DoS attacks against hard disk drives using acoustic signals
A group of Princeton and Purdue researchers has shown that it’s possible to mount a denial-of-service (DoS) attack against hard disk drives via acoustic signals.
Threat severity
Hard disk drives (HDDs) have become the most commonly-used type of non-volatile storage due to their increased reliability, fault tolerance, storage capacity, and so on.
“These technological advances in HDDs, along with the ever-increasing need for storing the huge amount of data, made them one of the core components of modern computing systems. Indeed, HDDs are now an inevitable part of numerous ubiquitous systems, including, but not limited to, personal computers, cloud servers, medical bedside monitors, closed-circuit television (CCTV) systems, and automated teller machines (ATMs),” the researchers noted.
An effective and easy to pull off DoS attack against HDDs could, therefore, lead to considerable real-world problems for individuals and organizations.
The attack
The effectiveness of the attack hinges on the attacker’s capability to create the acoustic signal close to the target device, in a way that causes significant vibrations in the drives’ internal components.
“The attacker may potentially take advantage of remote software exploitation (for example, remotely controlling the multimedia software in a vehicle or personal device), deceive the user to play a malicious sound attached to an email or a web page, or embed the malicious sound in a widespread multimedia (for example, a TV advertisement),” the researchers explained.
In order for the attack to remain unnoticed and its nature unknown, the signal should be below the human hearing range (20 to 20,000 Hz).
Attack limitations
The researchers demonstrated the viability of the attack by managing to stop the read/write operations of a disk in a CCTV system’s digital video recorder (DVR) device, as well as that in a personal computer. In the latter example, the attack lead to different malfunctions.
But they found that the success of the attacks depended not only on the frequency of the acoustic signal but also heavily on the angle of the speaker towards the hard drive. Thus, the source of the sound can’t be too far from the target.
“The farthest successfully performed attack was at the distance of 71 cm (92.8 dBA) for the 1 TB HDD at 9.1 kHz frequency, and 44 cm (102.6 dbA) for the 4 TB HDD at 8.5 kHz,” they shared.
Also, the attacker must find a way to discover the make and model of the target drives, so he or she can choose the amplitude of the acoustic signal that will trigger the acoustic resonance and affect the drive’s components.
Future, more successful attacks of this kind will depend on attackers finding workable solutions to these problems.