
Acoustic Attacks on HDD Sabotage PCs

Researchers based at Princeton University and Purdue University have released research detailing how they conducted acoustic attacks on four Western Digital branded hard drives. These attacks could be used to cause either a temporary or a permanent denial-of-service (DoS) condition. In the examples provided, the group proved that such an attack could be used to prevent CCTV systems from recording video footage or to freeze computers dealing with critical operations. The basic principle behind this attack is that sound waves introduce mechanical vibrations into an HDD's data-storage platters. If the sound is played at a specific frequency, it produces a resonance effect that amplifies the vibration. As hard drives store vast amounts of data on relatively small sections of the platter, they are programmed to stop all read/write operations while a platter vibrates. This is done to prevent scratching of the disks, which could result in permanent damage.

While the idea behind the research is by no means new, the team from Princeton and Purdue expanded on what had previously been thought possible when attempting to interrupt HDD operations using sounds at certain frequencies. The idea of attacking HDDs using acoustics was theorized over a decade ago. Since then, current Joyent CTO Brendan Gregg showed how loud sounds induce read/write errors in a data center's hard drives in the now infamous "Shouting in a datacenter" video in 2008. Earlier this year, an Argentinian researcher demoed how he made a hard drive temporarily stop responding to OS commands by playing a 130Hz tone.

The latest research illustrates the practicalities of conducting such an attack and includes the team's practical experiments, which provide firm proof-of-concept demonstrations. The team used a specially crafted test rig to blast audio waves at a hard drive from different angles, recording results to determine the sound frequency, attack time, distance from the hard drive, and sound wave angle at which the HDD stopped working. Unfortunately for hard drive manufacturers, the team had no trouble determining the optimum attack frequency ranges for the four Western Digital hard drives they used for their experiments. As they did not struggle to find the optimum frequencies, they argued that a sufficiently motivated attacker would not either. Such an attack requires the attacker to generate an acoustic signal in the vicinity of HDD storage systems, which leaves both companies and lone individuals susceptible.

The research team contends that the attack could be done in the following ways:

The attacker can either apply the signal by using an external speaker or exploit a speaker near the target. Toward this end, the attacker may potentially take advantage of remote software exploitation (for example, remotely controlling the multimedia software in a vehicle or personal device), deceive the user to play a malicious sound attached to an email or a web page, or embed the malicious sound in a widespread multimedia (for example, a TV advertisement).

Such an attack depends on achieving a certain set of conditions, with no one-size-fits-all approach available. One factor is distance: the closer the speaker is to the hard drive, the less time is needed to carry out the attack. Another is duration: the longer the attack lasts, the greater the chance that it will cause a permanent denial of service that requires a device restart, instead of a temporary issue from which the device can recover by itself. To complicate matters further, attackers need to pay special attention that no human operators are in sight, as the attacks are in the audible range of the human ear.

DVR Devices Susceptible

In their research, the team found that desktops running Windows 10, Ubuntu 16, and Fedora 27 could be attacked in this way. A particularly interesting aspect of the research was the testing of Digital Video Recording (DVR) devices used to record video on CCTV (Closed-Circuit Television) systems. In the experiments conducted by the team, they managed to cause a hard disk error in a system 230 seconds after the attack began. Once the attack was concluded, they attempted to replay the recorded video and discovered that it had indeed been interrupted. To correct the problem, the DVR needed to be restarted; however, the video footage was permanently lost.

It is hoped that the research conducted by the team might lead hard drive manufacturers to include some kind of acoustic protection in their products. Although the attacks relied on generating an acoustic signal at close distances, this limiting factor can be made irrelevant by using a more powerful sound source. The researchers contend that “The security of HDDs has been overlooked despite their critical role in computing systems. HDDs hold essential software components (e.g., the operating system) and various forms of sensitive information (e.g., camera footage in CCTVs), and thus, can be an appealing target for a plethora of attackers.”

Are Mass Exploits a Reality?

Given the number of conditions that need to be met to conduct a successful attack, it is unlikely that such an attack method will be used in a mass exploit campaign. The researchers feel that such attacks are inherently suited to targeted attacks against carefully selected critical systems. Such attacks could then be used by nation-state threat actors to aid with physical intrusions into secure systems, or to corrupt or sabotage forensics collection. There is the potential to cause loss of life with such attacks if they are used to attack HDDs linked to medical devices, for instance.

A scenario not explored in the research paper, but suggested by other researchers, is the potential to use an acoustic attack against ATMs. The acoustic attack could be combined with fileless malware that executes in the ATM's RAM. The acoustic attack would be used to stop the ATM from collecting forensic evidence for a period. The malware would then be used to dispense cash from the machine.

About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.
