Damaging Hard Drives with an Ultrasonic Attack

Playing a sound over the speakers can cause computers to crash and possibly even physically damage the hard drive.

Academic paper.

Posted on June 1, 2018 at 11:14 AM • 26 Comments

Comments

markJune 1, 2018 11:30 AM

Right, what good is this attack? You need to be physically close to the actual HDD. I have doubts that it would work at, say, 60'.

ramriotJune 1, 2018 11:35 AM

@mark:

If its a laptop then its own speakers are pretty close to the drive.

DataWranlgerJune 1, 2018 12:31 PM

@mark: Focused ultrasonics can put almost any frequency at almost any amplitude pretty much where you want them. Look at LRAD and various ultrasonic suspension systems. I'm not suggesting a magic, sonic-screwdriver but an acoustic sledgehammer would probably be pretty easy. This research shows us that the power needed for success is much, much lower than "sledgehammer". I'm sure this thing could be shrunk down to SciFi compactness after proof-of-concept. (Oh, wait, that's what this paper just did...)

So 60'? Sure, challenge accepted.

PeaceHeadJune 1, 2018 1:55 PM

ZOMG!

I did my senior thesis in college on this type of thing (ultrasonics).
Some of the infos were published in the mid 1990s as if the technology for the speakers was new, but then the bulk was redacted and annexed by mil-int. I remember being at the city library trying to get info on the consumer and prosumer and professional audio uses and accidentally a bunch of radio/sonar/military/so-called non-lethal weaponry stuff came up... a lot of it; I was surprised. And then when I looked deeper, the technology didn't debut in the 1990s like it seemed like initially. It's 1960s technology that surfaces from time to time, but keeps getting redacted and reclassified and reannexed because it can be dangerous and already has a huge variety of mil-int connections. I don't like to talk about it too much, and I won't name any deeper specific terms because I enjoy not being served any NDA's (non-disclosure agreements).

DataWrangler, is quite correct, although I wouldn't know the specific product names aside from what is easily looked up.

I've glanced at some other stuff via patents or military articles or technical dictionaries and other mild stuff and considering the basic principles, it's not surprising that it keeps getting tucked back away decade after decade since the mid 1960s.

Remember those diplomats in Cuba getting electronically sick?
yeah, ish.

Like i decided back then, I'll stick to the music-making and peacefulness.
Thank god I didn't go to MIT. I woulda been so easily accidentlly absorbed into this whole realm, which woulda been tragic.

On another note: May Peacefulness Prevail Within All Realms of Existence.

Byung Kyu ParkJune 1, 2018 2:42 PM

From the article:

The most obvious defense is to use solid state drives (SSDs) instead of HDDs.

This is why I traded a 1TB internal drive for a 500GB SSD drive with same form factor (and double the price). I think with reasonable choice of what to store on your internal drive, SSD is hand-down better than HDD in nearly all circumstances, even after considering the higher price.

Not only are HDDs vulnerable to mechanical attacks like this, they also can't function reliably in reduced atmospheric pressure (like on high mountains or in airplane cabin that has lost cabin pressure).

RealFakeNewsJune 1, 2018 2:52 PM

@Byung Kyu Park:

Hard disks are hermetically sealed. I can't understand why high altitude operation would affect them.

@All:

Weren't SSDs shown to be susceptible to sonic attacks? I'm sure this was discussed previously on this blog.

echoJune 1, 2018 3:02 PM

@RealFakeNews

Hard discs have a vent hole with a filter allowing equalisation of pressure between inside the drive and outside the drive.

Security SamJune 1, 2018 3:23 PM

The degree of ingenuity
If harnessed in this blog
Could rid the perpetuity
Of our intellectual smog.

HmmJune 1, 2018 6:56 PM

Some HD's are sealed and even filled with Helium to reduce turbulence allowing more density.

"Weren't SSDs shown to be susceptible to sonic attacks?"

How do you think that would work anyway, I'm curious?

