The vulnerability, recorded as CVE-2022-38392, identifies the music video of Janet Jackson’s 1989 classic Rhythm Nation as bringing down a specific model of hard disk. Yet the MITRE Corporation, which helps identify and categorize vulnerabilities in software, only recently decided to list it as an issue. Although the bug isn’t new, it came into the limelight after Microsoft principal software engineer Raymond Chen blogged about it recently.

“While new systems are coming out with SSDs, older hardware and software has a way of staying around well past its prime,” Chris Goettl, VP of Product Management for security products at Ivanti, told Lifewire over email. “Microsoft would only be spending time and effort to [register it as a vulnerability] and make customers aware if there were a lot of devices still in circulation that could be impacted and enough occurrences for it to be of concern.”
A Broken Record
Chen’s blog post attributed the bug’s discovery to an unnamed “major computer manufacturer,” which found that some of its computers were crashing when trying to play the song in question.

“One discovery during the investigation is that playing the music video also crashed some of their competitors’ laptops,” wrote Chen. “And then they discovered something extremely weird: Playing the music video on one laptop caused a laptop sitting nearby to crash, even though that other laptop wasn’t playing the video!”

Chen says the company eventually worked out that the song had a certain sound that resonated with the hard disk in the affected laptop. Resonance is the physical phenomenon in which vibrations produced by one object match the natural frequency of another object and set it vibrating, which can have dangerous outcomes. This is exactly why soldiers break stride when marching across a bridge.

In the case of the crashing computers, the manufacturer discovered that the sound waves coming from the computer’s speakers while playing the Janet Jackson song would vibrate at the same frequency as the hard drive inside it, causing it to crash. To overcome the issue, the manufacturer devised a way to detect and remove the offending frequencies from any audio played on the computer, wrote Chen.

Interestingly, Chen hinted the bug dates back to the days of Windows XP. While it might seem like a bygone era for most of us, through a security lens it doesn’t appear very distant, which is why this bug could probably still be very exploitable.

“This is at the outer edge of the age of what is still exploitable on the market, but certainly not the oldest we have seen,” said Goettl. He points to the Known Exploited Vulnerabilities Catalog maintained by the Cybersecurity and Infrastructure Security Agency (CISA), which tracks bugs the agency thinks might still be used by hackers to compromise computers.
In addition to the more recent bugs, the catalog also lists vulnerabilities dating all the way back to 2002 affecting computers running Windows 2000. “CISA would not have taken the time to mention a vulnerability this old unless it were still being targeted by threat actors,” said Goettl.
Striking a Chord
Roger Grimes, data-driven defense evangelist at cybersecurity firm KnowBe4, acknowledged that while the bug in question is peculiar, it isn’t the first, nor the only one of its kind.

Dr. Johannes Ullrich, Dean of Research for SANS Technology Institute, agrees. Writing in the SANS weekly newsletter, he explained that hard disks suffering performance penalties in loud environments that cause high vibrations is a well-documented effect. In his post, Chen linked to a video from 2009 that shows a data center engineer screaming at hard disks, causing them to malfunction.

Grimes added that hackers have also employed the phenomenon of vibrations leading to crashes to bring down computers deliberately.

“Most consumers will not have to worry about this vulnerability, and if they do, what are the odds of someone playing [the Janet Jackson song] near the devices?” Goettl asked rhetorically. “Probably pretty slim, but considering the song was popular at the same time as the hardware was, maybe it isn’t so slim of a chance after all.”