When most people think about the security of their devices and gadgets, they think about protecting the software from being hacked. A team of researchers from the University of Michigan (U-M) and the University of South Carolina (U of SC), however, aren’t like most people. Their study of cybersecurity has led them to examine hardware-based vulnerabilities in devices.
“You can think of it as a musical virus.”
In a study they will present at the IEEE European Symposium on Security and Privacy in April, the team explored how sound could be used to hack the accelerometers found in many of today’s gadgets. These instruments are used to measure acceleration, and they are often manufactured as silicon-based chips called microelectromechanical systems (MEMS). Acoustic injection attacks have previously been used to disable MEMS-based gyroscopes, and through their study, these researchers have demonstrated that they can also affect MEMS technologies in motion-drive applications.
“It’s like the opera singer who hits the note to break a wine glass, only in our case, we can spell out words” Kevin Fu, one of the paper’s authors and an associate professor of electrical engineering and computer science at U-M, explained to the New York Times. “You can think of it as a musical virus.”
The team reportedly hacked Fitbit fitness monitoring devices and smartphones by exploiting this flaw, which they found in more than half of the 20 commercial gadget brands from five chip developers they tested. Using targeted acoustic injections, they managed to add steps to a Fitbit’s counter and interfere with a phone’s accelerometer by playing a “malicious” music file from the phone’s speakers. With 75 percent of the devices they tested, the researchers were able to affect information or output. In 65 percent of the devices, they managed to control the output.
Accelerometers are particularly common today, as many modern devices include features designed to assist with navigation or measure distance. It’s such a small piece of hardware, but when hacked, it can be used for very troublesome purposes that extend far beyond adding a few extra steps in your Fitbit.
As technology advances and other hardware vulnerabilities are discovered, we could face many currently unanticipated problems. Imagine someone hacking an autonomous vehicle, automated pacemaker, or insulin pump. Those devices could be compromised not just by a software-based attack but by exploiting hardware vulnerabilities, too. That sort of attack is exactly what Fu and his team of researchers want to prevent.
“Our results call into question the wisdom of allowing microprocessors and embedded systems to blindly trust that hardware abstractions alone will ensure the integrity of sensor outputs,” the team wrote. They hope that their study will result in new measures that strengthen cybersecurity in the future. In their paper, they even suggest possible hardware and software adjustments manufacturers could implement to protect devices against the flaws demonstrated by their study.
As the Internet of Things (IoT) grows, it’s comforting to know people like Fu are working to protect against these vulnerabilities so that we can all benefit from the new era of interconnectivity.