Researchers at the University of Michigan have hacked MEMS accelerometers in smartphones and IoT designs using sound waves.
By tuning into the resonant frequencies of the micro-machined sensors, the researchers, led by Kevin Fu, associate professor of computer science and engineering, could deceive 15 different models of accelerometers into registering movement that never occurred.
"The fundamental physics of the hardware allowed us to trick sensors into delivering a false reality to the microprocessor," said Fu. "Our findings upend widely held assumptions about the security of the underlying hardware. If you look through the lens of computer science, you won't see this security problem. If you look through the lens of materials science, you won't see this security problem. Only when looking through both lenses at the same time can one see these vulnerabilities."
The researchers performed several proof-of-concept demonstrations: They used a $5 speaker to inject thousands of fictitious steps into a Fitbit. They played a malicious music file from a smartphone's own speaker to control the phone's accelerometer trusted by an Android app to pilot a toy remote control car. They used a different malicious music file to cause a Samsung Galaxy S5's accelerometer to spell out the word "WALNUT" in a graph of its readings.
"Analogue is the new digital when it comes to cybersecurity," said Fu. "Thousands of everyday devices already contain tiny MEMS accelerometers. Tomorrow's devices will aggressively rely on sensors to make automated decisions with kinetic consequences."
Autonomous systems like package delivery drones and self-driving cars, for example, base their decisions on what their sensors tell them, said Timothy Trippel, a doctoral student in computer science and engineering and first author of the paper: WALNUT: Waging Doubt on the Integrity of MEMS Accelerometers with Acoustic Injection Attacks.
Trippel noticed additional vulnerabilities in these systems as the analog signal was digitally processed. Digital "low pass filters" that screen out the highest frequencies, as well as amplifiers, haven't been designed with security in mind, he said. In some cases, they inadvertently cleaned up the sound signal in a way that made it easier for the team to control the system.
The researchers recommend ways to adjust hardware design to eliminate the problems. They also developed two low-cost software defenses that could minimize the vulnerabilities, and they've alerted manufacturers to these issues.
The university is pursuing patent protection for the intellectual property and is seeking commercialization partners to help bring the technology to market.