Rocking Drones with Intentional Sound Noise on Gyroscopic Sensors

Similar documents
Hacking Sensors. Yongdae Kim

Rocking Drones with Intentional Sound Noise on Gyroscopic Sensors

SONIC GUN TO SMART DEVICES YOUR DEVICES LOSE CONTROL UNDER ULTRASOUND/SOUND

SONIC GUN TO SMART DEVICES YOUR DEVICES LOSE CONTROL UNDER ULTRASOUND/SOUND

CIS 700/002: Special Topics: Acoustic Injection Attacks on MEMS Accelerometers

Systematical Methods to Counter Drones in Controlled Manners

FREQUENCY RESPONSE AND LATENCY OF MEMS MICROPHONES: THEORY AND PRACTICE

Attack on the drones. Vectors of attack on small unmanned aerial vehicles Oleg Petrovsky / VB2015 Prague

FLCS V2.1. AHRS, Autopilot, Gyro Stabilized Gimbals Control, Ground Control Station

Indoor Positioning by the Fusion of Wireless Metrics and Sensors

SMART SENSORS AND MEMS

THE USE OF VOLUME VELOCITY SOURCE IN TRANSFER MEASUREMENTS

GPS-Aided INS Datasheet Rev. 2.3

Reference Diagram IDG-300. Coriolis Sense. Low-Pass Sensor. Coriolis Sense. Demodulator Y-RATE OUT YAGC R LPY C LPy ±10% EEPROM TRIM.

Design and Implementation of FPGA Based Quadcopter

ENHANCEMENTS IN UAV FLIGHT CONTROL AND SENSOR ORIENTATION

Introducing the Quadrotor Flying Robot

Todd Hubing. Clemson Vehicular Electronics Laboratory Clemson University

OS3D-FG MINIATURE ATTITUDE & HEADING REFERENCE SYSTEM MINIATURE 3D ORIENTATION SENSOR OS3D-P. Datasheet Rev OS3D-FG Datasheet rev. 2.

Direct Digital Amplification (DDX )

IMU: Get started with Arduino and the MPU 6050 Sensor!

Production Noise Immunity

ARDUINO BASED CALIBRATION OF AN INERTIAL SENSOR IN VIEW OF A GNSS/IMU INTEGRATION

Electronics Design Laboratory Lecture #11. ECEN 2270 Electronics Design Laboratory

SCS SERIES INTRODUCTION

3DM-GX4-45 LORD DATASHEET. GPS-Aided Inertial Navigation System (GPS/INS) Product Highlights. Features and Benefits. Applications

Assessing the likelihood of GNSS spoofing attacks on RPAS

GPS-Aided INS Datasheet Rev. 2.6

4GHz / 6GHz Radiation Measurement System

3D Distortion Measurement (DIS)

TEST SUMMARY. Prüfbericht - Nr.: Test Report No FIELD STRENGTH OF FUNDAMENTAL RESULT: Passed % BANDWIDTH RESULT: Passed

Attitude and Heading Reference Systems

Dynamically Adaptive Inverted Pendulum Platfom

NINTH INTERNATIONAL CONGRESS ON SOUND AND VIBRATION, ICSV9 ACTIVE VIBRATION ISOLATION OF DIESEL ENGINES IN SHIPS

Data Sheet, V1.0, Aug SMM310. Silicon MEMS Microphone. Small Signal Discretes

Motion Reference Units

SPEEDBOX Technical Datasheet

Speech Intelligibility Enhancement using Microphone Array via Intra-Vehicular Beamforming

School of Surveying & Spatial Information Systems, UNSW, Sydney, Australia

MEMS Solutions For VR & AR

Motion Capture for Runners

3DM -CV5-10 LORD DATASHEET. Inertial Measurement Unit (IMU) Product Highlights. Features and Benefits. Applications. Best in Class Performance

INDOOR LOCATION SENSING AMBIENT MAGNETIC FIELD. Jaewoo Chung

Characterization of medical devices electromagnetic immunity to environmental RF fields.

EL6483: Sensors and Actuators

Testing Autonomous Hover Algorithms Using a Quad rotor Helicopter Test Bed

HALS-H1 Ground Surveillance & Targeting Helicopter

Defense Technical Information Center Compilation Part Notice

PERFORMANCE OF A NEW MEMS MEASUREMENT MICROPHONE AND ITS POTENTIAL APPLICATION

Sensor system of a small biped entertainment robot

Figure 1. SIG ACAM 100 and OptiNav BeamformX at InterNoise 2015.

Integrated Dual-Axis Gyro IDG-1004

Digitally Tuned Low Power Gyroscope

Balanced Armature Check (BAC)

OtoRead - Technical Specifications Page 0. Technical Specifications. OtoRead D A 2017/06

Di6 / Di6t. Product Description

ASR-2300 Multichannel SDR Module for PNT and Mobile communications. Dr. Michael B. Mathews Loctronix, Corporation

NovAtel SPAN and Waypoint GNSS + INS Technology

SOUND FIELD MEASUREMENTS INSIDE A REVERBERANT ROOM BY MEANS OF A NEW 3D METHOD AND COMPARISON WITH FEM MODEL

Platform Independent Launch Vehicle Avionics

Design and Navigation Control of an Advanced Level CANSAT. Mansur ÇELEBİ Aeronautics and Space Technologies Institute Turkish Air Force Academy

Directed Energy Weapons in Modern Battlefield

ASC IMU 7.X.Y. Inertial Measurement Unit (IMU) Description.

