Electromagnetic Eavesdropping on Device Microphones
A microphone does not have to be hacked to become useful to an attacker.
That is the practical problem in Sound of Interference, a USENIX Security 2025 paper on electromagnetic eavesdropping against digital MEMS microphones. The researchers showed that some microphones leak electromagnetic signals while processing audio, and those signals can carry enough information to recover speech.
For Those Who Don’t Speak Nerd
This paper shows that some modern microphones can leak sound through electromagnetic signals, even when the device has not been hacked. The attacker does not need malware, microphone permissions, or access to the computer. They need to be physically close with radio equipment.
The practical risk is not someone listening from across town. It is someone in the next room, hallway, or shared office space collecting leakage from a laptop, smart speaker, or certain microphone-equipped devices near a sensitive conversation. Laptops were the strongest target in the research. The tested headset was much weaker, which means the risk depends heavily on device design.
The Case
Now for those who want to delve into the nerdy details. The paper targets modern digital MEMS microphones that transmit audio using pulse density modulation, or PDM.
PDM microphones convert sound into a dense stream of digital pulses. The researchers found that harmonics from those pulses can retain acoustic information. With radio equipment and FM demodulation, they were able to recover audio from the microphone’s unintended electromagnetic emissions.
The tested attack model is simple: place an antenna near the target device, tune into the leaked signal, demodulate it, and reconstruct what the microphone is hearing.
The researchers tested the method against real devices, including laptops, a smart speaker, and a headset. The attack worked best against laptops. It worked less well against the tested headset.
This is not a claim that every headset is now a long-range room bug. The research shows that some microphone designs leak usable signal, and the surrounding device design can make that leakage much easier or harder to collect.
What Was Tested
The researchers tested multiple microphone-equipped devices, including:
Lenovo ThinkPad T480
Lenovo ThinkPad L580
ASUS Chromebook C204MA
Google Home
A redacted laptop
Jabra Evolve2 40 SE headset
They also tested different collection setups. Those included a probe antenna, loop antenna, Yagi antenna, and a low-cost antenna made from copper foil.
The laptop results were the strongest. The researchers reported consistent performance from the tested laptops, with high speaker and digit classification accuracy and usable word error rates. The Google Home and redacted laptop also produced recoverable signal, though with worse transcription performance.
The Jabra Evolve2 40 SE headset was different. The headset showed limited vulnerability in the paper’s generality testing. The reported digit classification was low, speaker classification was low, and word error rate reached 100 percent. The signal still showed some measurable similarity to the original speech, but it was not producing the same practical recovery that the laptops produced.
That is the cleanest way to treat headphones in this paper: headsets with digital MEMS microphones can be part of the affected class, but the tested headset was not the strongest target. Laptops and smart speakers were more useful to the attacker.
The Headphone Question
The vulnerable component is not the headphone speaker. It is the microphone.
A normal pair of headphones with no microphone is not the target here. A headset with a built-in microphone can be relevant if that microphone uses a PDM digital MEMS design and the surrounding electronics leak in a way that can be collected.
The paper’s named headset test was the Jabra Evolve2 40 SE. It was not immune, but it was a weak target compared with the laptops. That likely comes down to physical construction. Laptops can have longer microphone routing, larger internal structures, and layouts that unintentionally help radiate signal. A compact headset may give the attacker less signal to work with.
So the practical exposure is not “all headphones.” It is closer to this:
A headset with a PDM MEMS microphone may leak, but whether that leak is useful depends on the headset design, microphone routing, cable layout, shielding, attacker distance, antenna placement, and background electromagnetic noise.
For a physical attacker, the better targets are still devices with microphones that sit in rooms for long periods: laptops on conference tables, smart speakers, voice assistants, conferencing bars, docking setups, and possibly some headsets left connected during calls.
The Capability
The researchers demonstrated spoken digit recognition at up to 94.2 percent accuracy from 2 meters away against a victim laptop behind a 25 cm concrete wall. They also reported speech recovery from Harvard Sentences with a best transcription error rate of 14 percent using speech-to-text systems not trained on electromagnetic traces.
In another behind-the-wall setup using a plasterboard wall, speaker classification reached 99 percent at 20 cm and 97.3 percent at 25 cm, with a reported 6.5 percent word error rate.
For longer-distance testing with a Yagi antenna, classification accuracy reached 96 percent at 1 meter and 91.6 percent at 2 meters. Beyond 4 meters, recovery dropped significantly.
It should be noted that this is not a substitute for planted recording devices or similar listening devices with either proximity or line of sight (eg laser mic).
How a Physical Attacker Could Use It
The realistic scenario is not someone listening from far away. It is someone close to the target room but outside the room itself.
A laptop sits on a conference table near a shared wall. The attacker gets access to the adjacent office, hallway, hotel room, or service space and places an antenna close to that wall. During the meeting, the laptop’s PDM microphone processes speech and leaks weak electromagnetic signals. The attacker collects those emissions and reconstructs part of the audio.
No malware is installed. No microphone permission is abused. The room is never entered. So consider this as a similar attack to devices that allow for listening through windows or walls … at least for now.
How to Know if Headphones Are Vulnerable
There is no easy consumer check for this. The attack applies to microphone-equipped headsets that use digital MEMS microphones with PDM signaling, but most product pages do not list microphone type or interface.
Even then, using a PDM MEMS microphone (eg any mic commonly used by laptops or headsets) does not automatically mean the headset is a useful target. The paper tested a Jabra Evolve2 40 SE, and it leaked far less useful signal than the laptops. Practical vulnerability depends on the physical design: microphone routing, cable length, shielding, grounding, enclosure, and attacker distance.
The only reliable answer is model-specific testing with RF equipment. For most users, the practical rule is simple: if the headset has a built-in mic, treat it as an unknown microphone-bearing device in sensitive spaces.
Conclusion
Currently this isn’t an attack that is any more effective than any device that can hear through windows or walls or at short distances. However, like other tech, the interesting part of this project is its potential.
Where might this vulnerability be in a year from now? Is it possible to leverage this into something more dangerous ?
Remember it wasn’t to long ago that using wifi to see humans through walls was science fiction and now we can do it at 100 meters away.
Training Resources:
For individuals looking for a hands on training that includes all of the above topics, Covert Access Team (covertaccessteam.com) provides training courses focused on physical penetration testing, lockpicking, bypassing techniques, social engineering and other essential skills.
Covert Access Training - 5 day hands on course designed to train individuals and groups to become Covert Entry Specialists
Physical Audit Training - 2 day course on how to setup and run a physical security audit
Elicitation Toolbox Course - 2 day course of that primarily focuses on elicitation and social engineering as critical aspects of Black Teaming
Strategic Operations for Lone Operators - Advanced course for those who are interested in learning how to become a one man infiltration team.
Counter Elicitation - 2 day course on how to recognize and prevent elicitation attempts, and safegaurd your secrets.
Cyber Bootcamp for Black Teams - 2 day course designed explicitly for physical penetration testers who need vital cyber skills to add to their toolbox.
Private Instruction - Focused learning & training based on your needs .