It’s bad enough that our devices can listen to us, whether it’s to use ultrasound to track us (even if we’re on an anonymous network) or whether it’s voice assistants picking up on our private conversations (including with human contractors listening in).
Now, PricewaterhouseCoopers (PwC) security researcher Matt Wixey brings us news of attacks that can make our devices’ embedded speakers scream at us, be it at inaudible, high-intensity frequencies or audible sounds at hearing-damaging volumes.
On Sunday at the Defcon security conference, he presented a talk on what he calls acoustic cyber-weapons.
Wixey, head of research at PwC’s cyber security practice, said that his experiments were done as part of his PhD research at University College London, where he delves into what he calls “unconventional” uses of sound as applied to security – including digital/physical crossover attacks that use malware to create physical and/or acoustic harm.
REALLY LOUD STUFF MAKES YOUR HEAD EXPLODE
If you aren’t already aware of how much damage given sounds can cause, in his slideshow for the Defcon talk, Wixey annotated a decibel chart from Survival Life to show what level of sound will cause…
- Your eyes to twitch – 100 dB, or somewhere between a chainsaw and a lawnmower.
- Your lungs to collapse/death imminent – 188 dB.
- Your bones to shatter and your internal organs to rupture – 194 dB.
- Instant death – 200 dB, or the sound of Windows XP starting up*.
(*I’m fairly sure the Windows XP reference is just a joke. But if you want to see what level of noise will cause your eardrums to rupture, check out this training manual from Purdue University.)
Wixey talked about how inflicting “aural barrages” can cause both psychological and physiological effects, including neurasthenia, cardiac neurosis, hypotension, bradycardia, nausea, fatigue, headaches, tinnitus, ear pain and far more.
Wired quoted him:
I’ve always been interested in malware that can make that leap between the digital world and the physical world. We wondered if an attacker could develop malware or attacks to emit noise exceeding maximum permissible level guidelines, and therefore potentially cause adverse effects to users or people around.
If you keep melting your speakers, we won’t buy you more toys
Wixey told the BBC that he and his team used custom-made viruses, known vulnerabilities and other exploits to force a collection of devices to emit dangerous sounds for long periods of time.
Wixey didn’t specify which name brands they preyed on, but the devices included a $1,000 laptop upon which the team inflicted malware (remote and local), a $200 mobile phone that also got the remote and local malware treatment, a $50 Bluetooth speaker, a $200 smart speaker for which they exploited a known control-audio vulnerability, $400 headphones that were susceptible to multiple attack vectors, and other, even cheaper gadgets with embedded speakers.
It doesn’t really matter which brand names are susceptible to catching on fire or burning a hole in your eardrums, since their susceptibility was pretty agnostic, Wixey said. Though we don’t know the brand names, we do know that many consumer devices do all sorts of things via ultrasound.
In September 2017, for example, scientists from China’s Zhejiang University proved it’s possible to control Siri, Alexa and other voice-activated programs by using inaudible ultrasound commands.
As the New York Times reported in May 2018, further research showed that such technology could be used to unlock doors, wire money or buy stuff online, simply by hiding commands in white noise played over loudspeakers and through YouTube videos.
At any rate, back to Wixey and the experiments he subjected his toys to when he locked them into a soundproof container with minimal echo – called an anechoic chamber – and then subjected them to simple code scripts or slightly more complete malware he wrote to run on each device.
Some of his attacks leveraged known vulnerabilities in a particular device, which could be done locally or remotely in some cases, he said. Other attacks would require physical proximity or physical access. The results: after getting each device to play a particular tone for 10 minutes, one of them – a vibration speaker – vibrated so much that it kept falling over.
But it was the smart speaker that gave off the best fireworks: Wixey’s attacks caused it to melt. The speaker began to give off a burning smell, and further testing showed that it had been permanently damaged.
Wixey said that the manufacturers have all been informed, that they were responsive and cooperative, and that updates have been rolled out to fix the issues. He told Wired that he and his team are keeping the details close to the vest, given the ethics involved:
There are a lot of ethical considerations and we want to minimize the risk. But the upshot of it is that the minority of the devices we tested could in theory be attacked and repurposed as acoustic weapons.