Acoustic Eavesdropping through Wireless Vibrometry. Teng Wei, Shu Wang, Anfu Zhou and Xinyu Zhang. University of Wisconsin – Madison; Institute of Computing Technology, Chinese Academy of Sciences.
Acoustic Eavesdropping through Wireless. Loudspeakers and Wi-Fi are widely used in conference and home environments. Wireless can pick up the sound and leak private information.
Threat Models: Reflective; Emissive. [Figure: threat-model diagrams with labels Attacker, Victim, Wall, Tx, Rx, AP]
How Possible? Acoustic-Radio Transformation (ART): translate acoustic vibration into radio signal fluctuation.
Technique Review: Pros and Cons. Laser-based Microphone, Directional Microphones: widely used in espionage and newsgathering; highly directional and sensitive; fail in the sound-proof environment; require unobstructed line-of-sight between the subject and laser. Microwave-based Microphone: penetrate sound-proof material and unblocked by obstacles.
Understand Basic ART: Physical Model.
RSS-based ART (Taylor expansion): $RSS = \sigma A^{2}(d_0 + d) = \sigma\left[A^{2}(d_0) + 2A(d_0)A'(d_0)\,d + \dots\right]$, where $A$ is the radio pathloss, $\sigma A^{2}(d_0)$ is the DC component, the term in $d$ is the audio signal component, and the remaining terms are high-order harmonics.
Phase-based ART (micro Doppler): $Phase = \frac{2\pi(d_0 + 2d)}{\lambda_0}$, where the $d_0$ term is the DC component and the $d$ term is the audio signal component.
Audio Decoding of ART: Frequency domain analysis; Estimate Channel RSS/Phase; Assemble audio signals; Modulate a known sequence; Passband filter. Radio sampling frequency >> Audio sampling frequency.
Validating Feasibility. Setup: Rx, Tx; 2m, 0.5m; Channel 14, 2.485GHz; CW; 5MHz. Result: piano sound at 440Hz, 493.88Hz, 554.37Hz; high-order harmonics; diversity.
Influence of Multipath. Wireless signal is broadcasting in natural. [Figure: Tx, Rx, Loudspeaker, Background Reflection Path; I/Q plane with Sl, S, Sc] Multipath affects eavesdropping quality: received signal (S), loudspeaker reflection (Sl), background reflection (Sc). $Quality = \frac{(S_l^{\perp})^{2}}{(S_c^{\perp})^{2}}$. Good multipath profile: Quality' > Quality.
Enhanced 1: Spatial Diversity. Basic Idea: Beamform, Antenna 1 × w1 + Antenna 2 × w2; improved eavesdropping quality. [Figure: I/Q plane with Sl, S, Sc] Weight Searching. Problem: no channel training. Solution: blind beamforming algorithm. Role-switching Beamform. Problem: how to find Tx beamforming weights? [Figure: Radio 1 and Radio 2, Tx and Rx; Rx weight search 1, Role-switch, Rx weight search 2]
Enhanced 2: Frequency Diversity. Basic Idea: alter angles of multipath profile; avoid interference. [Figure: Sl, S, Sc on Channel 1 and Channel 7] Validation: interference; diversity gain.
Enhanced Emissive ART. [Figure: AP, Attacker Rx; packet format STF, LTF, Header, Payload] Audio Recovery (WiFi decoding): ① Packet detection, ② CSI estimation, ③ Audio assembling. Problem 1: Non-uniform packet arrival time. Solution: audio sample re-interpolation. Problem 2: Inaccurate signal amplitude estimation (LTF: 2 OFDM symbols; Payload: 100+ OFDM symbols). Solution: RSS estimation and amplification.
Counter Measure: Reflective ART. Safety Distance: free space model; 12dB antenna gain; typical WiFi hardware; drywall; 2.4 GHz. Interfering Mechanical Vibrations: human movement; rotating fan; …
Counter Measure: Emissive ART. Transmission Power Randomization. [Figure: power of uplink WiFi packets over time; original power of packets versus randomized power of packets]
Implementation and Testbed. Software Implementation: 802.11g/n-compliant communication library; Reflective ART decoder; WARP FPGA modification. WARP and WURC SDR testbed. Testing Loudspeakers: Altec Lansing Multimedia Computer Speakers.
Experiment Setup: Conference Room; Sound-proof Room. Distance to antenna: 1 ~ 5m. Diversity gain.
Reflective Eavesdropping: Beamforming; Human Impact; Environment. Penetrate wall and conventional sound isolator.
Emissive Eavesdropping. Experiment Setup: Victim: Moto X XT1053; AP: Belkin N150; Protocol: IEEE 802.11g; Running application: Iperf, TCP transferring at 10Mbps. Human Perception; Accuracy. Good eavesdropping despite low sound volume.
Effectiveness of Counter Measures. Validating Transmission Power Randomization (TPR): trace-driven simulation. Collect WiFi packet trace (1900pkt/s). Enforce TPR on each of the collected packets. 21dB, more than 2 orders of magnitude reduction.
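The kind of trace-driven TPR check described on this slide, as an added Python example that is not the authors' code. It runs on a constructed synthetic RSS trace rather than a collected one: only the 1900 pkt/s rate and the 440Hz tone come from the deck, while the modulation depth, noise level and ±3 dB randomization range are assumptions, so the output does not reproduce the 21dB figure.

```python
import cmath
import math
import random

PKT_RATE = 1900      # packets/s, the trace rate quoted on the slide
TONE_HZ = 440        # test tone, one of the piano notes used in the deck
MOD_DEPTH = 0.01     # assumed relative RSS swing caused by the audio
NOISE_STD = 1e-3     # assumed receiver measurement noise (linear RSS units)
TPR_RANGE_DB = 3.0   # assumed +/- range of the per-packet power offset


def rss_trace(tpr, seconds=1, seed=7):
    """Constructed per-packet RSS as seen by a receiver, with or without TPR."""
    rng = random.Random(seed)
    trace = []
    for n in range(PKT_RATE * seconds):
        audio = 1.0 + MOD_DEPTH * math.sin(2 * math.pi * TONE_HZ * n / PKT_RATE)
        offset_db = rng.uniform(-TPR_RANGE_DB, TPR_RANGE_DB) if tpr else 0.0
        gain = 10 ** (offset_db / 10)          # sender-side power randomization
        trace.append(gain * audio + rng.gauss(0.0, NOISE_STD))
    return trace


def bin_power(trace, freq_hz):
    """Power of one DFT bin of the mean-removed trace."""
    mean = sum(trace) / len(trace)
    acc = sum((x - mean) * cmath.exp(-2j * math.pi * freq_hz * n / PKT_RATE)
              for n, x in enumerate(trace))
    return abs(acc) ** 2 / len(trace)


def tone_snr_db(trace):
    """Tone-bin power over the average power of off-tone bins, in dB."""
    floor_bins = [f for f in range(50, 900, 17) if f != TONE_HZ]
    floor = sum(bin_power(trace, f) for f in floor_bins) / len(floor_bins)
    return 10 * math.log10(bin_power(trace, TONE_HZ) / floor)


def tpr_reduction_db():
    """How many dB of tone SNR the randomization removes on this trace."""
    return tone_snr_db(rss_trace(tpr=False)) - tone_snr_db(rss_trace(tpr=True))


if __name__ == "__main__":
    print(f"SNR without TPR: {tone_snr_db(rss_trace(False)):.1f} dB")
    print(f"SNR with TPR:    {tone_snr_db(rss_trace(True)):.1f} dB")
```

The randomized per-packet gain acts as broadband noise on the RSS series, which is why the audio tone sinks toward the noise floor even though the average transmit power is barely changed.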
Conclusion. First to thoroughly investigate vibrometry on wireless devices and practical attack models. Distill key factors that enable highly sensitive WiFi vibrometry: Basic ART; Enhanced reflective ART; Enhanced emissive ART. Extensive experiments using COTS smartphone, WiFi access point, and software-radio eavesdropper. Pose alarming challenges to securing acoustic information.
Questions? Thank you