Not only can your computer or phone camera be hijacked, but your microphone as well. Computers typically have two audio jacks: one for sound input when you record something or talk on a Skype call, and one for plugging in your headphones to listen to music or play games.
The microphones in your earbuds or headphones are two-way streets: it’s simple to switch them from devices you listen with into devices that listen to you. All you have to do is plug the earbuds or headphones into the microphone jack instead of the headphone jack, start up a recording app, and you can capture whatever sounds your earbuds-used-as-mics can hear.
There’s a hack that lets you switch jacks. An eavesdropper doesn’t even need to get at your earbuds: they can switch your output port into an input port and record you even without a mic attached to the PC. The vulnerability – called “jack retasking” – was reported by researchers at Ben-Gurion University of the Negev’s Cyber Security Research Center. They’ve dubbed it SPEAKE(a)R.
They note that the reprogramming option is available on audio chipsets from Realtek, which are embedded in a wide range of modern PC motherboards. In fact, the researchers say the Realtek chips are so common that the attack works on practically any desktop computer, whether it runs Windows or macOS, and most laptops, too, as Wired, a monthly tech magazine, reports.
It’s not just Realtek, though; other codec manufacturers also support jack retasking. The researchers managed to use SPEAKE(a)R to retask a computer’s outputs to inputs, then to record audio even when the headphones are in the output-only jack or completely unplugged. After doing this, the team of researchers was able to record audio playing 20 feet across a room. The quality was good enough to distinguish the words spoken during the recording.
For more information, see YouTube tutorials on how to turn headphones into microphones and
Retasking or rejacking is not new. It is in the equipment’s technical specs. Most of today’s built-in sound cards can be used for more than one thing. Fortunately, almost no one seems to use it, or even know about it. There are no known attacks in the wild as of this writing.
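Because retasking is a documented codec setting, a defender can check for it. The following is an added example, not code from the article or the researchers: it assumes a Linux machine, where the sound driver exposes each HD Audio codec's pin state as text under /proc/asound/card*/codec#*, and it flags any jack whose default role is an output but whose input direction is currently enabled. The sample dump is constructed for illustration.

```python
import re

# Default-device names the Linux HD Audio driver prints for output-type pins.
OUTPUT_DEVICES = ("HP Out", "Line Out", "Speaker")

NODE_RE = re.compile(r"^Node (0x[0-9a-fA-F]+) \[Pin Complex\]")
DEFAULT_RE = re.compile(r"^\s+Pin Default 0x[0-9a-fA-F]+: \[[^\]]+\] (.+?) at ")
CTLS_RE = re.compile(r"^\s+Pin-ctls: 0x[0-9a-fA-F]+:(.*)$")


def find_retasked_pins(codec_text):
    """Return [(node_id, default_device)] for output pins with input enabled."""
    findings = []
    node = device = None
    for line in codec_text.splitlines():
        if line.startswith("Node "):
            m = NODE_RE.match(line)
            # Widgets that are not pin complexes are skipped (node stays None).
            node, device = (m.group(1) if m else None), None
        elif node and (m := DEFAULT_RE.match(line)):
            device = m.group(1)
        elif node and (m := CTLS_RE.match(line)):
            # Pin-ctls lists the active directions, e.g. "OUT HP" or "IN VREF_80".
            if device in OUTPUT_DEVICES and "IN" in m.group(1).split():
                findings.append((node, device))
    return findings


# Constructed sample in the codec dump layout (not captured from a real machine).
SAMPLE = """\
Node 0x02 [Audio Output] wcaps 0x41d: Stereo Amp-Out
Node 0x14 [Pin Complex] wcaps 0x40058d: Stereo Amp-Out
  Pin Default 0x01014010: [Jack] Line Out at Ext Rear
  Pin-ctls: 0x40: OUT
Node 0x18 [Pin Complex] wcaps 0x40048b: Stereo Amp-In
  Pin Default 0x01a19030: [Jack] Mic at Ext Rear
  Pin-ctls: 0x24: IN VREF_80
Node 0x21 [Pin Complex] wcaps 0x40058d: Stereo Amp-Out
  Pin Default 0x0221401f: [Jack] HP Out at Ext Front
  Pin-ctls: 0x20: IN
"""

if __name__ == "__main__":
    for node, device in find_retasked_pins(SAMPLE):
        print(f"pin {node}: default '{device}' but input is enabled")
```

A flagged pin is a lead to investigate, not proof of eavesdropping, since a user or driver can also retask a jack on purpose.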
For BBB tips for safer online computing, visit bbb.org/evansville where you can Start With Trust®.