Security researchers from the University of Michigan and Zhejiang University in China have demonstrated a new and unusual DDoS attack method that uses sound waves to cause physical damage to hard drives and cause PCs to crash, without the usage of any special, advanced equipment.
Researchers demonstrated this attack method last week at the IEEE symposium on Security and privacy in San Francisco in which they targeted a digital video security camera that contained a DVR which stored footage on a hard disk drive. When hit by the acoustic attack, the camera could no longer save the video data to the RAM.
In about 12 seconds the camera ran out of available space and lost all data until the attack stopped.
“Adversaries without special-purpose equipment can cause errors in the hard disk drive using either audible or ultrasonic acoustic waves. Audible waves vibrate the read/write head and platters; ultrasonic waves alter the output of the HDD’s shock sensor, intentionally causing the head to park,” according to the research paper entitled- "Blue Note - How Intentional Acoustic Interference Damages Availability and Integrity in Hard Disk Drives and Operating Systems."
However, this type of attack can result in corruption of OS, application level problems and hard disk data corruption causing the system reboot or even cause the dreaded Blue Screen of Death.
“Our experiments show that audible sound causes the head stack assembly to vibrate outside of operational bounds; ultrasonic sound causes false positives in the shock sensor, which is designed to prevent a head crash,” the research paper read. “For self-stimulation attacks, the victim accesses the adversary’s website — perhaps through a phishing attack or a link within a malicious email.
“The site then plays malicious audio without permission over the system’s built-in speaker to attack the HDD. The frequency response of a built-in speaker may limit the ability for an adversary to deliver ultrasonic attacks, but some speakers may be able to deliver ultrasonic or near ultrasonic tones.”
Proof-of-concept tests were conducted on three different HDD manufacturers: Western Digital, Toshiba, and Seagate. Attack scenarios also involved vibrations created by ultrasonic tones at a frequency higher than can be heard by humans (20 kHz and higher).
The test on the Toshiba HDD resulted in possible damage to the head controller, researchers said. Testing the Western Digital Blue WD5000LPVX HHD with the internal HP DC7600U speaker resulted in the freezing of the HP Elite Minitower desktop PC in which the HDD was equipped.
“The operating system does not seem to handle this error correctly, leading to UNEXPECTED_STORE_EXCEPTION. This indicates that the memory manager required data from the disk, but was unable to write into memory because of an in-page I/O error,” researchers said.
According to researchers, older systems that still use legacy magnetic HDD technology are highly vulnerable to these attacks. This technology is usually found in medical devices and other legacy systems that are difficult to retire such as the CCTV surveillance camera storage.
“Defenses include mitigating attacks in vulnerable frequency bands with attenuation controllers, using sensor fusion to detect attacks, and noise dampening materials to attenuate the signal.” the research paper noted.