Surreptitious Audio Eavesdropping

Vulnerability Description

Brief Description: The microphone on early Sun workstations enables users to eavesdrop on those in the room where the microphone is located.

Detailed Description: The microphone on Sun workstations is connedted to a file corresponding to the audio device. If the device permissions allow read access to this device, any user who can read the device can read the input from the microphone. Hence they can hear anything that the microphone can pick up.

Component(s): microphone, /dev/audio, /dev/audioctl, /dev/mic, audioplay(8)

Version(s): All versions

Operating System(s): Sun workstations with microphones (unverified), SunOS 4.1.x, 5.x (unverified), audioplay

Other Information: You must have access to the system to which the microphone is connected.

Effects:Your private conversations may be overheard

Detecting the Vulnerability:

* If all the following conditions are met, you have the hole.

1. Check the permissions on the device corresponding to microphone input. This is usually /dev/ audio or /dev/mic. If the permissions do not allow reading, you are not vulnerable.

2. Check the physical microphone device. If it is not connected to the system, or if it is turned off, you are not vulnerable.

Fixing the Vulnerability:

* Switch off or unplug the microphone.

* Change the permissions of the relevant files. The following fragment makes them accessible only to the user audiouser:

chmod 600 /dev/audio*

chown audiouser /dev/audio

* In SunOS 4.1.x, set /etc/fbtab allow only the console user to access the /dev/audio device, by adding:

/dev/console 0600 /dev/audio

/dev/console 0600 /dev/audioctl

* In Solaris 2.3, set /etc/logindevperm to allow only the console user to access /dev/audio.


Keywords:microphone, audio, eavesdropping


Attack Methods or Tools: (exploit/

Related Information

Advisories and Other Alerts: Cert Advisory CA-93:15 (CA-93:15), SUN#00122 (SUN#00122)


First Report We Know Of: by unknown, date unknown, in unknown

Revisions of Database Record

1. Mike Dilger(1/1/97): From the old database

2. Matt Bishop(7/8/98): Converted to new format