Boffins Rickroll smartphone by tickling its accelerometer

Phones blindly trust what their sensors tell them. So they're open to spoofing. Sigh


Smartphone vendors might be learning to mistrust software, but what about the hardware? University of Michigan boffins have put this question to the world by sending unauthorised data to a Samsung turns-out-to-be-not-so-smartphone by buzzing its accelerometer.

The problem highlighted in this paper is that systems “blindly trust the unvalidated integrity of sensor inputs”.

MEMS (micro-electrical mechanical systems)-based accelerometers can be hosed by lots of loud, random noise, but Timothy Trippel, Ofir Weisse, Peter Honeyman and Kevin Fu of the University of Michigan and Wenyuan Xu of the University of South Carolina wanted to go further, and use modulated sound to push signals into the target (for their demonstration, a Samsung Galaxy S5).

“Spoofing such sensors with intentional acoustic interference enables an out-of-spec pathway for attackers to deliver chosen digital values to microprocessors and embedded systems”, they write.

As you can see in the video below, the group kept their attack simple, merely tricking the Galaxy S5 into displaying the word WALNUT on its screen.

The MEMS detects movement of the phone by the movement of a tiny mass inside the component, which changes its capacitance; this is amplified, fed to an analogue-digital converter (ADC), and presented to the processor as a digital value.

Attacking the sensor isn't trivial – as they write, it's not a “lunch-time attack” – but since the accelerometers are common chips, it's not hard to get a device and model its response to vibrations.

Since a victim is bound to notice if you aim a loudspeaker at their phone, so there's another nifty angle to the WALNUT attack: it's carried in audio played on the target device. That way, an attack could be embedded in what seems like a harmless music file (the researchers call this a “drive-by ditty”).

Having identified the resonant frequency of the target accelerometer – for example, an ADXL337 from Analog Devices resonates at 2.9 kHz – it's a cinch to embed control signals into a music video.

Warning: it's a Rickroll. Of course it is

Youtube Video

As another level of difficulty, the Trippel's team also attacked an RC car's control app using the accelerometer, as well as spoofing thousands of steps on a FitBit app.

Rickroll-free

Youtube Video

The attack takes advantage of aliasing in the ADC's sampler, and either amplitude modulation or phase modulation can create signals the phone will misinterpret.

The researchers characterised sensors from Bosch, STMicroelectronics, InvenSense, Analog Devcies and Murata, and only three devices (all from Murata) were immune to attack.

The paper notes that there are two software defences available: software can randomise the sampling at the ADC, which blocks the biasing attack because it depends on predictable sampling intervals; and adjusting the sampling phase by 180°, because this attenuates signals at the resonant frequency. ®

Similar topics

Broader topics


Other stories you might like

  • A peek into Gigabyte's GPU Arm for AI, HPC shops
    High-performance platform choices are going beyond the ubiquitous x86 standard

    Arm-based servers continue to gain momentum with Gigabyte Technology introducing a system based on Ampere's Altra processors paired with Nvidia A100 GPUs, aimed at demanding workloads such as AI training and high-performance compute (HPC) applications.

    The G492-PD0 runs either an Ampere Altra or Altra Max processor, the latter delivering 128 64-bit cores that are compatible with the Armv8.2 architecture.

    It supports 16 DDR4 DIMM slots, which would be enough space for up to 4TB of memory if all slots were filled with 256GB memory modules. The chassis also has space for no fewer than eight Nvidia A100 GPUs, which would make for a costly but very powerful system for those workloads that benefit from GPU acceleration.

    Continue reading
  • GitLab version 15 goes big on visibility and observability
    GitOps fans can take a spin on the free tier for pull-based deployment

    One-stop DevOps shop GitLab has announced version 15 of its platform, hot on the heels of pull-based GitOps turning up on the platform's free tier.

    Version 15.0 marks the arrival of GitLab's next major iteration and attention this time around has turned to visibility and observability – hardly surprising considering the acquisition of OpsTrace as 2021 drew to a close, as well as workflow automation, security and compliance.

    GitLab puts out monthly releases –  hitting 15.1 on June 22 –  and we spoke to the company's senior director of Product, Kenny Johnston, at the recent Kubecon EU event, about what will be added to version 15 as time goes by. During a chat with the company's senior director of Product, Kenny Johnston, at the recent Kubecon EU event, The Register was told that this was more where dollars were being invested into the product.

    Continue reading
  • To multicloud, or not: Former PayPal head engineer weighs in
    Not everyone needs it, but those who do need to consider 3 things, says Asim Razzaq

    The push is on to get every enterprise thinking they're missing out on the next big thing if they don't adopt a multicloud strategy.

    That shove in the multicloud direction appears to be working. More than 75 percent of businesses are now using multiple cloud providers, according to Gartner. That includes some big companies, like Boeing, which recently chose to spread its bets across AWS, Google Cloud and Azure as it continues to eliminate old legacy systems. 

    There are plenty of reasons to choose to go with multiple cloud providers, but Asim Razzaq, CEO and founder at cloud cost management company Yotascale, told The Register that choosing whether or not to invest in a multicloud architecture all comes down to three things: How many different compute needs a business has, budget, and the need for redundancy. 

    Continue reading

Biting the hand that feeds IT © 1998–2022