Speakers are everywhere, whether it is expensive, standalone audio systems, laptops, smart home devices or cheap laptops. And while you rely on them for music or conversation, scientists have long known that commercial speakers are also physically capable of delivering frequencies out of audible reach to humans. At a Defcon security conference in Las Vegas on Sunday, a scientist warns that this ability has the potential to become a firearm.
It's scary enough that companies have experimented with tracking users' browsing by playing inaudible, ultrasonic beacons through their computer and phone speakers when they visit certain websites. But Matt Wixey, cybersecurity research at technology consultancy PWC UK, says it's surprisingly easy to write custom malicious software that can cause all kinds of built-in speakers to emit high-frequency audible frequencies, or blast high-volume audible sounds. These oral barriers can potentially damage human hearing, cause tinnitus or even possibly have psychological effects.
"I've always been interested in malware that can make the leap between the digital and the physical world," says Wixey. "We were wondering if an attacker could develop malicious software or attacks to emit noise that exceeds the maximum permitted guidelines, and therefore could potentially cause adverse effects for users or people around."
Lily Hay Newman covers information security, digital privacy and hacking for WIRED.
The research analyzed the potential sound effect of a handful of devices, including a laptop, a smartphone, a Bluetooth speaker, a small speaker, a pair of over-ear headphones, a vehicle-mounted public address system, a vibration speaker, and a parametric speaker. , which channels are heard in a specific direction. Wixey wrote simple code scripts or some more complete malware to run on each device. An attacker will still need physical or external device to spread and implant malicious software.
From there, Wixey placed them one by one in a soundproof container with minimal echo called an anechoic chamber. A sound level meter in the cabinet measured the emissions, while a surface temperature sensor took readings of each unit before and after the acoustic attack.
Wixey found that the smart speaker, headphones, and parametric speaker were capable of emitting high frequencies that exceeded the average recommended by several professional guidelines. The Bluetooth speaker, noise-canceling headphones, and the smart speaker again managed to emit low frequencies that exceeded average recommendations.
In addition, the attack on the smart speaker in particular gave enough heat to begin to melt its internal components after four or five minutes, permanently damaging the device. Wixey disclosed this finding to the manufacturer, saying that the device manufacturer has issued a patch. Wixey says he will not release any of the acoustic malicious software he wrote for the project or name any of the specific devices he tested. He also did not test the device attacks on humans.
"There are many ethical considerations, and we want to minimize the risk," says Wixey. "But the result of that is that the minority of the units we tested in theory could be attacked and reused as acoustic weapons."
The experiments on the Internet-connected smart speaker also highlight the potential for acoustically harmful software to be distributed and controlled through remote access attacks. And Wixey notes that existing research on harmful exposure of humans to acoustic emissions has found potential effects that are both physiological and psychological.
The acoustic academic research community has increasingly warned about the problem. "We are currently in the undesirable situation where a member of the public can purchase a $ 20 device that can be used to expose another human to sound pressure levels … in excess of the maximum permissible levels of public exposure," says Timothy Leighton , a researcher at the University of Southampton wrote in the October issue of the Journal of the Acoustical Society of America.
And while it is still unclear whether acoustic weapons played a role in the attack on US diplomats in Cuba, there are certainly other entities that intentionally use high or intense acoustic emanations as a deterrent, such as sound guns used for audience control.
"As the world becomes interconnected and the boundaries break down, the surface of the attack continues to grow," Wixey says. “It was basically our discovery. We were just scratching the surface and acoustic cyber weapons attacks could potentially be done on a much larger scale by using something like arena audio systems or commercial PA systems in office buildings. "
" Physics makes sense. And certainly, it could potentially be dangerous. "
Ang Cui, Red Balloon
Other Internet of Things device researchers have also stumbled upon similar findings in their work, whether they originally intended to study acoustic emanations or only realized the potential through studying consumer electronics. Last year reported a group of researchers found at the Crypto 201[ads1]8 conference in Santa Barbara, California that ultrasound radiation from the internal components of computer screens could reveal the information depicted on the screen.
Vasilios Mavroudis, a doctoral researcher at University College London, also found in his research at ultrasound tracking that most commercial speakers are capable of producing at least "almost ultrasound" frequencies – sounds that are inaudible to humans but technically do not qualify as ultrasonic – if not more.  And Ang Cui, who founded the built-in device security company Red Balloon, published research in 2015 using malware to broadcast then remove from a printer by crushing the internal components of the printer to create sounds that could be picked up and interpreted by an antenna.
"I'm not at all surprised that speakers can be manipulated this way," Cui says. Think about it – if there are no limits or filters in place, things that make sounds can be forced to make very loud or intense sounds. Physics makes sense. And certainly, it can potentially be dangerous. "
Wixey proposes a number of countermeasures that can be incorporated into both hardware and software to reduce the risk of acoustic attacks. Crucially, manufacturers can physically limit the frequency range of speakers so that they are unable to emit audible sounds. Desktop and mobile operating systems can alert users when their speakers are in use or give alerts when applications request permission to control the speaker volume.
Speakers or operating systems may also have digital defenses in place to filter digital audio inputs that will produce high and low frequency sounds. And antivirus vendors can even integrate specific detections into the scanners to monitor for suspicious audio input activity. Environmental noise monitoring for high-frequency and low-frequency noise would also capture potential cyber-acoustic attacks.
Although acoustic weapons are certainly not an all-offensive offensive tool, Wixey points out that one of the most insidious things about this potential class attack is that in many cases you have no idea that they are in progress. "You never really know, unless you walk around with an audio meter, what you're exposed to," he says.