Accelerometers, Present In
Most Smartphones, Can Be Controlled By This `Musical Virus'
A security loophole that
would allow someone to add extra steps to the counter on your Fitbit
monitor might seem harmless. But researchers say it points to the
broader risks that come with technology's embedding into the nooks of
our lives. This week, a group of computer security researchers at the
University of Michigan and the University of South Carolina will
demonstrate that they have found a vulnerability that allows them to
take control of or surreptitiously influence devices through the tiny
accelerometers that are standard components in
consumer products like smartphones, fitness monitors and even
automobiles.
In their paper, the researchers describe how they added fake steps to a Fitbit fitness monitor and played a “malicious“ music file from the speaker of a smartphone to control the phone's accelerometer. That allowed them to interfere with software that relies on the smartphone, like an app used to pilot a radio-controlled toy car.
“It's like the opera singer who hits the note to break a wine glass, only in our case, we can spell out words“ and enter commands rather than just shut down the phone, said Kevin Fu, an author of the paper, who is also an associ ate professor of electrical engineering and computer science at the University of Michigan and the chief executive of Virta Labs, a company that focuses on cybersecurity in health care. “You can think of it as a musical virus.“ The researchers found the flaw in more than half of the 20 commercial brands from five chip makers they tested. With dozens of start-ups and large transportation companies pushing to develop self-driving cars and trucks, undetected vulnerabilities that might allow an attacker to remotely control vehicles are an unnerving possibility. Still, computer security researchers said the discovery was not a sky-is-falling bug but rather a revealing window into the cybersecurity challenges inherent in complex systems in which analog and digital components can interact in unexpected ways.
“The whole world of security is about unintended interactions,“ said Paul Kocher, a cryptographer and a former executive at the chip company Rambus. In the case of the toy car, the researchers controlled the car by forcing the accelerometer to produce false readings. They exploited the fact that a smartphone application relies on the accelerometer to control the car.
While toy cars might seem like trivial examples, there are other, darker possibilities. Dr. Fu has researched the cybersecurity risks of medical devices, including a demonstration of the potential to wirelessly introduce fatal heart rhythms into a pacemaker. The paper also documents changes manufacturers could make to protect against these flaws.
http://epaperbeta.timesofindia.com/Article.aspx?eid=31812&articlexml=Your-phone-can-be-hacked-via-sound-waves-15032017017032
In their paper, the researchers describe how they added fake steps to a Fitbit fitness monitor and played a “malicious“ music file from the speaker of a smartphone to control the phone's accelerometer. That allowed them to interfere with software that relies on the smartphone, like an app used to pilot a radio-controlled toy car.
“It's like the opera singer who hits the note to break a wine glass, only in our case, we can spell out words“ and enter commands rather than just shut down the phone, said Kevin Fu, an author of the paper, who is also an associ ate professor of electrical engineering and computer science at the University of Michigan and the chief executive of Virta Labs, a company that focuses on cybersecurity in health care. “You can think of it as a musical virus.“ The researchers found the flaw in more than half of the 20 commercial brands from five chip makers they tested. With dozens of start-ups and large transportation companies pushing to develop self-driving cars and trucks, undetected vulnerabilities that might allow an attacker to remotely control vehicles are an unnerving possibility. Still, computer security researchers said the discovery was not a sky-is-falling bug but rather a revealing window into the cybersecurity challenges inherent in complex systems in which analog and digital components can interact in unexpected ways.
“The whole world of security is about unintended interactions,“ said Paul Kocher, a cryptographer and a former executive at the chip company Rambus. In the case of the toy car, the researchers controlled the car by forcing the accelerometer to produce false readings. They exploited the fact that a smartphone application relies on the accelerometer to control the car.
While toy cars might seem like trivial examples, there are other, darker possibilities. Dr. Fu has researched the cybersecurity risks of medical devices, including a demonstration of the potential to wirelessly introduce fatal heart rhythms into a pacemaker. The paper also documents changes manufacturers could make to protect against these flaws.
http://epaperbeta.timesofindia.com/Article.aspx?eid=31812&articlexml=Your-phone-can-be-hacked-via-sound-waves-15032017017032