Boffins Rickroll smartphone by tickling its accelerometer
Phones blindly trust what their sensors tell them. So they're open to spoofing. Sigh
Smartphone vendors might be learning to mistrust software, but what about the hardware? University of Michigan boffins have put this question to the world by sending unauthorised data to a Samsung turns-out-to-be-not-so-smartphone by buzzing its accelerometer.
The problem highlighted in this paper is that systems “blindly trust the unvalidated integrity of sensor inputs”.
MEMS (micro-electrical mechanical systems)-based accelerometers can be hosed by lots of loud, random noise, but Timothy Trippel, Ofir Weisse, Peter Honeyman and Kevin Fu of the University of Michigan and Wenyuan Xu of the University of South Carolina wanted to go further, and use modulated sound to push signals into the target (for their demonstration, a Samsung Galaxy S5).
“Spoofing such sensors with intentional acoustic interference enables an out-of-spec pathway for attackers to deliver chosen digital values to microprocessors and embedded systems”, they write.
As you can see in the video below, the group kept their attack simple, merely tricking the Galaxy S5 into displaying the word WALNUT on its screen.
The MEMS detects movement of the phone by the movement of a tiny mass inside the component, which changes its capacitance; this is amplified, fed to an analogue-digital converter (ADC), and presented to the processor as a digital value.
Attacking the sensor isn't trivial – as they write, it's not a “lunch-time attack” – but since the accelerometers are common chips, it's not hard to get a device and model its response to vibrations.
Since a victim is bound to notice if you aim a loudspeaker at their phone, so there's another nifty angle to the WALNUT attack: it's carried in audio played on the target device. That way, an attack could be embedded in what seems like a harmless music file (the researchers call this a “drive-by ditty”).
Having identified the resonant frequency of the target accelerometer – for example, an ADXL337 from Analog Devices resonates at 2.9 kHz – it's a cinch to embed control signals into a music video.
Warning: it's a Rickroll. Of course it is
As another level of difficulty, the Trippel's team also attacked an RC car's control app using the accelerometer, as well as spoofing thousands of steps on a FitBit app.
The attack takes advantage of aliasing in the ADC's sampler, and either amplitude modulation or phase modulation can create signals the phone will misinterpret.
The researchers characterised sensors from Bosch, STMicroelectronics, InvenSense, Analog Devcies and Murata, and only three devices (all from Murata) were immune to attack.
The paper notes that there are two software defences available: software can randomise the sampling at the ADC, which blocks the biasing attack because it depends on predictable sampling intervals; and adjusting the sampling phase by 180°, because this attenuates signals at the resonant frequency. ®