[Cryptography] hacked hearing aids ("Code of Silence")

Jon Callas jon at callas.org
Mon Aug 18 18:25:18 EDT 2025



> On Aug 16, 2025, at 14:34, Henry Baker <hbaker1 at pipeline.com> wrote:
> 
> *** spoiler alert ***
>  In the 2025 British series "Code of Silence", a key plot point is where the main character's hearing aids are hacked so that they become listening devices.
>  https://en.wikipedia.org/wiki/Code_of_Silence_(TV_series)
>  Having looked into some of the issues surrounding modern Bluetooth and hearing aids, I have concluded that this hack is not only not far-fetched, but is a very real security issue.

I have a distinct raised eyebrow, while agreeing with you in principle.

The main disagreement is that in the larger space, we have two related, but different devices, namely "headphones" and "headsets." Headsets are a superset of headphones; they have speakers and a microphone while headphones are only speakers. There are not only hardware differences, but there are differences in the networking profiles for the devices.

Hearing aids are a type of headphone, not headset. They don't have a microphone and it is nearly impossible to make that work because the whole BT-hearing aid tech system assumes they are speakers, not microphones.

Having said that, internally, hearing aids are audio processing systems that are related to a MITM in that they take audio in, process it, and then spit it back out again, so while the system boundary for hearing aids is that they're speakers, internally they are a mic -> speaker audio pipeline. You can, brushing away many things, totally rewrite the code and get the input. However, there's likely no network exfiltration pipeline in either hardware or protocol. So that's a problem. Moreover, you actually want to take over the hearing aids in a way that the owner does not detect. If you break the hearing aids, then the owner is going to do something. If you slow down the audio processing, the owner will very likely detect it. (I can supply anecdotes, but suffice it to say that low latency is the major selling point on hearing aids.) There are other things like battery life and so on, along with code size, etc.

From a Movie Plot Security standpoint, you could paper over all these things with a good writer. Like the owner-character says, "Man, ever since I went to Prague, the robot voice in my hearing aids has gotten a lot worse. Musta broken something. I have an appointment with my audiologist for week after next." Boom, now you have a fortnight plot window for the baddies to spy. You could even make it stronger plot-wise by having the character complain about battery life and that they're a bit warm now.

I don't buy it in the real world. I especially don't buy it when it would be MUCH easier to hack a pair of cheap BT earbuds. It would be even easier to hack a PC that has a pair of wired headphones plugged into an audio jack, because remember, all speakers are also microphones, electrically.

From a plot point this is really cool because humans like esoteric threats better than common ones. Making them hearing aids as opposed to earbuds means that the writers cut off the objection of why the protagonist is walking around all the time with earbuds in, which is then going to be followed by some ageist mutterings about kids today being no damned good. It also answers why the devices are allowed in a secure environment -- everyone knows no phones in a SCIF, so why did they let the earbuds in?

The protagonist has to wear the hearing aids. They can't take them off, so we removed that objection. You can't prove a negative, so the counter-objection to all that I wrote is basically, "well, you admitted it wasn't *impossible*, so therefore it must be inevitable."

Storywise this is also a highly targeted attack, which makes it more interesting as a plot point -- the baddies are hacking Our Protagonist, not doing some off-the-shelf thing. It also makes the protagonist blameless. They didn't screw up, the baddies were just ultra-clever.

>  However, I'm currently at a loss for suggestions about what to do, because it's difficult enough to get decent SW/firmware on these *very expensive* devices *at all*, much less after adding additional security requirements that will drive their prices into the stratosphere.

Those are all good points, and at the same time I'll point out that the most scary interface in all devices today is firmware bugs in a NIC. Oh, yeah, it's an issue in hearing aids. My previous models would sometimes reboot when audio sources changed and I'd roll my eyes and think, "oh, gawd" because I just know that means there's a bug in the BT NIC.

>  Oh, and by the way, I doubt that any of these hearing aids (or their firmware) are built in the U.S., so you can assume that their supply chains are very vulnerable to attack (think exploding Israeli pagers in your ears).

Well. I see your point, but an assertion that US supply chains and engineers are good in ways that (e.g.) Danish ones are not seems a bit presumptuous and more.

>  Open source code for open source hearing aid HW would be a good start, but I would imagine that fulfilling that dream would take at least 5 years, so what do we do in the mean time?
>  

Well, how about fix this?

https://www.psu.edu/news/engineering/story/conversations-remotely-detected-cellphone-vibrations-researchers-report

  Conversations remotely detected from cellphone vibrations,
  researchers report

  UNIVERSITY PARK, Pa. —  An emerging form of surveillance,
  “wireless-tapping,” explores the possibility of remotely
  deciphering conversations from the tiny vibrations produced by a
  cellphone’s earpiece. With the goal of protecting users’ privacy
  from potential bad actors, a team of computer science researchers
  at Penn State demonstrated that transcriptions of phone calls can
  be generated from radar measurements taken up to three meters, or
  about 10 feet, from a phone. While accuracy remains limited —
  around 60% for a vocabulary of up to 10,000 — the findings raise
  important questions about future privacy risks.

Don't get me wrong -- firmware security on radios is arguably the biggest issue we have, in that it has the most exposed attack surface, but that's everywhere. Everywhere. And any security advance in, say, BT firmware all over flows back into hearing aids. Also, where there are supply chain issues on these things it's usually in the low end devices, because the people selling $18 earbuds are going to cheap out and buy the 9¢ part rather than splurge on the 25¢ part, and the people selling $4000 hearing aids are likely to buy the 35¢ part because it's a better part all around.

Let me turn this on its head and I'll construct you a counter movie-plot security issue:

Our protagonist, young and savvy GenZ Alice, eschews lots of modern tech. They don't do BT anything. They insist on wired headsets only because they don't trust it. They have a phone that's total open source hardware and has an e-paper screen, so it can't do much more than web browsing.

Alice goes into a secret meeting and turns off all radios on the device. But! Alice had gone to a web site that snuck Javascript into some web site, so while all the radios are off, the web page is still running. A few options here:

  1. That malware hooks into the audio subsystem and uses the microphone on the headset
  to listen in to the meeting.

  2. The malware uses headphone software at a low level to play a very soft sound and detect
  voltage differences on the speaker which improvise a microphone.

  3. The malware uses the accelerometer to use the whole phone as a microphone. This,
  incidentally, is a real world attack from about a decade ago, mitigated these days
  via the ultra-high tech mechanism of rate limiting how fast JS can query the
  accelerometer.

Bottom line -- Yes, yes, all medical devices have safety issues, and BT-enabled assistive devices and prosthetics have special security concerns, but those concerns are basically the concerns of all other software that touches a radio. However, I think the hearing aid issues are a subset of generic headphone issues which are a subset of generic headset issues.

	Jon

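Added example, not part of Jon's post or any browser's code: a model of the mitigation named in option 3 of the counter movie-plot above (capping how often a page's JavaScript receives accelerometer samples) and a demonstration of why it blunts the phone-as-microphone attack. A stream delivered at R samples per second can only represent content below R/2 Hz, so speech-band vibration aliases down into the band occupied by ordinary handling motion and cannot be told apart from it. The raw sensor rate, the 60 Hz cap, the tone frequencies and the amplitudes are all constructed for the illustration, not measurements of any real phone or browser.

```javascript
// Added example (not from the original post): models a browser-side rate
// limit on accelerometer events delivered to page JavaScript and shows why
// it works. Sample rates, frequencies and amplitudes are constructed for
// the demonstration and are not measurements of any real device.

const RAW_RATE_HZ = 1200;   // assumed raw accelerometer rate (hypothetical)
const LIMITED_RATE_HZ = 60; // assumed cap on sensor events delivered to JS
const MOTION_HZ = 3;        // slow handling motion, amplitude 0.6
const VOICE_HZ = 250;       // speech-band vibration, amplitude 1.0

// Synthesize one second of constructed accelerometer data: a weak slow
// "handling" component plus a stronger speech-band component.
function synthesizeSignal(rateHz, seconds = 1) {
  const n = Math.round(rateHz * seconds);
  const out = new Array(n);
  for (let i = 0; i < n; i++) {
    const t = i / rateHz;
    out[i] = 0.6 * Math.sin(2 * Math.PI * MOTION_HZ * t)
           + 1.0 * Math.sin(2 * Math.PI * VOICE_HZ * t);
  }
  return out;
}

// Model of the mitigation: a sample is delivered only once at least
// 1/maxHz seconds have elapsed since the previous delivered sample.
// Comparing sample indices with integer arithmetic keeps the test exact.
function rateLimit(samples, rawHz, maxHz) {
  const kept = [];
  let last = null;
  for (let i = 0; i < samples.length; i++) {
    if (last === null || (i - last) * maxHz >= rawHz) {
      kept.push(samples[i]);
      last = i;
    }
  }
  const stride = Math.ceil(rawHz / maxHz); // samples between deliveries
  return { samples: kept, rateHz: rawHz / stride };
}

// Naive DFT peak search (adequate for a few thousand samples): frequency
// of the strongest non-DC bin, i.e. what an attacker's script "hears".
function dominantFrequencyHz(samples, rateHz) {
  const N = samples.length;
  let bestK = 1;
  let bestMag = -1;
  for (let k = 1; k <= Math.floor(N / 2); k++) {
    let re = 0;
    let im = 0;
    for (let n = 0; n < N; n++) {
      const a = (2 * Math.PI * k * n) / N;
      re += samples[n] * Math.cos(a);
      im -= samples[n] * Math.sin(a);
    }
    const mag = Math.hypot(re, im);
    if (mag > bestMag) {
      bestMag = mag;
      bestK = k;
    }
  }
  return (bestK * rateHz) / N;
}

// Nyquist limit: highest frequency a stream at rateHz can represent.
function recoverableBandwidthHz(rateHz) {
  return rateHz / 2;
}

// At the raw rate the 250 Hz tone is found; after the cap the same tone
// aliases to |250 - 4*60| = 10 Hz, inside the handling-motion band.
function demo() {
  const raw = synthesizeSignal(RAW_RATE_HZ);
  const limited = rateLimit(raw, RAW_RATE_HZ, LIMITED_RATE_HZ);
  return {
    rawPeakHz: dominantFrequencyHz(raw, RAW_RATE_HZ),
    rawBandwidthHz: recoverableBandwidthHz(RAW_RATE_HZ),
    limitedRateHz: limited.rateHz,
    limitedPeakHz: dominantFrequencyHz(limited.samples, limited.rateHz),
    limitedBandwidthHz: recoverableBandwidthHz(limited.rateHz),
  };
}

console.log(demo());
```

The throttle is deliberately modelled on delivery interval rather than on a fixed decimation factor, because that is the shape of the browser-side cap being discussed; the effective rate it yields is rawHz divided by ceil(rawHz/maxHz). Note that the cap does not remove the speech-band energy, it only folds it into a band where it is indistinguishable from motion, which is why the mitigation is a bandwidth argument and not a filtering one.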