Don't assume you can trust the hardware sensors in your phone and other connected devices, researchers warn.
Project lead Kevin Fu: "Our findings upend widely held assumptions about the security of the underlying hardware."
Image: Joseph Xu, Michigan Engineering
Researchers have shown that a malicious music file can trick an accelerometer into giving false readings.
Researchers from the University of Michigan and the University of South Carolina have revealed a handful of sonic hacks on sensors that might not seem dangerous today, but do show one more way that hackers could use the Internet of Things to cause physical harm.
The researchers demonstrated that acoustic signals at the right frequency can apply enough pressure on an accelerometer's sensing mechanism, a mass buoyed on springs, that it can spoof acceleration signals.
The study focused on capacitive MEMS accelerometers, which measure acceleration in three dimensions. The sensor helps ensure the rotation of a smartphone's screen is always positioned the right way up, counts steps in fitness trackers, and assists positioning in autonomous vehicles.
One attack demonstrated tricking a Fitbit into counting thousands of false steps. While the researchers admit this technique doesn't represent a significant security risk, the work more broadly highlights issues with trusting hardware sensors whose outputs can influence autonomous systems by giving false readings to a device's microprocessors.
Fitbit pointed out that the hack does not involve a compromise of its users' data and what the researchers are describing is simply a way to game the system. "We continue to explore solutions that help mitigate the potential for this type of behavior," the company said.
Another example presented by the researchers targeted a remote-control car that can be driven by a smartphone app that uses the phone's accelerometer for steering.
Normally, tilting the phone in a certain direction should steer the car in that same direction, but the researchers were able to use a music player app installed on a Galaxy S5 to trick its accelerometer into steering the RC car without tilting the phone.
They also used another malicious music file to force a Samsung Galaxy S5's accelerometer to spell out the word 'walnut' in a graph of its readings.
The group were able to trick 15 of the 20 accelerometers they tested from five different vendors, including Bosch, STMicroelectronics, InvenSense, Analog Devices, and Murata. The list of affected accelerators includes STMicroelectronics' MIS2DH, which is aimed at the market for implantable medical devices.
The hacks highlight new ways to backdoor IoT devices that use sensors to trigger actuators, like those used in robots and other machinery to set components in motion. Such weaknesses might be missed by a classic computer penetration test.
"The fundamental physics of the hardware allowed us to trick sensors into delivering a false reality to the microprocessor. Our findings upend widely held assumptions about the security of the underlying hardware," said Kevin Fu, the project's lead and associate professor of computer science and engineering.
"If you look through the lens of computer science, you won't see this security problem. If you look through the lens of materials science, you won't see this security problem. Only when looking through both lenses at the same time can one see these vulnerabilities."
Fu, who is known for his work on medical device security, has previously called for the US government to establish a national facility to test the security of all IoT devices.
At a hearing last October, in the wake of the attacks on Dyn, he suggested the facility could undertake premarket testing, post-attack testing, survivability and destruction testing.