Compromised speakers can be forced to play tones so loud that the speakers start to melt


Smart speaker malware plays Spinal Tap: film at 11.




Speakers melting? That’s amateur hour. Call me when they can melt faces.


speakers start to melt

Saw that happen at an AC/DC concert, wicked as hell.


If something is capable of overheating in (what is by definition) normal operation, then they’re physically unsafe and probably shouldn’t have a UL / CE approval. But other than that, it doesn’t seem like much of a revelation that malware can make undesirable sound issue from your computer. Especially if you count autoplaying videos as “malware”, which you should.

(I assume the point here is that the logic in the devices themselves can be compromised, which is useful info, but the fact that headphone malware can make noise seems like the least important part. It’d be more interesting to know if, say, infected Bluetooth headphones can be used to compromise another device.)


People have dreamed of such a thing.


I was mixing a show once where the crossover in the speaker started on fire. From the standpoint of the guy behind the mixer, not so cool. Everyone else, wicked cool.


I may be wrong here… but it seems like the safeguards preventing fires really should do their job without any logic coming into the picture at all. Sort of like what the MCAS *should* have been doing with an aerodynamically sound aircraft. Or a Tesla in autodrive. Malware might be able to brick the device and keep it from starting, but it shouldn’t be able to turn a functioning device into a weapon.


let’s see here

my desktop speakers–

Klipsch B20: Power Handling 85W RMS (350 W Peak)
Sensitivity: 92.5 dB/ 1 W 1m

Presently, they are connected to a 50W stereo amplifier.

so theoretically, with the volume turned all the way up they could produce a 120 dB peak.

(Threshold of pain, thunderclap)

However, the volume knob is turned close to minimum.

On the other hand, my living room receiver is AirPlay compatible. Was testing it out, from another room, and learned that main volume is remotely controllable from iTunes. Oops… However, those speakers are 88 dB/W, the amplifier is again 50W/channel, and the listening position is 10 ft away (98.3 peak SPL).


By “melt components” I would assume they are talking about speaker voice coils and/or output transistors. These parts should burn out and open circuit before they catch fire. With the appropriate waveform this can be done with any amplifier/speaker, a common outcome of poorly matched audio components in the trunks of cars in high school parking lots. What is different here is the ability for someone to attack the device remotely.


What is really amazing is how over the past decade or so most consumer speakers have integrated DSP powered algorithms that prevent them from being overdriven while simultaneously allowing them to be safely driven harder than speakers ever could in the past.

For a simple example, speakers today will reduce the relative amount of bass as the volume is increased, so you can get much more mid and high range power out of a driver that would overexcurse otherwise with too much low frequency power. More complicated DSP processing can calculate in real time how much thermal power is being generated and dispersed, even environmental temps, so you can get right up to the limits of the speaker instead of having to use guidelines which will reduce available output. Then there are a whole raft of DSP corrections for driver, enclosure, and even room response. These corrections would otherwise tend to cause clipping in certain bands but again the DSP program can be designed to go right up to but not over the physical limits of the amps and drivers.

This sort of processing is a big reason why you can get decent sound out of little laptop and phone speakers. And why it is rare to hear clipping or serious speaker distortion anymore. It cannot be done without software.


Not a problem. Mine already go to 11.


I agree with the spirit of the comic, but implying that the goddamn treasure that is Shirley Ellis is somehow equivalent to “The Macarena” ain’t right. One of Randall’s rare misses.


Here’s how DEFCON describes the actual talk.

Sound Effects: Exploring Acoustic Cyber-weapons

Matt Wixey, Cyber Security Research Lead, PwC UK

While recent research has explored the capability of attacks to cause harm by targeting devices – e.g., SCADA systems, vehicles, medical implant devices - little consideration has been given to the concept of attacks affecting psychological and physiological health by targeting humans themselves.

In a first-of-its-kind study, we assessed the capability of several consumer devices to produce sound at high and low frequencies which may be imperceptible to many people, as a result of remote and local attacks, and compared the resulting sound levels to maximum recommended levels. In doing so, we tested their viability as localised acoustic weapons which could cause temporary/permanent hearing damage and/or adverse psychological effects. We examined a number of countermeasures, including a tool to detect specified frequencies above specified thresholds.

In this talk, I will cover the background of malware which has, intentionally or not, caused physical or psychological harm. I will explore previous research on the harmful effects of sound, focusing particularly on high and low frequencies, and some of the guidance which has been proposed to limit exposure to such sound. I will examine the use of imperceptible sound as applied to security research (covert channels, ultrasonic tracking beacons, etc), and will present our experiments and findings, including threat models, methodology, the attacks we developed, and the implications of our results. Finally, I will suggest a number of countermeasures and outline some possible areas for future research.

Maybe the Wired reporter was reporting on an interesting sidenote. Maybe Wixey actually spent a lot of time talking about melting a speaker remotely. It’s kind of hard to judge without seeing a video. What’s DEFCON’s policy on posting talks? Is there a months-long embargo?

1 Like
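
The abstract quoted above mentions, as a countermeasure, a tool that detects specified frequencies above specified thresholds. A sketch of that kind of check follows; it is an added example, not part of the thread and not the tool from the talk. The watched frequencies, the limits and the audio blocks are constructed, and levels are in dBFS (digital level), which only maps to sound pressure once a particular speaker or microphone has been calibrated.

```python
import math

def goertzel_level_dbfs(samples, sample_rate, freq_hz):
    """Level of one frequency in a block, in dB relative to a full-scale sine."""
    n = len(samples)
    k = round(n * freq_hz / sample_rate)        # nearest DFT bin
    coeff = 2 * math.cos(2 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in samples:                           # Goertzel recurrence
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    power = s1 * s1 + s2 * s2 - coeff * s1 * s2  # |X[k]|^2
    amplitude = 2 * math.sqrt(max(power, 0.0)) / n
    return 20 * math.log10(max(amplitude, 1e-12))

def scan(samples, sample_rate, watchlist):
    """Return (freq_hz, level_dbfs) for each watched frequency over its limit."""
    alerts = []
    for freq_hz, limit_dbfs in sorted(watchlist.items()):
        level = goertzel_level_dbfs(samples, sample_rate, freq_hz)
        if level > limit_dbfs:
            alerts.append((freq_hz, round(level, 1)))
    return alerts

def tone(freq_hz, amplitude, n, sample_rate):
    """Constructed test signal: a pure sine."""
    return [amplitude * math.sin(2 * math.pi * freq_hz * i / sample_rate)
            for i in range(n)]

RATE, N = 48000, 4800                           # one 100 ms block
# Assumed policy: flag near-ultrasonic and infrasonic-range content
# that most listeners would not notice, above -30 dBFS.
WATCHLIST = {19000: -30.0, 30: -30.0}

# Constructed blocks: ordinary audible tone, and the same tone with a
# strong 19 kHz component mixed in.
CLEAN = tone(440, 0.5, N, RATE)
SUSPECT = [a + b for a, b in zip(tone(440, 0.25, N, RATE),
                                 tone(19000, 0.4, N, RATE))]

if __name__ == "__main__":
    print("clean  :", scan(CLEAN, RATE, WATCHLIST))
    print("suspect:", scan(SUSPECT, RATE, WATCHLIST))
```

Running the same scan on the signal a device is about to send to its amplifier, rather than on a microphone capture, would catch the tone before it is played.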

All I want is a way to get whatever music I want playing through the speakers of the people who blast music in public spaces.
Say, Mr Thug, won’t you sing along The Sounds of Music? Or worse, of course, but it wouldn’t be nice to name some of the earworms.

If only they had known in the late seventies that there was one louder than eleven even, “on fire”. My shoop skills (ha ha) aren’t up to it. Anyone?

Imagine early man devising ways to compromise another man’s drum log.

“What if I sent over a monkey…”


Keep away from cows and pigs? What about the sheep? Ohhh…
