back to article From hard drive to over-heard drive: Boffins convert spinning rust into eavesdropping mic

It's not just the walls that have ears. It's also the hard drives. Eggheads at the University of Michigan in the US, and Zhejiang University in China, have found that hard disk drives (HDDs) can be turned into listening devices, using malicious firmware and signal processing calculations. For a study titled "Hard Drive of …

  1. itzman
    Meh

    I'll file this in the ...

    ...Interesting, but ultimately useless, use of human endeavour.

    Don't these chaps have something better to do with their time?

    1. ArrZarr Silver badge

      Re: I'll file this in the ...

      Calling it now that at some point, NASA or some other FLSA will be able to use this for research purposes.

      1. Michael Habel

        Re: I'll file this in the ...

        Ok I doubt the National Aeronautic Space Administration, has much in the way of love for spining rust... Sans the planetary body known as Mars, and then I'm sure only the finest 3D TLC Flash will ever be good enough for that lot.

        Otherwise what the flying flip do that buch of commies a.k.a the Fair Labor Standards Act, even care? Are do you think they're trying to push for more pay to the poor smucks stuck glued at a desk somewhere, in Chengdu, who will be repeatedly soldering the same SMD, to the same spot on your <INSERT DEVICE> for the next Five Months?

        1. ArrZarr Silver badge

          Re: I'll file this in the ...

          Bit old now, but FLSA was intended to be Four Letter Space Agency, as an attempt at a riff on the TLA acronym.

    2. Version 1.0 Silver badge

      Re: I'll file this in the ...

      It's a good example of how you can use a sensor - sensors are everywhere. Suppose you don't like Google listening to your cellphone microphone ... and you disable it. Feel safe now? .... But the phone still has an accelerometer so it can still listen to you if you take the same approach as they are documenting here.

      1. Michael Habel
        Terminator

        Re: I'll file this in the ...

        I'm slowly reminded by that scene in 2001 again now. where they cut the Mic to the HAL9k, but, lol they forgot that Hal could read lips... (Or so it was explaind at the time...), But nope this was how HAL managed to get up on that Tab.

        *Termanator cause its the only thing to have a(n) red eye(s).

      2. Robert Helpmann??
        Thumb Up

        Re: I'll file this in the ...

        It's a good example of how you can use a sensor - sensors are everywhere.

        This! You have summed up the utility of this research perfectly. The experiment is merely a proof of concept that points out an entirely new class of exploit. While the implementation may vary from device to device, it is likely that the same code used for signal filtering can be reused across many.

        1. Michael Wojcik Silver badge

          Re: I'll file this in the ...

          an entirely new class of exploit

          Technically, it's a new class of vulnerability. And even then "new class" is debatable (and I certainly wouldn't go with "entirely new") - sensor side channels are well-known, as a class. This is good research, but it's really adding to the existing body of research on sensor-based side-channels in commodity IT hardware.

          And, as you say, the signal processing (while also a well-understood area) can likely be reused with other side channels.

          And it doesn't hurt to have Yet Another reminder that side channels are everywhere.

      3. Hardrada

        Re: I'll file this in the ...

        It might be worth watching out for capacitance and impedance also. I used to work on the servo-writers that create the tracks used by hard drive PES systems, and the capacitance gauges we used to error-map them were capable of picking up a lot of other stuff. Maybe it's possible to turn a touchscreen into a microphone.

    3. Michael Habel
      Black Helicopters

      Re: I'll file this in the ...

      I hear the Alphabet Agencies have some deep pockets, and a fetish to turn EVERYTHING into a live Microphone. All in the name of protecting us from them Terrorsists, and Pedophiles.

    4. Mark 85

      Re: I'll file this in the ...

      Don't these chaps have something better to do with their time?

      Probably not. Since it's Uni researchers, it's most like Phd candidates working on their thesis papers for a degree. Alternately, someone funded them just because it sounded like a neat idea.

      1. Michael Wojcik Silver badge

        Re: I'll file this in the ...

        Since it's Uni researchers, it's most like Phd candidates working on their thesis papers for a degree

        Speculation is fun (I suppose), but I happen to have access to a marvelous world-wide collection of all sorts of information.

        Wong is a PhD student at University of Michigan, but he's only in his second year - too early to be working on his dissertation. (Since this is a US university, it'd be a dissertation for the PhD, not a "thesis".) Which is not to say that it won't eventually become part of that dissertation, of course; dissertations in CS at US universities are often fix-ups of a handful of refereed articles or conference presentations.

        Fu is an Associate Professor at U of M, and Xu is a professor of some rank at Zhejiang University.

        More importantly, this is perfectly good research, despite itzman's anti-intellectual posturing.

    5. cosmogoblin

      Re: I'll file this in the ...

