20 March 2017

THE SONIC CYBER ATTACK: RESEARCHERS DEMONSTRATE THAT SOUND WAVES CAN BE USED TO HACK EVERYTHING FROM PHONES TO FITNESS TRACKERS & MEDICAL DEVICES


As if you needed any more evidence that the Internet of Things (IoT), and our networked devices have many vulnerabilities, this latest technique may well be the tipping point for you to disconnect and join the burgeoning off-the-grid movement. For the overwhelming majority of us, joining the off-the-gridders is not an option; so, we have to assume our devices aren’t ‘clean; but, if we practice best cyber hygiene practices, that will be good enough for many of us. Having said that…….

Mark Prigg writes in the March 14, 2017 edition of the Daily Mail Online, that a groundbreaking research effort at the University of Michigan has shown that “sound waves can be used to hack into critical sensors — in everything from phones, and medical devices, to fitness trackers and cars. The researchers discovered that millions of the gadgets/devices we use every day — have accelerometers, which can be compromised/breached via sound waves. The “researchers found the tiny sensors can be tricked, registering fake movement and, giving hackers a backdoor into these same devices,” Mr. Prigg wrote.

“The fundamental physics of the hardware allowed us to trick sensors into a false reality to the microprocessor,” said Kevin Fu, U-M Associate Professor of Computer Science and Engineering. “Our findings upend widely held assumptions about the security of the underlying hardware.”

Mr. Prigg writes that “the team used a $5 speaker, and precisely tuned acoustic tones to deceive 15 different models of accelerometers into registering movement that never occurred. This approach served as a backdoor into the devices — enabling the researchers to control other aspects of the system,” [device].”

This new discovery “calls into question the longstanding computer science belief that software can automatically trust hardware sensors, which feed autonomous systems with fundamental data to make decisions,” such as a pacemaker implant, Mr. Prigg wrote. “If you look through the lens of computer science, you won’t see this security problem,” referred to in the literature, Professor Fu said.. ‘Only when looking through both lens at the same time, can one see these vulnerabilities. Analog is the new digital when it comes to cyber security. Thousands of everyday devices already contain tiny MEMS accelerometers. Tomorrow’s devices will aggressively rely on sensors to make automated decisions [such as driver-less cars] , with [unexpected] kinetic consequences.”

“Autonomous systems like package delivery drones and self-driving cars,for example, base their decisions on what their sensors tell them,” said Tim Trippel, a doctoral student in computer science and engineering; and, first author of a new paper on the findings, Mr. Prigg noted. 

“Humans have sensors, like eyes, ears, and a nose. We trust our senses and trust them to make decisions,” Mr. Trippel said. “If autonomous systems can’t trust their senses, then the reliability of those systems will fail,” he added.

“The trick Trippel and Fu introduced, exploits the same phenomenon behind the legend of the opera singer breaking the wine glass,” Mr, Prigg writes. “Key to the process is hitting the right note — the glass’ resonant frequency. The researchers identified the resonant frequencies of 20 different accelerometers from five different manufacturers. Then, instead of shattering the chips, they tricked them into decoding sounds as false sensor readings that they then delivered to the microprocessor.”

“Michigan Engineering researchers used a malicious music file to hack into a Galaxy Samsung S5, coaxing its accelerometer to read out the word, WALNUT,” Mr. Prigg explained. “While the attack itself doesn’t sound all that frightening in principal, it revealed a major security hole in certain commonplace hardware sensors. Trippel noticed additional vulnerabilities in these systems, as the analog signal was digitally processed. Digital ‘low pass filters’ that screen out the highest frequencies, as well as amplifiers, haven’t been designed with security in mind,” Mr. Trippel said. “In some cases,they inadvertently cleaned up the sound signal in a way that made it easier for the team to control the system,” Mr,. Prigg wrote.

“The researchers recommend ways to adjust hardware design to eliminate the problems,” Mr. Prigg wrote. “They also developed two, low-cost software defenses that could minimize the vulnerabilities and, they’ve alerted the manufacturers to these issues.”

And, as you might expect, these defenses are not included in Mr. Prigg’s article; and, the researchers/university “is pursuing patent protection for the intellectual property; and, is seeking commercial partners to help bring the technology to the market.”

At this point, is anyone under the illusion that anything connected to the Internet/network — is not hackable by numerous means; and, physical access is not required to do so. The only ‘safe’ device is one that is never used.

No comments: