​Researchers hack accelerometer to fake Fitbit steps, hijack radio-controlled car

  • Liam Tung (CSO Online)
  • 15 March, 2017 05:11

Researchers have demonstrated a new way to hack the accelerometer sensors in millions of smartphones, fitness trackers, medical devices and other connected things.

Computer security researchers from the University of Michigan and University of South Carolina have found that certain acoustic frequencies can be used to spoof acceleration signals in a number of microelectromechanical (MEMS) accelerometers, allowing them to influence or control the sensor's outputs.

The researchers say that a majority of 20 accelerometers from five manufacturers were vulnerable to signal spoofing when exposed to acoustic interference.

Accelerometer vendors that have confirmed the vulnerability include Bosch GmbH, STMicroelectronics, InvenSense Inc., and Analog Devices.

The researchers created demonstration attacks on a Fitbit device and a RC car controlled by a smartphone app to show the potential for their attack on systems that could actually cause harm, such a medical device, or an automated system that relies on accelerometer signals.

They used $5 speaker to inject fake steps into a Fitbit’s counter and were able to inject about 3,000 fake steps per hour using the attack, according to the paper WALNUT: Waging Doubt on the Integrity of MEMS Accelerometers with Acoustic Injection Attacks

They also used a music app on an Android phone to hijack another app that relies on the accelerometer to control an RC car. Normally the app lets the user control the RC car by tilting the phone, however the researchers’ malicious music file targeting the phone’s accelerometer allowed them to control the car without tilting the phone.

In a blog post, the researchers note that attackers would need to deliver high intensity interference at close range to the vulnerable sensors.

“With proper knowledge of the algorithms that are utilizing the polluted sensor data, adversaries may be able to control the behavior of a system that relies on the sensor data to make automated decisions,” they write.

Another attack shows that it is possible to rig a music video on YouTube to trick a Samsung Galaxy S5’s accelerometer to output a signal spelling “WALNUT”, the name of the paper.

One way to mitigate an acoustic interference attacks would be to insulate the sensors from sound in foam. The researchers have also developed a data processing algorithms to reject abnormal acceleration signals, allowing manufacturers to retrofit the sensors with protections.