The Motion Sensor Western: The Good (Automatic Functionality Support), the Bad (Security Risks to Devices), and the Ugly (Privacy Risks to Individuals)

Presented at Black Hat Asia 2021 Virtual, May 7, 2021, 2:20 p.m. (40 minutes)

In the last decade, motion sensors (accelerometers, gyroscopes) have become more and more ubiquitous in various IoT devices (e.g., smartphones, smartwatches, fitness trackers, headphones). They provide the accuracy required to: (1) support automatic functions such as temporal gesture detection and progressive/ongoing health monitoring, and (2) provide optimized UX for gaming, etc. While the opportunities that motion sensors create for developers are widely known, much less is known about the opportunities that motion sensors create for attackers to violate the (1) integrity, availability, and confidentiality of a device, and (2) privacy of a user.

In this talk, we will discuss security and privacy risks posed by motion sensors. We will start by explaining the security risks associated with attacks on motion sensors and their implications for various IoT devices (e.g., crashing drones, spoofing the daily number of steps in fitness trackers, creating covert channels in smartphones). We will continue by examining the privacy risks associated with the insights that can be derived from motion sensor data and the implications for individuals' privacy (eavesdropping on a user's speech, keylogging a user's password/PIN code, remote identification of a user, and user tracking).

We will then focus on a user study that we conducted which demonstrates how data obtained from motion sensors can be used to violate a user's privacy. We show that a user's intoxication, a condition that is forbidden in some countries around the world, can be detected with high accuracy by analyzing eight seconds of motion sensor data from a specific time of interest (without the need to perform a blood/breath test). Finally, we will analyze the current challenges associated with deriving insights that violate a user's privacy from motion sensor data and explain why we believe that external processes (e.g., deployment of 5G, integration of eSIM, scientific progress) will significantly increase the risks that motion sensors pose to individuals' privacy in the near future.

Presenters:

  • Ben Nassi - PhD Student & Cyber Security Researcher, Ben-Gurion University of the Negev
    Ben Nassi is a PhD student at Ben-Gurion University of the Negev (BGU) and a former Google employee. His research interests are security and privacy with a specific focus on drones, advanced driving assistance systems, smart irrigation systems, wearable technology, and other cool topics. His research has been presented at top academic conferences (S&P, CCS, UbiComp) and published in journals (TIFS), and was also covered by international media (Wired, ArsTechnica, Motherboard, Washington Post, Bloomberg, Business Insider). Ben has spoken at prestigious conferences including Black Hat USA, SecTor, RSAC USA, CodeBlue, CyberTech TLV, and IoT Village at DEF CON 26.
