Beware the Sonic cyberattack: Your smartphone and car can now be hacked using sound waves
Researchers used a $5 speaker to trick hardware sensors in phones, automobiles and Internet of Things devices.
Computer scientists from the University of Michigan and the University of South Carolina have devised a way to instantly hack into connected devices like smartphones, automobiles and Internet of Things (IoT)-enabled devices using sound and a cheap portable speaker.
The researchers have discovered a major security vulnerability that makes it possible to trick hardware sensors, located in all of these devices, using sound waves. The sensors in question are capacitive MEMS accelerometers that measure inertia – simply put the rate of change in an object's speed in three dimensions.
It seems that all through the years, as the IT industry programmed software, it was assumed as an established fact that software should automatically trust hardware sensors without question. However, no protections have been put in place to make sure that an attacker can't hack into a device through its sensors.
The researchers tested our 20 different types of accelerometers from five manufacturers, namely Bosch, ST Microelectronics, Analog Devices, InvenSense and Murata, and were able to deceive 17 of the sensors into believing that movement was occurring when it wasn't.
Accelerometers have an analog core – a mass suspended on springs – that moves as the object the accelerometer is embedded in picks up speed or changes direction.
Sensor Manufacturer | Sensor Model | Vulnerable to acoustic interference at 110 db SPL |
Bosch | BMA222E | Yes |
STMicroelectronics | MIS2DH | Yes |
STMicroelectronics | IIS2DH | Yes |
STMicroelectronics | LIS3DSH | Yes |
STMicroelectronics | LIS344ALH | Yes |
STMicroelectronics | H3LIS331DL | Yes |
InvenSense | MPU6050 | Yes |
InvenSense | MPU6500 | Yes |
InvenSense | ICM20601 | Yes |
Analog Devices | ADXL312 | Yes |
Analog Devices | ADXL337 | Yes |
Analog Devices | ADXL345 | Yes |
Analog Devices | ADXL346 | Yes |
Analog Devices | ADXL350 | Yes |
Analog Devices | ADXL362 | Yes |
Murata | SCA610 | No |
Murata | SCA820 | Yes |
Murata | SCA1000 | No |
Murata | SCA2100 | No |
Murata | SCA3100 | Yes |
When movement is detected, the digital components in the accelerometer send a signal to the other circuits, including the microprocessor. This is known as resonant frequency – it's the same phenomenon as when an opera singer hits a particularly high note and causes glass to break.
If you can figure out what the resonant frequency is on each accelerometer, then you can trick them into decoding each sound as a false-sensor reading that is delivered to the microprocessor. Once you can trick the device, the sensors become a handy backdoor so you can take over the rest of the system.
For example, the researchers used a $5 (£4) speaker to create noise that tricked a Fitbit into thinking that the user had walked thousands more steps than in reality. They also created malicious music files to hijack smartphone accelerometers, which then let them hijack an Android app and gain control over a remote-controlled toy car.
The computer scientists also noticed other security flaws – it is possible to hijack the digital "low pass filters" that govern how analog signals are digitally processed to screen out the highest frequencies, as some filters clean up the audio signal in such a way that it makes it much easier to hijack the system.
Aside from highlighting security bugs in hardware sensors, the researchers have also developed two affordable patent-pending software defensive shield solutions that they are now seeking to commercialise. They have also made the manufacturers aware of the accelerometer problems.
The open access paper, entitled "WALNUT: Acoustic Attacks on MEMS Sensors", will be presented at the IEEE European Symposium on Security and Privacy on 26 April in Paris.
© Copyright IBTimes 2024. All rights reserved.