Presented at
Black Hat USA 2017,
July 27, 2017, 9:45 a.m.
(50 minutes).
MEMS sensors, such as accelerometers and gyroscopes, play non-substitutive roles in modern smart devices. A vulnerability has been revealed that the inside sensing elements will resonate when imposed acoustic wave at the certain frequencies, thus yielding spoiled data. We developed the attack method and achieved data manipulation via precise parameter tuning for both gyroscopes and accelerometers. Also, we invented a joint attack by combining both ones providing hackers with more versatility. We will explore extensively the impact of this vulnerability among several categories of devices with MEMS sensors onboard, including VR devices, self-balancing vehicles, and drones.
Using a home-built ultrasound/sound emitting system, we launch attacks towards prevailing VR products, including smartphones such as iPhone 7 and Galaxy S7. By emitting an ultrasound/sound beam onto devices at resonant frequencies, we are able to manipulate the "virtual world." For example, we can steer the facing direction without the user's movement, trigger quake with different frequencies and amplitudes and so on. It could daze some users as it contradicts with their real feeling, which may cause a fall or even physical injury.
"Shooting" a self-balancing vehicle, we show that it would lose balance as soon as we "pull the trigger." In a realistic circumstance, the user would probably fall and even get injured while riding speedily. We also attack a commercial product of DJI, induced change of its flight state, which could ultimately lead to a crash. These attacks can exclusively deprive users of their control. Moreover, in the cases of the VR device and the self-balancing vehicle, users may get physically injured! We also introduce several countermeasures, on both hardware and software to mitigate the vulnerability. Last but not least, through all these attacks, we call for the attention of related companies to prevent further exploitations.
Presenters:
-
Bo Yang
- Telecommunication Specialist , CAICT
Yang Bo is a telecommunication specialist in the China Telecommunication Technology Labs in CAICT. He has also been worked on ultrasonic transducers and measurements for several years. His main research interests include sensors/transducers, wireless communication, and related measurement technologies.
-
Aimin Pan
- Chief Architect, Mobile Security Team of Alibaba Group
Aimin Pan is the chief architect of the mobile security division within the Alibaba Corporation. He has written and translated many books, including "Understanding the Windows Kernel"(Chinese edition, 2010) and "COM Principles and Applications"(Chinese edition, 1999). Before joining Alibaba, he worked at Peking University (Beijing), Microsoft Research Asia, and Shanda Innovations. Aimin has published more than 30 academic papers, filed 10 USA patents. In recent years, his research focuses on mobile operating systems and security.
-
Wang Kang
- Security Expert, Mobile Security Team of Alibaba Group
Wang Kang is a Security Specialist of the Mobile Security team of Alibaba Group. He is a contributor of Linux Kernel. (TDD-LTE USB Dongle support) as well as a Founder of the Tsinghua University Network Administrators (http://tuna.tsinghua.edu.cn). He has delivered a talk at Black Hat Europe 2015 - "Time and Position Spoofing with Open Source Projects."
-
Zhengbo Wang
- Senior Engineer, Mobile Security Team of Alibaba Group
Zhengbo Wang received his Ph.D degree in Physics from Tsinghua University in China. After years of building atomic clocks, he joined Alibaba as a senior engineer in the department of security in Alibaba group, and is ready to hack ab initio.
-
Shangyuan LI
- Assistant Researcher , Tsinghua University
Shangyuan Li is now an assistant researcher in the Department of Electronic Engineering, Tsinghua University. His research interest focus on the interdisciplinary area among different WAVEs, including microwave, lightwave and soundwave. He has published more than 40 papers.
Links:
Similar Presentations: