Short Bytes: According to a new research by a team at the University of Michigan, the MEMS accelerometers found on a variety of devices can be fooled to record fictitious data using precisely tuned acoustic waves. This can be done using any low-cost speaker and used to control a smartphone or any other device connected to it.
We can control a smartphone using our voice, why not the hackers? You might have read about voice commands neatly stuffed into YouTube videos can be used to take down a smartphone. They can do it in other different ways going beyond software. And their control powers are not limited to smartphones, but it can include Fitbit, toys, cars, or other things that house an accelerometer sensor.
A team by Kevin Fu at the University of Michigan has devised a way to agitate the spring-suspended capacitive MEMS accelerometer of a device to make it think the device is in motion.
Using correctly curated sound waves emitting from a speaker, they can control any app on the smartphone or another device. During their experiments, they made a FitBit band count steps while it was sitting peacefully at one place. They were also able to make a Galaxy S5 spell out the word WALNUT in the graph readings.
The team compares their method to the breaking of glass due to an opera song. Once the sound matches the resonant frequency of the glass, it breaks. In this case, the researchers don’t concentrate on breaking things but they can trick a device into recording false data and sending it to the processor. They tested around 20 accelerometers from five makers.
However, the creepy hacking process is currently limited as a proof-of-concept. It would be too soon to think about people carrying $5 speakers and hacking our phones on the streets. The researchers have notified the chip makers and suggested some countermeasures including changes to hardware design and software defenses.
The researcher presents their paper titled “WALNUT: Waging Doubt on the Integrity of MEMS Accelerometers with Acoustic Injection Attacks” at the IEEE European Symposium on Security and Privacy on April 26.
If you have something to add, drop your thoughts. And don’t forget to tell us your feedback.