SecurityWorkspace

Hackers ‘Can Eavesdrop Via Earphones’ By Re-Working Built-In Jacks

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications

Follow on: Google +

Attackers can record sound from hacked systems, even when microphones are muted, switched off or unplugged, finds a study

Researchers have demonstrated that attackers can listen in on users via headphones connected to their PCs – even if no microphone is present.

The research, published by Cyber Security Research Center at Ben Gurion University in Beer-Sheva, in the Negev desert, focuses on systems where no microphone is built-in or connected, or where it has been muted, taped or turned off – systems with active microphones would be much more straightforward to turn into listening devices, they said.

google

Jacks repurposed

Headphones include the same components as microphones, however, meaning they can capture sounds when plugged into a computer’s microphone jack.

And since the audio chipsets found in most computers allow such jacks to be repurposed using software, attackers who have gained access to a system can reconfigure a headphone port to record audio from a line-out plugged into it, the researchers found.

“The fact that headphones and earphones are physically built like microphones, coupled with the fact that an audio port’s role in the PC can be altered programmatically from output to input, creates a vulnerability which can be abused by hackers,” they wrote.

They said certain types of loudspeakers are also vulnerable. Most current PCs and laptops are susceptible to this type of attack. Such an exploit could be carried out through malware that infects a system through various means, such as an infected email attachment.

Off-the-shelf headphones

The researchers demonstrated that the attack worked using a pair of off-the-shelf Sennheiser headphones with no microphone, and that intelligible conversations could be recorded from up to 20 feet away.

The team recommended that chipset makers modify their firmware to disable software jack retasking.

Other workarounds include leaving speakers, headphones and earphones unplugged or using audio jammers or white noise emitters to stop computers from recording audio.

Users can also disable a computer’s audio component in its BIOS, which would also block the use of sound for any other purpose on the system.

The government recently banned the use of smart watches such as the Apple Watch from cabinet meetings due to concern they could be hacked and used as listening devices.

Do you know all about security in 2016? Try our quiz!