A team of researchers from the National University of Singapore and Yonsei University has built TickTock, a Raspberry Pi-powered prototype of a device they hope could one day warn users when a nearby microphone is active.
"We are witnessing a heightened surge in remote privacy attacks on laptop computers. These attacks often exploit malware to remotely gain access to webcams and microphones in order to spy on the victim users," the researchers claim in the abstract to their paper. "While webcam attacks are somewhat defended with widely available commercial webcam privacy covers, unfortunately, there are no adequate solutions to thwart the attacks on mics despite recent industry efforts."
Their proposed solution is TickTock, a device that aims to detect whether an embedded microphone is active or disabled, without relying on integration with the underlying hardware or a spoofable software toggle.
The prototype TickTock sensor is built around a Raspberry Pi 4 Model B single-board computer running GNU Radio and connected to an SDRPlay RSP-1A software-defined radio (SDR) dongle. Its operation relies on the fact that it's possible to pick up unintended radio-frequency leakage when a laptop's microphone is active — leakage which is not present when the microphone is disabled.
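The detection idea described above, as an added example that is not the researchers' code or their GNU Radio flowgraph: given complex baseband samples from an SDR tuned near a known microphone clock frequency, it compares the power at the expected offset with the median power of nearby reference bins. The sample rate, the 250 kHz offset, the 12 dB threshold and the synthetic captures are all constructed assumptions, not values from the paper.

```python
import cmath
import math
import random

def bin_power(iq, offset_hz, fs_hz):
    """Power of the complex samples at one frequency offset (single-bin DFT)."""
    step = cmath.exp(-2j * math.pi * offset_hz / fs_hz)
    acc, phasor = 0j, 1 + 0j
    for s in iq:
        acc += s * phasor
        phasor *= step
    return abs(acc / len(iq)) ** 2

def clock_leak_present(iq, clock_offset_hz, fs_hz, threshold_db=12.0,
                       spacing_hz=5e3, n_side=8):
    """Return (detected, ratio_db): power at the expected clock offset
    relative to the median power of reference bins on both sides."""
    peak = bin_power(iq, clock_offset_hz, fs_hz)
    refs = sorted(
        bin_power(iq, clock_offset_hz + sign * k * spacing_hz, fs_hz)
        for k in range(1, n_side + 1) for sign in (-1, 1))
    floor = (refs[len(refs) // 2 - 1] + refs[len(refs) // 2]) / 2  # median
    ratio_db = 10 * math.log10(peak / floor)
    return ratio_db >= threshold_db, ratio_db

def synth_capture(n, fs_hz, clock_offset_hz=None, amp=0.1, seed=1):
    """Constructed test data: Gaussian noise, plus a weak tone when the
    (hypothetical) microphone clock is running."""
    rng = random.Random(seed)
    out = []
    for i in range(n):
        s = complex(rng.gauss(0, 1), rng.gauss(0, 1))
        if clock_offset_hz is not None:
            s += amp * cmath.exp(2j * math.pi * clock_offset_hz * i / fs_hz)
        out.append(s)
    return out

FS = 2_000_000          # assumed SDR sample rate, samples/s
CLOCK_OFFSET = 250_000  # constructed offset of the clock tone from the tuned centre, Hz

if __name__ == "__main__":
    for label, off in (("mic off", None), ("mic on", CLOCK_OFFSET)):
        iq = synth_capture(20_000, FS, off)
        print(label, clock_leak_present(iq, CLOCK_OFFSET, FS))
```

The tone is injected well below the per-sample noise level, so it is only visible after integrating over the whole capture, which is why the detector needs the clock frequency in advance.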
The team's testing proved the concept, though there are a few caveats, only one of which is the work required to miniaturize the technology to the size of a USB flash drive for improved portability. The biggest issue is that of calibration and positioning: the sensor required knowledge of the frequency of the microphone's clock signal as well as where the receiver should be positioned to pick up the weak leakage signals, with the microphone connector, cable, or a common ground being ideal positions.
To work around this, the researchers propose three possible solutions: laptop manufacturers could ship a TickTock dongle with their hardware, marking where it should be positioned and the frequency required with one or more stickers attached to the laptop; another possibility is for a "TickTock server" to host user-submitted frequency and position data; and the final, least tempting solution is for users to scan for the correct frequencies and positions themselves.
"Although our approach works well on 90 per cent of the tested laptops, including all tested models from popular vendors such as Lenovo, Dell, HP, and Asus," the team admits, "TickTock fails to detect the mic clock signals in three laptops, all of which are Apple MacBooks. As part of future work, we hope to utilize TickTock to identify access to other sensors including cameras and inertial measurement unit (IMU) sensors."
A preprint of the team's work is available on Cornell's arXiv.org server.