      Useless? Sure, given the caveats noted.

      But now, we know that it's useless. Now, we know that hard disk drives can be used in this way, but not effectively. That knowledge is valuable to the security industry.

    6. cat_mara

      Re: I'll file this in the ...

      I wouldn't dismiss it altogether, given the number of numpties I've had to work with in the past who were apparently unclear on the whole "indoor voice" thing...

      1. John Brown (no body) Silver badge

        Re: I'll file this in the ...

        "I wouldn't dismiss it altogether, given the number of numpties I've had to work with in the past who were apparently unclear on the whole "indoor voice" thing..."

        I wonder if the same technique can be used in reverse. The "voices" come out of the PC, but so faintly that only the one person can hear them. "Yes, yer Honour, the voices made me do it"

  2. Pascal Monett Silver badge

    Sign firmware ? Not worth the bother.

    If my PC gets hijacked I think that the data on it is very much more interesting to the miscreant then trying to find out what I'm saying, which is frankly of no interest to most people.

    If we're talking about espionage, a good directional microphone or a bug are time-honored procedures with a very good success rate.

    And you can even hear whispers with those.

  3. Anonymous Coward
    Anonymous Coward

    I'm guessing these tests weren't in real world situations where it's sometimes sat next to a big noisy fan? Interesting experiment none the less.

    1. Peter2 Silver badge

      Not to forget being in a sealed box under a desk. A pro grade microphone would struggle to record audio under those circumstances.

      1. John Brown (no body) Silver badge

        "Not to forget being in a sealed box under a desk. A pro grade microphone would struggle to record audio under those circumstances."

        I still see lots of "pizza box" PCs on the desktop with the screen on top of it. There's also lots of NUC-alikes out there now, mainly but not always mounted on the back of the screen. But as suggested in the article many new PCs come with SSDs, which most NUC-alikes generally come with although I've seen quite a few with 1TB 2.5" spinners.

  4. Anonymous Coward
    Anonymous Coward

    Hardly likely in normal circumstances.

    "These extremely precise measurements are sensitive to vibrations caused by the slightest fluctuations in air pressure, such as those induced by human vocalizations," the paper explained.

    I was under the impression that Hard Drives generally weren't 'exposed' to room air pressure and were specifically 'sealed' against it - how then would 'any' fluctuations in air pressure arrive at the read/write head to be detected in the first place.

    Unless you were maybe speaking via a megaphone directly at the drive.

    1. Filippo Silver badge

      Re: Hardly likely in normal circumstances.

      Sound will transfer through anything, not just air. The head has to be physically attached to something.

    2. M.V. Lipvig Silver badge

      Re: Hardly likely in normal circumstances.

      They did say it had to be pretty loud, and it's likely their testing wouldn't be considered valid if the hard drive wasn't installed and running.

    3. Jamie Jones Silver badge

      Re: Hardly likely in normal circumstances.

      No, they are sealed against dust, but have a moving diaphragm thingie to equalise the inside pressure to room pressure: https://superuser.com/questions/368774/what-is-the-purpose-of-the-holes-marked-do-not-cover-on-hard-drives

  5. RyokuMas
    Joke

    Patent time!

    A new way of converting something common into a snooping device? Quick, down the patent office before Google tries to nick it!

  6. Paul Kinsler

    using a hard disk's read/write head as a crude sounds generator

    I had that last week, but at the time thought (because it sounded like it) that it was just a case fan that needed replacement. :-/

    1. Baldrickk

      Re: using a hard disk's read/write head as a crude sounds generator

      Makes me think of Floppotron

  7. Rich 11

    Crank up the volume

    These unintentional microphones sense speech with high enough fidelity for the Shazam service to recognize a song recorded through the hard drive.

    "You spin me right round, baby, right round, like a hard disk platter, baby, right round..."

  8. Anonymous Coward
    Anonymous Coward

    Only 30 years too late ...

    Back in the 80s there were programs that played tunes on Floppy drives*. I distinctly recall the idea of spinning a floppy and examining the tracks for evidence of response to sound waves being discussed in lectures. No idea how academia works nowadays, but a lecturer basically said "rather than asking, why not do it ?"

    We didn't, but it might have been a final year project the next year ...

    *although the owners reaction to the tortured sounds was more amusing.

    1. Michael Habel

      Re: Only 30 years too late ...

      There are littery millions of Videos of this on YouTube. Google Flopatron...

      1. Captain Scarlet

        Re: Only 30 years too late ...

        Ah yes complete with hard drives to act as drums and I think 2 scanners

      2. dajames

        Re: Only 30 years too late ...

        There are littery millions of Videos of this on YouTube. ...

        Yup, there are an awful lot of littery videos in some places.

      3. Scott 53

        Re: Only 30 years too late ...

