A security researcher has demonstrated how to force everyday commercial speakers to emit harmful sounds.
Speakers are everywhere, whether it’s expensive, standalone sound systems, laptops, smart home devices, or cheap portables. And while you rely on them for music or conversation, researchers have long known that commercial speakers are also physically able to emit frequencies outside of audible range for humans. At the Defcon security conference in Las Vegas on Sunday, one researcher is warning that this capability has the potential to be weaponized.
It’s creepy enough that companies have experimented with tracking user browsing by playing inaudible, ultrasonic beacons through their computer and phone speakers when they visit certain websites. But Matt Wixey, cybersecurity research lead at the technology consulting firm PWC UK, says that it’s surprisingly easy to write custom malware that can induce all sorts of embedded speakers to emit inaudible frequencies at high intensity, or blast out audible sounds at high volume. Those aural barrages can potentially harm human hearing, cause tinnitus, or even possibly have psychological effects.
“I’ve always been interested in malware that can make that leap between the digital world and the physical world,” Wixey says. “We wondered if an attacker could develop malware or attacks to emit noise exceeding maximum permissible level guidelines, and therefore potentially cause adverse effects to users or people around.”
The research analyzed the potential acoustic output of a handful of devices, including a laptop, a smartphone, a Bluetooth speaker, a small speaker, a pair over-ear headphones, a vehicle-mounted public address system, a vibration speaker, and a parametric speaker, which channels sound in a specific direction. Wixey wrote simple code scripts or slightly more complete malware to run on each device. An attacker would still need physical or remote device access to spread and implant the malware.
From there, Wixey placed them one by one in a soundproof container with minimal echo called an anechoic chamber. A sound level meter within the enclosure measured the emissions, while a surface temperature sensor took readings of each device before and after the acoustic attack.
Wixey found that the smart speaker, the headphones, and the parametric speaker were capable of emitting high frequencies that exceeded the average recommended by several academic guidelines. The Bluetooth speaker, the noise canceling headphones, and the smart speaker again were able to emit low frequencies that exceeded the average recommendations.
Additionally, attacking the smart speaker in particular generated enough heat to start melting its internal components after four or five minutes, permanently damaging the device. Wixey disclosed this finding to the manufacturer and says that the device maker issued a patch. Wixey says that he is not releasing any of the acoustic malware he wrote for the project or naming any of the specific devices he tested. He also did not test the device attacks on humans.
“There are a lot of ethical considerations and we want to minimize the risk,” Wixey says. “But the upshot of it is that the minority of the devices we tested could in theory be attacked and repurposed as acoustic weapons.”
The experiments on the internet-connected smart speaker also highlight the potential for acoustic malware to be distributed and controlled through remote access attacks. And Wixey notes that existing research on detrimental human exposure to acoustic emanations has found potential effects that are both physiological and psychological.
The acoustic academic research community has increasingly been warning about the issue as well. “We are currently in the undesirable situation where a member of the public can purchase a $20 device that can be used to expose another human to sound pressure levels…in excess of the maximum permissible levels for public exposure,” Timothy Leighton, a researcher at the University of Southampton wrote in the October issue of the Journal of the Acoustical Society of America.
And while it is still unclear whether acoustic weapons played a role in the attack on United States diplomats in Cuba, there are certainly other devices that intentionally use loud or intense acoustic emanations as a deterrent weapon, like sound cannons used for crowd control.
“As the world becomes connected and the boundaries break down, the attack surface is going to continue to grow,” Wixey says. “That was basically our finding. We were only scratching the surface and acoustic cyber-weapon attacks could potentially be done at a much larger scale using something like sound systems at arenas or commercial PA systems in office buildings.”
Other Internet of Things device researchers have stumbled on similar findings in their work as well, whether they originally intended to study acoustic emanations or just realized the potential through studying consumer electronics. Last year, a group of researchers reported findings at the Crypto 2018 conference in Santa Barbara, California that ultrasonic emanations from the internal components of computer monitors could reveal the information being depicted on the screen.
Vasilios Mavroudis, a doctoral researcher at University College London, also found in his research into ultrasonic tracking that most commercial speakers are capable producing at least “near-ultrasonic” frequencies—sounds that are inaudible to humans, but don’t quite technically qualify as ultrasonic—if not more.
And Ang Cui, who founded the embedded device security firm Red Balloon, published research in 2015 in which he used malware to broadcast data from a printer by crunching the internal components of the printer to make sounds that could be picked up and interpreted by an antenna.
“I’m not at all surprised that speakers can be manipulated this way,” Cui says. “Think about it— if there’s no limiter or filter in place, things that make sounds can be forced to make really loud or intense sounds. The physics makes sense. And absolutely, it could potentially be dangerous.”
Wixey suggests a number of countermeasures that could be incorporated into both device hardware and software to reduce the risk of acoustic attacks. Crucially, manufacturers could physically limit the frequency range of speakers so they’re not capable of emitting inaudible sounds. Desktop and mobile operating systems could alert users when their speakers are in use or issue alerts when applications request permission to control speaker volume.
Speakers or operating systems could also have digital defenses in place to filter digital audio inputs that would produce high and low frequency noises. And antivirus vendors could even incorporate specific detections into their scanners to monitor for suspicious audio input activity. Environmental sound monitoring for high frequency and low frequency noise would also catch potential cyber-acoustic attacks.
Though acoustic weapons are certainly not an all-purpose offensive tool, Wixey points out that one of the most insidious things about this class of potential attacks is that in many cases you would have no idea they’re going on. “You never really know, unless you’re walking around with a sound meter, what you’re being exposed to,” he says.