Sound Effects: Exploring Acoustic Cyber-weapons

The presentation discusses the potential risks of high and low frequency noise attacks on various devices and the availability of countermeasures.

• More research is needed on the risk of high and low frequency noise attacks on a wider range of equipment
• The lack of consensus around adequate safety guidelines is a challenge
• Countermeasures are available and effective
• The attacks are viable on a minority of devices and require specific conditions to succeed
• Limiting the frequency range of speakers and visibly alerting users when speakers are in use are some of the applicable countermeasures

The presentation explains that an attacker could potentially inject tones into a conversation using IP phones or launch a worm attack against multiple laptops in a soundproofed environment. The speaker also notes that while the attacks developed were trivial, there are many variables that make extrapolation to real-world effects challenging. Additionally, the presentation highlights the potential risks of using headphones at high volumes, which could be exploited by attackers to deliver malware. However, the attacks require victims to be susceptible to the adverse effects of the sound and exposed to it for a certain amount of time.

While recent research has explored the capability of attacks to cause harm by targeting devices – e.g., SCADA systems, vehicles, medical implant devices - little consideration has been given to the concept of attacks affecting psychological and physiological health by targeting humans themselves. In a first-of-its-kind study, we assessed the capability of several consumer devices to produce sound at high and low frequencies which may be imperceptible to many people, as a result of remote and local attacks, and compared the resulting sound levels to maximum recommended levels. In doing so, we tested their viability as localised acoustic weapons which could cause temporary/permanent hearing damage and/or adverse psychological effects. We examined a number of countermeasures, including a tool to detect specified frequencies above specified thresholds. In this talk, I will cover the background of malware which has, intentionally or not, caused physical or psychological harm. I will explore previous research on the harmful effects of sound, focusing particularly on high and low frequencies, and some of the guidance which has been proposed to limit exposure to such sound. I will examine the use of imperceptible sound as applied to security research (covert channels, ultrasonic tracking beacons, etc), and will present our experiments and findings, including threat models, methodology, the attacks we developed, and the implications of our results. Finally, I will suggest a number of countermeasures and outline some possible areas for future research.