Why you can not scream at your HDD
At the Ekoparty 2017 computer security conference in Buenos Aires, the Argentine hacker Alfredo Ortega showed a very interesting development - a system for covert wiretapping of premises without using a microphone. Sound is recorded directly by the hard disk !
The HDD picks up mainly low-frequency sounds of high intensity, steps and other vibrations. It is not yet possible to recognize human speech, although scientists are conducting research in this direction (speech recognition by low-frequency vibrations, which are removed, for example, from a gyroscope or HDD).
Sound is the vibrations of air or another medium. A person perceives them through the eardrum, which transfers vibrations to the inner ear. The microphone is arranged approximately like an ear - here, too, vibrations are recorded by a thin membrane that excites an electrical impulse. The hard disk, of course, is also subject to microscopic vibrations due to fluctuations in the surrounding air. This is even known by the technical characteristics of the HDD: manufacturers usually indicate the maximum permissible level of vibration, and the hard disk itself is often tried to be placed in a container protected from vibration made of rubber or other insulating material. From this it is easy to conclude that using the HDD you can register sounds. It remains only to figure out how.
Alfredo Ortega proposed a peculiar version of a side-channel attack, namely a time attack. This attack is based on the assumption that various operations are performed on the device at different times, depending on the input data. In this case, the “input data" are the vibrations of the read head and the HDD plate, which correlate with environmental vibrations, that is, with sound. Thus, by measuring the calculation time and performing a statistical analysis of the data, one can measure the vibrations of the head / plate and, consequently, the vibrations of the medium. The greater the delay in reading data, the stronger the fluctuations of the HDD and, therefore, the louder the sound.
How to measure hard disk vibrations? Very simple: just launch a system call
read ()- and register the time for which it is running. Modern operating systems allow you to read the timing of system calls accurate to the nanosecond.
The speed of reading information from the sector depends on the position of the head and plate, which correlates with the vibrations of the HDD enclosure. That's all.
Statistical analysis is carried out using a simple utility Kscope. As they say, all ingenious is simple.
Kscope utility (stat () syscall)
Kscope is a small utility for visualizing tiny differences in the execution time of system calls. The source code is published on GitHub .
In a separate hdd-time repositorythe utility version is configured to attack the hard disk in time, that is, configured to analyze the system call
Demonstration of sound recording using the HDD, the operation of the Kscope utility
Of course, the speech can not be disassembled in this way, but as a vibration sensor, the HDD is quite suitable. For example, you can register if a person in hard shoes or barefoot walked into the computer room (it is likely that if the attacker is wearing soft sneakers or a thick carpet is laid on the floor, the HDD will not be able to register vibrations - this is worth checking). A computer is able to register broken glass or another incident with strong sound intensity. That is, the hard disk can serve as a kind of system for detecting unauthorized intrusions.
By the way, a similar technique can be used to disable hard drives. Only here we do not remove vibrations from the HDD, but rather, we generate vibrations that are fed to the HDD. If you play sound from a speaker at a frequency that resonates with the frequency of the HDD, the system will soon turn off the device with an I / O error (the Linux kernel completely turns off the HDD after 120 seconds). The hard drive itself may receive permanent damage.
The Linux kernel disconnected the hard drive after 120 seconds of delivering sound at a resonating frequency through the speaker of the Edifier r19u USB speaker. The speaker is turned on by about a quarter of the power (less than 100 mW) and is located 20 cm from the HDD, aimed at the table to enhance vibration. Frame from a video demonstrating the operation of the HDD killer
It is curious that such “attacks” on the HDD sometimes happen quite by accident in ordinary life. For example, in September 2016, the ING Bank data center was forced to suspend operations 10 hours after the fire drill. Dozens of hard drives have failed due to the loud sound of inert gas being released from the cylinders under high pressure. The sound was very loud (more than 130 dB), but you can’t even shout at hard drives - this increases the delay in accessing the HDD.
Demonstration of a human cry for hard drives in a data center. Delay measurement
To generate resonant sound, Alfredo Ortega wrote a python script called hdd-killer ( video demo ).
The script of the HDD killer is very small so you can publish it in its entirety here.
"""PyAudio hdd-killer: Generate sound and interfere with HDD """ """Alfredo Ortega @ortegaalfredo""" """Usage: hdd-killer /dev/sdX""" """Where /dev/sdX is a spinning hard-disk drive""" """Turn the volume to the max for better results""" """Requires: pyaudio. Install with 'sudo pip install pyaudio' or 'sudo apt-get install python-pyaudio'""" import pyaudio import time import sys import math import random RATE=48000 FREQ=50 # validation. If a disk hasn't been specified, exit. if len(sys.argv) < 2: print "hdd-killer: Attempt to interfere with a hard disk, using sound.\n\n" +\ "The disk will be opened as read-only.\n" + \ "Warning: It might cause damage to HDD.\n" +\ "Usage: %s /dev/sdX" % sys.argv sys.exit(-1) # instantiate PyAudio (1) p = pyaudio.PyAudio() x1=0 NEWFREQ=FREQ # define audio synt callback (2) def callback(in_data, frame_count, time_info, status): global x1,FREQ,NEWFREQ data='' sample=0 for x in xrange(frame_count): oldsample=sample sample=chr(int(math.sin(x1*((2*math.pi)/(RATE/FREQ)))*127)+128) data = data+sample # continous frequency change if (NEWFREQ!=FREQ) and (sample==chr(128)) and (oldsample