Janet Jackson Music as an Attack Payload
CVE-2022-38392 is hilarious. Here is what you need to know about it:
Vulnerability Classification:
A novel attack vector that researchers named resonant frequency denial of service.
Vulnerable Systems:
Older laptops, using 5,400rpm hard disk drives.
Attack Vector:
The victim is phished into playing an attack payload through the target system’s audio.
Attack Payload:
The official music video of the song Rhythm Nation by Janet Jackson.
Effect on Target:
The read-write head of the target system’s HDD is adversely affected by resonance, causing a full system crash.
Recommended Mitigation:
Alter the vulnerable systems’ audio channels to prevent the offending note from being played. This has the effect of making the music go quiet for a moment when Janet hits that high note.
Alternative Attack Vectors:
There is a workaround for which there is no known mitigation. The alternative attack vector is for an attacker’s system to broadcast the attack payload loudly while the target system is within earshot and its hard drive is in use.
History of CVE-2022-38392
The vulnerability came to light in 2022, when Microsoft engineer Raymond Chen wrote about resonant frequency denial of service. Chen provided more information in a later post, and the issue was assigned CVE-2022-38392.
In fact, the issue was known about in 2005, when researchers initially suspected the audio drivers were causing some Windows XP laptops to crash. The real cause was only discovered when music being played by one laptop crashed another in laboratory conditions.
Why Rhythm Nation?
Rhythm Nation’s music video uses what Raymond Chen referred to as ‘non-standard tuning’. Instead of the standard A=440, Rhythm Nation uses A=450, producing frequencies not heard in most music. 130Hz happens to be the resonant frequency of the read-write spindle on some hard drives.
More on the Mitigation
Regarding the audio filter (APO): the vendor shipped a kernel-mode Audio Processing Object that notches out the narrow 130Hz band during playback. Microsoft later required that users be able to disable APOs, but the OEM won an exception because disabling the filter could re-introduce the crash risk.
The Payload…
Let’s hear from Janet herself. This is the attack payload for CVE-2022-38392. Do not play this on a 20-year-old laptop…