“People of the world today, are we looking for a better way of life?” sang Janet Jackson on her 1989 hit Rhythm Nation, not knowing that the better way of life she was talking about didn’t include certain hard drives. It’s just been revealed that the song has the power to crash particular models of laptops, and it has now been recognized as a cybersecurity vulnerability.
As reported by The Reg, the strange tale comes from a Microsoft devblog by Raymond Chen. He writes that a colleague shared a story from Windows XP product support about how Jackson’s track would crash certain models of laptops when it was played within proximity of the device.
It was discovered that the effect could be replicated on other laptops from multiple manufacturers, all of which shared a common feature; the same 5,400 RPM hard disk drive was found in the machines, which were popular sometime around 2005, or 16 years after Rhythm Nation just missed out on topping the Billboard Hot 100 chart.
The problem is that the song contains one of the natural resonant frequencies for that particular hard drive model. It caused the HD platters to contact the drive head, resulting in a crash.
The laptop manufacturers addressed the problem by adding a custom filter in the audio pipeline that detected and removed the offending frequencies during audio playback. The phasing out of 5,400 RPM hard drives in laptops and the declining popularity of Jackson’s song likely helped, too.
Nevertheless, the quirk was added to the register of Common Vulnerabilities and Exposures by The Mitre Corporation on August 17 and has been acknowledged by security vendor Tenable. Listed as CVE-2022-38392, it is described as “a certain 5400 RPM OEM hard drive, as shipped with laptop PCs in approximately 2005, allows physically proximate attackers to cause a denial of service (device malfunction and system crash) via a resonant-frequency attack with the audio signal from the Rhythm Nation music video.”
In April last year, researchers at the Ben Gurion University in Israel demonstrated a technique called AiR-ViBeR that could steal data from air-gapped PCs—systems that are physically isolated with no online access—without being detected.
The proof-of-concept originated from the theory that it’s possible to use vibrations produced by electromechanical components like a CPU, GPU, or case fans in combination with special malware that is able to encode the data to be transmitted through direct manipulation of the fan speed.