TickTock: Detecting Microphone Status in Laptops Leveraging Electromagnetic Leakage of Clock Signals

We are witnessing a heightened surge in remote privacy attacks on laptop computers. These attacks often exploit malware to remotely gain access to webcams and microphones in order to spy on the victim users. While webcam attacks are somewhat defended with widely available commercial webcam privacy covers, unfortunately, there are no adequate solutions to thwart the attacks on mics despite recent industry efforts. As a first step towards defending against such attacks on laptop mics, we propose TickTock, a novel mic on/off status detection system. To achieve this, TickTock externally probes the electromagnetic (EM) emanations that stem from the connectors and cables of the laptop circuitry carrying mic clock signals. This is possible because the mic clock signals are only input during the mic recording state, causing resulting emanations. We design and implement a proof-of-concept system to demonstrate TickTock's feasibility. Furthermore, we comprehensively evaluate TickTock on a total of 30 popular laptops executing a variety of applications to successfully detect mic status in 27 laptops. Of these, TickTock consistently identifies mic recording with high true positive and negative rates. * This is an extended version of the conference paper in the proceedings of ACM CCS 2022 with the same title. Lenovo Outlet Laptops shipped together with TickTock TickTock Server … Identified Mic Clock Freq Sticker Marking Leakage Location (a) (b) (c) (d) … … … 2 MHz 2 MHz … 2 MHz 2 MHz 3 MHz Figure 3: Bootstrapping scenarios -(a) depicts bootstrapping performed by laptop manufacturers, e.g., Lenovo, who subsequently ship laptops with stickers denoting leakage location, 𝑙 mic , and an accompanying TickTock device set to detect mic clock frequency, 𝑓 mic . (b) depicts a crowd-sourcing scenario where users upload 𝑓 mic , along with an image of 𝑙 mic to TickTock's public server. (c) depicts a scenario where a user locally performs bootstrapping. (d) depicts a deployment scenario, where a user deploys TickTock to detect mic on/off status by placing the TickTock device at the location of the sticker, and by setting the TickTock device to detect 𝑓 mic .