TickTock: Detecting Microphone Status in Laptops Leveraging Electromagnetic Leakage of Clock Signals

We are witnessing a heightened surge in remote privacy attacks on laptop computers. These attacks often exploit malware to remotely gain access to webcams and microphones in order to spy on the victim users. While webcam attacks are somewhat defended with widely available commercial webcam privacy covers, unfortunately, there are no adequate solutions to thwart the attacks on mics despite recent industry efforts. As a first step towards defending against such attacks on laptop mics, we propose TickTock, a novel mic on/off status detection system. To achieve this, TickTock externally probes the electromagnetic (EM) emanations that stem from the connectors and cables of the laptop circuitry carrying mic clock signals. This is possible because the mic clock signals are only input during the mic recording state, causing resulting emanations. We design and implement a proof-of-concept system to demonstrate TickTock's feasibility. Furthermore, we comprehensively evaluate TickTock on a total of 30 popular laptops executing a variety of applications to successfully detect mic status in 27 laptops. Of these, TickTock consistently identifies mic recording with high true positive and negative rates.