ULTRASONIC AND SONIC ATTACKS can mess with hard drives and crash operating systems, presenting a new vector of cyber attacks that cross over into the real world.
That's according to boffins from the University of Michigan and Zhejiang University, who in their paper 'Blue Note: How Intentional Acoustic Interference Damages Availability and Integrity in Hard Disk Drives and Operating Systems' noted that such sounds played over the usually-cheap speakers found in computers can wreak havoc on a system.
Sonic and ultrasonic sounds can disrupt the read and write processes of magnetic hard disk drives, while laptops running Windows or Linux OSes, in some cases at least, required a reboot to work properly after a sonic bombardment.
Audible sonic sounds do this by causing the head stack in a hard disk drive's assembly to vibrate outside of its normal operating parameters which temporarily stop it from writing data. While ultrasonic sounds create false positives in the disk drive's shock sensor and causes the drive to stop using its head, thereby causing it to stop working and disrupt an OSes normal operation.
In one example, the researchers found that it took as little as 45 seconds to force a Dell XPS 15 9550 to become unresponsive after it played audio over its built-in speakers. Two or more minutes of the sound and the computer needed a reboot to get its hard disk drive up and running again.
"The problem poses a challenge for legacy magnetic disks that remain stubbornly common in safety-critical applications such as medical devices and other highly utilized systems difficult to sunset. Thus, we created and modelled a new feedback controller that could be deployed as a firmware update to attenuate the intentional acoustic interference," the researchers said, but they did offer a solution to the problem:
"Our sensor fusion method prevents unnecessary head parking by detecting ultrasonic triggering of the shock sensor."
While sonic attacks could be used against data centres and medical devices if an acrostic signal strong enough to cause errors could be produced nearby, the attacks would likely be ineffective, as the researchers pointed out that people would hear the sounds and take action. So, it would only work if such an attack could be carried out without being noticed, say a malicious webpage triggering a sound when it detects someone isn't browsing it.
Ultrasonic sounds can't be heard by humans so could be more effective, but they'd also need to be strong enough to be problematic and aren't easily created.
As such, it's more feasible to disrupt a computers operations with denial of service attack instead. But the researchers did note that ultrasonic attacks can be difficult to defend against given people can't hear the sounds they produce making if difficult to spot and disable emitters.
Bad for shareholders, mildly good for the planet
YouTube on the Tube
Claims that it hasn't ever actually worked