Microphones Listen To Your… Monitor?

A song by Rockwell, “Somebody’s Watching Me” might be the anthem for the tin foil hat crowd. But a new paper reveals that it might be just as scary to have someone listening to you. Researchers have used common microphones to listen in on computer monitors. The demonstration includes analyzing audio to determine input from virtual keyboards and even a way to tell if people are surfing the web during a Google Hangout session.

Reading monitors based on electronic emissions is nothing new — ask Wim van Eck or read about TEMPEST. What makes this worrisome is that we constantly have live microphones around our computers. Webcams, phones, the latest smart assistant. Even some screens have built-in microphones. According to the paper, you could even pick up data from recorded audio. The paper has three main goals: extract display text, distinguish between different websites on screen, and extracting text entered with a virtual keyboard.

The analysis looked at 31 different screens. There were 12 distinct models from 6 different vendors. They did use a special VGA cable to tap the vertical sync to help manage the data, but they claim this was only an aid and not essential. They also used a high-end sound setup with a 192 kHz sampling rate.

Measuring the sound made by different display patterns was empirical. The authors think the mechanism is from subtle changes in the vibrations of the power supply components due to changes in current consumption. The refresh rate of the monitor also plays a part.

Armed with the proof of concept, the team went on to use an LG V20 cellphone and via a Hangouts call. Imagine if the person on the other end of your call could tell when you were reading Hackaday instead of paying attention to the call.

Different types of monitors need to be learned for best accuracy. It appears that reading small text may have problems, too. Even website detection depends on training. Still, maybe the tin hat people aren’t exactly wrong.

If you want to try your hand at reading the RF emissions, software defined radio is your friend. We’ll be interested to see if anyone duplicates the acoustic method in this paper, though.

Office Depot And OfficeMax Find Malware That Isn’t There

Sometimes we are rebuilding a RAID array or replacing a BIOS chip and we wonder how ordinary people keep their computes running. Then we realize that most of them come to someone like us for help. But what if you don’t have a family member or friend who is computer savvy? No problem! Plenty of stores — including big box office stores such as Office Depot and OfficeMax — will be glad to help you. Why most of them will be willing to test your computer for free. Sounds nice until you find out that at least in some cases these tests were showing problems that didn’t need fixing so users would pay for services they didn’t need. The Federal Trade Commission (FTC) has fined Office Depot (who owns OfficeMax) $25 million and plans to use the funds to issue refunds. In addition, a vendor, Support.com, will pay $10 million to support the refunds.

The free check used software to detect problems on a PC. However, during the scan the user is asked if their computer has any of the following symptoms. For example, if their PC has become slow or frequently reboots. If you said yes to any of these questions, the software would produce a report claiming to have found evidence of malware and offering fixes that could cost significant amounts of money even if there was no other evidence.

Continue reading “Office Depot And OfficeMax Find Malware That Isn’t There”

Would You Like To Play A Game? WOPR Summit Is This Weekend

During the summer months it might be known as “America’s Playground”, but around this time of year, Atlantic City is generally the destination of choice for bus loads of seniors looking to burn up some of that fixed income. Of course, that was before the WOPR Summit came to town. From March 1st to the 3rd, it promises to transform Bally’s Hotel and Casino on the famous Atlantic City Boardwalk into a high-tech oasis in a sea of oxygen tanks and walkers. There might not be any fun in the sun to be had at this time of year, but a full schedule of talks and workshops covering everything from penetration testing to ham radio is more our speed anyway.

There’s still a couple days to register for WOPR online at a discount, but naturally they’ll be happy to take your money at the door if you miss the cutoff. As of this writing, there’s even still rooms left at Bally’s for the special WOPR rate, which you’ll probably want to take advantage of as the schedule has events running until well past our normal bedtime.

WOPR looks like it will be a nice mix between hardware and software, with a generous sprinkling of InfoSec. Presentations such as “Strategies for your projects: Concept to Prototype” and “Being Q. — Designing Hacking Gadgets” sound like classic Hackaday fare. But even if you aren’t normally into the security scene, talks such as “Ham Hacks: Breaking into Software Defined Radio” and “An Introduction to IoT Penetration Testing” seem like they’ll be an excellent way to cross the divide. In between the talks, they promise to have a hackerspace up and running for you to check out, complete with soldering classes and contests.

