Huiling Chen (College of Computer Science and Electronic Engineering, Hunan University, Changsha, China), Wenqiang Jin (College of Computer Science and Electronic Engineering, Hunan University, Changsha, China), Yupeng Hu (College of Computer Science and Electronic Engineering, Hunan University, Changsha, China), Zhenyu Ning (College of Computer Science and Electronic Engineering, Hunan University, Changsha, China), Kenli Li (College of Computer Science and Electronic Engineering, National Supercomputing Center in Changsha, Hunan University), Zheng Qin (College of Computer Science and Electronic Engineering, Hunan University, Changsha, China), Mingxing Duan (College of Computer Science and Electronic Engineering, National Supercomputing Center in Changsha, Hunan University), Yong Xie (Nanjing University of Posts and Telecommunications, Nanjing, China), Daibo Liu (College of Computer Science and Electronic Engineering, Hunan University, Changsha, China), Ming Li (The University of Texas at Arlington, USA)

Audio eavesdropping poses serious threats to user privacy in daily mobile usage scenarios such as phone calls, voice messaging, and confidential meetings. Headphones are thus favored by mobile users as it provide physical sound isolation to protect audio privacy. However, our paper presents the first proof-of-concept system, Periscope, that demonstrates the vulnerabilities of headphone-plugged mobile devices. The system shows that unintentionally leaked electromagnetic radiations (EMR) from mobile devices' audio amplifiers can be exploited as an effective side-channel in recovering victim's audio sounds. Additionally, plugged headphones act as antennas that enhance the EMR strengths, making them easily measurable at long distances. Our feasibility studies and hardware analysis further reveal that EMRs are highly correlated with the device's audio inputs but suffer from signal distortions and ambient noises, making recovering audio sounds extremely challenging. To address this challenge, we develop signal processing techniques with a spectrogram clustering scheme that clears noises and distortions, enabling EMRs to be converted back to audio sounds. Our attack prototype, comparable in size to hidden voice recorders, successfully recovers victims' private audio sounds with a word error rate (WER) as low as 7.44% across 11 mobile devices and 6 headphones. The recovery results are recognizable to natural human hearing and online speech-to-text tools, and the system is robust against a wide range of attack scenario changes. We also reported the Periscope to 6 leading mobile manufacturers.

View More Papers

Compensating Removed Frequency Components: Thwarting Voice Spectrum Reduction Attacks

Shu Wang (George Mason University), Kun Sun (George Mason University), Qi Li (Tsinghua University)

Read More

LoRDMA: A New Low-Rate DoS Attack in RDMA Networks

Shicheng Wang (Tsinghua University), Menghao Zhang (Beihang University & Infrawaves), Yuying Du (Information Engineering University), Ziteng Chen (Southeast University), Zhiliang Wang (Tsinghua University & Zhongguancun Laboratory), Mingwei Xu (Tsinghua University & Zhongguancun Laboratory), Renjie Xie (Tsinghua University), Jiahai Yang (Tsinghua University & Zhongguancun Laboratory)

Read More

Experimental Analyses of the Physical Surveillance Risks in Client-Side...

Ashish Hooda (University of Wisconsin-Madison), Andrey Labunets (UC San Diego), Tadayoshi Kohno (University of Washington), Earlence Fernandes (UC San Diego)

Read More

Don't Interrupt Me – A Large-Scale Study of On-Device...

Marian Harbach (Google), Igor Bilogrevic (Google), Enrico Bacis (Google), Serena Chen (Google), Ravjit Uppal (Google), Andy Paicu (Google), Elias Klim (Google), Meggyn Watkins (Google), Balazs Engedy (Google)

Read More