Hackers Turn Hard Drive Into Microphone That Can Listen In On Your Computer’s Fan Whine

As reported by The Register, hackers can now listen in on conversations happening around your computer by turning a hard drive into a microphone. There are caveats: the hack only works if these conversations are twice as loud as a blender, or about as loud as a lawn mower. In short, no one talks that loud, move along, nothing to see here.

The research is to be presented at the 2019 IEEE Symposium on Security and Privacy, and the paper describes the attack as a modification of the firmware on a disk drive to read the Position Error Signal (PES) that keeps read/write heads in the optimal position. This PES is affected by air pressure, and if something is affected by air pressure, you’ve got a microphone. In this case, it’s a terrible microphone that’s mechanically coupled to a machine that has a lot of vibrations, including the spinning platter and a bunch of fans inside the computer. This is an academic exercise, and not a real attack, and either way, to exfiltrate this data you need to root the computer the hard drive is attached to. It’s attacks all the way down.

The limiting factor in this attack is that it requires a very loud conversation to be held near a hard drive. To record speech, the researchers had to pump up the volume to 85 dBA, or about the same volume as a blender crushing some ice. Recording music through this microphone so that Shazam could identify the track meant playing the track back at 90 dBA, or about the same volume as a lawnmower. Basically, this isn’t happening.

The interesting bit of this hack isn’t using a hard drive as a microphone. It’s modifying the firmware on a hard drive to do something. We’ve seen some hacks like this before, but the latest public literature on hard drive firmware hacking is years old. If you’ve got a tip on how to hack hard drives, even if it’s to do something that’s horribly impractical, we’d love to see it.

24 thoughts on “Hackers Turn Hard Drive Into Microphone That Can Listen In On Your Computer’s Fan Whine”

  1. 1: Attacks never get worse, they only get better.

    2: The only people still running spinning-rust are running LOTS of it.

    3: If you have an array of time-correlated microphones, you can do beamforming.

    4: Manufacturers’ own firmware update utilities can rewrite the firmware over the SATA connection. Ergo, so can hackers. It just wasn’t the focus of this research.

    I expect by next summer, someone will have turned a small NAS into a microphone array capable of picking up regular conversation several feet away.

    1. I’d certainly be impressed by someone turning the NAS into a usable mic; but in terms of ‘unnerving possibilities’ the suggestion for exfiltration (use compromised HDD to tamper with system files) seemed even more alarming and likely more immediately practical (and useful against disk arrays that are shoved into a rack and touched as little as possible because it’s loud and cold in there).

      HDD controllers are fairly punchy (the one in the linked article had 3 ARM cores, one apparently just spare, SSD controllers tend to be even punchier and equipped with more cache RAM), and responsible for bad block handling/general mapping between what happens inside and the logical address space presented to the outside world.

      That’s very possibly enough to accommodate at least enough of one or more filesystems to allow recognizing files worth changing and room for both the unmodified versions (to pass secure boot type integrity checks) and tampered versions (to achieve the desired behavior).

      Trying to run a system where your mass storage device hates you would not be a pleasant business.

      The attack would be tricky and have to be tailored to the target (since filesystems and files worth tampering with differ) and might not be viable if you only control one disk in an array (though, in that case, anyone know if there’s a way for HDDs to chat with each other without the host noticing? The SGPIO or i2c connections used by backplanes might be worth a look…); but against a known target it would not be pleasant.

      1. The best defense I’ve seen against this is using something like grub in a coreboot payload to load up a 100% encrypted disk by doing the decryption in the bios. From there you use a filesystem that can detect and repair errors in case the drive wants to try tampering with the data anyway.

        Of course, somebody could still just *brick* the drive.

  2. By combining measurements of hard drive usage and fan speed (which is roughly proportional to CPU load), you might be able to achieve a crude power-analysis-based side channel attack.

  3. Wasn’t there some talk about using fans to exfiltrate data by controlling their frequency and using that as a slow data channel that could cross an air gap?
    Would the internal fans in a server or storage appliance add too much vibration to detect fans nearby?
    The comments here sound like using the HDD as a mic had been done before but has anyone tried putting these two things together?
    It might be pointless as both machines would need to be compromised which would imply an attacker has access to both machines. But it might be interesting as an academic exercise.
