Physical attack of hackers! Sound waves attack the acceleration sensor

When people think of hacker attacks, most think first of intrusions at the software and network communication level. Few realize that hardware sensors can be attacked too, and fewer still would expect the attack path to be ubiquitous sound waves. A recent University of Michigan study, however, successfully used sound waves to attack acceleration sensors, compromising a smartphone and the Fitbit smart wearable wristband.

Research introduction

This research mainly simulates acoustic attacks on capacitive MEMS acceleration sensors and deceives the sensors by deliberately creating interference. Microprocessors and embedded systems often "blindly trust" the output of these sensors, so an attacker can exploit that trust to selectively feed chosen values to them.

As the researchers state in the paper, the contribution of this research lies mainly in three areas:

First, physical modeling of malicious acoustic interference with MEMS acceleration sensors.

Second, research on circuit defects. It is because of these circuit defects that MEMS acceleration sensors and the systems using them are vulnerable to acoustic intrusion attacks.

Third, two software defense methods that reduce the security risks of MEMS acceleration sensors.

Kevin Fu, an associate professor in the Department of Computer Science and Engineering at the University of Michigan, led the research. The team used precisely tuned tones to deceive different types of acceleration sensors. This spoofing attack becomes a back door into these devices, which attackers can use to launch attacks on them.

About this research, the professor said, "Our research subverts the general assumption about the underlying hardware. If you stand in the perspective of computer science, you will not find this security problem. If you stand in the perspective of materials science, you will not find this security problem. Only if you stand in the perspective of computer science and materials science will you find these security vulnerabilities."

Acceleration sensor

In this study, the attack method is sound waves and the target is the acceleration sensor, so we briefly introduce acceleration sensors and where they are used.

An acceleration sensor measures the change in velocity of an object in three-dimensional space. It usually consists of a mass, a damper, an elastic element, a sensing element and a conditioning circuit. Depending on the sensing element, common types of acceleration sensor include capacitive, inductive, strain, piezoresistive and piezoelectric.

Acceleration sensors are widely used in automotive electronics, aerospace, medical electronics, unmanned aerial vehicles, smartphones, smart hardware, IoT and other industrial and consumer electronics fields. They collect acceleration data from objects and send it to microprocessors and embedded systems for analysis and decision-making. Their uses include aircraft navigation, game control, controller vibration and shaking, vehicle brake and start detection, seismic detection, stratification degree measurement, engineering vibration measurement, geological exploration, and vibration testing and analysis.

Attack demonstration

To demonstrate these attacks and reveal the related security vulnerabilities, the researchers acted as white hat hackers and conducted several experiments.

Experiment 1: They played different malicious music files to control the acceleration sensor, making the output signal of the chip in a Samsung Galaxy S5 spell out the word "walnut".

Experiment 2: They used a $5 loudspeaker to deceive the acceleration sensor in a Fitbit wristband, so that the wristband registered false step counts without having moved a single step.

Experiment 3: They played a "malicious virus" music file through a smartphone speaker to control the acceleration sensor of an Android phone, which is trusted by an application that controls a toy car. In this way they tricked the application into remotely controlling the toy car.

(image source: University of Michigan)

Attack principle

A capacitive MEMS acceleration sensor measures acceleration by sensing the displacement of a mass during acceleration. The following figure is a schematic diagram of a MEMS acceleration sensor.

(image source: University of Michigan)

When subjected to an acceleration force, the sensing mass is displaced, causing a change in capacitance that is then converted into an analog voltage signal. This voltage signal represents the sensed acceleration.

An acoustic pressure wave affects the objects in its propagation path. At the resonant frequency, the elastic structure holding the sensing mass responds to the acoustic interference, which moves the sensing mass and results in false acceleration signals. The process is similar to a singer's voice shattering a glass, which is also a resonance phenomenon.

This spoofed acceleration signal is correlated with the acoustic interference signal, as shown in the following figure. Importantly, the resonant frequency of the elastic structure depends on its physical design, and the frequency of the acoustic interference must match it for the false acceleration to be produced.

(image source: University of Michigan)

The acoustic attack scheme for a MEMS acceleration sensor is therefore very simple:

An acoustic sine wave is amplitude-modulated with the signal that the sensor is meant to output, while the frequency of the acoustic signal must be the same as the resonant frequency of the MEMS sensor.

The following figure shows how the researchers deceived a MEMS acceleration sensor into producing an output signal that spells the word "walnut".

(image source: University of Michigan)

If a system or device relies on a vulnerable MEMS sensor of this kind to make automatic state-change decisions, attackers are likely to exploit the vulnerability to attack it.

To demonstrate this, as mentioned in Experiment 3, the researchers used a Samsung Galaxy S5 smartphone running an application that controls a toy car. The application steers the toy car based on the measurements of the smartphone's MEMS acceleration sensor. Under normal circumstances, the user tilts the phone to different angles to control the car's direction of movement. Under acoustic attack, the car can be made to move without the phone moving.

(image source: University of Michigan)

Affected sensor models

The experiment only measured the signals of 20 different MEMS acceleration sensors from 5 different chip manufacturers. However, other MEMS sensors besides acceleration sensors, such as MEMS gyroscopes, are also vulnerable to this type of attack.

The sensors that the researchers tested and found to be at risk are listed in the figure below. B denotes an output biasing attack and C denotes an output control attack; sensor models marked with B and C are vulnerable to the corresponding type of attack.

(image source: University of Michigan)

These sensors are not vulnerable under every configuration, but each is vulnerable in at least one. The acoustic interference considered in the experiment was at a sound pressure level of 110 dB, and lower amplitudes can also adversely affect various sensors.

Circuit defects

The researchers say that the defects in these systems come from the "digital processing of analog signals". The digital "low-pass filter" filters out the highest frequencies and amplitudes, but was not designed with security in mind.

In these cases, they inadvertently cleaned up the sound signal, which created the vulnerability and made it easier for the team to control the system.

Coping strategies

For details on how to deal with this attack, refer to the research paper in the resources at the end of the article.

In short, a variety of technical solutions can make the use of sensors safe. There are, however, two common coping strategies:

When deploying MEMS sensors, limit their exposure to acoustic interference, for example by placing acoustic dampening foam around them.

Use data processing algorithms to reject abnormal acceleration signals, especially those with frequency components near the resonant frequency of the MEMS sensor.
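A sketch of the second strategy, added here as an example (it is not code from the paper or from the original article): windows of accelerometer samples are rejected when they carry energy at the frequency where the sensor's resonance lands after sampling. The output data rate, the resonant frequency, the threshold and the sample data are all constructed assumptions; because the assumed data rate is far below the resonance, the check watches the folded (aliased) frequency.

```python
import math

FS_HZ = 400.0      # assumed accelerometer output data rate
F_RES_HZ = 5130.0  # assumed resonant frequency of the part (constructed value)
LIMIT_G = 0.05     # assumed rejection threshold, in g

def alias_hz(f_hz, fs_hz):
    """Frequency at which a tone at f_hz shows up after sampling at fs_hz."""
    f = math.fmod(f_hz, fs_hz)
    return fs_hz - f if f > fs_hz / 2 else f

def tone_amplitude(samples, f_hz, fs_hz):
    """Goertzel estimate of the amplitude (in g) of the f_hz component."""
    n = len(samples)
    mean = sum(samples) / n  # remove gravity / constant offset first
    coeff = 2 * math.cos(2 * math.pi * f_hz / fs_hz)
    s1 = s2 = 0.0
    for x in samples:
        s1, s2 = (x - mean) + coeff * s1 - s2, s1
    power = s1 * s1 + s2 * s2 - coeff * s1 * s2
    return 2 * math.sqrt(max(power, 0.0)) / n

def filter_windows(windows, f_res_hz, fs_hz, limit_g):
    """Return (accepted, rejected); reject energy at the folded resonance."""
    watch_hz = alias_hz(f_res_hz, fs_hz)
    accepted, rejected = [], []
    for w in windows:
        hit = tone_amplitude(w, watch_hz, fs_hz) > limit_g
        (rejected if hit else accepted).append(w)
    return accepted, rejected

def make_window(tone_g, n=400):
    """Constructed data: 1 g gravity + 0.3 g, 2 Hz motion + optional resonant tone."""
    return [1.0
            + 0.3 * math.sin(2 * math.pi * 2.0 * k / FS_HZ)
            + tone_g * math.sin(2 * math.pi * F_RES_HZ * k / FS_HZ)
            for k in range(n)]

if __name__ == "__main__":
    clean, noisy = make_window(0.0), make_window(0.2)
    ok, bad = filter_windows([clean, noisy], F_RES_HZ, FS_HZ, LIMIT_G)
    print("watching", alias_hz(F_RES_HZ, FS_HZ), "Hz;",
          len(ok), "accepted,", len(bad), "rejected")
```

If the resonance folds to 0 Hz at the chosen data rate, the interference appears as a constant offset and this check cannot separate it from real acceleration, so the data rate should be chosen with the part's resonant frequency in mind.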

The researchers introduced two low-cost software defense schemes in their paper that can minimize the vulnerability, and they also reminded manufacturers to address these problems.