        There are about 151,000 videos of Floppotrons on YouTube so you've managed to be wrong at least three times in twelve words. Four if you include the capital V.

    2. Mage Silver badge
      Megaphone

      Re: Only 30 years too late ...

      ACT Sirius One / Victor 9000 5.25" floppy got 1.2M bytes when Apple was 100K and IBM about 360K. It varied the speed as then much more can be recorded on the outer tracks. I think there was a competition to do a tune.

      It certainly made the IBM PC look like junk (which reached UK at the same time as the Sirius 1).

      Really this isn't a realistic threat, though interesting research.

      1. david 12 Silver badge

        Re: Only 30 years too late ...

        >It certainly made the IBM PC look like junk<

        On the other hand, contemporary reviews note that the IBM PC keyboard redefined the category.

        People who actually used computers might be forgiven for thinking that was itself significant.

  9. GlenP Silver badge

    Can Anyone Remember...

    using a hard disk's read/write head as a crude sounds generator

    Does anyone remember the old ACT floppy disk drives that used primitive* RLL (Run Length Limited) technology to maximise storage?

    Basically the drives spun faster when the heads were at the outside edges and slower at the inside altering the sound. They were commonly known as "musical disk drives" but I'm not sure if anyone ever exploited this.

    *HD implementations would vary the transfer rates at the drive heads to achieve the same effect. A 20MB** drive would store around 32MB, so worthwhile.

    **For the younger readers MB is not a mistyping!

  10. Michael H.F. Wilkinson Silver badge
    Coat

    They have been listening all this time!!!!

    Maybe this explains the phenomenon that computer demos that screw up can suddenly and inexplicably start behaving once you threaten them with violence.

    I'll get me tinfoil hat and cloak

  11. Francis Boyle Silver badge

    Brian Blessed

    is worried. The rest of us not so much.

    1. ibmalone
      Megaphone

      Re: Brian Blessed

      GORDON'S A DRIVE!

      IS THAT MY COAT?

  12. Anonymous Coward
    Anonymous Coward

    I wonder if they're the first to discover this

    This is exactly the sort of thing the NSA would have figured out 20 years ago, back when everyone had a hard drive in their PC. Increasingly useless knowledge today though, when PCs shipping with hard drives are a dying breed, or at least should be.

    1. Anonymous Coward
      Anonymous Coward

      Re: I wonder if they're the first to discover this

      Indeed, so now we are allowed to know about it.... From the spooks perspective it's redundant technology now Amazon have released their 'Echo for Dictators' special edition with carved ivory filligree inlaid with gold and blood diamonds.

    2. Tromos

      Re: I wonder if they're the first to discover this

      20 years ago the head positioning wouldn't have been anywhere as small as nanometres so even with the volume at 12 you probably won't get enough head vibration to be detectable. Also, I doubt that firmware was downloadable then, more likely to be burnt into ROM. If intercepting the drives somewhere at the manufacturing/distributing stage, why bother doing something to use the drive as a microphone as opposed to fitting it with a small condenser mic?

      1. ROC

        Re: I wonder if they're the first to discover this

        A mic would be visible to visual inspection (if done), but not so much for a firmware mod.

      2. Anonymous Coward
        Anonymous Coward

        More shocking still that computer security is so bad that something as fundamental as the firmware in your hard drive can be overwritten without your consent / or being alerted by your BIOS. If only the secure by design philosophy were present at the firmware / hardware level. I guess the reason it's not is intentional - i.e. they don't want us having security.

      3. John Brown (no body) Silver badge

        Re: I wonder if they're the first to discover this

        "20 years ago the head positioning wouldn't have been anywhere as small as nanometres so even with the volume at 12 you probably won't get enough head vibration to be detectable."

        ISTR my first ever 20MB HDD from Seagate was sold with the benefit that it used "voice coil technology".

        Not sure if this is relevant in any way though.

  13. TRT Silver badge

    Given the noise coming out...

    of our multi-rack HPC, which requires PPE mitigations just to work in the same room alongside it, I'm surprised that spinning disk storage works at ALL!

    Rather like the comparison one can make between the energy transfer in the hair cells of the cochlea and the amount of thermal noise from hot blood passing nearby, or working out how stereo-location could possibly work given that neuronal spikes require ~7ms minimum per pulse and the speed of sound in air means that there's just a 700µs time difference for sound arriving at each ear. (Actually, that's achieved in a very clever way indeed - evolution is incredible sometimes).

  14. Dunstan Vavasour

    Shouting at your discs

    This video from 10 years ago shows that disc performance is affected by shouting at your discs. I suppose this is an extrapolation of the same effect.

    https://www.youtube.com/watch?v=tDacjrSCeq4

    1. Anonymous Coward
      Anonymous Coward

      Re: Shouting at your discs

      When people shout at me it also has a negative effect on my work performance... for some reason they are surprised by this.

    2. stevej.cbr

      Re: Shouting at your discs

      and reported by El Reg in 2009

      https://www.theregister.co.uk/2009/01/05/shouty_sun_engineer/

  15. FrogsAndChips Silver badge

    90 dBA. Which is pretty loud. Like lawn mower or food blender loud

    Time for a new El Reg Standards Unit maybe?

  16. Joe W Silver badge

    HDD as a microphone

    There was (I think in an April issue) an article in a German computer magazine (ct, if you must know) about 20 years ago to use these corrections for inertia based navigation. Together with a road atlas it should be accurate enough to spot which road you were on.

  17. Simon Harris
    Joke

    Extra Security...

    Just to be on the safe side, I've coated my hard drive with aerated chocolate.

    Now all it can hear is a Wispa.

    1. ActionBeard

      Re: Extra Security...

      Reminds me of when, as a child, I managed to get a peanut stuck in one ear. My mum knew an old trick - she inserted some chocolate into the ear and the nut came out a treat.

      (Works better when spoken out loud, rather than in writing.)

      1. Simon Harris

        Re: Extra Security...

        Good job it wasn't stuck more firmly or it would have been a marathon effort to get it out.

      2. FrogsAndChips Silver badge

        Re: Extra Security...

        Interesting how you get vastly different results on Google Images for Treet vs. Treets (regional settings may also affect the results).

      3. JimmyPage Silver badge
        Happy

        Re: the nut came out a treat

        It's like Tim Vine was in the room ...

  18. Michael Habel

    Stories from bygone days....

    So can this be used in conjuction with an Acustic Keyloger?

  19. Stevie

    Bah!

    So an internal speaker mounted on one's hdd playing, say, "Hey Mickey" quietly inside the case would be called for?

    1. Cynic_999

      Re: Bah!

      Seeing that the HDD is usually inside a case close to one or more noisy fans, I really doubt that it would ever be able to discern normal conversations.

  20. Anonymous Coward
    Joke

    Pinky and Perky...

    I'm using a Helium filled drive so that Pinky & Perky get the blame for anything nefarious I might be recorded saying.

  21. Baldrickk
  22. tcmonkey
    Devil

    Despite the impracticality of this particular rusty endeavour, malware hiding in the firmware of system devices is one of the really nasty things in the security space. HDDs are especially unpleasant, given their ability to monitor what the user is doing (provided they're not using disk encryption) and control the machine through the modification of the filesystem. They also have plenty of space to stash juicy bits of data away from prying eyes and would be exceptionally difficult to catch in the act. You can forget about disinfecting them without specialist tools.

    El Reg have previously spoken about Sprite's piece on this, but I will link it again. Well worth a read. http://spritesmods.com/?art=hddhack

    1. ROC

      I would think that very few organizations/people that have anything worth encrypting would fail to do so. It is a prominent option when setting up a Linux user account in most distros I believe. I have been doing it for my various PC setups for a while now (and that's just personal use by an old retiree).

  23. Anonymous Coward
    Anonymous Coward

    And if you have half a rack of raid san/nas ?

    Then clearly you can record audio three floors up from the server room.

    Even if anyone going in not wearing earprotectors spends the next day shouting.

  24. GinBear

    Reminded me of this

    https://youtu.be/X4SCSGRVAQE

  25. DV Henkel-Wallace

    Can't believe you missed the pun opportunity

    Are editorial standards slipping? There's clearly a "voice coil" pun in this story!

  26. Dave 13

    Back in the old Sun days

    We screamed and yelled at arrays.

    They sputtered and shook

    for the trouble we took

    And didn't come back online for days..

    https://www.youtube.com/watch?v=tDacjrSCeq4

  27. Allan George Dyer

    So you can record Rock Concerts

    Has anyone told the MPAA?

  28. whitepines
    Paris Hilton

    "suggest hard drive makers sign firmware cryptographically "

    Sigh. This old fallacy again? Anyone interested enough to target a particular individual will get the keys for the signature one way or another (and in some cases the vendor will assist creating the malware, e.g. Chinese companies under state order), and if widespread attack is desired again somehow they keys will be obtained or a bypass found.

    It's time we looked past "one key unlocks millions of computers" vendor signing stuff. In fact stated that way it really sounds like a back door of sorts, no? Not in a remote access sense per se, but in the sense of having a lock on a door of your house that you can't control...

    Icon 'cause it represents how such critical keys are normally handled in commercial operations...pasted on a sticky note on the boss's secretary's desk.

  29. W.S.Gosset

    Telephone 11kHz?

    > sampling rate of the telephone system (8 kHz)

    I thought the standad POTS was 11kHz?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like