fully functional TickTock prototype, consisting of different stacked components
A group of researchers from the National University of Singapore and Yonsei University (Korea) recently released, who have developed a method to detect the activation of a microphone hidden in a laptop.
To demonstrate the operation of method based on the Raspberry Pi 4 board, amplifier and transceiver (SDR), a prototype called TickTock was assembled, which allows detecting the activation of the microphone by malware or spyware to listen to the user.
The passive detection technique the inclusion of a microphone is relevant, since, in the case of a webcam, the user can block the recording simply by sticking the camera, then turning off the built-in microphone is problematic and it is not clear when it is active and when it is not.
The method is based on the fact that when the microphone is working, the circuits that transmit clock signals to the analog to digital converter start to emit a specific background signal that can be captured and separated from the noise caused by the operation of other systems by the presence of specific electromagnetic radiation from the microphone, it can be concluded that recording is taking place.
The device requires adaptation for different laptop models, as the nature of the emitted signal largely depends on the sound chip used. To correctly determine the activity of the microphone, it was also necessary to solve the problem of filtering noise from other electrical circuits and taking into account the change in the signal depending on the connection.
"First, these solutions require users to trust the laptop manufacturers' implementation or operating systems, which have been compromised by attackers multiple times in the past or which the manufacturers themselves could be malicious," they state in their document. . "Second, these solutions are built into only a small fraction of devices, so most laptops today don't have a way to detect/prevent eavesdropping."
At the end, the researchers were able to adapt their device to reliably detect activation from the microphone in 27 of the 30 models of tested laptops made by Lenovo, Fujitsu, Toshiba, Samsung, HP, Asus and Dell.
The three devices the method did not work with were the 2014, 2017 and 2019 Apple MacBook models (it was suggested that the signal leakage could not be detected due to the shielded aluminum case and the use of short flex cables).
“The emanation comes from the cables and connectors that carry the clock signals to the microphone hardware, ultimately to operate its analog-to-digital converter (ADC),” they explain. "TickTock captures this leak to identify the on/off status of the laptop's microphone."
The researchers also tried to adapt the method for other classes of devices, such as smartphones, tablets, smart speakers and USB cameras, but the efficiency turned out to be noticeably lower: of the 40 devices tested, only 21 were detected, which is explained by the use of analog microphones instead of digital ones, other connection circuits and shorter conductors that emit an electromagnetic signal.
The end result was quite successful, other than Apple hardware.
“Although our approach works well on 90 percent of tested laptops, including all tested models from popular vendors such as Lenovo, Dell, HP, and Asus, TickTock fails to detect microphone clock signals on three laptops, all which are Apple MacBooks, » the brainiacs claim in their article.
They speculate that of the devices that were impossible to detect, it may be due to the MacBook's aluminum cases and short flex cables attenuating EM leakage to the point that no signal can be detected.
As for smartphones, it may be due to analog rather than digital microphones on some phone models, a lack of power constraints on connected microphone-equipped hardware, such as smart speakers.
Finally if you are interested in knowing more about it, you can check the details In the following link.