also an interesting idea.

Maybe a spy satellite passes overhead and records the data center walls vibrating.

Jokes aside, hearing a sound directly from a low orbit is a thing [0]. Only problem is, the sound has to be extremely loud.

[0] https://agupubs.onlinelibrary.wiley.com/doi/full/10.1002/grl...

According to the paper, the frequency has to be very low ~0.1 Hz.

And conversely the ISS makes sonic booms in its LEO, they're just very weak. Sonic murmurs.

Here's a video of Brendan Gregg and Bryan Cantrill giving a demonstration of the effect:

> https://m.youtube.com/watch?v=tDacjrSCeq4

I saw the post and immediately thought of this video, glad someone posted it!

So far. Perhaps there are ways for it to still be useful, regardless. For example, you might care more about the binary state of sound vs no sound (learning the hours that someone or something is in operation).

It’s also really freaking cool, and an amazing way to make something that’s created for one purpose into a seemingly unrelated one.

"Fearmongering"? This is an exceedingly cynical and uncharitable take on the article, which literally says:

But look, let's be real: for the vast, vast majority of people, this is all just a cunning academic exploitation of hard drive technology. No one's really going to bug you via your spinning rust.

Eavesdropping: To secretly listen to a conversation.

The title is accurate. It's currently not the best or completely practical, but this type of attack will likely have room for improvement.

You mentioned vacuum cleaner which could happen to be perfect. Imagine knowing the exact day and time the house cleaning service comes by to your target.

Exactly - just because it can't pick up speech doesn't mean it's not useful. That it can pick anything up at all can be gamed to your advantage depending on the purpose.

This is precisely why I avoid any articles published by El Reg. They're essentially the Daily Mail of the tech scene. You're far better off reading about this stuff from other sources.

> So you literally have to scream at each other right in front of the hard drive for it to record discernible speech.

That's how people routinely talk in our open office, so entirely plausible.

Typical middlebrow dismissal of every sidechannel attack ever.

But, "Attacks only get better."

Still pretty interesting without the need for conspiratorial bent.

What if you had samples from multiple hard drives in the same room? Could they be combined to provide a better signal than a sample from a single drive alone?

> Could they be combined to provide a better signal than a sample from a single drive alone?

It's not as simple as just combining them but yes, the second data point would be immensely helpful.

There is a principle I have learned over time in infosec. Attacks only get better over time. If the defender does nothing, it is a net bad thing.

And they get combined in novel and creative ways to create effective practical exploits.

This tool would probably be useful in conjunction with other tools or in specific conditions:

* A tool that can clear the noise from the hard disk, allowing a glimpse at some parts of the conversation

* When the computer is turned off (assuming the listening device can stay on)

* Some areas in an airport

* Construction areas

It is not impossible to be useful for some actors, but it does require specific conditions.

In my rig, both my work and home machines, the drive is also exposed to massive local fan noise, not to mention the case. At these sensitivities, footfalls, even keyboard typing, might be enough to mask voices.

It is all just another nail in the "spinning rust" coffin imho: A novel technique applicable only to a declining target base.

There's a volume measurement device in a bar I frequent (I'm here now), which hosts music in a very small venue. It's decently full right now (maybe 40-50 people) and there's music playing over the speakers (not live), and this device is reading 80-85db.

I'll update if a band plays tonight.

London tube trains are typically about 90-100db in the train when moving so it's not that freakily loud.

Wow, that is super fun. There is a story which I can neither confirm nor deny that a company with large data centers and drive firmware that exported PES data was able to correlate data from drives in different locations of said data center and make a seismic interferometer which could "image" traffic on a freeway nearby. :-)

I had no idea you could get as much as 4KHz of frequency bandwidth out of those sensors. That is a pretty cool result.

That's a very credible story. Pulling signals from arrays of noisy microphones is computationally intensive but very very powerful. On a small scale, that's what allows Alexa to hear people clearly from across the room.

...which leads immediately to the question of whether they're using the fact that HDDs have multiple platters.

I would, but I'm not a good enough mathematician to say whether you'd get better results from an average or a differential. You'd need to ID the drive model then figure out the # of platters and the distance between them and then take the speed of sound into account while getting rid of small peaks, and...

I've often wondered what sort of physical problems the people who engineer hard disks deal with, whether they have problems with micro-turbulence and suchlike.

That was the first video that came to mind when I saw the headline in a chat earlier today.

Any system that converts physical energy to electric activity (loosely: transducer) can be used to collect signals remotely.

I think this is kind of a basic thing that once you know it, you see the possibilities almost everywhere, where you understand how electrical fields can be generated with physical interaction. Transportation of the sensing then becomes the next problem to solve.

The inaudible range is far more likely to be used as an attack vector for nefarious purposes.



I wonder whether there is a way to reconfigure audio jacks into microphone jacks on an average sound card these days. Little known fact: speakers and headphones are also microphones simply by the physics of how they work.


Interestingly, the audio chipsets in modern motherboards and sound cards include an option to change the function of an audio port at the software level, a type of audio port programming sometimes referred to as 'jack retasking'. This option is available on most audio chipsets (e.g., Realtek's audio chipsets) integrated into PC motherboards today. Jack retasking, although documented in the technical specifications, is not well-known [34]. For an in-depth technical discussion on malicious retasking of an audio jack, from the hardware to the operating system level, we refer the interested reader to the following previous work [29].


