[personal profile] mjg59
So the CIA has tools to snoop on you via your TV and your Echo is testifying in a murder case and yet people are still buying connected devices with microphones in and why are they doing that the world is on fire surely this is terrible?

You're right that the world is terrible, but this isn't really a contributing factor to it. There's a few reasons why. The first is that there's really not any indication that the CIA and MI5 ever turned this into an actual deployable exploit. The development reports[1] describe a project that still didn't know what would happen to their exploit over firmware updates and a "fake off" mode that left a lit LED which wouldn't be there if the TV were actually off, so there's a potential for failed updates and people noticing that there's something wrong. It's certainly possible that development continued and it was turned into a polished and usable exploit, but it really just comes across as a bunch of nerds wanting to show off a neat demo.

But let's say it did get to the stage of being deployable - there's still not a great deal to worry about. No remote infection mechanism is described, so they'd need to do it locally. If someone is in a position to reflash your TV without you noticing, they're also in a position to, uh, just leave an internet connected microphone of their own. So how would they infect you remotely? TVs don't actually consume a huge amount of untrusted content from arbitrary sources[2], so that's much harder than it sounds and probably not worth it because:


Seriously your phone is like eleven billion times easier to infect than your TV is and you carry it everywhere. If the CIA want to spy on you, they'll do it via your phone. If you're paranoid enough to take the battery out of your phone before certain conversations, don't have those conversations in front of a TV with a microphone in it. But, uh, it's actually worse than that.

These days audio hardware usually consists of a very generic codec containing a bunch of digital→analogue converters, some analogue→digital converters and a bunch of io pins that can basically be wired up in arbitrary ways. Hardcoding the roles of these pins makes board layout more annoying and some people want more inputs than outputs and some people vice versa, so it's not uncommon for it to be possible to reconfigure an input as an output or vice versa. From software.

Anyone who's ever plugged a microphone into a speaker jack probably knows where I'm going with this. An attacker can "turn off" your TV, reconfigure the internal speaker output as an input and listen to you on your "microphoneless" TV. Have a nice day, and stop telling people that putting glue in their laptop microphone is any use unless you're telling them to disconnect the internal speakers as well.

If you're in a situation where you have to worry about an intelligence agency monitoring you, your TV is the least of your concerns - any device with speakers is just as bad. So what about Alexa? The summary here is, again, it's probably easier and more practical to just break your phone - it's probably near you whenever you're using an Echo anyway, and they also get to record you the rest of the time. The Echo platform is very restricted in terms of where it gets data[3], so it'd be incredibly hard to compromise without Amazon's cooperation. Amazon's not going to give their cooperation unless someone turns up with a warrant, and then we're back to you already being screwed enough that you should have got rid of all your electronics way earlier in this process. There are reasons to be worried about always listening devices, but intelligence agencies monitoring you shouldn't generally be one of them.

tl;dr: The CIA probably isn't listening to you through your TV, and if they are then you're almost certainly going to have a bad time anyway.

[1] Which I have obviously not read
[2] I look forward to the first person demonstrating code execution through malformed MPEG over terrestrial broadcast TV
[3] You'd need a vulnerability in its compressed audio codecs, and you'd need to convince the target to install a skill that played content from your servers
From: (Anonymous)
"An attacker can "turn off" your TV, reconfigure the internal speaker output as an input and listen to you on your "microphoneless" TV"

Are you actually serious? I don't want to sink to your level of oversimplification, but on very loose terms, generally, a speaker will be driven by an amp, which will in turn be driven by a DAC, i.e. a piece of silicon that makes analogue signals out of bits.

By contrast, a microphone will be feeding an ADC - something that makes bits out of analogue signals. It's pretty much the opposite of the bidirectional data flow you are implying is possible. Sure it might be part of a bigger SoC but it will still be incapable of driving a speaker for sure.

I don't understand what could motivate someone to make this point, other a complete lack of understanding of basic electronic engineering. Look at a phone schematic. Show me some code for an Android phone that allows the speaker to be used a mic. I have respect for you as an author, but this point is stupid, no other way to describe it.

Lastly, even if your absurd point was valid, and it was possible to just start using a speaker as a mic arbitrarily, have you ever tried using a speaker as a mic, sure, it might "work" but the speaker will have very unfavourable audio characteristics when used as a mic, and you will capture sound, but getting meaningful information out of it, e.g. a conversation, is a very different problem, one which you won't be able to solve due to physical limitations of the device.

TLDR: prove that there exist a significant number of devices where the speaker can be reconfigured to act as a mic in practise or GTFO
From: (Anonymous)
OK, here you go:

From: (Anonymous)
FWIW, the paper does point out:

Active Loudspeakers vs. Passive Loudspeakers
Note, however, that the reversibility principle poses a limitation: the speaker must be passive (unpowered), without amplifier transitions. In the case of an active (self-powered) speaker, there is an amplifier between the jack and the speaker, hence the signal won't be passed from the output to the input side [6]. Since most modern loudspeakers have an internal amplifier [7], the threat presented in this paper is primarily relevant to headphones and earphones, and not to the loudspeakers typically connected to a PC.


So... laptop speakers may be less of a threat than your earpods. Still... (Makes me glad my headphones are active-amplified Bose w/ no passthrough.)
From: (Anonymous)
Given that:
- In smartphones and many device using SOC[1], Many of the CODECs[2] used can indeed configure the functions of pins trough software. This is typically done by the Linux kernel.
- In laptops there are microphones too, and the pins can also be reconfigured. This is often called "retasking" for Intel "sound cards".
- Desktop computers falls into the same categories than laptops but have no microphone

Assuming that the user removed all internal microphones of the given device (smartphone or laptop) or has a desktop computer, how is the above relevant?

If we assume that the CODEC or sound card has no special constraint with routing the pins to the function[3], we then can easily test it.

To do that you can either:
- Connect your headphones to the microphone jack and test how much sound level you can record.
- Try to reroute pins, a retasking GUI exists for intel HDA sound cards and try to record.

The issue is then that the volume of the sound you recorded is not the same with headphones than a microphone because of physical constraints: The microphone is physically designed to get sounds transformed as electricity. If the speaker require a lot of power to operate, then you would need in return to shout very loudly to make the membrane vibrate enough to produce electricity...

The question is then how much usable is the recording. Do algorithm exist to isolate voice in that context? Will they exist tomorrow?

[1] System on a chip, the "Processor" of your phone.
[2] A CODEC is the analog part of the "sound card". It is typically connected to the SOC trough PCM.
[3] You will need to check the relevant datasheets to find out.



Matthew Garrett

About Matthew

Power management, mobile and firmware developer on Linux. Security developer at Google. Ex-biologist. @mjg59 on Twitter. Content here should not be interpreted as the opinion of my employer.

Expand Cut Tags

No cut tags