Researchers have demonstrated that attackers can listen in on users via headphones connected to their PCs – even if no microphone is present.
The research, published by Cyber Security Research Center at Ben Gurion University in Beer-Sheva, in the Negev desert, focuses on systems where no microphone is built-in or connected, or where it has been muted, taped or turned off – systems with active microphones would be much more straightforward to turn into listening devices, they said.
Headphones include the same components as microphones, however, meaning they can capture sounds when plugged into a computer’s microphone jack.
And since the audio chipsets found in most computers allow such jacks to be repurposed using software, attackers who have gained access to a system can reconfigure a headphone port to record audio from a line-out plugged into it, the researchers found.
“The fact that headphones and earphones are physically built like microphones, coupled with the fact that an audio port’s role in the PC can be altered programmatically from output to input, creates a vulnerability which can be abused by hackers,” they wrote.
They said certain types of loudspeakers are also vulnerable. Most current PCs and laptops are susceptible to this type of attack. Such an exploit could be carried out through malware that infects a system through various means, such as an infected email attachment.
The researchers demonstrated that the attack worked using a pair of off-the-shelf Sennheiser headphones with no microphone, and that intelligible conversations could be recorded from up to 20 feet away.
The team recommended that chipset makers modify their firmware to disable software jack retasking.
Other workarounds include leaving speakers, headphones and earphones unplugged or using audio jammers or white noise emitters to stop computers from recording audio.
Users can also disable a computer’s audio component in its BIOS, which would also block the use of sound for any other purpose on the system.
The government recently banned the use of smart watches such as the Apple Watch from cabinet meetings due to concern they could be hacked and used as listening devices.
Do you know all about security in 2016? Try our quiz!
After axing 31 percent of its workforce when it failed to be acquired by Amazon,…
Mozilla Foundation axes 30 percent of its staff, and is eliminating its Advocacy Division that…
Improving security. Mandatory multi-factor authentication (MFA) is coming to the Google Cloud by the end…
New AI assurance platform from UK government will help businesses ensure they can safely develop…
Protecting kids? Australian government confirms plan to implement restriction on social media for children under…
Canada ordered China's TikTok business in the country to be dissolved over national security risks,…