> Our research demonstrates that the mechanical components in magnetic hard disk drives behave as microphones with sufficient precision to extract and parse human speech. These unintentional microphones sense speech with high enough fidelity for the Shazam service to recognize a song recorded through the hard drive. This proof of concept attack sheds light on the possibility of invasion of privacy even in absence of traditional sensors. We also present defense mechanisms, such as the use of ultrasonic aliasing, that can mitigate acoustic eavesdropping by synthesized microphones in hard disk drives.
So this attack is for magnetic HDDs, not SSDs or flash media.
For those now questioning hard drives in their security arenas.
The 'researchers' (again, it's Wenyuan Xu, she's the clickbait of security research) took computer speakers on nearly max volume onto either side of a hard drive. Shazam barely recognizes the song (more often recognizes it as something else).
This is early stage proof-of-concept research, so making some allowances for practicality is warranted. In the future, it's possible that the techniques used will be refined to make the attack more practical in the real world.
The paper itself states: "When playing our audio samples at 75 dBA, which is comparable to a loud conversation, we are able to recover muffled recordings; however, in order to yield a large signal to noise ratio (SNR) for the purpose of demonstrating our proof of concept attack, our audio samples are played at a volume of 85 dBA. While this is louder than what can be expected in most practical scenarios, we aim only to demonstrate the presence of such a side-channel, and expect that an attacker using state of the art filtering and voice recognition algorithms can substantially amplify the channel’s strength."
Personally, I thought the research was brilliant because the author figured out something that seems so obvious in retrospect but everyone was blind to before they recognized it: that hard drive sensors could be used as microphones because they are sensitive to vibrations in the air.
It's a very novel attack vector which has no precedent that I'm aware of.
But yeah, a) turning it from simply detecting that loud sound is happening to getting a meaningful audio channel out of the sound and b) treating this as a security concern instead of just a performance one (and flipping the direction of the attack, from sound attacking drive performance to drives attacking sound privacy) is novel, AFAIK.
Indeed. And a weakness that is barely usable today can be tomorrow's glaringly exploitable security hole. If we are aware of the problems, we can at least make sure to not make them bigger.
The main trait of a top researcher is skepticism -- the willingness to doubt results. You learn to be skeptical as part of the training during your Ph.D.
Unfortunately, the standards have fallen. The security community is one of the worst instances of the lack of skepticism in the science arena. The community has started to reward clickbaity papers because they "sell". It's a race to the bottom.
Security is tough because you have a mix of complete idiots trolling for attention, business, or jobs, vendors seeking FUD to drive sales, and incredibly talented people reverse engineering and discovering things.
I suspect that some of the worst are seeded and encouraged by parties who benefit from a lack of trust in research and maximum chaos.
But there should be a distinction between academic conferences where professors from U. Mich are publishing and practitioner conferences aimed at industry (including sales, etc.).
My criticism is about academic conferences -- there's little skepticism left when reviewing papers describing attacks. As long as it's cool, it's in.
Look at the title above: "Hard Drive of Hearing: Disks that Eavesdrop...". It's not far off from the headlines on CNN or Fox News. At this rate, I predict by 2025 we'll have Breaking News red banners on academic conferences sites.
Let me re-assure everyone out there ... No, your disks are not eavesdropping. Disks eavesdropping should be the least of your worries security-wise.
>Let me re-assure everyone out there ... No, your disks are not eavesdropping. Disks eavesdropping should be the least of your worries security-wise.
Sure, but think about how many people will refuse your statement and - thanks to the article - will start to believe that aliens use hard disk recordings before abducting them.
The damage has alas already been done, on - quite frankly - a very thin basis, your general criticism is very well founded, a "reputable" institution would (should) never accept those clickbaity titles.
Security researchers should be much more skeptical of claims that a system is safe than they should about claims that a system is unsafe. The default posture of accepting that all reputable claims about a system being unsafe are true is probably not too bad of a one to have.
What does it matter when Facebook, Equifax and the like are let off the hook anyway? We know they’re selling the data anyway? So it’s not privacy we’re protecting but corporate bottom lines (if everyone has it the data has less value).
There is no truly secure computer system because there is no security from laws of nature and human avarice. There’s always a relative position from which one can get the data they need.
The best security we have is competent, functioning government diffusing and negotiating stable arrangements.
IMO we’ve pushed too many paranoias from social norms into products we build. Your data isn’t secure and there is no changing that.
And really the data isn’t THAT valuable. We’re just excited by a new level of granularity. This is promises of “nuclear powered rocket cars” all over again.
Sure there’s some novelty coming from it in scientific realms, but it’s largely useless to day to day life (only a truly lazy person can’t be bothered to phone call in their hair appointments).
Steve Bannon got all !! over data showing people that live by a church.... go to the church. Pretty sure that was already well known.
That’s the sort of “value” we’re achieving with all this big data. Obvious answers we’re already familiar with. Cause there are few interesting questions left to be asked about us in a context of “who are we in daily life.”
This reminds me of a similar article many years ago about reading network packet content from the light of the LED in network cards.
It is another example of how things are safer in practice than in theory. Entropy helps to keep things safe by introducing noise. All these measures are easier in a lab than in the wild.
I'm kind of surprised to learn this wasn't obvious or already known. People have been hacking old hard drives into crappy speakers for a long time; there are countless examples of this on YouTube. Perhaps the most artistic is a rendition of Radiohead's Big Ideas (Don't Get Any) played on a Sinclair ZX Spectrum attached to an array of hard drives. [0] I always just assumed that anything that acts like a speaker could also be made to act like a mic.
Only slightly tangential but every time I see another story about a new way to conduct surveillance I can't help wondering if Rockwell had seen the future and was trying to warn us with his song "I feel like someone is watching me."
I think it would work in the other direction too - generating HDD head movements in a way to encode info in the resulting noise - taken together with the OP it means that one can cross the air gap in both directions (the Cuban sounds look more and more like an electronic attack with humans being just an unfortunate collateral). Similar things can probably be done with the CPU/case fans - thus for example a "bad" motherboard can talk and listen to the world.
> generating HDD head movements in a way to encode info in the resulting noise
That's not so interesting, as anyone who has used a machine with an audible hard drive knows --- you can tell whether the system is idle, working, or doing something strange ("I'm not doing anything that would write to the disk, why is it still grinding?") just by the sound.
Their setup is arguably contrived. The HDD is in an external enclosure with a fan. While they turn the fan to max power in an attempt to get a more typical or "worst case" setup, it seems to me that is far from a common setup of a hard drive inside a computer chassis with associated mounting hardware between the HDD and source of speech.