February 5, 2024

How the Government Hacks You, Chapter 11: Resonance Attacks

It’s time to uncover how government surveillance gets personal.

The third level of interest, personal interest, focuses on techniques that can be used to spy on a single person. One of the most common ways to gather information on a person of interest is to listen to them.

Traditional listening methods, such as wiretapping, are becoming less effective. People don’t call each other on their mobile phones much these days, and landlines are nearly a thing of the past in many parts of the world. Sure, with cooperation from the victim’s mobile phone carrier a log of their texts can be obtained. But really getting to know a target requires more.

Planting bugs is always an option, but not many people have strangers in and out of their homes during the day, and the existence of home security and Cloud-connected doorbell cameras makes the task more difficult. However, other resonance attacks open the door to spying on an individual without ever setting foot on their property. We’ll examine both options.


What is a Resonance Attack?

A resonance attack is anything that uses vibrations to pick up sound remotely. That could mean a traditional ‘bug’, which either permanently records sound in the area, or transmits sound back to a central location for analysis. But it could also mean a variety of ways to take over existing microphones in a household, or ways to perform frequency analysis on objects and devices that reflect sounds that are happening in their vicinity.

This shouldn’t be confused with physical resonance attacks, which seek to disrupt or destroy a piece of infrastructure by magnifying or manipulating an object’s natural vibration patterns. The attacks we’re referring to are strictly in the realm of observational spycraft, although in some cases an impressive amount of physics and engineering is involved.

Resonance Attacks Via Traditional Microphones

There are two ways that government entities use old-school microphones to spy on someone. The first is by planting a bug or hidden mic somewhere in the vicinity or on the premises. And the other method involves hijacking existing microphones on site, or even on the target’s person.

As to planting bugs, just about everyone reading this will be familiar with the world’s most popular bugging incident: Watergate. In 1972 the President of the United States, Richard Nixon, was caught hiring agents to bug the office of the Democratic National Committee (DNC). At the time, those offices were located in the Watergate complex in Washington, D.C. The agents were caught wiretapping phones and stealing documents, and later the whole thing was tied back to the Oval Office, which forced Nixon to step down before he got impeached.

But the history of bugs stretches back to WW2 and even prior. In the 1940s, the Soviet Union gifted the Great Seal bug to the U.S. It was a passive recording device, only emitting signals when hit with a radio beam. It remained undetected until the early 1950s. If recording devices could be that discreet over 70 years ago, imagine what they must be like now.

But there’s no need to imagine. Incidents of bugging take place all around the world every week, though we only hear about the high-profile ones that get detected. In 2001, the Pakistani embassy building in London was bugged, only discovered two years later. In 2004, a UN meeting room bug was detected. In late 2021, Russia was found to be experimenting with listening devices disguised as rocks.

But the vast majority of bugging is done by law enforcement, rather than traditional spy organizations. The U.K. just reported their use of bugs to take down an English drug gang. Earlier that same year, there was a lawsuit over who would provide bugging and mass surveillance services in the U.K. In the U.S., wiretaps are used regularly in drug cases.

Heck, even the cops are wiretapping the cops in some corruption cases. They even bug ankle bracelets of minors who are awaiting trial. This is just as horrific as it sounds:

"The idea that an adult can turn on a listening device while a child is in the bathroom or in their bedroom is not good." - Sarah Staudt - Lawyer for the Chicago Appleseed Center for Fair Courts and Fund for Justice.

Not even Northern California, seen as the cradle of technological invention and personal freedom in the United States, is immune to the bugging epidemic. In 2016, it was revealed that Bay Area cities were being bugged in various public locations. This included light fixtures and a bus stop outside of an Oakland courthouse.

And that’s just the English-speaking world that has some measure of warrant awareness and a jurisprudence system. We’ve already discussed Russia’s mass warrantless wiretapping program in earlier chapters, and their use of bugs in the past. China used a combination of high-tech data monitoring and low-tech bugging to spy on the African Union HQ.

Private bugging is common as well, and not just by licensed private investigators. In India, bugs are incredibly cheap and they’re used in an array of corporate spying operations, many of them internal. Snooping on rival sports teams is even a thing, as the All Blacks Rugby team knows quite well from their hotel bugging incident in Sydney back in 2016.

The trend of using small listening devices is not limited by any country’s border, any job role, or any government interest level. It should be considered ubiquitous.

But what about taking over an existing microphone? We know that governments around the world have been doing this for years, thanks to the Snowden leaks. The Nosey Smurf attack, pioneered by GCHQ in the U.K., turns any mobile device into a hot mic. Turning the device off doesn’t help, because the Dreamy Smurf attack can just turn it back on while it’s in your pocket or on your desk.

These cute names represent devastating breaches of privacy and public trust. And because GCHQ is part of Five Eyes, this is happening in the United States, the United Kingdom, Australia, Canada, and New Zealand… at minimum. The UKUSA agreement has expanded over the decades. Thanks to the NSA’s Foreign Affairs Directorate, all of the expanded 14 Eyes countries have some level of ‘requested’ access to these hot mic hacks. Other close allies may or may not have ‘request’ access at any given time depending on the political climate. Countries such as Japan, Israel, Singapore, and South Korea need to liaise with the NSA to get such access.

And that’s just in Western nations and their allies. China forces travelers into certain regions to turn their phones over at the border crossing, where spy apps are installed. These apps include camera access, data monitoring, and hot mic capabilities.

Russia’s SORM program, as discussed in previous chapters, can monitor active calls through a carrier, but it’s uncertain if they can turn on a mic remotely. The alternative for them would be to attempt to connect a call to the mobile device without any ringtone. While technically possible, there’s no public evidence of this being used at the time of writing (Q3 2023). Caution is advised.

