The recent distributed denial of service (DDoS) attacks that crippled parts of the internet—including PayPal, Twitter, Amazon, Netflix, Spotify and many others—opened the eyes of many to how unprotected the devices we use every day can be used against us.
Now researchers at Israel’s Ben-Gurion University of the Negev (BGU) have demonstrated a scarier reality for consumers in malware that can turn computers into perpetual eavesdropping devices, even without a microphone. The malware does this by covertly transforming headphones into a pair of microphones that can then be used to exploit the public.
“The fact that headphones, earphones and speakers are physically built like microphones and that an audio port’s role in the PC can be reprogrammed from output to input creates a vulnerability that can be abused by hackers,” says professor Yuval Elovici, director of the BGU Cyber Security Research Center and member of BGU's Department of Information Systems Engineering.
In a typical computer, a number of audio jacks are present in the front panel, rear panel or both. Each jack is used for input or output, and the audio chipsets in modern motherboards and sound cards include an option for changing the function of an audio port with software. Malware can reconfigure the headphone jack from a line-out jack to a microphone jack, turning the headphones function into recoding microphones or an eavesdropping device. This works even if the computer does not have a microphone, researchers say.
So how do you avoid having this happen? While it may be possible to tape up the microphone and webcam, it is far more difficult to tape the headphones or speakers. One way would be to completely disable the audio hardware and use an HD audio driver to alert users when microphones are being accessed. Another way would be to use a strict re-jacking policy regarding audio jacks. Anti-malware and intrusion-detection systems could also be used to monitor and detect unauthorized speaker-to-microphone re-tasking operations and block them.