AnonJune 2, 2018 3:27 AM

Sonic damage in DC's happens all the time due to fire suppression being placed too close to storage arrays. Working for a major vendor, I call that an 'oops' as its followed by a very long lasting legal battle to pay for a multi-million dollar replacement for every disk. The non spinning stuff is almost always OK though.

Clive RobinsonJune 2, 2018 5:22 AM

@ Hmm,

How do you think that would work anyway, I'm curious?

Certain electrical components rely on "mechanical properties". The simplest to see this with is inductors and capacitors, that you especially find in powersupply units.

The point to remember that such components are not just electrical and mechanical but also transducers... The simplest examples to think of are capacitive and inductive microphones, but as importantly they also work the other way as speakers.

Most people have not heard "transformer humm" in years because modern Switch Mode Powersupply Units operate in the sound range above human hearing. Most SMPUs suprise suprise work in the low ultrasonic centimetric through to the sub millimetric microwave range of acoustic wavelengths.

Now the way an SMPU basically works is it rectifies it's input voltage to get 80-250Vdc from mains supply. Whilst this is a fairly ropey waveform, it gets switched on and off onto a "lossless energy storage component network" such as a very low ESR capacitor and/or inductor low pass or similar network. The result is often a network with a highish input impedence and low output impeadence. Whilst SMPUs can be "four quadrant" devices this is generally only true at one part of the circuit.

In theory you could hit the inductor in one part of the SMPU circuit such that "magnetoconstriction" can modulate the DC voltage with a high frequency signal at the sensor sampling rate. Get the phase right and you could move the DC output voltage by say a volt. Not of much concern for a DC motor that will have a 20-50% tolerance at 12Vdc, but some modern logic and analogue circuits work at 3V or less and has a tolerance of only a few percent... Which means there is potential to zap the control board or even read/write signals.

I've not tried it, so I can not say for certain, but I suspect that a few people will be giving it a try just for the laughs...

Security SamJune 2, 2018 8:50 AM

If an output circuit voltage goes over the bar
The output circuit in question uses a crowbar
In case of a short circuit or a ground fault
A current limiter kicks in above the threshold.

echoJune 2, 2018 11:43 AM

@Clive, @Hmm

Or in a fit of boneheaded clumsiness you could short-circuit your "golden sample" motherboard and head crash five hard discs like I did once and be left with a temperamental power supply. At the time I was so clumsy I could miss a doorway and come within 3 mm of smashing my nose into the wall. The funny thing is I can ram on hair perfect make up with my eyes shut. I do not perceive a future as an engineer. That said stuff today is a modern marvel.

Douglas L CoulterJune 2, 2018 3:58 PM

Last I checked absorption of sound in a medium goes up as the square of frequency.
(up to the molecular resonance, often GHz and above, anyway)
Shorter the wavelength, faster it's gone.

Sound at a level to drive significant nonlinearity in air is absorbed far faster, eg the range is very short, and while you could maybe radiate more power up to a point, air saturates on the minus side at "vacuum", you know. While the effect is noticeable at 120db and up - (See Olsen on acoustics about even-order distortion in acoustic horn mouths, or Beranek) - and as a now-recovered audiophool, we built some speakers that used beating of a carrier with a SSB signal to make invisible woofers - Nope, you ain't gonna get range out of this. Laws of physics and all that.

Clive RobinsonJune 2, 2018 4:53 PM

@ Doug,

Last I checked absorption of sound in a medium goes up as the square of frequency.

That is one effect, however things like the density of the transmission medium and any constraint such as a high density medium in a graded or profiled format to act as a channel has an effect.

The most obvious of which people get to meet in real life is knowing a train is approaching due to the twitching of the rails some considerable distance away long long befor any direct sound from the train through low density air happens.

Which brings us onto the notion of "slow wave structures" that is if you coil a higher density material in another lower density channel you can get the radiation from the coil to match propagation speeds with that of the lower density medium along with phase etc, which alows beam forming and energy containment.

Of course the other trick as with explosives is to use a higher density medium that has a propagation speed above the "speed of sound" of the surounding channel medium. Effectively trapping considerable energy into a molecule or two thick barrier similar to a blast wave.