As far as computer microphones and webcams go, there’s all manner of malware and spyware that will allow an attacker to take over those devices. There are thousands of live-leaked hacked cameras streaming at any given point, after all. The level of sophistication is so low that any government can do it if they can get people to fall for a social engineering trick or two. But what evidence is there that governments are actively hacking computer microphones?

Of course, the most high-profile spyware that can hijack a phone’s camera and microphone is Pegasus from the NSO Group. It was used in the murder of reporter Jamal Khashoggi by Saudi crown prince Mohammed bin Salman. It was used to target and attack journalists in India. It was used to spy on politicians and journalists in Mexico. Rwanda used it to hunt down enemies of the state and citizen protestors. The Pegasus payload controls and monitors a mobile device completely, not only acting as a hot mic but also skimming data and monitoring all email and chat activity.

There are dozens of variants on companies like NSO and products like Pegasus, but it was only because of a data leak that we got to see the incredibly evasive, destructive, and in some cases murderous results of this kind of software.

But let’s not pretend that only the highest level of software sophistication has features that include microphone hijacking. Publicly available ‘off the shelf’ spyware can hijack a microphone with no problems. For under $100, any police organization, private company, or individual can get in on the action. They just need access after they buy a license, which is easily done via a no-knock raid, a ‘wellness check’, or whatever excuse is most convenient in their country or state.

Resonance attacks via traditional microphones are, to be blunt, easy. They’re the low-hanging fruit. Microphones available for hijacking are located everywhere… in every cell phone, every laptop, every home assistant, and most PCs. Failing that, bugs are cheap and they’re incredibly easy to plant if one has physical access.

But let’s assume that something more sophisticated is required because the target is security-conscious or has significant home or business monitoring and good anti-spyware habits. What’s the next step?

Resonance Attacks Via Synesthesia

To be clear, when we say ‘synesthesia’, we aren’t talking about the medical phenomenon that involves the intermingling or interaction of neural pathways between the senses. In the hacking world, synesthesia refers to the translation of a visual input to an audio output or vice versa.

The first type of side channel attack in this category involves using a webcam microphone to detect a monitor’s coil whine, giving a rough visual representation of what a user is looking at. Although this form of synesthesia attack is frightening, it also requires the microphone to already be hacked, so it only applies if the spyware methods above were previously successful.

Of more direct interest to our topic is the opposite form of input transformation: the ability to turn visual inputs, in particular the vibration of objects in the vicinity, into sound.

We’ve already spoken about the ability of a spy to turn a window pane into a microphone in prior chapters. And we discussed the lampphone attack and the glowworm attack as well. All of these can be used for personal spying as well as corporate, falling under the visual-to-audio synesthesia hack umbrella.

Remembering the rule of thumb, it will probably take government agencies around a year or two to foolproof the methods discovered above, so that any random agent can make use of them in the field. That means by the end of 2023, you can assume that most of these methods will be available to government entities if they aren’t already.

All of these attacks require a direct line of sight to the target of their frequency analysis, however. There are a couple of low-tech countermeasures that can be applied to just about every home, and they’re leveraged by government and law enforcement agencies all the time. Thick curtains, air gapping, and breaking line of sight to work and private areas can all help increase your privacy greatly.

Resonance Attacks Via Utility Access and Easements

Utility access is exactly what it sounds like: Utility companies are being given the expected access to lay and in some cases maintain things like wires and pipes so that residences on the property are in what most people would consider livable condition.

An easement is an allowance that we make for the property owner and others to enjoy the expected utilities on a property, or to allow an adjacent property to access what they need to live.

These sorts of arrangements cover hookups, poles, and meters for utilities such as water, natural gas, sewer, and electricity. They might exist underground, along the building’s foundation, or, in the case of easements for access, out on the border of the property.

Of particular interest to our topic is access to water and sewer lines.

Posing as a utility worker or tradesman is nothing new to spies or undercover cops and has been well documented. As recently as 2020, a pair of Russian spies posed as plumbers as they attempted to install surveillance equipment at the World Economic Forum. In 2019, U.S. cops in Georgia posed as construction workers to sting people who were texting and driving. In 2017, a German turncoat electrician was caught providing floor plans and electrical plans to Russia. In 2015, an undercover cop posed as a construction worker to monitor union activities in the U.K.

Posing as someone innocuous who has unusual amounts of access to a location has been happening since the Cold War, and is an activity that’s undertaken by just about every government on the planet. If someone is setting up cones and working on the water or sewer system just up the road, it’s quite unlikely that anyone has gone up to them and asked for proper identification.

This means, with minimal cooperation from the real utility companies, running a thin line up a sewer pipe or down a water pipe is a trivial task. The bugs used at the end of those lines need to be small and waterproof, but that’s a trivial set of requirements to meet when IPX7 and IPX8 mics exist.

So without ever stepping onto the property, without ever installing anything permanent, and without using any wireless transmission or signal, there are dozens of potential listening targets in any given home. The best ones would have an air gap, remain dry most of the day, and avoid particularly harsh chemicals or hot oils. That makes toilet cisterns, shower drains, and bathroom sinks premium targets.

Other utility easement attacks involve climbing utility poles and bugging or wiretapping landline phones. But landline use is becoming far rarer in today’s world. Snaking a listening device in through existing pipes and conduit is far more useful.

Conclusion

Resonance attacks, ranging from old-school bugging, to spyware and malware microphone hijacking, to laser listening devices, are all in common use today. The more primitive methods might have been around since World War II, but they’re still effective tools in the modern law enforcement and government surveillance toolbox.

Will R
Hoody Editorial Team

Will is a former Silicon Valley sysadmin and award-winning non-functional tester. After 20+ years in tech, he decided to share his experience with the world as a writer. His recent work involves documenting government hacking methods while probing the current state of privacy and security on the Internet.
