Injected and Delivered: Fabricating Implicit Control over Actuation Systems by Spoofing Inertial Sensors

Inertial sensors provide crucial feedback for control systems to determine motional status and make timely, automated decisions. Prior efforts tried to control the output of inertial sensors with acoustic signals. However, their approaches did not consider sample rate drifts in analog-to-digital converters or many other realistic factors. As a result, few attacks demonstrated effective control over inertial sensors embedded in real systems. This work studies out-of-band signal injection methods that deliver adversarial control to embedded MEMS inertial sensors and evaluates the consequent vulnerabilities exposed in control systems relying on them. Acoustic signals injected into inertial sensors are out-of-band analog signals. Consequently, slight sample rate drifts could be amplified and cause deviations in the frequency of digital signals. Such deviations result in fluctuating sensor output; nevertheless, we characterize two methods to control the output: digital amplitude adjusting and phase pacing. Based on our analysis, we devise non-invasive attacks to manipulate the sensor output as well as the derived inertial information to deceive control systems. We test 25 devices equipped with MEMS inertial sensors and find that 17 of them could be implicitly controlled by our attacks. Furthermore, we investigate the generalizability of our methods and show that the digital output can be manipulated through signals with relatively low frequencies in the sensing channel.
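The drift amplification the abstract describes follows from ordinary aliasing, shown here as an added example that is not code from the paper. The tone frequency, sample rates and the helper names `alias_hz` and `measured_peak_hz` are constructed for illustration and describe no particular sensor.

```python
import cmath
import math

def alias_hz(f_in, fs_actual, fs_nominal):
    """Frequency the firmware perceives for an out-of-band tone at f_in.

    The ADC really samples at fs_actual, but the firmware interprets the
    samples on its nominal time base fs_nominal.
    """
    frac = (f_in / fs_actual) % 1.0             # cycles per sample, wrapped
    return min(frac, 1.0 - frac) * fs_nominal   # fold into [0, Nyquist]

def measured_peak_hz(f_in, fs_actual, fs_nominal, n=1000):
    """Sample the tone and locate the DFT peak, as a check on alias_hz."""
    samples = [math.cos(2 * math.pi * f_in * k / fs_actual) for k in range(n)]
    best_bin, best_mag = 0, -1.0
    for b in range(n // 2 + 1):
        acc = sum(x * cmath.exp(-2j * math.pi * b * k / n)
                  for k, x in enumerate(samples))
        if abs(acc) > best_mag:
            best_bin, best_mag = b, abs(acc)
    return best_bin * fs_nominal / n            # bin width is fs_nominal / n

# Constructed values: a 20 kHz tone sampled by an ADC nominally at 1 kHz.
F_TONE = 20000.0
FS_NOMINAL = 1000.0
FS_DRIFTED = 1000.1                             # 100 ppm faster than nominal

def drift_gain():
    """Shift in perceived frequency per hertz of sample rate drift."""
    shift = (alias_hz(F_TONE, FS_DRIFTED, FS_NOMINAL)
             - alias_hz(F_TONE, FS_NOMINAL, FS_NOMINAL))
    return shift / (FS_DRIFTED - FS_NOMINAL)

if __name__ == "__main__":
    print("no drift :", alias_hz(F_TONE, FS_NOMINAL, FS_NOMINAL), "Hz")
    print("drifted  :", alias_hz(F_TONE, FS_DRIFTED, FS_NOMINAL), "Hz")
    print("gain     :", drift_gain(), "(about F_TONE / FS_NOMINAL)")
```

With these values a 0.1 Hz sample rate drift turns a constant (0 Hz) digital output into one oscillating at about 2 Hz, which is the fluctuating output the abstract refers to.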
