对MEMS加速度计声学注入攻击的完整性提出质疑

2017 IEEE European Symposium on Security and Privacy (EuroS&P) Pub Date : 2017-04-26 DOI:10.1109/EuroSP.2017.42

Timothy Trippel, Ofir Weisse, Wenyuan Xu, P. Honeyman, Kevin Fu

{"title":"对MEMS加速度计声学注入攻击的完整性提出质疑","authors":"Timothy Trippel, Ofir Weisse, Wenyuan Xu, P. Honeyman, Kevin Fu","doi":"10.1109/EuroSP.2017.42","DOIUrl":null,"url":null,"abstract":"Cyber-physical systems depend on sensors to make automated decisions. Resonant acoustic injection attacks are already known to cause malfunctions by disabling MEMS-based gyroscopes. However, an open question remains on how to move beyond denial of service attacks to achieve full adversarial control of sensor outputs. Our work investigates how analog acoustic injection attacks can damage the digital integrity of a popular type of sensor: the capacitive MEMS accelerometer. Spoofing such sensors with intentional acoustic interference enables an out-of-spec pathway for attackers to deliver chosen digital values to microprocessors and embedded systems that blindly trust the unvalidated integrity of sensor outputs. Our contributions include (1) modeling the physics of malicious acoustic interference on MEMS accelerometers, (2) discovering the circuit-level security flaws that cause the vulnerabilities by measuring acoustic injection attacks on MEMS accelerometers as well as systems that employ on these sensors, and (3) two software-only defenses that mitigate many of the risks to the integrity of MEMS accelerometer outputs. We characterize two classes of acoustic injection attacks with increasing levels of adversarial control: output biasing and output control. We test these attacks against 20 models of capacitive MEMS accelerometers from 5 different manufacturers. Our experiments find that 75% are vulnerable to output biasing, and 65% are vulnerable to output control. To illustrate end-to-end implications, we show how to inject fake steps into a Fitbit with a $5 speaker. In our self-stimulating attack, we play a malicious music file from a smartphone's speaker to control the on-board MEMS accelerometer trusted by a local app to pilot a toy RC car. In addition to offering hardware design suggestions to eliminate the root causes of insecure amplification and filtering, we introduce two low-cost software defenses that mitigate output biasing attacks: randomized sampling and 180 degree out-of-phase sampling. These software-only approaches mitigate attacks by exploiting the periodic and predictable nature of the malicious acoustic interference signal. Our results call into question the wisdom of allowing microprocessors and embedded systems to blindly trust that hardware abstractions alone will ensure the integrity of sensor outputs.","PeriodicalId":233564,"journal":{"name":"2017 IEEE European Symposium on Security and Privacy (EuroS&P)","volume":"19 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2017-04-26","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"215","resultStr":"{\"title\":\"WALNUT: Waging Doubt on the Integrity of MEMS Accelerometers with Acoustic Injection Attacks\",\"authors\":\"Timothy Trippel, Ofir Weisse, Wenyuan Xu, P. Honeyman, Kevin Fu\",\"doi\":\"10.1109/EuroSP.2017.42\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"Cyber-physical systems depend on sensors to make automated decisions. Resonant acoustic injection attacks are already known to cause malfunctions by disabling MEMS-based gyroscopes. However, an open question remains on how to move beyond denial of service attacks to achieve full adversarial control of sensor outputs. Our work investigates how analog acoustic injection attacks can damage the digital integrity of a popular type of sensor: the capacitive MEMS accelerometer. Spoofing such sensors with intentional acoustic interference enables an out-of-spec pathway for attackers to deliver chosen digital values to microprocessors and embedded systems that blindly trust the unvalidated integrity of sensor outputs. Our contributions include (1) modeling the physics of malicious acoustic interference on MEMS accelerometers, (2) discovering the circuit-level security flaws that cause the vulnerabilities by measuring acoustic injection attacks on MEMS accelerometers as well as systems that employ on these sensors, and (3) two software-only defenses that mitigate many of the risks to the integrity of MEMS accelerometer outputs. We characterize two classes of acoustic injection attacks with increasing levels of adversarial control: output biasing and output control. We test these attacks against 20 models of capacitive MEMS accelerometers from 5 different manufacturers. Our experiments find that 75% are vulnerable to output biasing, and 65% are vulnerable to output control. To illustrate end-to-end implications, we show how to inject fake steps into a Fitbit with a $5 speaker. In our self-stimulating attack, we play a malicious music file from a smartphone's speaker to control the on-board MEMS accelerometer trusted by a local app to pilot a toy RC car. In addition to offering hardware design suggestions to eliminate the root causes of insecure amplification and filtering, we introduce two low-cost software defenses that mitigate output biasing attacks: randomized sampling and 180 degree out-of-phase sampling. These software-only approaches mitigate attacks by exploiting the periodic and predictable nature of the malicious acoustic interference signal. Our results call into question the wisdom of allowing microprocessors and embedded systems to blindly trust that hardware abstractions alone will ensure the integrity of sensor outputs.\",\"PeriodicalId\":233564,\"journal\":{\"name\":\"2017 IEEE European Symposium on Security and Privacy (EuroS&P)\",\"volume\":\"19 1\",\"pages\":\"0\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2017-04-26\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"215\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"2017 IEEE European Symposium on Security and Privacy (EuroS&P)\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1109/EuroSP.2017.42\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"2017 IEEE European Symposium on Security and Privacy (EuroS&P)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/EuroSP.2017.42","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 215

