When even your headphones betray you

A team of Israeli students from Ben-Gurion University has successfully demonstrated that modern computer systems are susceptible to physical eavesdropping by repurposing connected headphones into an improvised microphone [pdf].

This might sound farfetched, but if it’s been demonstrated successfully in the lab, it could well be a concern for governments and businesses alike, especially if sensitive information is discussed in the workplace.

In the introduction to their paper, the research team cite a paragraph taken from a declassified memorandum, published by the US government’s National Security Agency in 1995. This collection of documents contains the following warning:

"The speakers in paging, intercom and public address systems can act as microphones and retransmit classified audio discussions out of the controlled area via the signal line distribution."

- NSA, 12/12/95

This is exactly how simple office intercom systems work and, if the US government has been aware of the potential of this kind of attack for at least two decades, it’s fair to say that so have most other governments and advanced cyber-criminal gangs.

This principle, where the physical construction of the speaker is the same as the microphone is the basis of their work.

Using this premise, the team needed to find a way to turn the voltage input signal from the headphone interface into something they could digitise into a computer readable format. In fact, it’s a built-in feature of the chipset on most modern computers, known as jack remapping or jack retasking, and is an integral design feature of Intel’s high definition audio specification.

This means that audio jacks (earphone and microphone) are connected to both analogue-to-digital convertors and digital to analogue converters, making the researchers’ life a lot easier.

Now, all they needed was a software driver that could take the input from the headphones and convert it into a digital signal. Easy!

The fact that Intel’s specification (along with other chipset manufacturers) details jack retasking as a legitimate feature shows this threat is real and could be in use today. All an attacker would need is a programmer with the wherewithal to build an appropriate software driver.

There are a few things that can be done to mitigate this risk. Make sure you focus on all aspects of your people, processes and technology rather than relying on just one kind of control. Start by educating your users: explain the threat in simple, understandable terms.

For high security areas where you could be discussing sensitive information, make sure any connected headphones or speakers have inline amplifiers if they must remain connected, since this will eliminate the threat.

If that’s impossible, create and publish a process to instruct users to ensure earphones are only inserted when required, and physically inspect computers in the room before you have a sensitive conversation.

From a technical perspective, Microsoft Windows can enforce driver signing, whereby only legitimate drivers from vendors you trust can run on the system. You should use this control anyway, but its use will certainly help prevent this kind of exploit code running on your system.

Alternatively, you can look to enable application whitelisting, so that all executable code (which includes drivers) must be authorised by your administration team prior to being deployed. Application whitelisting is one of the best security countermeasures, so it’s a worthwhile investment.

The research is a prime example of how legitimate design features in our technology can be repurposed for malicious intent.