Mordechai Guri and Yosef Solewicz and Andrey Daidakulov and Yuval Elovici. 'MOSQUITO: Covert Ultrasonic Transmissions between Two Air-Gapped Computers using Speaker-to-Speaker Communication'. arXiv preprint 1803.03422v1 [cs.CR], 9th March 2018.

Mordechai Guri and Yosef Solewicz and Andrey Daidakulov and Yuval Elovici. 'Speake(a)r: Turn speakers to microphones for fun and profit'. 11th USENIX Workshop on Offensive Technologies (WOOT 17). USENIX Association, 2017.

Curious how the average user could try to mitigate this threat. Perhaps if you were using speakers connected to an HDMI monitor, rather than an audio jack? Presumably then you'd have to figure out how to exploit both the audio chip on the motherboard and the HDMI device, which I presume would not by default be willing to operate as an input device.

hdajackretask on Linux does that, part of alsa-tools.

Blog post by author from 2011: http://voices.canonical.com/david.henningsson/2011/11/29/tur...

I believe similar utilities exist on Windows at least with some cards.

It happens occasionally that a DJ will plug their headphones to the mic input in their console and talk to the earpiece to make some announcement in bars/clubs when there is no mic available around. But, yeah, if one could turn the headphone output to a mic input using software, that would be major because lots of people leave their headphones plugged.

The quality is not that good though. I've tried it and I need to speak directly into it, a few decimetres away or a little to the side and it's beyond recognition already. At least with the two or so earphones/headphones (don't remember) that I tried, maybe it's different with other hardware?

But the information is captured, even if the signal to noise ratio is very low. There are audio restoration tools nowadays that work amazingly well, some even using AI (or claiming to) - so even if you have a recording where it sounds just like plain noise, there is still some capacity of extracting the signal you need out of it. That's mostly because the background noise is not random, it is of a certain pattern, constant and repeating and therefore can be captured and cancelled. Then the actual signal we need, which differs from the noise pattern, stands out.

I know people who did that via custom driver, it depends on sound card capabilities.

Story time: I was a young programmer in the 80's, working in an environment where the computers were all housed in their own special isolated computer room, and we devs had to use terminals to gain access - a typical computer ops setup, you've seen it all before.

One day, in order to comply with some law or other, the company upgraded the security system, renovating the space such that it was enclosed in bullet-proof glass panels, required a key-card to enter, had an operator at all times (24/7), etc. They installed a Halon fire suppression system, and a gigantic alarm horn to function as a company-wide alert.

Well, the day it was all set up, it was time to test it all - Halon test dump, done (very expensive test). Operator still alive (had to use an oxygen mask), done. Alarm siren test: done. Okay, back to work .. hang on .. all of the systems are down .. what's going on ..

Yes, the siren was so loud, and had been positioned close enough to the bullet-proof walls, that the focused energy it created had crashed the disks. ;)

That was a very expensive renovation. Fortunately, we got the 'restore from last backup' test done pretty quickly ..

I've always been interested to know what kinds of physical attacks security consultants at major firms have uncovered. How many 'obscure' espionage techniques like this or listening for keystroke combinations via audio have been deployed in the real world for malicious purposes?

I was thinking exactly the same. Keystroke noises on a computer keyboard as well as when entering security pins on ATMs.

Also any fast enough accelerometer can be used as a microphone, and no user would complain if an app would ask permissions to use the accelerometer and network pretending they're needed for positioning and updates. Not sure though how many phones are using fast enough accelerometers to be used to sample voice. Most should go up to a few hundred Hertz with the right software, but human voice requires at least a few KHz bandwidth.

Interesting. I just watched a video yesterday about how you could see screaming on hard drive stats in a data center:


It would be way easier to just, you know, eavesdrop with the actual microphone instead?

Although it is a cool experiment and POC. A few years ago I took apart 5 HDDs to see if I could make a usable speaker (as a desk/novelty thing). 2 of them worked, one of them worked with decent fidelity. Three failed (probably my fault). The one that worked was a literally massive double-5.25" Maxtor.

The latest in a long long line of TEMPEST research. I think I would prefer to see academic security research steered in the direction of solving problems affecting millions, but an interesting discovery nonetheless.

I remember watching an old YouTube movie from Brendan Gregg where he screams in front of a Sun NAS and the voice vibration affects the HD reading speed among other parameters.

When I was in college, we had issues with the oscilloscopes in our electronics lab. They were sensitive enough to register body movement nearby with no physical contact. This was about 20 years ago. Think they were HPs...

It wasn't really a problem; we only noticed because we couldn't get a signal out of our circuit due to a busted internal lead connection, but we noticed the changes as people walked past. Was curious.

This is interesting probably only from an academic point of view (as stated in the article) and only a corner case of what could be done when having the possibility to replace the firmware of a HDD.

I can't believe The Register of all sites managed to write this article without making a voice coil pun.

So the signal already exists in the software. Just make it available via a "secret" file.

Guess I picked the wrong week to start shouting secrets at my hard drive.

