Security researchers have demonstrated how attackers could cause physical damage to hard drives, and cause PCs to crash, just by playing sounds through a computer’s speaker.
A denial-of-service (DoS) attack against your organisation’s website is bad enough, preventing customers from reaching your online presence and perhaps preventing you from processing new orders – but imagine the chaos that could be caused by a successful DoS attack against your firm’s hard drives…
That’s the threat raised by a group of security researchers who have demonstrated an out-of-the-ordinary method of disrupting an organisation – through sound waves.
Researchers from the University of Michigan and Zhejiang University have demonstrated that it’s possible for attackers to cause physical damage to hard drives, and cause PCs to crash, just by playing sounds through a computer’s speaker.
According to a research paper entitled “Blue Note: How Intentional Acoustic Interference Damages Availability and Integrity in Hard Disk Drives and Operating Systems”, you don’t need specialist equipment to cause errors on hard disk drives using either human audible or ultrasonic acoustic waves.
With audible sound waves it’s possible to vibrate the read/write head and platters in the magnetic hard disk drives commonly found in desktop and laptop computers. Vibrations beyond outside of operational bounds can lead to both hardware and software being damaged, causing file system corruption and reboots. The researchers even showed that it is possible for an attacker to use a device’s built-in speakers (or nearby speakers) to cause persistent errors.
Meanwhile, ultrasonic waves can have a similar impact on devices, with sounds inaudible to the human ear altering the output of the hard disk drive’s shock sensor, and causing the read/write head to park.
It’s important to recognise, of course, that it’s not just regular desktop or laptop computers that could be impacted via a Blue Note attack.
One ingenious attack scenario demonstrated by the researchers saw them target a digital video security camera.
The surveillance camera contained a DVR that stored footage on a hard disk drive. However, when hit by an acoustic attack the system could no longer write any data to its hard disk drive. The camera continued to try to save video data in its RAM, but within about 12 seconds it ran out of available space, and lost all data until the acoustic attack was stopped.
It’s easy to picture how a criminal could use such a technique to avoid being recorded on security cameras.
This is, of course, not the first time that the public’s attention has been brought to focus on how noise can impact negatively on hard disk drives.
In 2016, for instance, it was reported that a dozens of hard drives at ING Bank’s data centre in Bucharest were damaged after a system designed to extinguish fires made a loud noise when expelling inert gas.
The downtime had an impact on bank services, causing credit card transactions, ATMs, and internet banking to fail.
And ten years’ ago, Sun’s Brendan Gregg made a video that warned of the dangers of “Shouting in the Data Center”:
In his presentation, Connor Bolton of the University of Michigan, proposes that hard drive manufacturers could defend customers by issuing a firmware update to prevent the hard disk drive’s read/write head head from vibrating back and forth. That is, of course, a “could” rather than a “will”. My suspicion is that many vendors will view the threat described by the researchers as interesting theoretically, but perhaps hold their horses on doing anything about it until there’s some evidence of exploitation.
The good news for owners of some more expensive laptops is that solid state drives (SSDs) don’t have any moving parts which means that they’re not going to care if they suffer a shock or vibration. However, that doesn’t alter the fact that many devices could in theory be attacked via this method, as they continue to use a hard drive often because manufacturers found it to be the most cost-effective data storage solution.
written by Graham Cluley, ESET We Live Security