Laptop denial-of-service via music: the 1980s R&B song with a CVE!
Credit to Author: Paul Ducklin| Date: Mon, 22 Aug 2022 16:03:07 +0000
You’ve probably heard the old joke: “Humour in the public service? It’s no laughing matter!”
But the thing with downbeat, blanket judgements of this sort is that it only takes a single counter-example to disprove them.
Something cannot universally be true if it is ever false, even for a single moment.
So, wouldn’t it be nice if the public service could be upbeat once in a while…
…as upbeat, in fact, as the catchy Janet Jackson dance number Rhythm Nation, released in 1989 (yes, it really was that long ago)?
This was the era of shoulder pads, MTV, big-budget dance videos, and the sort of in-your-ears-and-in-your-face lyrical musicality that even YouTube’s contemporary auto-transcription system renders at times simply as:
Bass, bass, bass, bass ♪ (Upbeat R&B Music) ♪ Dance beat, dance beat
Well, as Microsoft superblogger Raymond Chen pointed out last week, this very song was apparently implicated in an astonishing system crash vulnerability in the early 2000s.
According to Chen, a major laptop maker of the day (he didn’t say which one) complained that Windows was prone to crashing when certain music was played through the laptop speaker.
The crashes, it seems were not limited to the laptop playing the song, but could also be provoked on nearby laptops that were exposed to the “vulnerability-triggering” music, and even on laptops from other vendors.
Resonance considered harmful
Apparently, the ultimate conclusion was that Rhythm Nation just happened to include beats of the right pitch, repeated at the right rate, that provoked a phenomenon known as resonance in the laptop disk drives of the day.
Loosely speaking, this resonance caused the natural vibrations in the hard disk devices (which really did contain hard disks back then, made of steel or glass and spinning at 5400rpm) to be amplified and exaggerated to the point that they would crash, bringing down Windows XP along with them.
Resonance, as you may know, is the name given to the phenomenon by which singers can shatter wine glasses by producing the right note for long enough to vibrate the glass to pieces.
Once they’ve locked the frequency of the note they’re singing onto the natural frequency at which the glass like to vibrate, their singing continually boosts the amplitude of the vibration until it’s too much for the glass to take.
It’s also what lets you quickly build up height and momentum on a swing.
If you time your kicks or thrusts randomly, sometimes they boost your motion by acting in harmony with the swing, but at other times they work against the swing and slow you down instead, leaving you joggling around unsatifactorily.
But if you time your energy input so it always exactly matches the frequency of the swing, you consistently increase the amout of energy in the system, and thus your swings increase in amplitude, and you gain height rapidly.
A skilled swingineer (on a properly designed, well-mounted, “solid-arm” swing, where the seat isn’t connected to the pivot by flexible ropes or chains – don’t try this at the park!) can send a swing right over the top in a 360-degree arc with just a few pumps…
…and by deliberately timing their pumps out-of-sequence so as to counteract the swing’s motion, can bring it to a complete stop again just as quickly.
Proof-of-concept
We’re guessing that there were probably many other popular songs that could have provoked this hard-disk resonance to the point of failure, but Rhythm Nation was the proof-of-concept that showed this vulnerability could actively be exploited.
Chen reports that the laptop vendor added a frequency filter to the laptop’s own audio system in order to remove the frequency bands that tended to produce the problem, thus leaving the sound audibly unchanged but acoustically harmless.
By filtering the frequencies all the time, instead of trying to recognise Janet Jackson’s song specifically, this electronic countermeasure became a generic and proactive cybersecurity fix, not just a patch specific to one tune.
Well, to return to the issue of humour in the public service…
…it turns out that someone at MITRE in the US, where CVE bug numbers are co-ordinated, has assigned this issue an official bug number, as follows:
CVE-2022-38392: Denial of service (device malfunction and system crash):
A certain 5400 RPM OEM hard drive, as shipped with laptop PCs in approximately 2005, allows physically proximate attackers to cause a denial of service (device malfunction and system crash) via a resonant-frequency attack with the audio signal from the Rhythm Nation music video.
Even in a world where solid-state drives (SSDs, often still referred to as disks, even though they don’t have circular parts, let alone rotating ones) are widespread, you can still buy old-school hard disks with moving parts, typically running at 5400rpm, 7200rpm and even 10,000rpm.
Old-school hard drives generally offer much higher capacity for a much lower price than SSDs, but they’re rarely found in business-class laptops these days, because they’re slower, generally require more power, and aren’t as shock-proof as their transistorised cousins.
What to do?
Whether SSDs are, in turn, vulnerable to music that focuses on other frequency ranges or amplitudes, we can’t say.
Whereas R&B might have been the Achilles heel of rotating-media storage devices in the early 2000s, perhaps louder but lower-tuned, sludgy, old-school “coding music” might ultimately prove to be too much for fully digital solid-state laptop storage?
We don’t expect fans of bands such as Melvins, Sleep, Monolord and the like to take needless experimental risks with their own laptops.
But if anyone knows of any heavy-duty riffs that can be turned into exploits…
…they may be eligible for CVE numbers, though we have no idea where vulnerabilities of this sort would fit into the MITRE ATT&CK Tools, Tips and Procedures framework.
Suggestions in the comments, please!