CIS 700/002: Special Topics: Acoustic Injection Attacks on MEMS Accelerometers


CIS 700/002: Special Topics: Acoustic Injection Attacks on MEMS Accelerometers
Thejas Kesari
CIS 700/002: Security of EMBS/CPS/IoT
Department of Computer and Information Science, School of Engineering and Applied Science, University of Pennsylvania
24 March 2017

The Idea
- Compromise the digital integrity of a capacitive MEMS accelerometer
- Deliver chosen digital values

MEMS Accelerometer
- Sensing mass connected to springs that is displaced
- When accelerated, the displacement of the mass creates an electrical signal due to a change in capacitance
- Measured acceleration s(t) relates to the displacement of the mass d(t): F = m a, F = k_s d

Prior Art
- Sensors can be tricked by maliciously fabricated physical properties
- An adversary could incapacitate drones equipped with MEMS gyroscopes using intentional sound noise
- Resonant frequency has been identified as a problem that causes the performance degradation of MEMS gyroscopes
- Acoustic interference can hence cause DoS attacks
Source: Yunmok Son, et al., Rocking Drones with Intentional Sound Noise on Gyroscopic Sensors, 24th USENIX, August 2015

MEMS Accelerometer
- If the acoustic frequency is tuned correctly, it can vibrate the sensing mass, altering the sensor output
- The sensor output can also be altered in a predictable way
- Two problematic components in the signal conditioning path:
  - Insecure LPF
  - Insecure amplifier

MEMS Accelerometer
- The insecure LPF and insecure amplifier explain the root cause of DoS attacks
- They also enable the design of two more classes of attack:
  - Output biasing
  - Output control

More Prior Art
- Defending against malicious acoustic interference by applying acoustic dampening materials (elastomers, microfibrous metallic cloth, felt, etc.) **
- Provide physical isolation from the noise ***
- Make the actuator and sensor operate in tandem, provide a challenge-response mechanism ^*

** P. Soobramaney, Mitigation of the Effects of High Levels of High-Frequency Noise on MEMS Gyroscopes, Ph.D. dissertation, Auburn University, 2013
*** Yunmok Son, et al., Rocking Drones with Intentional Sound Noise on Gyroscopic Sensors, 24th USENIX, August 2015
^* Y. Shoukry, et al., Pycra: Physical challenge-response authentication for active sensors under spoofing attacks, in Proc. ACM CCS, 2015

More Prior Art
- Impractical: increases packaging size
- Not always applicable: sensor must operate with an actuator in a closed loop system
- Insufficient: not an exhaustive method and cannot filter out all interference

Architecture
- Additional processing is required for the electrical acceleration signals to interface with microprocessors
- The change in capacitance is converted to a voltage, amplified, filtered, and digitized
- Without stage D, aliasing can occur, enabling output biasing attacks
- Signal clipping at C can introduce a DC component into the acceleration signal, enabling output control attacks

Threat Model
- Attackers neither access the sensor readings directly nor physically touch the sensor
- A lunchtime attack is not assumed, but the attacker is assumed to be able to reverse engineer a sample device to extract the exact accelerometer model and profile its behaviour under different amplitudes and frequencies
- The attacker is able to induce sound in the vicinity of the victim device in the audible frequency range

Attack Modeling
- Forces from acoustic waves can also displace the mass
- True acceleration: s(t)
- Acoustic: s_a(t)
- For acoustic frequency F_a, with amplitude A_0 and phase, the measured acceleration becomes s (t) = s(t) + A_1 A_0


Maximize the impact
- s (t) = s(t) + A_1 s_a(t)
- Maximize the attenuation coefficient A_1
- Resonance! A_1 = 1 at resonant frequencies

Hardware Deficiencies
- True measurements: no signal clipping occurs; the LPF attenuates high-frequency acoustic acceleration signals
- Fluctuating false measurements: no signal clipping; the LPF does not completely attenuate HF acoustic signals (undersampled by the ADC)
- Constant shifted false measurements: signal clipping occurs and introduces a non-zero DC component into the amplified signal. A secure LPF passes the DC signal and blocks HF.

Finding Resonant Frequency
- A sensor at rest should measure a constant acceleration of 0 g along the X and Y axes and 1 g along the Z axis
- If, at a particular frequency, output measurements are fluctuating or constantly shifted, then that is the resonant frequency
- By sweeping an acoustic frequency range and acquiring several acceleration measurements at each frequency, both scenarios can be observed

Finding Resonant Frequency: Results
- Both instances of the same sensor behaved identically
- Resonant frequencies can fall in a range, not a single value
- Some sensors have multiple resonant frequencies
- Some sensors have resonant frequencies which result in all combinations of constant shifted or fluctuating
- Most sensors that were not affected by acoustic interference are physically larger than those that were

Output Biasing Attack
- Pertains to accelerometers that experience fluctuating false measurements at their resonant frequencies due to an insecure LPF
- To perform this attack, step one: stabilize fluctuating false measurements to constant ones by shifting the acoustic resonant frequency to induce a DC alias at the ADC
- How? Signal aliasing. Recall: Nyquist sampling theorem

Output Biasing Attack
- Signal aliasing: misinterpretation of an analog signal caused by digitizing it with an inadequate sampling rate

Output Biasing Attack
- To perform this attack, step two: reshape the desired output signal by modulating it on top of the acoustic resonant frequency
- How? AM and PM
- Signal modulation is used to transmit arbitrary information signals over another carrier signal

Output Biasing Attack
- Sinusoidal carrier: f_c(t) = a sin(2πft + )

Output Biasing Attack
- F_samp is fixed
- Resonant frequencies might be a range: frequency deviation f_e
- Acoustic frequency: F_a = F_res + f_e (find f_e such that the sum is still within resonance)
- Then choose AM or PM to further shape the output signal

Output Control Attack
- Applicable to accelerometers that exhibit constant shifted false measurements at their resonant frequencies due to insecure amplifiers
- To perform this attack: reshape the output signal by modulating it over the resonant frequency
- Achieving fine-grained control requires AM

Controlling Accelerometer Output
- Under resonant acoustic interference, an output biasing attack (B) class indicates a sensor's falsified measurements fluctuate (insecure LPF), while an output control attack (C) class indicates constant falsified measurements are observed (insecure amplifier)

Attacking Embedded Devices: Fitbit
https://www.youtube.com/watch?v=aedof3cznei

Attacking Embedded Devices: Galaxy S5
https://www.youtube.com/watch?v=c8az5nbmkh0

Defence: Hardware Design
- Secure LPF: a properly designed LPF should have a cut-off frequency of less than half of the ADC sampling rate
- Secure amplifier: an amplifier that can accept large amplitude inputs. Pre-filter acoustic resonant frequencies prior to amplification
- Use of acoustic dampening materials

Defence: Software Design
- Randomized sampling: instead of setting the ADC sampling rate fixed, sample at random intervals; this prevents the attacker from inducing a DC alias
- 180° out-of-phase sampling: attenuates acceleration signals with frequencies around the resonant frequency
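
An added simulation (not from the slides or the WALNUT authors) of the DC alias described under the output biasing attack and of the two software defences above. The sampling rate, resonant frequency, amplitude and phase are constructed values, and out-of-phase sampling is assumed to mean averaging two samples taken half a resonant period apart.

```python
import math
import random

# All numeric values below are constructed for illustration.
F_SAMP = 1000.0      # fixed ADC sampling rate (Hz)
F_RES = 5 * F_SAMP   # resonant frequency (Hz), an integer multiple of F_SAMP
AMP = 0.5            # acoustic acceleration reaching the ADC input (g)
PHASE = math.pi / 3  # phase of the acoustic signal (rad)
TRUE_ACCEL = 0.0     # sensor at rest, X axis: 0 g

def measured(t, f_a=F_RES):
    """Analog value at the ADC input: true acceleration plus acoustic term."""
    return TRUE_ACCEL + AMP * math.sin(2 * math.pi * f_a * t + PHASE)

def fixed_rate(n, f_a=F_RES):
    """Baseline: one sample exactly every 1/F_SAMP seconds."""
    return [measured(k / F_SAMP, f_a) for k in range(n)]

def randomized(n, rng, f_a=F_RES):
    """Randomized sampling: each sample lands at a random point in its interval."""
    return [measured((k + rng.random()) / F_SAMP, f_a) for k in range(n)]

def out_of_phase(n, f_a=F_RES):
    """Average two samples taken half a resonant period (180 degrees) apart."""
    half = 1.0 / (2.0 * F_RES)
    return [(measured(k / F_SAMP, f_a) + measured(k / F_SAMP + half, f_a)) / 2
            for k in range(n)]

def mean(xs):
    return sum(xs) / len(xs)

def peak_error(xs):
    """Largest deviation of any reported sample from the true acceleration."""
    return max(abs(x - TRUE_ACCEL) for x in xs)

if __name__ == "__main__":
    n = 2000
    near = F_RES + 50.0  # tone slightly off resonance (constructed)
    print("fixed rate, mean bias (g):       %.4f" % mean(fixed_rate(n)))
    print("randomized, mean bias (g):       %.4f" % mean(randomized(n, random.Random(1))))
    print("out of phase, peak error (g):    %.2e" % peak_error(out_of_phase(n)))
    print("fixed rate near res, peak (g):   %.4f" % peak_error(fixed_rate(n, near)))
    print("out of phase near res, peak (g): %.4f" % peak_error(out_of_phase(n, near)))
```

With fixed-rate sampling the tone collapses to a constant offset that looks like real acceleration; randomized sampling turns it into zero-mean noise that averaging removes, and out-of-phase averaging cancels it sample by sample.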

References
- T. Trippel, et al., WALNUT: Waging Doubt on the Integrity of MEMS Accelerometers with Acoustic Injection Attacks, 2017
- P. Soobramaney, Mitigation of the Effects of High Levels of High-Frequency Noise on MEMS Gyroscopes, 2013
- Yunmok Son, et al., Rocking Drones with Intentional Sound Noise on Gyroscopic Sensors, 2015
- Y. Shoukry, et al., Pycra: Physical challenge-response authentication for active sensors under spoofing attacks, 2015