摘要

网络物理系统依赖传感器来做出自动决策。众所周知，共振声注入攻击可以通过禁用基于mems的陀螺仪导致故障。然而，一个悬而未决的问题仍然是如何超越拒绝服务攻击，以实现对传感器输出的完全对抗性控制。我们的工作研究了模拟声注入攻击如何破坏一种流行类型的传感器的数字完整性:电容式MEMS加速度计。通过故意的声音干扰来欺骗这些传感器，攻击者可以通过不规范的途径将选定的数字值传递给微处理器和嵌入式系统，这些系统盲目地相信未经验证的传感器输出的完整性。我们的贡献包括(1)对MEMS加速度计上恶意声学干扰的物理建模，(2)通过测量对MEMS加速度计以及这些传感器上使用的系统的声学注入攻击来发现导致漏洞的电路级安全漏洞，以及(3)两个仅限软件的防御措施，减轻了MEMS加速度计输出完整性的许多风险。我们描述了两类声波注入攻击与对抗控制水平的增加:输出偏置和输出控制。我们针对来自5个不同制造商的20种电容式MEMS加速度计测试了这些攻击。我们的实验发现75%易受输出偏置的影响，65%易受输出控制的影响。为了说明端到端的含义，我们展示了如何将假步骤注入带有5美元扬声器的Fitbit。在我们的自我刺激攻击中，我们从智能手机的扬声器中播放恶意音乐文件，以控制由本地应用程序信任的车载MEMS加速度计，以驾驶玩具RC汽车。除了提供硬件设计建议以消除不安全放大和滤波的根本原因外，我们还介绍了两种低成本的软件防御，以减轻输出偏置攻击:随机采样和180度反相采样。这些纯软件方法通过利用恶意声学干扰信号的周期性和可预测性来减轻攻击。我们的结果对允许微处理器和嵌入式系统盲目地相信硬件抽象将确保传感器输出的完整性的智慧提出了质疑。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

查看原文本刊更多论文

WALNUT: Waging Doubt on the Integrity of MEMS Accelerometers with Acoustic Injection Attacks

Cyber-physical systems depend on sensors to make automated decisions. Resonant acoustic injection attacks are already known to cause malfunctions by disabling MEMS-based gyroscopes. However, an open question remains on how to move beyond denial of service attacks to achieve full adversarial control of sensor outputs. Our work investigates how analog acoustic injection attacks can damage the digital integrity of a popular type of sensor: the capacitive MEMS accelerometer. Spoofing such sensors with intentional acoustic interference enables an out-of-spec pathway for attackers to deliver chosen digital values to microprocessors and embedded systems that blindly trust the unvalidated integrity of sensor outputs. Our contributions include (1) modeling the physics of malicious acoustic interference on MEMS accelerometers, (2) discovering the circuit-level security flaws that cause the vulnerabilities by measuring acoustic injection attacks on MEMS accelerometers as well as systems that employ on these sensors, and (3) two software-only defenses that mitigate many of the risks to the integrity of MEMS accelerometer outputs. We characterize two classes of acoustic injection attacks with increasing levels of adversarial control: output biasing and output control. We test these attacks against 20 models of capacitive MEMS accelerometers from 5 different manufacturers. Our experiments find that 75% are vulnerable to output biasing, and 65% are vulnerable to output control. To illustrate end-to-end implications, we show how to inject fake steps into a Fitbit with a $5 speaker. In our self-stimulating attack, we play a malicious music file from a smartphone's speaker to control the on-board MEMS accelerometer trusted by a local app to pilot a toy RC car. In addition to offering hardware design suggestions to eliminate the root causes of insecure amplification and filtering, we introduce two low-cost software defenses that mitigate output biasing attacks: randomized sampling and 180 degree out-of-phase sampling. These software-only approaches mitigate attacks by exploiting the periodic and predictable nature of the malicious acoustic interference signal. Our results call into question the wisdom of allowing microprocessors and embedded systems to blindly trust that hardware abstractions alone will ensure the integrity of sensor outputs.

求助全文

通过发布文献求助，成功后即可免费获取论文全文。去求助

来源期刊

2017 IEEE European Symposium on Security and Privacy (EuroS&P)

自引率

0.00%

发文量