Researchers have revealed about the usage of sonic and ultrasonic signals to produce physical damage to hard drives. These signals which are inaudible to humans can be played through a target computer’s own built-in speaker or through a speaker near the targeted device.
A team of researchers from Princeton and Purdue University have performed a study last year which demonstrated a denial-of-service (DoS) attack against HDDs by exploiting a physical phenomenon called acoustic resonance.
HDDs are exposed to external vibrations and so specially crafted acoustic signals could cause significant vibrations in HDDs internal components, which could lead to the failure in systems that relies on the HDD.
To prevent head crash from acoustic resonance, modern HDDs make use of shock sensor-driven feedforward controllers that detect such movement and improve the head positioning accuracy while reading and writing the data.
A team of researchers from the University of Michigan and Zhejiang University has published their research, which reads that sonic and ultrasonic sounds causes false positives in the shock sensor, causing a drive to unnecessarily park its head.
Making use of this disk drive vulnerability, researchers explained how hackers perform successful real-world attacks against HDDs found in CCTV (Closed-Circuit Television) systems and desktop computers. They can use the effects from hard disk drive vulnerabilities to launch system level consequences such as crashing Windows on a laptop using the built-in speaker and halting surveillance systems from recording video.
An external speaker or the target system’s own speaker can be used for attacking by misleading the user into playing a malicious sound attached to an email or a web page.
The researchers tested acoustic and ultrasonic interferences against various HDDs from Seagate, Toshiba and Western Digital and found that ultrasonic waves took just 5-8 seconds to induce errors. But, sound interferences that lasted for more than 105 seconds caused the stock Western Digital HDD in the video-surveillance device to stop recording from the beginning of the vibration until the device was restarted.
If a victim is not physically near the system while attacking an adversary can use any frequency to attack the system. The system’s live camera stream does not indicate any attack. Also, the system does not provide any method to learn of audio in the environment.
The researchers were also able to interrupt HDDs in desktops and laptops running both Windows and Linux operating system. When a harmful audio was played over the built-in speaker it took only 45 seconds to cause a Dell XPS 15 9550 laptop to freeze and 125 seconds to crash it.
Some defences were mentioned by the researchers which could be used to detect or prevent such type of attacks, including a new feedback controller that could be deployed as a firmware update to diminish the intentional acoustic interference, a sensor fusion method to prevent unnecessary head parking by detecting ultrasonic triggering of the shock sensor, and noise dampening materials to attenuate the signal.