Sonic cyberattack
Hardware security remains so poor that this $5 speaker is enough to hack the accelerometer sensors on smartphones, automobiles and Internet of Things-enabled devices Joseph Xu / University of Michigan

Computer scientists from the University of Michigan and the University of South Carolina have devised a way to instantly hack into connected devices like smartphones, automobiles and Internet of Things (IoT)-enabled devices using sound and a cheap portable speaker.

The researchers have discovered a major security vulnerability that makes it possible to trick hardware sensors, located in all of these devices, using sound waves. The sensors in question are capacitive MEMS accelerometers that measure inertia – simply put the rate of change in an object's speed in three dimensions.

It seems that all through the years, as the IT industry programmed software, it was assumed as an established fact that software should automatically trust hardware sensors without question. However, no protections have been put in place to make sure that an attacker can't hack into a device through its sensors.

The researchers tested our 20 different types of accelerometers from five manufacturers, namely Bosch, ST Microelectronics, Analog Devices, InvenSense and Murata, and were able to deceive 17 of the sensors into believing that movement was occurring when it wasn't.

Accelerometers have an analog core – a mass suspended on springs – that moves as the object the accelerometer is embedded in picks up speed or changes direction.

Sensor ManufacturerSensor ModelVulnerable to acoustic
interference at 110 db SPL
BoschBMA222EYes
STMicroelectronicsMIS2DHYes
STMicroelectronicsIIS2DHYes
STMicroelectronicsLIS3DSHYes
STMicroelectronicsLIS344ALHYes
STMicroelectronicsH3LIS331DLYes
InvenSenseMPU6050Yes
InvenSenseMPU6500Yes
InvenSenseICM20601Yes
Analog DevicesADXL312Yes
Analog DevicesADXL337Yes
Analog DevicesADXL345Yes
Analog DevicesADXL346Yes
Analog DevicesADXL350Yes
Analog DevicesADXL362Yes
MurataSCA610No
MurataSCA820Yes
MurataSCA1000No
MurataSCA2100No
MurataSCA3100Yes

When movement is detected, the digital components in the accelerometer send a signal to the other circuits, including the microprocessor. This is known as resonant frequency – it's the same phenomenon as when an opera singer hits a particularly high note and causes glass to break.

If you can figure out what the resonant frequency is on each accelerometer, then you can trick them into decoding each sound as a false-sensor reading that is delivered to the microprocessor. Once you can trick the device, the sensors become a handy backdoor so you can take over the rest of the system.

For example, the researchers used a $5 (£4) speaker to create noise that tricked a Fitbit into thinking that the user had walked thousands more steps than in reality. They also created malicious music files to hijack smartphone accelerometers, which then let them hijack an Android app and gain control over a remote-controlled toy car.

The computer scientists also noticed other security flaws – it is possible to hijack the digital "low pass filters" that govern how analog signals are digitally processed to screen out the highest frequencies, as some filters clean up the audio signal in such a way that it makes it much easier to hijack the system.

Aside from highlighting security bugs in hardware sensors, the researchers have also developed two affordable patent-pending software defensive shield solutions that they are now seeking to commercialise. They have also made the manufacturers aware of the accelerometer problems.

The open access paper, entitled "WALNUT: Acoustic Attacks on MEMS Sensors", will be presented at the IEEE European Symposium on Security and Privacy on 26 April in Paris.