Sonic cyberattack
Hardware security remains so poor that this $5 speaker is enough to hack the accelerometer sensors on smartphones, automobiles and Internet of Things-enabled devicesJoseph Xu / University of Michigan

Computer scientists from the University of Michigan and the University of South Carolina have devised a way to instantly hack into connected devices like smartphones, automobiles and Internet of Things (IoT)-enabled devices using sound and a cheap portable speaker.

The researchers have discovered a major security vulnerability that makes it possible to trick hardware sensors, located in all of these devices, using sound waves. The sensors in question are capacitive MEMS accelerometers that measure inertia – simply put the rate of change in an object's speed in three dimensions.

It seems that all through the years, as the IT industry programmed software, it was assumed as an established fact that software should automatically trust hardware sensors without question. However, no protections have been put in place to make sure that an attacker can't hack into a device through its sensors.

The researchers tested our 20 different types of accelerometers from five manufacturers, namely Bosch, ST Microelectronics, Analog Devices, InvenSense and Murata, and were able to deceive 17 of the sensors into believing that movement was occurring when it wasn't.

Accelerometers have an analog core – a mass suspended on springs – that moves as the object the accelerometer is embedded in picks up speed or changes direction.

Sensor Manufacturer Sensor Model Vulnerable to acoustic
interference at 110 db SPL
Bosch BMA222E Yes
STMicroelectronics MIS2DH Yes
STMicroelectronics IIS2DH Yes
STMicroelectronics LIS3DSH Yes
STMicroelectronics LIS344ALH Yes
STMicroelectronics H3LIS331DL Yes
InvenSense MPU6050 Yes
InvenSense MPU6500 Yes
InvenSense ICM20601 Yes
Analog Devices ADXL312 Yes
Analog Devices ADXL337 Yes
Analog Devices ADXL345 Yes
Analog Devices ADXL346 Yes
Analog Devices ADXL350 Yes
Analog Devices ADXL362 Yes
Murata SCA610 No
Murata SCA820 Yes
Murata SCA1000 No
Murata SCA2100 No
Murata SCA3100 Yes

When movement is detected, the digital components in the accelerometer send a signal to the other circuits, including the microprocessor. This is known as resonant frequency – it's the same phenomenon as when an opera singer hits a particularly high note and causes glass to break.

If you can figure out what the resonant frequency is on each accelerometer, then you can trick them into decoding each sound as a false-sensor reading that is delivered to the microprocessor. Once you can trick the device, the sensors become a handy backdoor so you can take over the rest of the system.

For example, the researchers used a $5 (£4) speaker to create noise that tricked a Fitbit into thinking that the user had walked thousands more steps than in reality. They also created malicious music files to hijack smartphone accelerometers, which then let them hijack an Android app and gain control over a remote-controlled toy car.

The computer scientists also noticed other security flaws – it is possible to hijack the digital "low pass filters" that govern how analog signals are digitally processed to screen out the highest frequencies, as some filters clean up the audio signal in such a way that it makes it much easier to hijack the system.

Aside from highlighting security bugs in hardware sensors, the researchers have also developed two affordable patent-pending software defensive shield solutions that they are now seeking to commercialise. They have also made the manufacturers aware of the accelerometer problems.

The open access paper, entitled "WALNUT: Acoustic Attacks on MEMS Sensors", will be presented at the IEEE European Symposium on Security and Privacy on 26 April in Paris.