[Cryptography] hacked hearing aids ("Code of Silence")
Henry Baker
hbaker1 at pipeline.com
Mon Aug 18 21:00:15 EDT 2025
-----Original Message-----
From: Jon Callas <jon at callas.org>
Sent: Aug 18, 2025 3:26 PM
To: <hbaker1 at pipeline.com>
Cc: <cryptography at metzdowd.com>, Jon Callas <jon at callas.org>
Subject: Re: [Cryptography] hacked hearing aids ("Code of Silence")
> On Aug 16, 2025, at 14:34, Henry Baker wrote:
>
> *** spoiler alert ***
> In the 2025 British series "Code of Silence", a key plot point is where the main character's hearing aids are hacked so that they become listening devices.
> https://en.wikipedia.org/wiki/Code_of_Silence_(TV_series)
> Having looked into some of the issues surrounding modern Bluetooth and hearing aids, I have concluded that this hack is not only not far-fetched, but is a very real security issue.
I have a distinct raised eyebrow, while agreeing with you in principle.
The main disagreement is that in the larger space, we have two related, but different devices, namely "headphones" and "headsets." Headsets are a superset of headphones; they have speakers and a microphone while headphones are only speakers. There's not only hardware differences, but there are differences in the networking profiles for the devices.
Hearing aids are a type of headphone, not headset. They don't have a microphone and it is nearly impossible to make that work because the whole BT-hearing aid tech system assumes they are speakers, not microphones.
Having said that, internally, hearing aids are audio processing systems that are related to an MiTM in that they take audio in, process it, and then spit it back out again, so while the system boundary for hearing aids is that they're speakers, internally they are a mic -> speaker audio pipeline. You can, brushing away many things, totally rewrite the code and get the input. However, there's likely no network exfiltration pipeline neither in hardware nor protocol. So that's a problem. Moreover, you actually want to take over the hearing aids in a way that the owner does not detect. If you break the hearing aids, then the owner is going to do something. If you slow down the audio processing, the owner will very likely detect it. (I can supply anecdotes, but suffice it to say that low latency is the major selling point on hearing aids.) There's other things like battery life and so on, along with code size, etc.
From a Movie Plot Security standpoint, you could paper over all these things with a good writer. Like the owner-character says, "Man, ever since I went to Prague, the robot voice in my hearing aids has gotten a lot worse. Musta broken something. I have an appointment with my audiologist for week after next." Boom, now you have a fortnight plot window for the baddies to spy. You could even make it stronger plot wise by having the character complain about battery life and that they're a bit warm now.
I don't buy it in the real world. I especially don't buy it when it would be MUCH easier to hack a pair of cheap BT earbuds. It would be even easier to hack a PC that has a pair of wired headphones plugged in to an audio jack, because remember, all speakers are also microphones, electrically.
From a plot point this is really cool because humans like esoteric threats better than common ones. Making them be hearing aids as opposed to earbuds means that the writers cut off the objection of why the protagonist is walking around all the time with earbuds in, which is then going to be followed by some ageist mutterings about kids today being no damned good. It also answers why the devices are allowed in a secure environment -- everyone knows no phones in a SCIF so why did they let the earbuds in?
The protagonist has to wear the hearing aids. They can't take them off, so we removed that objection. You can't prove a negative, so the counter-objection to all that I wrote is basically, "well, you admitted it wasn't *impossible*, so therefore it must be inevitable."
Storywise this is also a highly targeted attack, which makes it more interesting as a plot point -- the baddies are hacking Our Protagonist, not doing some off-the-shelf thing. It also makes the protagonist blameless. They didn't screw up, the baddies were just ultra-clever.
> However, I'm currently at a loss for suggestions about what to do, because it's difficult enough to get decent SW/firmware on these *very expensive* devices *at all*, much less after adding additional security requirements that will drive their prices into the stratosphere.
Those are all good points, and at the same time I'll point out that the most scary interface in all devices today is firmware bugs in a NIC. Oh, yeah, it's an issue in hearing aids. My previous models would sometimes reboot when audio sources changed and I'd roll my eyes and think, "oh, gawd" because I just know that means there's a bug in the BT NIC.
> Oh, and by the way, I doubt that any of these hearing aids (or their firmware) are built in the U.S., so you can assume that their supply chains are very vulnerable to attack (think exploding Israeli pagers in your ears).
Well. I see your point, but an assertion that US supply chains and engineers are good in ways that (e.g.) Danish ones are not seems a bit presumptuous and more.
> Open source code for open source hearing aid HW would be a good start, but I would imagine that fulfilling that dream would take at least 5 years, so what do we do in the meantime?
...
---
Perhaps I should reveal a bit more about what exactly was hacked in the series "Code of Silence".
The hacker "paired" the lead character's hearing aids with her cellphone, and he then hacked her cellphone;
she claimed that she had previously never "paired" her hearing aids with her cellphone.
You are correct: the classic case of pairing BT hearing aids with cellphones merely transmits any noises and/or
conversations *to* the hearing aids (over BT); there isn't necessarily an audio return path from the hearing aids
back to the cellphone.
That having been said, modern microprocessors are very powerful, and there is plenty of firmware storage
space available to store additional SW capabilities.
Recall what I said: the character had NOT previously paired her hearing aids with her cellphone, so she would
NOT have any previous experience with what the hearing aids would sound like with BT pairing. *So the hacker
amends the existing hearing aid firmware with the complete "headset" BT protocol, including microphone
capabilities, and trivially disables the "speaker" BT audio protocol*. He then pairs the hearing aids to the cellphone,
and now the cellphone treats her hearing aids as another microphone, so if her cellphone is also hacked to
grab this microphone audio stream, it can forward that audio to anywhere on the planet.
So the hacker has transformed her hearing aids into a *bug*/remote listening device. Now why would hearing aids
be any worse than the cellphone itself being a bug? Hearing aids are a lot closer to important action: one person
whispering in another person's ear; the cellphone itself could be left hundreds of feet from the hearing aids -- which
could be both a plus and a minus, but if the hacker has the choice of *both* microphones, then he's in a much
better position to capture the important information.
---
But so far I've just been talking about the *current* state of the art.
A look at the capabilities of the Apple Watch indicates the direction that HW/SW is going within the next few years
on devices such as earbuds/hearing aids. There's no question that the microphones in hearing aids will eventually
be accessible via a BT "headset" protocol, so your objection will no longer be valid. I can't currently imagine why
one might want GPS in hearing aids, but some future microprocessors might come with GPS HW already built in,
so why not? After all, I can already "Find my earbuds" thanks to BTLE.
One of the reasons why hearing aids will be able to act as a microphone is that audio processing has become so
sophisticated -- with multiple microphones utilized to "steer" the microphone on the cellphone in the direction of
the sounds it wants to "hear". Incorporating two more microphones -- those in the L & R earbuds -- into this
processing will additionally improve this ability to "steer".
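
[Added example, not part of the original post.] A defender-side check for the scenario discussed above, where an output-only accessory starts exposing a microphone-capable "headset" profile: compare the service UUIDs a host lists for each paired device against a saved baseline and flag newly appearing Headset or Hands-Free profiles. The input format is assumed to be text in the style of `bluetoothctl info` output; the device address, names and sample text are constructed, and only classic Bluetooth profile IDs are covered.

```python
import re

# Bluetooth SIG 16-bit service class IDs (accessory side) that carry
# microphone audio from the accessory to the host.
MIC_PROFILES = {0x1108: "Headset (HSP)", 0x111E: "Hands-Free (HFP)"}
BASE_SUFFIX = "-0000-1000-8000-00805f9b34fb"  # Bluetooth base UUID tail
UUID_RE = re.compile(r"\(([0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})\)")

# Constructed sample text: the same device before and after the change.
BASELINE = """Device 00:11:22:33:44:55 (public)
\tName: Hearing Aid L (constructed)
\tUUID: Audio Sink                (0000110b-0000-1000-8000-00805f9b34fb)
"""
CURRENT = BASELINE + "\tUUID: Headset                   (00001108-0000-1000-8000-00805f9b34fb)\n"

def parse_devices(text):
    """Return {address: set of 128-bit UUID strings} from the listing text."""
    devices, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"Device ([0-9A-F:]{17})", line)
        if m:
            current = devices.setdefault(m.group(1), set())
        elif current is not None and line.startswith("UUID:"):
            u = UUID_RE.search(line)
            if u:
                current.add(u.group(1).lower())
    return devices

def short_id(uuid):
    """16-bit service class ID if built on the Bluetooth base UUID, else None."""
    if uuid.startswith("0000") and uuid.endswith(BASE_SUFFIX):
        return int(uuid[4:8], 16)
    return None

def audit(baseline_text, current_text):
    """List (address, profile) for mic-capable profiles absent from the baseline.
    A device missing from the baseline (never paired before) has an empty
    baseline set, so any mic-capable profile it exposes is reported."""
    base, now = parse_devices(baseline_text), parse_devices(current_text)
    findings = []
    for addr, uuids in sorted(now.items()):
        for u in sorted(uuids - base.get(addr, set())):
            if short_id(u) in MIC_PROFILES:
                findings.append((addr, MIC_PROFILES[short_id(u)]))
    return findings

if __name__ == "__main__":
    print(audit(BASELINE, CURRENT))
```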