It's a long time since I played with such structures, and we had a tame mathmetician doing the clever stuff which was akin to hydrocodes, that at the time were still considered "classified".

justinacolmenaJune 2, 2018 5:47 PM

FTA: https://arstechnica.com/information-technology/2018/05/attackers-can-send-sounds-to-ddos-video-recorders-and-pcs/

Just 12 seconds of specially designed acoustic interference was all it took to cause video loss in a 720p system made by Ezviz.

They're burglars. They had inside help designing that video system. It was intentionally made vulnerable to that particular "interference." You don't talk about stuff like that when you work at a place like that. It's put up or shut up. The silver and lead system. La ley de plata o plomo. Silver (money) if you cooperate, lead (bullet) if you don't. Very simple, and very effective.

https://www.wsj.com/ad/cocainenomics

https://www.reuters.com/investigates/special-report/mexico-violence-oil/

http://hir.harvard.edu/article/?a=11786

Douglas L CoulterJune 2, 2018 6:12 PM

@Clive,
Well, sure, but I think it wasn't completely stupid to assume range meant "in air"...

Maybe it was...I know of several cases where "air itself" - for example, exhaust gas from a gun or explosion - moves a lot faster than the speed of sound in air - shock waves do that...but if you're going to use bangy stuff, well, the range of the rifles I used in egg shoots (at 1 km) comes to mind (or Class F bench-rest shooting)...If you're not so picky about aim then other options arise...
I thought the point was to be somewhat stealthy...at a range that makes that possible. (Note - "silencers" - don't. The projectile still makes quite the sonic boom if it's moving fast enough)

Things that can do transverse waves are fun - usually quite slow (spring and plate reverbs are a lot smaller than a performance hall) but also fast when not so much in transverse mode (train tracks push most of their energy straight down the track but due to attachments and imbalances, there is mode-coupling - a train puts down a LOT of acoustic power in "all modes"). With seismometers and DSP you can classify some train characteristics from quite a long way (As was shown by a red team on the MX missile program).

I was once tasked with concept checking a design that used sound in steel and magnetostritive sensors to replace the position sensing on some CNC. It was too fast prop time vs the attenuation rate to get any good out of it.

Clive RobinsonJune 2, 2018 6:52 PM

@ Doug,

Well, sure, but I think it wasn't completely stupid to assume range meant "in air"...

If we were not talking about security I would whole hartedly agree with you. However those "assumptions" are what attackers use to their advantage, is kind of what I was getting at.

That is if you can find a way to push the energy down a transmission line and then get it to build in a resonator then it will radiate strongly around the resonator. If the target is in the near field of such a resonator then all bets are off.

Recognising a transmission line and a resonator can be quite difficult at times, especially if you are not actually looking for it...

For instance the acient Chinese supposadly had an earthquake direction finder that was a large metal urn with dragons around it's rim each one holding a metal ball just barely restrained by it's teeth. The urn would resonate in such a way that vibrations only built up under the dragons on one part of the rim. They would drop their balls onto chime plates thus giving both warning and direction.

And before you ask I have no idea if the Chinese ever got it working satisfactorily or not...

The point is we have systems for detecting earthquakes today that work on similar principles, so there is more than a chance the Chinese had something working, and most likely kept the details secret.

Personally I think that whilst it might look like an urn from a distance it was infact a circle of resonating upright tuning forks or similar.

You might want to have a look at these two papers,

https://www.nature.com/articles/ncomms11731

https://www.nature.com/articles/s41598-018-19797-x


Douglas L CoulterJune 2, 2018 7:18 PM

@Clive
Thanks for the links, I'll give them a more detailed look later on. I'm going to guess that in the context of security, if we let bad guys design in meta-materials (or anything else) to our protected structures we're done anyway?

I do like Bruce's long ago stated principle of defense in depth...I do have backups and not all on site, for example. A malefactor probably wouldn't find out about them all. Not hard to arrange for things to "disappear" if an attack on one is apparent and saving the info is important. But them I'm not google or something, just a retired engineer/physicist.

