Is it possible to kill a person by hacking a speaker?
Science fiction has set this scenario on multiple times: A scientist develops a machine that generates sounds capable of controlling minds, altering moods, or even physically harming a person. What’s really intriguing about this narrative is the possibility of translating this idea into reality, so it’s worth questioning, could a sound be able to kill someone? Cybersecurity specialists argue that yes, it is completely possible.
On previous occasions experts have attempted to apply the use of audio waves for Internet user tracking purposes. However, the application of sound waves of different frequencies has reached disconcerting levels as a group of experts claim that it is possible, and relatively easy, to design malware capable of producing frequencies inaudible to the human ear in virtually any speaker system; these frequencies could damage the victim’s hearing, cause general physical discomfort or, at worst, trigger undesirable psychological effects.
Cybersecurity experts claim that such malware could be functional to reproduce these frequencies using the embedded speakers of any device, such as laptops, smartphones, hearing aids, Bluetooth speakers, smart speakers, alarm systems on the cities and more. In addition to malicious code, an attacker would only require access to the target devices or systems.
Matt Wixey, expert in charge of the research, placed some devices with built-in speakers in a sound-proof vessel known as an ‘anti echo chamber’, along with a sound level meter and thermometer to record metrics before and after the experiment. The cybersecurity expert found that, using this malware, the smart speaker, hearing aids, plus a single speaker, managed to emit frequencies so high that they exceeded the average frequency audible to people by various points. On the other hand, the Bluetooth speaker, a pair of noise-cancelling headphones and the smart speaker managed to emit frequencies so low that they exceeded the standard recommendations.
Another interesting finding is that the heat generated by the smart speaker during the experiment reached the point where the internal components of the device began to melt, leaving it completely useless. “We even notified the device manufacturer, who decided to release a patch against this malware,” the researcher said, without mentioning the company’s name. Wixey also refrained from disclosing further details about the malware he designed, stating that the experiment was not tested on humans; “It should be enough to know that these kinds of attacks are actually possible,” he concluded.
When it comes to the harmful potential of sound waves, some general aspects of people’s hearing ability need to be considered. Sound intensity is measured in decibels (dB); a regular conversation is known to record between 50 and 60 dB, while heavy machinery reaches about 120 dB, which are still resistible for the human ear. If a person could be actually harmed using only sound waves, it would require around 250 dB, a sound intensity virtually impossible to reach, even in enclosed spaces.
As for the frequency of sound waves, measured in Hertz (Hz), a human only perceives sounds between 20 and 20k Hz, however, the waves that we do not perceive can have greater effects. If a person is exposed to a frequency less than 19 Hz, even if they don’t hear anything, their hearing system will still be sensitive to vibrations, which could cause serious damage to the hearing, even harming other body functions.
The cybersecurity of embedded devices has not gone completely unnoticed. In 2015, security firm Red Balloon revealed a study in which malware was used to transmit sounds according to the activities of devices such as scanners and printers; thanks to sound patterns, it was possible to infer the data that passed through these devices, so the sound waves not only have malicious applications harmful to health, but can also be used for information theft.
In this regard, experts from the International Institute of Cyber Security (IICS) mention that the main prevention measure is in the hands of manufacturers; establishing a frequency limit in the manufacturing process, or integrating an alert system could be useful measures for preventing the use of sound waves for malicious purposes.
Originally published at https://www.securitynewspaper.com on August 12, 2019.