It’s not often that you get to witness the birth of a new hacking conference, especially one on the East Coast, so Hackaday will be shaking off the last bits of our long winters nap as I catch the next bus out of the Senior Center that’s headed towards the Boardwalk. Track me down and you might even be able to take some of our Jolly Wrencher stickers home along with your slot machine winnings. But even if you can’t make it to America’s rather chilled and blustery playground this weekend, I’ll be sure to report on all the highlights so you can live vicariously through the comforting flicker of your favorite screen.

Cybersecurity And Insurance

Insurance is a funny business. Life insurance, for example, is essentially betting someone you will die before your time. With the recent focus on companies getting hacked, it isn’t surprising that cybersecurity insurance is now big business. Get hacked and get paid. Maybe.

The reason I say maybe is because of the recent court battle between Zurich and Mondelez. Never heard of them? Zurich is a big insurance company and Mondelez owns brands like Nabisco, Oreo, and Trident chewing gum, among others.

It all started with the NotPetya ransomware attack in June of 2017. Mondelez is claiming it lost over $100 million dollars because of the incident. But no problem! They have insurance. If they can get the claim paid by Zurich, that is. Let’s dig in and try to see how this will all shake out.

Continue reading “Cybersecurity And Insurance”

E-Mail Service Claims It Doesn’t Store Your Mail

There have been many news stories lately about companies misusing your data, including your e-mails. What’s more, these giant repositories of data are favorite targets for hackers. Even if you trust the big corporations, you are also betting on their security. Criptext claims they have (possibly) the most private e-mail service ever. It uses the open Signal protocol and stores private keys and encrypted mail only on your device. All the applications to access your mail are open source, so presumably, someone would eventually spot any backdoors or open holes.

At the moment the service is free and the company reports that even when a paid offering is ready, there will still be a free tier. Of course, you can send and receive normal e-mail, too. You can also use a passphrase you send to someone else (presumably not by e-mail) so they can read an encrypted message.

Continue reading “E-Mail Service Claims It Doesn’t Store Your Mail”

Screaming Channels Attack RF Security

As long as there has been radio, people have wanted to eavesdrop on radio transmissions. In many cases, it is just a hobby activity like listening to a scanner or monitoring a local repeater. But in some cases, it is spy agencies or cyberhackers. [Giovanni Camurati] and his colleagues have been working on a slightly different way to attack Bluetooth radio communications using a technique that could apply to other radio types, too. The attack relies on the ubiquitous use of mixed-signal ICs to make cheap radios like Bluetooth dongles. They call it “Screaming Channels” and — in a nutshell — it is relying on digital information leaking out on the device’s radio signal.

Does it work? The team claims to have recovered an AES-128 key from 10 meters away. The technique reminds us a bit of TEMPEST in that unintended radio transmissions provide insight into the algorithm the device applies to encrypt or decrypt data. Most (if not all) encryption techniques assume you can’t see inside the “black box.” If you can, then it’s because it is relatively easy to break the code.

Continue reading “Screaming Channels Attack RF Security”

3D Printing, Cybersecurity, And Audio Fingerprinting

We all understand the risk of someone taking over our computers or phones for nefarious purposes. But remote access to printers and fax machines was something most people took a little less seriously. After all, you might get some obscene printouts or someone wasting some paper, but in general, those are not big deals. Some researchers however have lately been pondering what might happen should someone break into your 3D printer. Of course, you could bring a printer down to deny service, or cause things to malfunction — maybe even in ways that could be dangerous if the printer didn’t have sufficient safety features. But these researchers are more crafty. They are studying how you know what you’ve printed hasn’t been subtly sabotaged. They also think they have an answer.

If you are printing another Benchy at home this probably isn’t a real concern. However, according to the paper, 3D printing now accounts for over $6 billion of revenue with 33.8% of all parts having some function. This includes a recent FAA approval for a 3D-printed fuel nozzle for a jet engine. So indulge us in a little science fiction. You are about to fly your drone to take video of an important social function. You are worried about one of your props, so you 3D print a new one. Too bad your competitor has hacked your computer with a phishing e-mail and modified your STL files so that the new prop will have built-in weak spots internally. The prop will look fine and you’ll be able to install it. But it is going to fail right when you are taking those critical shots.

Continue reading “3D Printing, Cybersecurity, And Audio Fingerprinting”