Speakers and Mics hacked to turn Music Into Surveillance Tool

University of Washington’s Paul G. Allen School of Computer Science & Engineering research team has concluded that it is possible to use music for tracking body movements. This means hackers and emissaries may not need specific surveillance equipment for tracking our movements or location.

This is achieved through exploiting the smartphone’s speakers and microphones; these can be turned into surveillance tools for collecting information about the movements and body position of any nearby person or the phone’s user. The findings will be presented in September at the Ubicomp 2017. Researchers claim that by hijacking smart devices remotely and set them to function in a way that these play music with repeating pulses it is possible to track the position, body movements and actions of anyone using the device.

More: Malware can Convert your Headphones into Microphone for Hackers

UW’s research team identified that CovertBand software could be used to transform harmless smart devices into active sonar systems since the software can exploit built-in speakers and microphones and can be controlled remotely.

Speakers and Mics hacked to turn Music Into Surveillance Trojan Horse
Samsung Galaxy S4 device with portable speaker used by researchers to test CovertBand (Image Credit: Dennis Wise – University of Washington)

Perhaps this is the very first time any researcher has showed that it is possible to convert smartphones, smart TVs, and other smart devices into spying tools through music. According to Shyam Gollakota, associate professor at the UW computer science and engineering school and senior author, “the physical information CovertBand can gather — even through walls — is sufficiently detailed for an attacker to know what the user is doing, as well as other people nearby.”

But how can CovertBand track body movements? This is possible because it uses the active sonar principles to collect information. Active sonar systems can be found on submarines and are installed to identify the position of an object through sending out acoustic pulse. When the sound waves hit the objects in their path a deflection effect is created which is then picked up by a receiver. This is how the position, shape, and distance of an object is determined.

CovertBand can use a smart device’s speaker to send out the repeating pulse of sound waves, which happen to be in 18 to 20 kHz range. Just like the sonar system on a submarine, the sound waves encounter objects that come in their path and get reflected as a result; the built-in microphones collect the sound waves’ reflection.

The information is transferred to the attacker who can be residing at an entirely different corner of the world or a few feet distance. As per the findings of the research team, the technology can detect a variety of movements including “arm-pumping, walking or pelvic tilts to a range of up to six meters from the smartphone” while CovertBand developers say that movements can be identified much quickly with sufficient data and machine-learning algorithms.

Speakers and Mics hacked to turn Music Into Surveillance Trojan Horse
Researchers behind the test – Image Credit: University of Washington)

The purpose of this study was to determine the flaws in the everyday use smart devices, and the findings have been published in an official press release. It is claimed that CovertBand can track movement right across the wall, which is rather alarming because even your neighbors can use music to spy on you. It would become tough to understand if someone is listening to music or carrying out a surveillance act.

Researchers believe that jamming signals, sound-proofing or disabling the speaker and microphone of the device can help to some extent but these options aren’t very realistic. They have urged that scientists develop countermeasures that are much more practical. As Tadayoshi Kohno, co-author of the study stated:

“We always want to stay one step ahead of the bad guys — of attackers who are trying to collect this information about users. We’re providing education about what is possible and what capabilities the general public might not know about so that people can be aware and can build defenses against this.”

More: BugDrop Malware Campaign Obtains Data by Compromising PC Microphones

Watch how it’s done

Waqas

Waqas Amir is a Milan-based cybersecurity journalist with a passion for covering latest happenings in cyber security and tech world. In addition to being the founder of this website, Waqas is also into gaming, reading and investigative journalism.