Skip to content
Naked Security Naked Security

How your speakers could be turned into eavesdropping microphones

A proof of concept attack uses malware to turn headphones into microphones that can eavesdrop from across a room.

Computers often have two audio jacks: one for sound input when you record something or talk on a Skype call and one for plugging in your headphones to listen to tunes, play games or whatever other noises you’ve got coming from it.

Anybody who’s looked at the YouTube tutorials on how to turn headphones into microphones knows that the microphones in your earbuds or headphones are two-way streets: it’s simple to switch them from devices you listen with into devices that listen to you.

All you have to do is plug the earbuds or headphones into the microphone jack instead of the headphone jack, start up a recording app, and you’re good to go with picking up whatever sounds your earbuds-used-as-mics can hear.

But it turns out that there’s a hack that spares you that whole switching-jacks thing: instead, you can go behind the scenes to switch the audio ports’ function invisibly, by malicious reprogramming.

In this scenario, an eavesdropper doesn’t even need to get at your earbuds: they can switch your output port into an input port and record you even without a mic attached to the PC.

The vulnerability – called “jack retasking”- was reported by researchers at Ben-Gurion University of the Negev’s Cyber Security Research Center.

They’ve dubbed it SPEAKE(a)R. In a paper (PDF), they note that the reprogramming option is available on audio chipsets from Realtek, which are embedded in a wide range of modern PC motherboards.

In fact, the researchers say the RealTek chips are so common that the attack works on practically any desktop computer, whether it runs Windows or MacOS, and most laptops, too, as Wired reports.

It’s not just Realtek, though; other codec manufacturers also support jack retasking.

The researchers managed to use SPEAKE(a)R to retask a computer’s outputs to inputs, then to record audio when the headphones were in the output-only jack.

Then, the team recorded audio playing 20 feet across a room, as you can see in their YouTube demonstration:

The researchers also compressed the recording and sent it over the internet, as a hacker would. The quality was good enough to distinguish the words spoken during the recording.

The option to retask, or rejack, isn’t new: it’s in the equipment’s technical specs.

Almost no one seems to know about it, though, as noted by Linux audio developer David Henningsson:

Most of today’s built-in sound cards are to some degree retaskable, which means that they can be used for more than one thing… the kernel exposes an interface that makes it possible to retask your jacks, but almost no one seems to use it, or even know about it.

There are no known attacks in the wild at this point.

It’s an interesting vulnerability to know about, but for now, it’s just a proof of concept.


13 Comments

Webcam hacks are at the software level too. I don’t get what your point is in the last bit.

I removed that bit for clarity. As you say, the reason for putting a hardware barrier in place (e.g. tape over your webcam, speakers or headphones) is to prevent any signal from getting to the software part in the first place.

Wouldn’t people get suspicious when they stick the earphones in their ears and don’t hear anything?

Just how much ambient sound (outside of the rushing of the blood in my ears) would be picked up?

Most laptops have speakers built in. Couldn’t the built in speakers be retasked to record as well?

So, my new computing device has a ***single*** combo jack for headphones/mic. (Like those on cellphones.)
Where do these devices stand?
I suppose one with this option must disable both sound and microphone?

This is another example of how a convenience feature may be used against us. That re-tasking was first known to me as “JackSense”… touted as a way to make life simpler. Indeed it did do that, but once again there is a potential price to be paid for that convenience.

Exactly how does the software go about recording with headphones that are completely unplugged?

Looking back on this, I don’t think the resesrchers even tested what happened when nothing was plugged in to the output jack. The authors did address the issue that a device’s *built-in* speaker might be able to do the “act as a mic” trick (which would theoretically allow recording with nothing visibly plugged in) – but I don’t think they tested it. They seem to suggest that most built-in speakers aren’t wired directly back into the output circuit but have an amplifier chip in between, which would stop the current induced by the coils in the speaker from making it back into the system as an input – thus they tested with headphones only.

I edited the text accordingly – thanks :-)

This is interesting to me for a different reason… I have an old HP laptop that has both blown speakers and a busted headphone port. If the proof-of-concept code could also make the microphone port work as a headphone port, I could bring back working sound to that computer! I guess it goes to show that even malicious code can be used for good!!

The software is not malicious. The software has no intentions. It becomes malicious when someone uses it with malicious intent. The software on itself is ethically neutral.

Comments are closed.

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?