Your Mic Leaks Too Much: A Double-Edged Sword for Security

Microphones are an integral part of a wide range of devices owing to their utility in communication and voice-controlled assistance. However, the downside to microphones' ubiquity is the increase in eavesdropping that leads to inference attacks, such as recovering passwords by merely recording ambient sounds. To overcome such attacks, researchers have proposed several microphone detection and deterrence methods. However, existing methods have several disadvantages, such as lacking generalizability and requiring hardware modifications. In this paper, I examine the microphone security space by taking two past works as examples. Specifically, I demonstrate an attack that enables recreation of physical keys to unlock doors from recordings of the sound of key insertion into the keyhole. Subsequently, I propose an eavesdropping detection technique utilizing electromagnetic leakage signals from microphone hardware, which is generalizable across devices without requiring hardware changes. Finally, I present several open problems and their challenges towards achieving microphone security.


INTRODUCTION
Microphones are everywhere. While their purpose was voice telephony when they were invented over a century ago, today, due to their small form factor as well as the boom of the Internet of Things (IoT), their utility has vastly expanded. They are part of many commodity devices including smartphones, baby monitors, and mixed reality headsets, for applications such as communication, monitoring and spatial mapping. Microphones capture speech, which can reveal several kinds of private information about users such as their identity, emotional state and sociopolitical views. Apart from speech, they also capture ambient or background sounds such as keystroke taps from keyboards, power supply noise from laptops and subtle noises from computer screens, all of which can, surprisingly, also leak private information about users such as their login credentials, cryptographic keys and screen content, respectively [2,3,5]. Hence, the ubiquity of microphones combined with their ability to capture a wide range of audio makes them a suitable target for eavesdropping.
There have been several real-world instances of eavesdropping, especially in the form of stalkerware, where abusive partners and employers surveil victims by installing malicious audio-recording apps on victim-owned devices [1]. In addition, there have been malicious dual-purpose apps on the Google Play Store, e.g., iRecorder, a benign-seeming screen-recording app that also captured ambient audio from the user's phone every few minutes without the user's awareness [9]. In extreme cases, nation-state attackers have launched remote, zero-day, zero-click malware, which can record audio without leaving any trace on the victim's devices [4].
In light of such real-world attacks, I investigate the area of eavesdropping security. First, I examine the space of audio attacks through two works, SpiKey and Keynergy, that propose audio-based physical key inference [7,8]. These works demonstrate how the sound of key insertion can be utilized for inferring the key's secret, or its keycode, thereby enabling key duplication and physical security compromise.
Second, I discuss a defense solution for detecting eavesdropping, TickTock, which leverages leaked electromagnetic (EM) signals. TickTock captures the EM signals from the exterior of the device without requiring any modifications. Specifically, I focus on external detection methods that do not require hardware/software changes for the following reasons: (1) hardware updates are cumbersome and cannot be rolled out in user-owned devices, (2) software updates can be circumvented by powerful adversaries or can be controlled by adversarial parties (e.g., employers), and (3) external solutions can generalize across heterogeneous device types with varied hardware and software features, such as smartphones, laptops and voice assistants. Finally, I conclude by presenting challenges and opportunities for open problems in the space of microphone security.

AUDIO-BASED PHYSICAL KEY INFERENCE
Existing work in audio eavesdropping has thus far looked into compromising digital security (i.e., inferring cryptographic keys and passwords that breach online security). Hence, we questioned whether audio can also compromise our physical security (e.g., provide access to private spaces), specifically: "can we infer the keycode to a physical door lock (of a victim's home) by recording the sound of their key insertion?" We answer this question in the affirmative by proposing an audio-based physical key inference attack that leverages the sound produced during insertion of a key into a lock to infer its keycode, which is necessary for reconstruction of the key (Figure 1(a)). Key insertion produces audible click sounds due to the mechanical contact between the key and the internals of the lock. In SpiKey, we establish, through physical modeling and simulation, the relationship between the keycode and the time intervals between the different click sounds, assuming a constant key insertion speed [7]. Subsequently, we developed Keynergy, a proof-of-concept system for inferring the keycode from human key insertion, accounting for the high as well as inconsistent insertion speed [8]. The system was evaluated using sound captured from high-fidelity microphones as well as smartphone mics [8]. Our analyses revealed that audio carries sufficient information regarding the keycode and complements the visual domain signal for achieving key inference.
This work shows how subtle sounds that go unnoticed by humans can not only be captured by microphones, but also lead to (physical) security compromises. In general, most systems, be they mechanical, electrical or electromagnetic, inevitably produce vibrations due to resonance, piezoelectric, or photoacoustic effects, respectively, that can be picked up by microphones. In addition, the high sampling rate of microphones enables them to record both high-frequency (in kHz) and rapidly time-varying (in sub-ms) signals, making them a lucrative target for eavesdropping. Hence, we need methods to curb unwarranted microphone access.

MICROPHONE STATUS DETECTION
An important step towards addressing eavesdropping as described above is to robustly detect the microphone's on/off status on user devices. While several operating-system-level indicators exist, e.g., Android and Apple have microphone indicators, these are device-specific and are susceptible to compromise by remote attackers [4,9]. Hence, we posed the following question: "can we propose a robust microphone status detection system that does not require hardware modifications and is robust to remote adversaries?" TickTock addresses this by proposing a microphone recording detection system (Figure 1(b)) that leverages the electromagnetic (EM) leakage signals emanating from the microphone's circuitry [6]. TickTock utilizes the leakage from clock signals that are input to the microphone only when it is active (i.e., while recording), and withdrawn otherwise. By identifying the clock frequency as well as the EM leakage location through a bootstrapping phase, our prototype can identify microphone status in real time from the exterior of the device. TickTock achieves robust detection in over 25 laptops, as well as promising results across other device types containing digital microphones, including smartphones, smart speakers and web cameras. In this way, TickTock demonstrates how re-purposing leakage signals in mobile systems can aid in detecting microphone status.
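The clock-presence check described above, as a minimal added sketch; it is not TickTock's implementation. It bootstraps the clock frequency from one mic-on and one mic-off capture, then compares power at that frequency to the local noise floor. The capture is simulated, and the sample rate, clock frequency, tone amplitude and threshold are constructed values.

```python
import math
import random

FS, N = 48_000, 4096          # constructed sample rate and capture length
CLOCK_HZ = 12_000.0           # constructed stand-in for the microphone clock
CANDIDATES = [6_000.0, 9_000.0, 12_000.0, 15_000.0, 18_000.0]

def goertzel_power(samples, fs, freq):
    """Squared DFT magnitude at the bin nearest `freq` (Goertzel algorithm)."""
    n = len(samples)
    coeff = 2.0 * math.cos(2.0 * math.pi * round(n * freq / fs) / n)
    s1 = s2 = 0.0
    for x in samples:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def capture(mic_on, rng, fs=FS, n=N, clock_hz=CLOCK_HZ):
    """Simulated probe capture: unit-variance noise, plus a clock tone only while recording."""
    amp = 0.5 if mic_on else 0.0
    return [rng.gauss(0.0, 1.0) + amp * math.sin(2.0 * math.pi * clock_hz * i / fs)
            for i in range(n)]

def bootstrap(on_trace, off_trace, fs, candidates):
    """Bootstrapping: pick the frequency whose power rises most from mic-off to mic-on."""
    return max(candidates, key=lambda f: goertzel_power(on_trace, fs, f)
                                         - goertzel_power(off_trace, fs, f))

def mic_is_recording(trace, fs, clock_hz, ratio=40.0):
    """Flag recording when the clock bin exceeds `ratio` times the local noise floor."""
    step = fs / len(trace)    # width of one frequency bin in Hz
    nearby = sorted(goertzel_power(trace, fs, clock_hz + d * step)
                    for d in (-12, -9, -6, -3, 3, 6, 9, 12))
    floor = (nearby[3] + nearby[4]) / 2.0   # median of 8 neighbouring bins
    return goertzel_power(trace, fs, clock_hz) > ratio * floor

def demo(seed=1):
    """Bootstrap on one on/off pair, then classify a fresh mic-on and mic-off capture."""
    rng = random.Random(seed)
    clock = bootstrap(capture(True, rng), capture(False, rng), FS, CANDIDATES)
    return (clock, mic_is_recording(capture(True, rng), FS, clock),
            mic_is_recording(capture(False, rng), FS, clock))

if __name__ == "__main__":
    print(demo())
```

Using the median of neighbouring bins as the floor keeps the decision relative to the local noise level, so a single strong interferer in one nearby bin does not shift the threshold.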

CONCLUSIONS AND FUTURE WORK
In this paper, I shed light on the negative (attacks) and positive (defenses) effects of leakage signals captured/produced by microphones. Given the amount of ambient audio around us, audio inference attacks are here to stay. However, by systematically identifying them, we can enable effective solutions to secure systems. In the case of physical locks, I hope that our work underscores the need for designing secure lock systems that consider their acoustic leakage.
With respect to defenses, TickTock takes the first step towards identifying microphone status from EM signals. TickTock showcases the utility of leakage signals for securing systems. Despite the best efforts of hardware designers to eliminate emissions from clock and other digital signals, EM leakage can only be reduced, not eliminated, due to design imperfections. However, this can be a silver lining for security as it enables detecting attacks in spite of highly capable attackers.
We've only scratched the surface when it comes to curbing eavesdropping. I highlight two open problems and their challenges. (1) Distant Microphone Detection: While TickTock detects microphone status from the device's exterior in close proximity, EM leakage signals attenuate rapidly with distance in accordance with the inverse square law. Hence, detecting recording mics at a distance, in the presence of multiple devices (e.g., in meeting rooms with multiple smartphones), would be crucial. (2) Disabling Microphones: Beyond detection, we need ways to 'switch off' mics to deter recording. Unlike cameras, which can be disabled by sliding a plastic cover, microphones cannot be, even if covered with dampeners such as acoustic foam, due to diffraction. Hence, there's a need for effective solutions to disable microphones in devices without requiring hardware modifications.

Figure 1: (a) depicts an attack that utilizes the sound of key insertion captured by a spying smartphone to infer the secret of a physical key (i.e., keycode), and (b) depicts a defense for detecting eavesdropping by leveraging electromagnetic (EM) leakage signals from the laptop microphone's clock.