While I agree in principle, anything you call a resonator that also resonates has low 'Q' and therefor not much of a resonance (think radiation loss from an antenna - little circulating energy). The power won't build up slowly and then dump fast and hard (like a hammer or a capacitor or Q-switched laser can be used) unless you can somehow change it from a resonator to a radiator remotely.

I was just trying to point out that ultrasonics in air are kinda pukey to move much energy over much distance. Short range, fine...but even in water lower frequencies rule (sonar etc). That real high stuff, MHz for pics of wombs - inches and that's with real power and through what's basically a liquid (not many wavelengths as sound is faster there than air).

Clive RobinsonJune 3, 2018 4:00 AM

@ Doug,

I'm going to guess that in the context of security, if we let bad guys design in meta-materials (or anything else) to our protected structures we're done anyway?

To quote a bit of Shakespeare,

    The evil that men do lives after them...

As for "designed in" as you are aware you can make almost any support structure a transmission line and a chosen cross member a radiator at some frequency whilst another identical looking cross member radiate at a different frequency or not at all. Quite a few people have seen a simillar problem when doing "home plumbing" when water flow makes a pipe resonate sometimes painfully loud when a tap is turned on or a "ball cock" in a tank or cistern activates.

Years ago just inside of living memory aircraft fell out of the sky due to such effects, and a couple of decades later legs came off of oil rigs that then turned over again due to such effects. We now know more about resonance effects in structures but unless an object is viewed as "life threatening" such analysis is rarely done.

I know of a company that supplies 19" rack equipment, they had no idea that a wind tunnel added to improve air flow out of one type of high power equipment had inaudible resonance effects. Which is why the fans failed frequently in only that type of equipment and not other equipment that used exactly the same components but without the air tunnel. You can imagine how long it took to track that problem down.

We have computer models these days that would enable such effects to be deliberately "designed in". We also know tampering with equipment "in the supply chain" happens with the likes of certain US and other Western IC entities[1] as "standard practice (interdiction).

Thus the question arises of have they put the two together?

Well we know that the UK MI5 discovered that resonance and similar acoustic effects could be used as a side channel to leak key information from mechanical cipher machines back in the 1950's and that this was passed to GCHQ as well as the CIA and NSA under "the special relationship". Because much to Margaret Thatcher's ire it became public knowledge from a book that was published by an Ex MI5 Scientific Advisor.

We also now know that a supposadly independent manufacturer of crypto equipment in Switzerland was taking design advice from the NSA about "designing in" special defects into mechanical cipher equipment to make not just covert channels that leak key info but also to weaken them in other ways.

Thus I would be very supprised if quite a few IC entities had not put the two together and taken such action.

In fact there is evidence that suggests they might well have done so. If you think back to the Iranian Centrifuge issue, they had a secret test facility that found out what resonance effects to exploit to destroy the equipment. You don't usually build a "one off" test facillity, once you have a capability, you not only keep it you develop it further. In fact we know they did with the demonstration to the utility industries of what a cyber attack could do to a generator set or similar piece of industrial equipment. It's even been claimed that the CIA did something similar with a Russian gas pipline[2]. Whilst others have suggested that the CIA also had a hand in the Chernobyl disaster[3] (though the old saw about stupidity and malice suggests otherwise)...

Back in the Obama terms in office the subject of "Kill Switches" to the Internet came up. As I and others pointed out at the time, a kill switch is pointless with APT attacks already having taken place. Because the malware would already be there, and it would only require the most minor of changes to a payload activation code to get it to trigger if a "keep alive" signal or similar stopped.

So I put the probability that certain western IC agencies interdict equipment and add deliberate self destructive flaws or trigerable payloads in it or similar as highly probable. Which realy only leaves questions about which laws of physics they use and how they implement them for their "methods".

I know the above might make me sound paranoid, but look at it the other way, it is something I would certainly do if I was in their position. Simply because it's hard to fight a war if all your weapons and equipment suddenly start to fail, when you need them the most.

