Posted: April 22, 2019 by

For years, researchers have been poking holes in our audio output devices in the name of security and privacy. They've found many ways our headphones can be hacked or otherwise compromised. Learn what they discovered, and how you can secure your own.

More than a decade ago, cardiologists from the Beth Israel Medical Center in Boston presented findings at the American Heart Association (AHA) Scientific Sessions 2008 showing that MP3-player headphones can disrupt implanted heart devices, such as pacemakers and implantable cardioverter defibrillators (ICDs), when the headphones are placed on the chest directly over the implant.

The interference ranged from preventing a defibrillator from detecting abnormal heart rhythms, to temporarily deactivating it (and so stopping it from delivering a life-saving shock), to forcing a pacemaker to pace the heart regardless of the patient's current rhythm, to fully reprogramming the device.

The experts identified the neodymium magnets found in most headphones as the culprit behind these potentially life-threatening disruptions. Doctors have repeatedly warned pacemaker and defibrillator patients about magnets and other devices that can accidentally interrupt their implants, but the warnings seem to have fallen on deaf ears.

Headphones, earphones, and headsets were never designed to interfere with heart devices, yet interfere they did. While that interference was accidental, the curious among us may start to wonder: Can headphones be intentionally tampered with to harm their users? What else can headphones do that they weren't supposed to? Thankfully, the answer to the first question is, "Not with life-endangering consequences." However, audio output devices, including headphones, can pose a security and privacy risk to users, especially when abused by clever people with ill intent.

Headphones, like webcams, are now suspect

It’s not just the webcam you should mind and secure. For years, researchers have been looking for and poking holes in our audio output devices, in the name of security and privacy. While the potential risks of headphones may be a new subject for our readers, the solutions for securing them are (thankfully) practical and familiar.

In the next few sections, we'll cover various potential risks and vulnerabilities of headphones and other audio output devices, as well as the technology around them, including the software that ships with some headsets.

From headphones to microphone to risk

YouTube houses a trove of videos on how to turn headphones, and even earbuds, into a microphone. This works because a headphone driver and a dynamic microphone are built the same way: a diaphragm attached to a coil sitting in a magnetic field. Push current through the coil and the diaphragm moves, producing sound; let sound move the diaphragm and the coil produces a small current. That makes it easy for anyone to MacGyver a microphone if all they have is a pair of headphones.

Exactly how do users transform their headphones into microphones? By plugging the headphone or earphone jack into the computer's line-in (or microphone) port instead of the headphone port. Headphones aren't optimized to be microphones and vice versa, so the quality won't be the same.

But can headphones used as a makeshift microphone be a risk to your privacy? They can, albeit a minor one. If you hold one earpiece close to your mouth while pouring your heart out, anyone who has compromised the computer it's plugged into can record whatever you're spouting to the mirror or to a room full of tipsy friends. The weakness is in the computer, not in the headphones: they are just the transducer the attacker records through.

Spying without spyware

Improvising a microphone with headphones is not the only way to put oneself at risk. As this CNET video shows, software on the computer can turn headphones into a microphone without anyone touching a cable, and that capability can be abused as well.

Researchers at Ben Gurion University (BGU) in Israel found a way to automate the physical task of switching the output to the input, and to improve the headphones' ability to capture sound clearly from across the room in the process.

They did this with a proof-of-concept malware they called SPEAKE(a)R, which abuses the jack retasking feature of Realtek audio codecs: a jack that is wired as an output can be reconfigured in software to act as an input. The malware quietly retasks the output jack to which the headphones are connected on a PC or laptop, then records any sounds or conversations happening in the room. You can watch the video recording of the demo in their lab below, or read their paper on the subject here [PDF]:

The SPEAKE(a)R lab demo

In their tests, the researchers used a pair of Sennheiser headphones, which probably explains the clear quality of the recording even from 20 feet away. We'd guess the recorded sound quality depends on the headphones themselves; Sennheiser is one of a handful of brands known for high-fidelity headphones.

The simplest way to render SPEAKE(a)R useless is to not physically attach headphones (or passive speakers) to an affected system. Since the technique depends entirely on the codec's jack retasking feature, an audio driver or firmware that does not allow retasking also defeats it.
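Retasking leaves a visible trace in the codec's own state, which gives defenders something to check. The script below is an added example written for this article, not the BGU researchers' code: on Linux the HD Audio driver exposes every pin's factory role ("Pin Default") and its current control bits ("Pin-ctls") in `/proc/asound/card*/codec#*`, and a pin whose factory role is an analog output (Line Out, Speaker, HP Out) but whose control register has the IN bit set has been retasked. The codec dump it parses is constructed for the example; the bit layout follows the Intel HD Audio specification.

```python
"""Spot a retasked audio jack from the HDA codec state (added example)."""
import glob
import re

# "Default device" field of the 32-bit pin default configuration (bits 23:20).
DEFAULT_DEVICE = {
    0x0: "Line Out", 0x1: "Speaker", 0x2: "HP Out", 0x3: "CD",
    0x4: "SPDIF Out", 0x5: "Digital Other Out", 0x6: "Modem Line Side",
    0x7: "Modem Handset Side", 0x8: "Line In", 0x9: "AUX", 0xA: "Mic In",
    0xB: "Telephony", 0xC: "SPDIF In", 0xD: "Digital Other In", 0xF: "Other",
}
ANALOG_OUTPUTS = {0x0, 0x1, 0x2}

# Pin widget control bits: an output jack with IN set is what retasking produces.
PINCTL_IN, PINCTL_OUT, PINCTL_HP = 0x20, 0x40, 0x80

NODE_RE = re.compile(r"^Node (0x[0-9a-f]+) \[Pin Complex\]")
DEFAULT_RE = re.compile(r"^\s+Pin Default (0x[0-9a-f]+):")
CTLS_RE = re.compile(r"^\s+Pin-ctls: (0x[0-9a-f]+)")


def parse_pins(dump):
    """Return {node_id: {"default": int, "ctls": int}} for every pin complex."""
    pins, current = {}, None
    for line in dump.splitlines():
        m = NODE_RE.match(line)
        if m:
            current = m.group(1)
            pins[current] = {"default": None, "ctls": None}
            continue
        if line.startswith("Node "):      # some other widget type; stop attributing lines
            current = None
            continue
        if current is None:
            continue
        m = DEFAULT_RE.match(line)
        if m:
            pins[current]["default"] = int(m.group(1), 16)
            continue
        m = CTLS_RE.match(line)
        if m:
            pins[current]["ctls"] = int(m.group(1), 16)
    return pins


def find_retasked_outputs(dump):
    """List (node, factory role, ctls) for output jacks currently enabled as inputs."""
    findings = []
    for node, pin in parse_pins(dump).items():
        if pin["default"] is None or pin["ctls"] is None:
            continue
        connectivity = (pin["default"] >> 30) & 0x3   # 0x1 = nothing wired to this pin
        device = (pin["default"] >> 20) & 0xF
        if connectivity == 0x1 or device not in ANALOG_OUTPUTS:
            continue
        if pin["ctls"] & PINCTL_IN:
            findings.append((node, DEFAULT_DEVICE[device], pin["ctls"]))
    return findings


# Constructed dump: node 0x1b is a front headphone jack that has been retasked to
# input; 0x14 is a normal line-out; 0x18 is a real mic jack; 0x1c is an unwired pin.
SAMPLE_DUMP = """\
Codec: Realtek ALC892
Node 0x14 [Pin Complex] wcaps 0x40058d: Stereo Amp-Out
  Pincap 0x0000003c: IN OUT Detect
  Pin Default 0x01014010: [Jack] Line Out at Ext Rear
  Pin-ctls: 0x40: OUT
Node 0x18 [Pin Complex] wcaps 0x40048b: Stereo Amp-In
  Pincap 0x00003734: IN OUT Detect
  Pin Default 0x01a19030: [Jack] Mic at Ext Rear
  Pin-ctls: 0x24: IN VREF_80
Node 0x1b [Pin Complex] wcaps 0x40058d: Stereo Amp-Out
  Pincap 0x0000003c: IN OUT HP Detect
  Pin Default 0x0221401f: [Jack] HP Out at Ext Front
    Conn = 1/8, Color = Green
  Pin-ctls: 0x20: IN
Node 0x1c [Pin Complex] wcaps 0x40040b: Stereo Amp-In
  Pin Default 0x411111f0: [N/A] Speaker at Ext Rear
  Pin-ctls: 0x20: IN
"""

if __name__ == "__main__":
    # Real use: audit every codec on this Linux machine.
    for path in sorted(glob.glob("/proc/asound/card*/codec#*")):
        with open(path) as fh:
            for node, role, ctls in find_retasked_outputs(fh.read()):
                print(f"{path}: pin {node} ({role}) has IN enabled, Pin-ctls=0x{ctls:02x}")
    print("sample dump:", find_retasked_outputs(SAMPLE_DUMP))
```

Only node 0x1b is reported: 0x18 is a microphone jack and is supposed to be an input, and 0x1c has IN set but its default configuration says nothing is wired to it. A hit is not proof of malware (tools such as hdajackretask let a user retask a jack on purpose), but on a machine where nobody did that, an output jack flipped to input is exactly the condition SPEAKE(a)R creates.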

When headphone software opens systems to MITM attacks

Speaking of Sennheiser, the company found itself in security hot water after researchers at Secorvo found a vulnerability not in their headphones, but in their headphone software: HeadSetup.

According to Secorvo's 16-page report [PDF], the flaw affects users of both Windows and macOS who are using, or have used, the HeadSetup software. It stems from the way the software sets up an encrypted WebSocket connection (a communications protocol) with the browser: the installer adds a self-signed TLS certificate to the OS's Trusted Root CA certificate store (on Windows) or the macOS Trust Store (on macOS), so that the browser will accept the local connection.

Because that certificate and its private key are identical across every installation of the software, and the key ships with it, anyone who has HeadSetup can extract the key and use it to sign certificates for any website. Every machine with the rogue root installed will accept those forged certificates as genuine, which is exactly what an attacker needs to perform Man-in-the-Middle (MITM) attacks against HeadSetup users. Yikes.

Sennheiser users can update HeadSetup to the latest version to protect themselves from future attacks. Since former users are affected as well, it is also worth checking your trust store for the leftover Sennheiser certificate and removing it.
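To see why a shared root key is so dangerous, here is an added example (written for this article; it is not Sennheiser's HeadSetup code or Secorvo's tooling) that rebuilds the shape of the problem: a helper mints a self-signed CA so its local WebSocket can use TLS, the CA ends up in the trust store, and because the CA's private key is the same everywhere, anyone holding it can issue a certificate for a hostname they don't own that every such machine will accept. The CA name and the hostname are placeholders, and the example needs the `cryptography` package.

```python
"""Forging a site certificate with a shared, trusted root key (added example)."""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID


def _validity(days):
    now = datetime.datetime.now(datetime.timezone.utc)
    return now - datetime.timedelta(days=1), now + datetime.timedelta(days=days)


def make_self_signed_root(common_name="Headset Helper Local CA"):
    """What a vendor helper does at install time: mint a root CA that the
    installer then adds to the OS trust store. Returning the private key
    models the HeadSetup situation, where the same key shipped to every user."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    not_before, not_after = _validity(3650)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name).issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(not_before).not_valid_after(not_after)
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(key, hashes.SHA256())
    )
    return key, cert


def forge_leaf(root_key, root_cert, hostname):
    """The attacker's step: with the shared root key, issue a server
    certificate for a hostname the attacker does not control."""
    leaf_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    not_before, not_after = _validity(365)
    cert = (
        x509.CertificateBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, hostname)]))
        .issuer_name(root_cert.subject)
        .public_key(leaf_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(not_before).not_valid_after(not_after)
        .add_extension(x509.SubjectAlternativeName([x509.DNSName(hostname)]), critical=False)
        .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
        .sign(root_key, hashes.SHA256())
    )
    return leaf_key, cert


def issued_by(leaf_cert, root_cert):
    """The victim's view: does this leaf chain to a root in my trust store?
    Checks the issuer name and the signature against the root's public key."""
    if leaf_cert.issuer != root_cert.subject:
        return False
    try:
        root_cert.public_key().verify(
            leaf_cert.signature,
            leaf_cert.tbs_certificate_bytes,
            padding.PKCS1v15(),
            leaf_cert.signature_hash_algorithm,
        )
    except InvalidSignature:
        return False
    return True


def leaf_hostnames(cert):
    """DNS names the certificate claims, as a browser would read them."""
    san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    return san.get_values_for_type(x509.DNSName)


if __name__ == "__main__":
    shared_key, rogue_root = make_self_signed_root()       # identical on every install
    _, fake_bank = forge_leaf(shared_key, rogue_root, "bank.example")
    print("machine with the rogue root accepts forged bank.example:",
          issued_by(fake_bank, rogue_root))
    _, other_root = make_self_signed_root("Some Other CA")
    print("a machine trusting only an unrelated root accepts it:",
          issued_by(fake_bank, other_root))
```

The forged certificate passes on any machine that trusts the rogue root and fails everywhere else, which is the whole MITM risk in one picture: a root whose private key exists outside the one machine it was generated on is a root for attackers too. A helper that really needs TLS to localhost should generate a fresh key on each install and never ask the user to trust a CA that can sign for arbitrary names.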

Exploited USB headphone port in Nexus 9 can lead to data exfiltration

Aleph Security researchers, inspired by the work of Michael Ossmann and Kyle Osborn on multiplexed wired attack surfaces [PDF], experimented with the Nexus 9 and discovered that its headphone jack can be used to reach the FIQ (Fast Interrupt Request) Debugger, a developer tool that ships with Google Nexus devices. They accessed it using a Universal Asynchronous Receiver/Transmitter (UART) debug cable they built themselves.

Worse, the Nexus 9's FIQ Debugger answered commands that those with ill intent would find especially useful: it could leak sensitive kernel information such as the stack canary value, CPU registers, and the process list, and it could reboot the device into the bootloader, from which a factory reset can be forced.

FIQ Debugger interface with a list of help commands (Source: Aleph Security)

Fortunately, Google has patched the flaws the researchers reported.

Risks surrounding Bluetooth headphones, earphones, and headsets

BlueBorne is the name of an attack vector that uses Bluetooth to infiltrate and take control of Bluetooth-enabled devices. Since many wireless headphones, earbuds, and streaming devices rely on Bluetooth, they, and the phones and computers they pair with, are exposed to it.

Discovered in 2017 by IoT security company Armis, BlueBorne consists of eight related zero-day vulnerabilities in the Bluetooth stacks of major OS platforms. A compromised device can be used for malware propagation, espionage, and information theft, to name a few.

Anyone within radio range can eavesdrop on a Bluetooth headset, even one that is not in discoverable mode. All it takes is the headset's default PIN, which for most is "0000" (without quotation marks), an external antenna to extend Bluetooth range, and a device to pair with the headset and control it. SANS Senior Instructor Joshua Wright showed how this is done in the video "Eavesdropping on Bluetooth Headsets."

Users can avoid falling victim to BlueBorne and eavesdropping attacks by keeping their devices' firmware up to date and turning Bluetooth off when not in use.

From audiophile to…paranoiac?

Covering your laptop's built-in webcam is a common and effective practice for deterring voyeurs from watching you without your knowledge. It is also why users are advised to disconnect external cameras from desktop computers when they are not in use.

For headphones, headsets, and earphones, a different set of approaches is needed. While securing webcams is easy, securing audio inputs is not. Putting tape over a laptop's microphone hole, even a thick piece doubled up à la Mark Zuckerberg, simply doesn't block sound. Securing audio inputs takes some knowledge of how your device's audio hardware works, a bit of patience, and, in extreme cases, sacrificing a pair of earphones.

If you're worried that your headphones, earphones, or headset could be used to invade your privacy, you don't have to go to extremes. Applying basic cybersecurity hygiene to your listening devices is a good place to start: keep everything updated, including the OS, the device's firmware, and any apps you use with it.

But if you absolutely and undoubtedly don’t want your headphones snooping on you in any way, here’s a simple, low-cost way of doing it: disconnect them from your computing or mobile device.

Happy, and safe, listening!

Other resources: