It’s bad enough that our devices can listen to us, whether that means ultrasound being used to track us (even if we’re on an anonymous network) or voice assistants picking up on our private conversations (including with human contractors listening in).

Now, PricewaterhouseCoopers (PwC) security researcher Matt Wixey brings us news of attacks that can make our devices’ embedded speakers scream at us, be it with inaudible, high-intensity frequencies or with audible sounds at hearing-damaging volumes.

On Sunday at the Defcon security conference, he presented a talk on what he calls acoustic cyber-weapons.

Wixey, head of research at PwC’s cyber security practice, said that his experiments were done as part of his PhD research at University College London, where he delves into what he calls “unconventional” uses of sound as applied to security – including digital/physical crossover attacks that use malware to create physical and/or acoustic harm.


If you aren’t already aware of how much damage given sounds can cause, in his slideshow for the Defcon talk, Wixey annotated a decibel chart from Survival Life to show what level of sound will cause…

  1. Your eyes to twitch – 100 dB, or somewhere between a chainsaw and a lawnmower.
  2. Your lungs to collapse/death imminent – 188 dB.
  3. Your bones to shatter and your internal organs to rupture – 194 dB.
  4. Instant death – 200 dB, or the sound of Windows XP starting up*.

(*I’m fairly sure the Windows XP reference is just a joke. But if you want to see what level of noise will cause your eardrums to rupture, check out this training manual from Purdue University.)

Wixey talked about how inflicting “aural barrages” can cause both psychological and physiological effects, including neurasthenia, cardiac neurosis, hypotension, bradycardia, nausea, fatigue, headaches, tinnitus, ear pain and far more.

Wired quoted him:

“I’ve always been interested in malware that can make that leap between the digital world and the physical world. We wondered if an attacker could develop malware or attacks to emit noise exceeding maximum permissible level guidelines, and therefore potentially cause adverse effects to users or people around.”

If you keep melting your speakers, we won’t buy you more toys

Wixey told the BBC that he and his team used custom-made viruses, known vulnerabilities and other exploits to force a collection of devices to emit dangerous sounds for long periods of time.

Wixey didn’t specify which name brands they preyed on, but the devices included a $1,000 laptop upon which the team inflicted malware (remote and local), a $200 mobile phone that also got the remote and local malware treatment, a $50 Bluetooth speaker, a $200 smart speaker for which they exploited a known control-audio vulnerability, $400 headphones that were susceptible to multiple attack vectors, and other, even cheaper gadgets with embedded speakers.

It doesn’t really matter which brand names are susceptible to catching on fire or burning a hole in your eardrums, since susceptibility was pretty much brand-agnostic, Wixey said. Though we don’t know the brand names, we do know that many consumer devices do all sorts of things via ultrasound.