Likewise if all the kitchen appliances in your citizens homes stop working or become irratic in operation, ill health and demoralizing effects will follow. As I've mentioned before Issac Asimov put that idea in his early foundation series books thus the idea will have been read by many way way back.

As a long term friend has pointed out to me we both have a chearfully pessimistic view, in that when we walk into a new room or see a new system we look at ways it can fail and how to exploit them... Something that goes back to our childhoods and "mischief making" at school etc. You could call it the serious / business side of practical joking, our host @Bruce calls it "thinking hinky"...

[1] https://www.theguardian.com/books/2014/may/12/glenn-greenwald-nsa-tampers-us-internet-routers-snowden

[2] https://www.telegraph.co.uk/news/worldnews/northamerica/usa/1455559/CIA-plot-led-to-huge-blast-in-Siberian-gas-pipeline.html

[3] https://m.huffpost.com/us/entry/us_59a6c24ae4b0d81379a81c77

JG4June 3, 2018 7:17 AM


@Rachel - Glad to see your name again. Begging forgiveness for straying off-topic into health security and air security. I've been thinking about inflammation lately and stumbled into why cetyl myristoleate had settled down some tendonitis a decade ago. Unfortunately, somewhat after the handfuls of aspirin and iboprofen made me hypertensive. The bitterness and diabetes came later.

http://blogs.sciencemag.org/pipeline/archives/2018/05/07/stop-ignoring-the-sugars

It's pretty clear that a lot of disease processes involve inflammation caused by undesirable elements in the gut biome, as well as endocrine disruptors and other environmental toxins. Can't recall if I pointed out that internal combustion engines and vehicles cause brain damage. Not to put too fine a point on it, but we are killing ourselves and the planet. It should be possible to trap iron nanoparticles with magnets, but that won't stop soot or polycyclic aromatics. It is wise to invest in strong magnets. Did I post the content about how leaded gasoline shaved 7 IQ points off the US average? Coincidentally, I think that is the same number provided by breastfeeding, but in the good direction. Lead in gasoline also contributed to the crime wave of the 1970's. It's the anti-lithium.

How we discovered a possible link between car exhausts and Alzheimer’s
https://theconversation.com/how-we-discovered-a-possible-link-between-car-exhausts-and-alzheimers-64779
...
Iron is known to be toxic to brain cells, and tiny magnetic iron
particles (magnetite) are thought to be involved in the development of
neurological disorders. Now, for the first time, we have identified
the abundant presence of these highly reactive particles in human
brains.

Previous studies have suggested that there are increased amounts of
magnetite in Alzheimer’s-affected brains, and that these particles may
be linked with the development of the disease. We wondered if this
increased brain magnetite might come from inhaling polluted air.

Very small, round particles made out of magnetite (called magnetite
nanospheres) are abundant in city air pollution. They are formed at
high temperatures and condense as iron-rich droplets as they cool.
These particles range in diameter from less than 5nm (nanometres) to
more than 100nm (for comparison an HIV is 120nm in diameter) and are
often found together with pollution particles made out of other
metals.

Vehicles are a major source of these magnetite nanospheres. They are
created by fuel combustion (especially diesel), iron wear from the
engine block and frictional heating from brake pads. In addition to
some occupational settings, high concentrations of magnetite pollution
nanoparticles may be produced indoors by open fires or poorly-sealed
stoves used for cooking or heating.
...

Air pollution actually messes with your genes
http://grist.org/living/air-pollution-actually-messes-with-your-genes/

Polluted Air Leads to Disease by Promoting Widespread Inflammation
http://www.sciencedaily.com/releases/2011/04/110414131834.htm

Air pollution in towns and cities ‘ages brains of over-50s by three years’
http://www.dailymail.co.uk/health/article-2234239/Air-pollution-towns-cities-ages-brains-50s-years.html

Clive RobinsonJune 3, 2018 9:05 AM

@ JG4,

With regards sugars. It's been known for some time there is a tie up with them and rheumatoid arthritis. The link was found via young women stricken with it having it leave them compleatly during pregnancy. It was discovered in the late 1980's if my aging noddle serves me well.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.