MEMS sensors, such as accelerometers and gyroscopes, play non-substitutive roles in modern smart devices. A vulnerability has been revealed that the inside sensing elements will resonate when imposed acoustic wave at the certain frequencies, thus yielding spoiled data. We developed the attack method and achieved data manipulation via precise parameter tuning for both gyroscopes and accelerometers. Also, we invented a joint attack by combining both ones providing hackers with more versatility. We will explore extensively the impact of this vulnerability among several categories of devices with MEMS sensors onboard, including VR devices, self-balancing vehicles, and drones.

Using a home-built ultrasound/sound emitting system, we launch attacks towards prevailing VR products, including smartphones such as iPhone 7 and Galaxy S7. By emitting an ultrasound/sound beam onto devices at resonant frequencies, we are able to manipulate the “virtual world.” For example, we can steer the facing direction without the user’s movement, trigger quake with different frequencies and amplitudes and so on. It could daze some users as it contradicts with their real feeling, which may cause a fall or even physical injury.

“Shooting” a self-balancing vehicle, we show that it would lose balance as soon as we “pull the trigger.” In a realistic circumstance, the user would probably fall and even get injured while riding speedily. We also attack a commercial product of DJI, induced change of its flight state, which could ultimately lead to a crash. These attacks can exclusively deprive users of their control. Moreover, in the cases of the VR device and the self-balancing vehicle, users may get physically injured! We also introduce several countermeasures, on both hardware and software to mitigate the vulnerability. Last but not least, through all these attacks, we call for the attention of related companies to prevent further exploitations.

Slides

• Black Hat USA 2017 Briefings
• Slides

Authors

Zhengbo Wang | Kang Wang | Bo Yang | Shangyuan Li | Aimin Pan

Acknowledgement

Yinan Sun | Ke Li

Media Coverage

International Media

Forbes | Wired | 01net (France Media) | VRScout | Ars Technica | PcMag | PcMag: The best | MacObserver | YouOptions.eu | APlayground | FieldServiceDemand | TechGroundNews | WebGuyz.nyc | Tech2 | Abilk | 3dvrcentral | TechSwitch | CRN | FollowNews | dospara.co.jp | SecurityDaily.org | FoxNews | SecNews24 | CryptoInsider | TeenSkepChick | TuxMachines.org | FindLaw | DailyTechInfo.org (Russian) | Аргумент

Chinese Media

新华网 | 36Kr | Solidot | cnBeta | Sina | FreeBuf | 阿里技术 | 财经天下周刊 | AI财经 | 环球网 | 东方头条 | 新浪科技 | 科技头版 | 人民政协网 | 光明网 | 贵州卫视（非常完美） | 江苏网络广播电视台 | 中国光学期刊网 | 未来网 | VR资讯网 | 天下网商 | CNET科技资讯网 | 飞象网 | 至顶网 | 苏州都市网 | IT168 | E科网 | 科技讯 | 安卓网 | 驱动中国 | 智能公号 | 嘶吼 | AR 大世界 | 中国信息安全

2018/05/02 西安1374驾无人机表演时被干扰 阿里巴巴研究人员演示如何攻击无人机

Black Hat USA 2017

flickr

Youtube

Video Demo

Hoverboard:

• Mi Ninebot:
  • Inside Without PA
  • Outside Without PA
  • Outside With PA
• MiTu Toy Robot
• DIY Self Balancing Vehicle (Accelerometer)

DJI:

• DJI Phantom3 Standard Gyroscope
• DJI Phantom3 Standard Camera
• DJI Osmo

VR:

• Oculus | HTC Vive Controller | HoloLens | HTC Vive

iPhone 7:

• iPhone7 | Facebook VR with doppler | Compass.app

Overview:

• Low-power Interference Ultrasound
• Finger Spinner - For the love of physics
• Bonus: Another usage of hoverboard

• Full Playlist on Youtube

References

1. Man, Kin F. “MEMS reliability for space applications by elimination of potential failure modes through testing and analysis.” MEMS Reliability for Critical and Space Applications. Vol. 3880. 1999.
2. Dean, Robert N., et al. “On the degradation of MEMS gyroscope performance in the presence of high power acoustic noise.” Industrial Electronics, 2007. ISIE 2007. IEEE International Symposium on. IEEE, 2007.
3. Castro, Simon, et al. “Influence of acoustic noise on the dynamic performance of MEMS gyroscopes.” ASME 2007 International Mechanical Engineering Congress and Exposition. American Society of Mechanical Engineers, 2007.
4. Son, Yunmok, et al. “Rocking Drones with Intentional Sound Noise on Gyroscopic Sensors.” USENIX Security. 2015.
5. Trippel, Timothy, et al. “WALNUT: Waging doubt on the integrity of mems accelerometers with acoustic injection attacks.” IEEE European Symposium on Security and Privacy, 2017.
6. Mikko Saukoski. System and circuit design for a capacitive mems gyroscope, Doctoral Dissertation, 2008.
7. Serrano D E, et al. Environmentally-robust high-performance tri-axial bulk acoustic wave gyroscopes. Position, Location and Navigation Symposium (PLANS), 2016.
8. Farshteindiker, Benyamin, et al. “How to Phone Home with Someone Else’s Phone: Information Exfiltration Using Intentional Sound Noise on Gyroscopic Sensors.” WOOT. 2016.

See Also

1. http://tardis.wikia.com/wiki/Sonic_screwdriver

Referenced by

1. Y. Tu, Z. Lin, I. Lee, and X. Hei, “Injected and Delivered: Fabricating Implicit Control over Actuation Systems by Spoofing Inertial Sensors,” in 27th USENIX Security Symposium (USENIX Security 18), Baltimore, MD, 2018, pp. 1545–1562.