Crash Your Neighbor's Laptop by Playing Janet Jackson Music (No Kidding!)

emg Veteran
edited August 2022 in News

Play Janet Jackson's song "Rhythm Nation" near a vulnerable laptop, and you can crash its internal drive:
https://devblogs.microsoft.com/oldnewthing/20220816-00/?p=106994

Yes, this vulnerability was assigned a CVE number:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38392

I read a report about this, where the author suggested playing the music at a "Capture the Flag" hacking competition. You might get lucky and take down a competitor's older model "burner laptop" there.

Comments

  • raindog308 Administrator, Veteran

    The manufacturer discovered the problem and added an audio filter to protect their systems. I wonder if they told the HDD manufacturer or the rest of the industry, or just quietly enjoyed the competitive advantage.

    Heck, I'd be sponsoring TV ads blasting that song at every turn...

    Thanked by 2emg netomx
  • edited August 2022

    I guess you could test this with looping these wav files approximately at the frequency they think triggered the event

    data:audio/x-wav;base64,UklGRv////9XQVZFZm10IBAAAAABAAEAQB8AAP////8BAAgAZGF0Yf////////////////////////////////////////////////////////////////////8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

    or

    data:audio/x-wav;base64,UklGRv////9XQVZFZm10IBAAAAABAAEAQB8AAP////8BAAgAZGF0Yf///////////////////////////////////////////////////////////////////wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

    And here is an interesting read
    https://everything2.com/title/7+hertz+-+the+resonant+frequency+of+a+chicken%27s+skull

    Thanked by 2that_guy Daniel15
  • wdmg Member, LIR

    @raindog308 said: Heck, I'd be sponsoring TV ads blasting that song at every turn...

    I would enjoy this a bit too much

  • jar Patron Provider, Top Host, Veteran

    This is officially my new favorite thing.

    Thanked by 1emgh
  • emg Veteran

    @raindog308 said: Heck, I'd be sponsoring TV ads blasting that song at every turn...

    If I were going to sponsor a TV ad, my audio soundtrack would be: "Alexa, make a $1000 donation on emg's website!"

    Thanked by 1Logano
  • raindog308 Administrator, Veteran

    @jar said:
    This is officially my new favorite thing.

    More research is needed on this important new technology.

    Imagine a drone blaring Taylor Swift songs that knocks out Iranian nuclear centrifuges…

    And what if Amazon engineers a song that can knock out Azure blob storage?

    Thanked by 3jar emg bulbasaur
  • @raindog308 said:

    @jar said:
    This is officially my new favorite thing.

    More research is needed on this important new technology.

    Imagine a drone blaring Taylor Swift songs that knocks out Iranian nuclear centrifuges…

    And what if Amazon engineers a song that can knock out Azure blob storage?

    STUXNET was distributed through a signed RealTek audio driver. If you can find an underdamped resonant frequency (high quality factor), you can theoretically add energy until it has a catastrophic failure.

    Thanked by 1raindog308
  • raindog308 Administrator, Veteran

    Life in 2022: I want to hear the song just because it's in the news, but I know if I do, it'll pollute all the algos and I'll have to endure a spate of music recommendations I don't like, so I'm launching a private browser rather than use the convenient app on my phone.

    Also Life in 2022: It wasn't worth the effort.

    Thanked by 1that_guy
  • Back in the day we kids called it janetrolling.

  • Plot twist: the Microsoft blogger's colleague messages him, "dude, I was just fucking with you, I can't believe you believed me".

    Thanked by 2bulbasaur netomx
  • @emg said: Yes, this vulnerability was assigned a CVE number:

    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38392

    Why does it have a 2022 CVE number when it happened a long time ago? Since a hardware manufacturer implemented a workaround, this would have been known well before Raymond Chen's post. 🤔

  • ralf Member

    @Daniel15 said:

    @emg said: Yes, this vulnerability was assigned a CVE number:

    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38392

    Why does it have a 2022 CVE number when it happened a long time ago? Since a hardware manufacturer implemented a workaround, this would have been known well before Raymond Chen's post. 🤔

    Just clicking on your own link:

    Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.

  • @ralf said:

    @Daniel15 said:

    @emg said: Yes, this vulnerability was assigned a CVE number:

    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38392

    Why does it have a 2022 CVE number when it happened a long time ago? Since a hardware manufacturer implemented a workaround, this would have been known well before Raymond Chen's post. 🤔

    Just clicking on your own link:

    Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.

    I saw that... I guess I meant why was the CVE number allocated or reserved in 2022?

  • ralf Member
    edited August 2022

    At a guess, the drive manufacturer may have known about it, the laptop manufacturer may have known about it, Microsoft may have known about it (if they support the audio driver), but none of them might announce it publicly due to NDAs or worry that it would affect reputation, or even actually increase awareness of this so that other people could target affected PCs remotely.

    The fix described only stops a machine destroying itself. If the resonant frequency can also be a problem with external sources, short of a massive product recall, there's no real fix, so in the case where there's no workaround, it's probably best not to make the vulnerability public knowledge.

    Also publicly announcing it could open them up to a class action lawsuit, but if they keep quiet and it's never discovered then very few of those drives will ever die from this cause.
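
The playback-side audio filter discussed in this thread, sketched as an added example (not code from any post, from the linked blog, or from the laptop vendor): a biquad notch that removes one narrow band from a machine's own audio output. `NOTCH_HZ`, the sample rate and Q are constructed placeholders because the page gives no figures, and a filter in the playback path does nothing about sound arriving from an external source.

```python
import math

# Constructed placeholder values: the thread does not state the real figures.
SAMPLE_RATE = 8000      # Hz
NOTCH_HZ = 1000.0       # hypothetical centre of the band to suppress
NOTCH_Q = 5.0           # higher Q = narrower notch


def notch_coefficients(f0, fs, q):
    """Biquad notch (RBJ Audio EQ Cookbook form), normalised so a[0] == 1."""
    w0 = 2.0 * math.pi * f0 / fs
    alpha = math.sin(w0) / (2.0 * q)
    a0 = 1.0 + alpha
    b = (1.0 / a0, -2.0 * math.cos(w0) / a0, 1.0 / a0)
    a = (1.0, -2.0 * math.cos(w0) / a0, (1.0 - alpha) / a0)
    return b, a


def biquad(samples, b, a):
    """Run a direct-form I biquad over a sequence of samples."""
    x1 = x2 = y1 = y2 = 0.0
    out = []
    for x in samples:
        y = b[0] * x + b[1] * x1 + b[2] * x2 - a[1] * y1 - a[2] * y2
        x2, x1, y2, y1 = x1, x, y1, y
        out.append(y)
    return out


def rms(samples):
    return math.sqrt(sum(s * s for s in samples) / len(samples))


def gain_db(freq, seconds=1.0):
    """Steady-state gain of the notch for a pure tone at `freq`, in dB."""
    n = int(SAMPLE_RATE * seconds)
    tone = [math.sin(2.0 * math.pi * freq * i / SAMPLE_RATE) for i in range(n)]
    b, a = notch_coefficients(NOTCH_HZ, SAMPLE_RATE, NOTCH_Q)
    filtered = biquad(tone, b, a)
    half = n // 2                      # skip the filter's start-up transient
    out_level = max(rms(filtered[half:]), 1e-12)   # floor avoids log10(0)
    return 20.0 * math.log10(out_level / rms(tone[half:]))


if __name__ == "__main__":
    for f in (200.0, NOTCH_HZ, 3000.0):
        print(f"{f:7.1f} Hz -> {gain_db(f):8.2f} dB")
```

Tones well away from the notch pass at essentially unchanged level, which is why such a filter is barely audible in ordinary playback.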

  • edited August 2022

    so theoretically this should work with Windows XP and below
    rundll32.exe Kernel32.dll,Beep 83,20000
    or
    rundll32.exe Kernel32.dll,Beep 82,20000

  • @raindog308 said:
    Imagine a drone blaring Taylor Swift songs that knocks out Iranian nuclear centrifuges…

    This, but something gayer.

  • TimboJones Member
    edited August 2022

    @Daniel15 said:

    @ralf said:

    @Daniel15 said:

    @emg said: Yes, this vulnerability was assigned a CVE number:

    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38392

    Why does it have a 2022 CVE number when it happened a long time ago? Since a hardware manufacturer implemented a workaround, this would have been known well before Raymond Chen's post. 🤔

    Just clicking on your own link:

    Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.

    I saw that... I guess I meant why was the CVE number allocated or reserved in 2022?

    As others have pointed out in more serious discussion, this is all bullshit. The CVE references the blog which references the CVE. Circular circle jerk. No laptop manufacturer, no hard drive manufacturer, no resonant frequency or details other than the blog making vague second hand info, which is also silly. It's like an April fools joke that escaped the 1st.

    I don't have the link on my phone, but there's a good twitter post showing the audio levels (> 105db pressure) and length of time to cause an issue (45+ seconds) as done in proper studies, let alone catastrophic damage.

    I understand why people are ignoring the half dozen red flags and just going for the Janet lulz, but it's disappointing when people buy this.

    Anyone who's worked in a large company would know the laptop manufacturer wouldn't redesign their product to filter out said frequency on playback (that doesn't solve the problem as described, that just being exposed to the songs caused it to happen). It's a hard drive defect if it can't handle the vibration/shock specs. That's the HDD MFG's problem to deal with. If the laptop is exceeding those vibration specs (which would be a problem for any HDD), then the laptop MFG would add rubber dampeners OR JUST CHANGE THE HDD MODEL. It's literally that simple. We don't even need to get into human hearing vs mics and speakers or that 2000s laptop speakers will typically be garbage. A Janet filter? Jesus Christ, Chen, stick to software.

    Anyway, someday there will be a blog update saying, "sorry guys, as thousands have messaged me, my colleague was probably joking with me".

    Edit: fuck it, I found it. https://mobile.twitter.com/thebigfatj/status/1560353265652580352

  • So theoretically a piezo electric speaker affixed to the motherboard/chassis could affect read/write throughput.

    https://www.ic.unicamp.br/~celio/mc404s102/pcspeaker/InternalSpeaker.htm

  • raindog308 Administrator, Veteran

    Turns out that just yelling at your servers (assuming spinning disk) can cause issues:

    Thanked by 1ralf