Your Earbuds Can Be Made Into Microphones With Just A Bit Of Malware

from the mic-drop dept

Hyperconnectivity has many positive aspects for many of us, though there are negatives as well. One of the negatives that come along with connectivity is the idea that everything we love can be used to spy on us. Back when prevalent criminal hacking was in the arena of science fiction and broad government surveillance was limited to thematic elements in Orwell novels, the public fear over security exploits like this was limited. Given that the alphabet agencies continue to be shown to use our devices to spy on us, however, Americans likely look more warily at their favorite technology than they did a decade ago. Everything, it seems, is a vector for an invasion of your privacy.

Including, potentially, your headphones. Israeli researchers have shown how, with the aid of some malware, your headphones can be converted into microphones in order to listen in on whatever you happen to be doing.

Researchers at Israel’s Ben Gurion University have created a piece of proof-of-concept code they call “Speake(a)r,” designed to demonstrate how determined hackers could find a way to surreptitiously hijack a computer to record audio even when the device’s microphones have been entirely removed or disabled. The experimental malware instead repurposes the speakers in earbuds or headphones to use them as microphones, converting the vibrations in air into electromagnetic signals to clearly capture audio from across a room.

“People don’t think about this privacy vulnerability,” says Mordechai Guri, the research lead of Ben Gurion’s Cyber Security Research Labs. “Even if you remove your computer’s microphone, if you use headphones you can be recorded.”

And, just like that, I’ll never look at my favorite set of earbuds the same way again. What this ultimately points out is that determined hackers will find creative ways to use our own devices against us. That isn’t new. What is new seems to be the never-ending reports of how devices, be they IoT devices or not, can be repurposed for nefarious ends. The use of all of this by our own government, as well as our government’s request for backdoors built into technology, only increases the threat vectors for this type of thing.

This particular exploit relies on ubiquitous RealTek codec chips, which the malware can instruct to switch an output channel to an input channel. Those chips are everywhere and there is no current method to secure them via a patch or update.

There’s no simple software patch for the eavesdropping attack, Guri says. The property of RealTek’s audio codec chips that allows a program to switch an output channel to an input isn’t an accidental bug so much as a dangerous feature, Guri says, and one that can’t be easily fixed without redesigning and replacing the chip in future computers.

Until then, paranoiacs take note: If determined hackers are out to bug your conversations, all your careful microphone removal surgery isn’t quite enough—you’ll also need to unplug that pair of cheap earbuds hanging around your neck.

When even our headphones are a potential enemy, the world has gone mad.
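The retasking feature described above can at least be audited. On Linux, the ALSA HD-audio driver lists each codec pin's capabilities and current direction in `/proc/asound/card*/codec#*`; the following added example (not from the researchers or this article) parses that dump and reports output jacks that are capable of input or currently have input enabled. The sample dump and the name `audit_pins` are constructed for illustration.

```python
import glob
import re

# Constructed sample in the layout of /proc/asound/card0/codec#0
# (illustrative values, not captured from a real machine).
SAMPLE = """\
Codec: Realtek ALC892
Node 0x0c [Audio Mixer] wcaps 0x20010b: Stereo Amp-In
Node 0x14 [Pin Complex] wcaps 0x40058d: Stereo Amp-Out
  Pincap 0x0001003e: IN OUT HP EAPD Detect Trigger
  Pin Default 0x01014010: [Jack] Line Out at Ext Rear
  Pin-ctls: 0x40: OUT
Node 0x18 [Pin Complex] wcaps 0x40058f: Stereo Amp-In Amp-Out
  Pincap 0x0000373e: IN OUT HP Detect Trigger
  Pin Default 0x01a19840: [Jack] Mic at Ext Rear
  Pin-ctls: 0x24: IN VREF_80
Node 0x1b [Pin Complex] wcaps 0x40058f: Stereo Amp-In Amp-Out
  Pincap 0x0000373e: IN OUT HP Detect Trigger
  Pin Default 0x02214020: [Jack] HP Out at Ext Front
  Pin-ctls: 0x20: IN
Node 0x1f [Pin Complex] wcaps 0x40010d: Stereo Amp-Out
  Pincap 0x00000010: OUT
  Pin Default 0x90170110: [Fixed] Speaker at Int N/A
  Pin-ctls: 0x40: OUT
"""

OUTPUT_DEVICES = ("Line Out", "HP Out", "Speaker")
PIN_IN_ENABLE = 0x20  # "In Enable" bit of the HD-audio pin widget control
PIN_NODE = re.compile(r"Node (0x[0-9a-f]+) \[Pin Complex\]")
PIN_DEFAULT = re.compile(r"Pin Default 0x[0-9a-f]+: \[[^\]]+\] (.+?) at ")


def audit_pins(dump):
    """Return (node, device, status) for every pin whose default role is output."""
    pins, cur = [], None
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith("Node "):
            m = PIN_NODE.match(line)  # ignore mixers, DACs and other widgets
            cur = {"node": m.group(1), "caps": set(), "device": None, "ctl": 0} if m else None
            if cur:
                pins.append(cur)
        elif cur is None:
            continue
        elif line.startswith("Pincap "):
            cur["caps"] = set(line.split(":", 1)[1].split())
        elif line.startswith("Pin Default "):
            m = PIN_DEFAULT.match(line)
            if m:
                cur["device"] = m.group(1)
        elif line.startswith("Pin-ctls:"):
            cur["ctl"] = int(line.split()[1].rstrip(":"), 16)

    findings = []
    for p in pins:
        if p["device"] not in OUTPUT_DEVICES:
            continue  # microphones and line-in are expected to capture
        if p["ctl"] & PIN_IN_ENABLE:
            status = "input-enabled"  # output jack currently switched to capture
        elif "IN" in p["caps"]:
            status = "retaskable"  # hardware allows the switch
        else:
            status = "output-only"
        findings.append((p["node"], p["device"], status))
    return findings


if __name__ == "__main__":
    paths = glob.glob("/proc/asound/card*/codec#*")
    dumps = [(p, open(p).read()) for p in paths] or [("constructed sample", SAMPLE)]
    for name, text in dumps:
        for node, device, status in audit_pins(text):
            print(f"{name}: pin {node} ({device}): {status}")
```

An `input-enabled` result on a headphone or line-out jack is a prompt to investigate rather than proof of compromise, since drivers and users also retask jacks legitimately.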



Comments on “Your Earbuds Can Be Made Into Microphones With Just A Bit Of Malware”

73 Comments
Ninja (profile) says:

Re: Re:

Hmmm, I don’t know about you but I am interested in new ways malware is being used. Your line would translate like “sexual contact spread diseases, no need to report if the new disease goes through condoms”.

So, yes, it is important to know your gadgets can be turned into spying devices even if their original purpose would make even the most conspiracy nut among us believe otherwise.

DannyB (profile) says:

Re: Re: Re: Re:

I don’t need the doom and gloom preface either. Especially since I generally engage in the doom and gloom outlook myself.

But some people DO need it. Wake up! That is the message.

From TFA . . .

paranoiacs take note

No matter how paranoid and tin foil hat crazy sounding my concerns have been over the years, it always turns out that things are already worse than I imagined.

I DO NOT need to now be told of every example of new malware that can listen through my ear buds. The general purpose takeaway message is: unplug earbuds when not in use. Just as with the camera, put black tape over it when not in use. But I don’t need to know about every new instance of web cam spyware.

I DO need to know about every new capability, such as using the earbuds as microphones.

Anonymous Coward says:

Re: Re: Re:2 Re:

Using speakers as microphones is not a new discovery. The only novel thing was the vulnerability in the driver software. The people who are paranoid enough to remove all microphones from their computer surely know the risks of malware and how to avoid it.

Honestly, if you’re infected with malware there’s a lot worse they can do than make a distorted recording of your heavy breathing.

I.T. Guy says:

Re: Re:

In case you hadn’t noticed the name of the site is TECHDIRT.

Your question:
“Do we really need a breathless report every time someone discovers something that can be done with a computer?”

Should be:
Do we really need a breathless report every time someone discovers something new that can be done with a computer?
ANSWER: Yes.

DannyB (profile) says:

Re: Re: Re:

Based on my experience, I would recommend that when you fashion your aluminum headwear that you use TWO layers of tin foil rather than just one. This more than doubles the effectiveness. The reason is that a resonance effect develops between the two layers, at exactly double the frequency of the government’s invisible brain lasers.

In addition, if you create two antennas on the top instead of one, it further increases the effectiveness by an additional 37 percent.

Anonymous Coward says:

Re: Re: Re:2 Re:

I’ll have you take back those mean and nasty things you’re saying about my Aluminum hat. According to the Wiki, it’s working as advertised. :/

https://en.wikipedia.org/wiki/Tin_foil_hat

“The notion that a metal foil hat can significantly reduce the intensity of incident radio frequency radiation on the wearer’s brain has some scientific validity, as the effect of strong radio waves has been documented for quite some time.[6] A well-constructed aluminum foil enclosure would approximate a Faraday cage, reducing the amount of (typically harmless) radiofrequency electromagnetic radiation passing through to the interior of the structure. A common high school physics demonstration involves placing an AM radio on aluminum foil, and then covering the radio with a metal bucket. This leads to a noticeable reduction in signal strength.”

Roger Strong (profile) says:

Re: Not the most earth shattering discovery

Last year I read about a company planning to hand employees Microsoft Bands with some custom web-connected app. My first thought was “Their employees will have networked tracking devices with microphones strapped to them all day?”

Being marketed as a fitness device, the Microsoft Band’s sensors included a heart rate sensor and skin galvanometer. “Their employees will have networked lie detectors strapped to them all day?”

DannyB (profile) says:

Re: Re: Not the most earth shattering discovery

Don’t forget laser microphones.

Don’t forget that if you use a CRT at night in a dark room, like back in the covered wagon days, a van on the street can capture the glow of the CRT on the wall or ceiling and re-create a fairly decent readable copy of what is on the CRT. It just takes a few guesses at the refresh rate and how many scan lines tall the screen image is.

Another thing. Suppose there is some subject that you are not supposed to see. It is in an area not exposed to public view. But part of the walls of the area are visible to public view. So you could capture the color of the light reflecting on one of those walls visible to the subject. Now suppose you could replace a light source in the secure area with digital projector such as used in a conference room. The projector would, like a flood light, project light upon the subject. But that light is a rectangular array of pixels. And it would illuminate the area, one pixel at a time, at high speed. Now it is possible to capture the reflected light on the wall, from a public area, and re-create what the light source can “see”. The recreated image looks as though you “see” it as through the projector (eg “light bulb”) as if it were a camera. I’m not sure of the practicality of this, but I know there was a good article about the success of the technique on Slashdot some years ago.

Anonymous Anonymous Coward (profile) says:

The long run

Don’t wear ear buds, it’s rude.

Don’t wear headphones, you can’t hear anything else (your phone is ringing).

Don’t use speakers, it is likely you are violating someone’s perceived rights, if you’re not listening to a ‘fully authorized, DRM infected’ source. You old analog owners beware. Vinyl won’t have protections for long, you will need a subscription to listen to those old albums (as stated in the 2025 copyright update passed by congress with a 98% approval and shrugged at by SCOTUS when sued as unconstitutional).

Have your hearing impaired so that you no longer need speakers of any kind, but then watch out for police who yell all kinds of things at you that you won’t hear, and then they will have an excuse to shoot you, because they don’t care if you can’t hear. Your failure to obey put their lives in danger. Oh, and no excuse for not recognizing their sign language expressed at 10,000,000 decibels (you think cops know the difference?), cuz it won’t be a real argument, you will be dead. Not to mention lipreading those cops behind you, failure to turn around and intently read lips is a lethal offence.

This particular hack is really insipid, isn’t it?

Anonymous Coward says:

Re: Re:

Why is this news?
I remember playing with headphones when I was a kid, 20 years ago, and turning them into a microphone.

It’s a bad headline. The news is not that headphones/speakers can be made into microphones, it’s that a computer’s headphone jack can be made into a microphone jack. (Which isn’t shocking either, if you’ve read some datasheets and thought about it, but isn’t so obvious—for ex., as was pointed out on Bruce Schneier’s blog, Snowden didn’t mention it when demonstrating how to desolder the microphones on a smartphone to "go black".)

PaulT (profile) says:

Re: Re:

Yeah, the way this has been reported everywhere is as if people are shocked that the physical headphones can work as mics. This is sloppy, that fact has been known for a long, long time and it’s not news in any way (or at least shouldn’t be on a site with a tech savvy audience).

The specifics of the actual issue found are as follows:

“Their malware uses a little-known feature of RealTek audio codec chips to silently “retask” the computer’s output channel as an input channel, allowing the malware to record audio even when the headphones remain connected into an output-only jack and don’t even have a microphone channel on their plug”

So, the surprise here is that headphones plugged into a headphone jack can act as a mic without any user interaction to do that (such as plugging into a mic socket). Well, it’s not actually a surprise that such a feature can be used by malware, but it’s good to note that this feature and thus vulnerability exists.

Anonymous Coward says:

Re: Re: Re: Re:

Years ago, weren’t there devices, like a credit card reader, that connected to the phone only via the headphone jack?

On a phone that’s a headphone+microphone jack, and you’ll see the extra connection if you look at the plug on a headset (a TRRS plug with 4 parts: microphone, ground, right output, left output). But now we know that even a 3-connection TRS plug can capture audio.

Unplugging it probably isn’t good enough: the phone has a built-in speaker to play ringtones, and that could be reversed too. Likewise, PCs generally have at least one built-in speaker for the BIOS beep, and laptops have speakers connected to the Realtek audio chip.

PaulT (profile) says:

Re: Re: Re:3 Re:

“asshole”

I assume you’re the model of maturity AC who lost his shit when I pointed out that not knowing the difference between Java and Javascript invalidated any arguments you wanted to make on their usage? The one who imagines grand conspiracies when a community tells him to stop being a prick?

Words mean things. If you’re going to have argument using them, make sure you know what that is. Your inability to have an adult conversation without devolving into a sweary little child and your proud ignorance of language do not change this fact one bit.

Anonymous Coward says:

Re: Re: Re:4 Re:

“I assume”

Stop assuming. You look like a fucking idiot.

“Words mean things. If you’re going to have argument using them, make sure you know what that is.”

That is why you’re an asshole, you’ve explained it perfectly. I read his comment once and knew what he was trying to say. Just because he didn’t use the correct words, doesn’t make his argument any less valid. Instead of giving him the benefit of the doubt, you took the opportunity to try and look superior. You are an asshole, plain and simple.

Anonymous Coward says:

Re: Re: Re:4 Re:

“I assume”

Stop assuming. You look like a f*cking idi0t.

“Words mean things. If you’re going to have argument using them, make sure you know what that is.”

That is why you’re an ahole, you’ve explained it perfectly. I read his comment once and knew what he was trying to say. Just because he didn’t use the correct words, doesn’t make his argument any less valid. Instead of giving him the benefit of the doubt, you took the opportunity to try and look superior. You are an ahole, plain and simple.

PaulT (profile) says:

Re: Re: Re:5 Re:

“You look like a f*cking idi0t”

We’ll let the other readers of this site work out who looks like the idiot. I’ll guess it’s more likely to be the sweary child having a tantrum than the adult calmly telling them to stop making a scene.

“I read his comment once and knew what he was trying to say”

…and then spent time ranting because someone else didn’t interpret it the same way. Even if you had the higher ground, you lost it the second you started typing this comment in the state you did.

Plus, again, even if he did simply misuse a word, the point he was making was still wrong. Having any specific audio expertise is irrelevant. Throwing a fit doesn’t change that.

Anonymous Coward says:

Re: Re: Re:6 Re:

“…and then spent time ranting because someone else didn’t interpret it the same way. “

Not ranting, pointing out your arrogance. I.T. Guy tried to say something, misused a word, and you try to invalidate his entire statement instead of giving him the benefit of the doubt. It’s bully behavior of the worst kind, intellectual. And instead of just apologizing and being cool about it, you double down on dumbass.

“Plus, again, even if he did simply misuse a word, the point he was making was still wrong. Having any specific audio expertise is irrelevant. “

No, you’re completely wrong. Understand how microphones, and their associated equipment’s hard and software works, is very much part of being an Audio Technician. There may be other unrelated jobs that require knowledge of such, sure. But he’s not wrong. As art guerrilla noted below, there are many “tricks” Audio Technicians and Musicians utilize to produce or record sound using headphones and the headphone jack.

Being “tech savvy” does not make you an Audio Technician. That was what he was trying to say before you climbed up on your high horse and talked down to him.

PaulT (profile) says:

Re: Re: Re:7 Re:

“I.T. Guy tried to say something, misused a word, and you try to invalidate his entire statement instead of giving him the benefit of the doubt”

No, I addressed what he actually said, not what he wished he said. If one of us is mistaken, I’m in the habit of addressing grown adults who are capable of laughing it off or bantering a little more, not whining like a little brat. But, then, there’s you…

I will note that he hasn’t returned, so you’re assuming as much as I am. I will apologise if my slightly sarcastic comment didn’t address what was in his head if he feels it wasn’t correct. I won’t apologise to the petulant fool who decided to dive in and display his lack of maturity, though.

“Understand how microphones, and their associated equipment’s hard and software works, is very much part of being an Audio Technician”

…among many other professions, hobbies and general living life in the modern world. Most people who know this fact probably learned it in school or at home. I was probably 8 when I learned of this fact, which I learned by observing what happened when I accidentally plugged the jack in the wrong place. After which, I used the headphones to record some amazingly bad audio to tape, which amused me for a few moments. Then, learning basic electronics in school educated me as to why it happened.

I’m amused to learn this automatically means I work in the field, however, especially since I’ve never so much as bought an actual microphone unless it was attached to a phone, laptop or headset. Which other professions do I have by making basic observations about the world around me, I wonder?

Stop digging, you’ve embarrassed yourself enough.

nasch (profile) says:

Re: Re: Re:8 Re:

I’m amused to learn this automatically means I work in the field

That’s a logic fail. He said "Understand [sic] how microphones… works, is very much part of being an Audio Technician". So if p (one is an audio technician) then q (one understands microphones). This does not imply that if q then p.

But maybe you were just joking.

Anonymous Coward says:

Re: Re: Re:8 Re:

” I will apologise [sic] if my slightly sarcastic comment didn’t address what was in his head if he feels it wasn’t correct.”

Finally! Not that you care; but stopped reading right there. It really doesn’t matter what’s said after this point, although I’m sure the rest of your post is your typical self serving, name calling, finger pointing babble.

On I.T. Guy’s behalf, (again not that anyone cares) your apology is accepted.

PaulT (profile) says:

Re: Re: Re:9 Re:

“Finally!”

He hasn’t commented yet. I don’t believe he authorised you as his personal representative here, although you seem to have taken that job up for some reason.

Next time, I think he might appreciate it if you did so without the childish sweary tantrum, though. I know I wouldn’t want a raging moron representing me if I were him.

Anonymous Coward says:

>There’s no simple software patch for the eavesdropping attack,

There is a simple way to block the attack, keep something playing on your earphones, as an attack would have to check for active use before switching to microphone mode, as silence would make the user investigate their earphones. You do not need to be listening to it, just keep the output mode occupied.

Anonymous Coward says:

Re: Re:

There is a simple way to block the attack, keep something playing on your earphones, as an attack would have to check for active use before switching to microphone mode, as silence would make the user investigate their earphones.

Most audio tracks would have occasional silence. Do we know how quickly this can be switched? It seems optimistic to assume it will be audible.

Jeffrey Nonken (profile) says:

Re: Re:

“There is a simple way to block the attack, keep something playing on your earphones, as an attack would have to check for active use before switching to microphone mode, as silence would make the user investigate their earphones. You do not need to be listening to it, just keep the output mode occupied.”

… Or unplug your earphones when they’re not in use.

Anonymous Coward says:

One of the negatives that come along with connectivity is the idea that everything we love can be used to spy on us

Not so much no. I don’t think most people really realize that in any fundamental way.

The negative, is that barrier to entry for managing the individual identity is increasing. IMHO the next evolution of porn blackmail, is just collective dirt brokering on every facet of an individual’s life.

The only people who are going to be able to maintain any kind of reasonably untainted identity are those who’ve never done anything worth noting, and those who can pay large sums to clean up after themselves in the post epoch dirt market.

This will become a social class delineating factor. Ultimately it will taint the pool of available leadership, just like formal aristocracy did in Britain. It might be fair to say that it already has, looking at the last electoral cycle.

DB (profile) says:

First of all, remember that aluminum foil works well to block radio waves, but it does nothing to block mind control rays. You need tin foil to block that. But the government long ago secretly banned tin foil, using the rays to cause aluminum foil to be substituted in every application.

Back to the point at hand. I don’t know why these people are getting press. This is a specific feature of many modern audio subsystems. It’s ubiquitous on mobile SoCs (phone and tablet chips). It’s used to automatically adapt to the incompatible plugs of mono earphones, stereo headphones, mono headsets (w/ mic) and stereo headsets. Some even support uncommon connections such as stereo microphones, digital audio, Rx/Tx serial connections, and combined optical digital audio (an optical fiber or IR LED/receiver on the very tip of the 1/8″ plug).

Jeffrey Nonken (profile) says:

I use bluetooth headsets, myself. Those won’t transmit sound back when they’re in streaming mode, and if they’re in headset mode, it’s a live mic by design. (Also much lower quality sound.)

Except on my desktop when I’m playing video games, and I’ve got a mic plugged in anyway to talk to my gaming buddies. No need to get elaborate. But what you hear will probably not be terribly interesting unless you’re a fan of Payday 2. And probably not then, either.
