Computers typically have two audio jacks: one for sound input, used when you record something or talk on a Skype call, and one for plugging in headphones to listen to music, play games or hear whatever other sounds the machine produces.
Anybody who has watched the YouTube tutorials on turning headphones into microphones knows that the speakers in earbuds and headphones are two-way streets: the same driver that turns an electrical signal into sound also turns sound into an electrical signal, so switching them from devices you listen with into devices that listen to you is simple.
All you have to do is plug the earbuds or headphones into the microphone jack instead of the headphone jack, start up a recording app, and you’re good to go with picking up whatever sounds your earbuds-used-as-mics can hear.
But it turns out there is a trick that spares you the jack-swapping entirely: the function of the audio ports can be switched invisibly, behind the scenes, by maliciously reprogramming the audio chip.
In that scenario an eavesdropper doesn’t even need to get at your earbuds: they can turn your output port into an input port and record you even when no microphone is attached to the PC.
The technique, known as “jack retasking”, was demonstrated by researchers at Ben-Gurion University of the Negev’s Cyber Security Research Center, who dubbed their attack SPEAKE(a)R. In a paper (PDF), they note that the reprogramming option is available on audio codec chips from Realtek, which are embedded in a wide range of modern PC motherboards.
In fact, the researchers say Realtek chips are so common that the attack works on practically any desktop computer, whether it runs Windows or macOS, and on most laptops too, as Wired reports.
It’s not just Realtek, though; other codec manufacturers also support jack retasking.
The researchers used SPEAKE(a)R to retask a computer’s outputs into inputs and then recorded audio with the headphones plugged into the output-only jack and no microphone connected at all.
The team then recorded audio playing 20 feet away across a room, as shown in their YouTube demonstration.
The researchers also compressed the recording and sent it over the internet, as an attacker would; the quality was still good enough to make out the words spoken during the recording.
The option to retask, or rejack, isn’t new: it is written into the chips’ technical specifications, which treat each jack as a configurable “pin” whose role (headphone out, line in, microphone in and so on) is set by software rather than fixed in hardware.
Almost nobody seems to know about it, though, as Linux audio developer David Henningsson noted:
Most of today’s built-in sound cards are to some degree retaskable, which means that they can be used for more than one thing… the kernel exposes an interface that makes it possible to retask your jacks, but almost no one seems to use it, or even know about it.
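One practical check that follows from Henningsson’s point: on Linux the HD Audio driver exposes each codec’s pin configuration under /sys/class/sound/hwC&lt;card&gt;D&lt;dev&gt;/ (init_pin_configs holds the values the codec booted with, user_pin_configs holds any overrides applied since), so comparing the two reveals a jack that has been retasked through that interface. The script below is an added example, not code from the SPEAKE(a)R paper or from the article; it decodes the 32-bit pin default-configuration word defined in the Intel High Definition Audio specification and flags any pin whose direction (output to input, or vice versa) or physical connectivity has changed. The sample file contents are constructed stand-ins for those sysfs files so it runs offline.

```python
"""Flag retasked HD Audio jacks by diffing init vs. user pin configurations.

Added example (not from the paper or the article). Field layout follows the
HD Audio spec's Configuration Default register; sample data is constructed.
"""
import re

# Bits 23:20 of the pin default-config word ("Default Device").
DEVICE_NAMES = {
    0x0: "Line Out", 0x1: "Speaker", 0x2: "HP Out", 0x3: "CD",
    0x4: "SPDIF Out", 0x5: "Digital Other Out", 0x6: "Modem Line Side",
    0x7: "Modem Handset Side", 0x8: "Line In", 0x9: "AUX", 0xA: "Mic In",
    0xB: "Telephony", 0xC: "SPDIF In", 0xD: "Digital Other In",
    0xE: "Reserved", 0xF: "Other",
}
INPUT_DEVICES = {0x8, 0x9, 0xA, 0xB, 0xC, 0xD}
OUTPUT_DEVICES = {0x0, 0x1, 0x2, 0x3, 0x4, 0x5}
# Bits 31:30 ("Port Connectivity"): physical jack, nothing, built-in, or both.
CONNECTIVITY = {0: "jack", 1: "none", 2: "fixed", 3: "jack+fixed"}


def decode_pincfg(cfg):
    """Split a 32-bit pin default-config word into its named fields."""
    device_code = (cfg >> 20) & 0xF
    return {
        "connectivity": CONNECTIVITY[(cfg >> 30) & 0x3],
        "location": (cfg >> 24) & 0x3F,
        "device_code": device_code,
        "device": DEVICE_NAMES[device_code],
        "conn_type": (cfg >> 16) & 0xF,
        "color": (cfg >> 12) & 0xF,
        "assoc": (cfg >> 4) & 0xF,
        "seq": cfg & 0xF,
    }


# sysfs *_pin_configs lines look like "0x1b 0x02214020" (node id, config word).
_LINE = re.compile(r"^\s*(0x[0-9a-fA-F]+)\s+(0x[0-9a-fA-F]+)\s*$")


def parse_pin_configs(text):
    """Parse '<nid> <config>' lines into {nid: config}; skip blank/malformed lines."""
    configs = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            configs[int(m.group(1), 16)] = int(m.group(2), 16)
    return configs


def direction(device_code):
    """Classify a Default Device code as audio input, output, or other."""
    if device_code in INPUT_DEVICES:
        return "input"
    if device_code in OUTPUT_DEVICES:
        return "output"
    return "other"


def find_retasked(init_text, user_text):
    """Return (nid, device_before, device_after) for every overridden pin whose
    direction or connectivity differs from the codec's initial configuration."""
    init = parse_pin_configs(init_text)
    user = parse_pin_configs(user_text)
    findings = []
    for nid in sorted(user):
        if nid not in init:
            continue  # override for a pin the codec never reported: nothing to diff
        before, after = decode_pincfg(init[nid]), decode_pincfg(user[nid])
        if (direction(before["device_code"]) != direction(after["device_code"])
                or before["connectivity"] != after["connectivity"]):
            findings.append((nid, before["device"], after["device"]))
    return findings


# Constructed sample: built-in speaker, rear mic jack, front headphone jack.
INIT_SAMPLE = """\
0x14 0x99130110
0x19 0x01a19030
0x1b 0x02214020
"""
# Constructed sample override: the front headphone jack re-declared as Mic In.
USER_SAMPLE = """\
0x1b 0x02a19020
"""

if __name__ == "__main__":
    for nid, before, after in find_retasked(INIT_SAMPLE, USER_SAMPLE):
        print(f"pin 0x{nid:02x} retasked: {before} -> {after}")
```

On a real system, read the two files for each codec in place of the constructed strings (the command-line tool hdajackretask from alsa-tools writes user_pin_configs through the same path). Note the limitation: this only catches retasking performed through the kernel's pin-config override, which is the benign path Henningsson describes; an attacker who sends verbs to the codec directly, bypassing that interface, leaves these files untouched, so the check is a hygiene audit rather than a detection of the SPEAKE(a)R attack itself.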
There are no known attacks in the wild at this point. It is an interesting vulnerability to know about, but for now it remains a proof of concept.