Eavesdropping on MEMS Microphones With a Radio



The tiny size, minimal power consumption, and low cost of micro-electromechanical systems (MEMS) microphones have contributed to them being included in everything from laptop computers to phones and smart speakers. Chances are that there are at least a few MEMS microphones within a couple of feet of you right now. These microphones make it easy to connect with your friends and family or interact with your digital devices, but you might feel differently about having them around after you hear about a new side-channel attack discovered by researchers at the University of Florida and the University of Electro-Communications.

The exploit uncovered by the team makes it possible to remotely eavesdrop on any conversation that is captured by a MEMS microphone. No modifications to the hardware or software are required — any phone, computer, or other device with this type of microphone is vulnerable right out of the box. And you may not even need to explicitly enable the microphone because certain commonly used apps, such as Spotify, YouTube, Amazon Music, and Google Drive, already turn it on under certain conditions.

The attack, named Sound of Interference, takes advantage of the way MEMS microphones handle digital signal processing. These microphones use a method called pulse-density modulation to convert sound into a stream of digital pulses. During this process, unintended electromagnetic (EM) emissions are produced. These emissions, although weak, carry acoustic information that can be captured and decoded by a nearby FM radio receiver.
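To see why a leaked pulse stream amounts to leaked audio, the following added example (not code from the researchers or the article) encodes a tone with a first-order sigma-delta modulator, a common way to produce pulse-density modulation, and shows that the local density of 1s tracks the sound itself. The clock rate, test tone and filter window are assumed values chosen for the sketch.

```python
import math

PDM_CLOCK_HZ = 1_024_000  # assumed bit clock for this sketch (not from the article)
TONE_HZ = 1_000           # constructed test tone standing in for speech
WINDOW = 64               # length in bits of the crude boxcar low-pass filter

def pdm_encode(samples):
    """First-order sigma-delta modulator: samples in [-1, 1] -> 0/1 pulses."""
    bits, error = [], 0.0
    for x in samples:
        error += x                     # accumulate the input
        bit = 1 if error >= 0 else 0   # 1-bit quantiser
        error -= 1.0 if bit else -1.0  # feed the quantised value back
        bits.append(bit)
    return bits

def pulse_density(bits):
    """Fraction of 1s in the stream."""
    return sum(bits) / len(bits)

def lowpass(bits, window=WINDOW):
    """Sliding density of 1s over `window` bits, rescaled to [-1, 1]."""
    out, acc = [], 0
    for i, b in enumerate(bits):
        acc += b
        if i >= window:
            acc -= bits[i - window]
            out.append(2.0 * acc / window - 1.0)
    return out

def correlation(a, b):
    """Pearson correlation over the common length of two sequences."""
    n = min(len(a), len(b))
    a, b = a[:n], b[:n]
    ma, mb = sum(a) / n, sum(b) / n
    cov = sum((p - ma) * (q - mb) for p, q in zip(a, b))
    var_a = sum((p - ma) ** 2 for p in a)
    var_b = sum((q - mb) ** 2 for q in b)
    return cov / math.sqrt(var_a * var_b)

def tone_roundtrip(n_bits=10_240):
    """Encode a tone to pulses, low-pass the pulses, compare with the tone."""
    tone = [0.5 * math.sin(2 * math.pi * TONE_HZ * i / PDM_CLOCK_HZ)
            for i in range(n_bits)]
    recovered = lowpass(pdm_encode(tone))
    return correlation(tone[WINDOW // 2:], recovered)  # skip the filter delay

if __name__ == "__main__":
    print("density for constant 0.5 input:", pulse_density(pdm_encode([0.5] * 1000)))
    print("tone vs. filtered pulses:", round(tone_roundtrip(), 4))
```

Because the waveform survives a plain averaging filter, anything that preserves the timing of the pulses preserves the sound, which is why the proposed countermeasures target the trace length and clock coherence rather than the audio encoding alone.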

In the group’s tests, basic equipment costing under $100 was all that was needed to perform the attack. A copper antenna and an off-the-shelf FM radio receiver were able to pick up intelligible speech transmitted through concrete walls as thick as 25 centimeters. In one test, ghostly fragments of random phrases like “Glue the sheet to the dark blue background” emerged clearly from the static. Spoken digits were recognized with greater than 94% accuracy within a range of two meters.

To better interpret the noisy EM signals, the team used advanced machine learning techniques and commercial transcription tools from companies like OpenAI and Microsoft. These tools, typically designed to handle traditional audio inputs, were nonetheless effective at transcribing the radio-leaked speech with surprisingly low error rates of just 14% in some cases, even without specific training on EM data.

Despite the findings, we do not need to toss MEMS microphones in the trash. The researchers identified multiple defenses that manufacturers could implement to foil this attack. For instance, relocating microphones closer to the main circuit board would shorten the length of conductive traces, which otherwise act like antennas. Slight protocol changes in the way audio is processed could also make intercepted signals harder to decode. Additionally, a hardware-level countermeasure involving clock randomization was proposed to disrupt the coherence of EM leakage.

For the time being, it remains uncertain whether manufacturers will incorporate these measures into future devices. Until then, users should be aware that the very microphones that help us stay connected may also be quietly broadcasting our conversations to anyone with a simple radio and a little bit of know-how.

By admin