Motion Reference Units

OughtToPilot. Project Report of Submission PC128 to 2008 Propeller Design Contest. Jason Edelberg

DEVELOPMENT OF AN AUTONOMOUS SMALL SCALE ELECTRIC CAR

Defeating Magnetic Interference on the Battlefield

NEXT-LAB SENSOR Scritto da Administrator Martedì 24 Settembre :01 - Ultimo aggiornamento Mercoledì 20 Luglio :44 NEXT-LAB SENSOR 1 / 7

VQ 60. Product Description. Features. Applications

430. The Research System for Vibration Analysis in Domestic Installation Pipes

Surface Micromachining

Acoustic Yagi Uda Antenna Using Resonance Tubes

INERTIAL LABS SUBMINIATURE 3D ORIENTATION SENSOR OS3DM

Di6. Product Description. Features. Applications

Integrated Navigation System

GPS-Aided INS Datasheet Rev. 3.0

iw6 DS Product Description Features Applications

Master Op-Doc/Test Plan

Sonic Distance Sensors

Technical Specifications KF853

SELF STABILIZING PLATFORM

TACOT Project. Trusted multi Application receiver for Trucks. Bordeaux, 4 June 2014

VTech R&D Design Support Capability

MEASUREMENT of physical conditions in buildings

Multi-Receiver Vector Tracking

GPS-Aided INS Datasheet Rev. 2.7

High intensity and low frequency tube sound transmission loss measurements for automotive intake components

UL Japan, Inc. Head Office EMC Lab Asama-cho, Ise-shi, Mie-ken JAPAN Telephone : Facsimile :

Inertial Sensors. Ellipse 2 Series MINIATURE HIGH PERFORMANCE. Navigation, Motion & Heave Sensing IMU AHRS MRU INS VG

OBSTACLE DETECTION AND COLLISION AVOIDANCE USING ULTRASONIC DISTANCE SENSORS FOR AN AUTONOMOUS QUADROCOPTER

Sound source localization accuracy of ambisonic microphone in anechoic conditions

Inertial Sensors. Ellipse 2 Series MINIATURE HIGH PERFORMANCE. Navigation, Motion & Heave Sensing IMU AHRS MRU INS VG

CMS601. Product Description. Features. Applications

LINEAR 5 LTS A THE NEW PERFORMANCE CLASS > LONG THROW. ULTRA COMPACT. ECONOMICAL.

Annex to the Accreditation Certificate D-K according to DIN EN ISO/IEC 17025:2005

Heterogeneous Control of Small Size Unmanned Aerial Vehicles

FCC ID: A3LSLS-BD106Q. Report No.: HCT-RF-1801-FC003. Plot Data for Output Port 2_QPSK 9 khz ~ 150 khz Middle channel 150 khz ~ 30 MHz Low channel

The Next Generation Design of Autonomous MAV Flight Control System SmartAP

Lt Col Greg Vansuch. Special Projects Office. DARPATech September 2000

Cooperative navigation (part II)

Transcription:

USENIX Security Symposium 2015 Rocking Drones with Intentional Sound Noise on Gyroscopic Sensors 2015. 08. 14. Yunmok Son, Hocheol Shin, Dongkwan Kim, Youngseok Park, Juhwan Noh, Kibum Choi, Jungwoo Choi, and Yongdae Kim Electrical Engineering at KAIST System Security Lab.

Drones (Multi-coptors) Distribution delivery Search and rescue Aerial photography Private hobby 2

Drone, A New Threat Air terrorism using a weaponized drone 3

Drone, A New Threat Air terrorism using a weaponized drone Jul. 2015 3

Drone, A New Threat Air terrorism using a weaponized drone Jul. 2015 May. 2015 3

Drone, A New Threat Air terrorism using a weaponized drone Jul. 2015 May. 2015 Apr. 2015 3

Drone, A New Threat Air terrorism using a weaponized drone Jul. 2015 May. 2015 Apr. 2015 Sep. 2013 3

Attack Vectors of Drone Drone 4

Attack Vectors of Drone High Power Laser Bumper Drone Drone Capturing Drone with Net Physical attack Drone Shot-gun 4

Attack Vectors of Drone High Power Laser Bumper Drone RF jamming or spoofing Comm. channel Drone Capturing Drone with Net Physical attack Drone Shot-gun 4

Attack Vectors of Drone High Power Laser Bumper Drone RF jamming or spoofing Comm. channel Software hacking Drone Hacking Drone ( Skyjack ) Drone Capturing Drone with Net Physical attack Drone Shot-gun 4

Attack Vectors of Drone High Power Laser Bumper Drone RF jamming or spoofing Comm. channel Software hacking Drone Hacking Drone ( Skyjack ) Drone Capturing Drone with Net Physical attack Drone Positioning Shot-gun GPS Jamming or Spoofing 4

Attack Vectors of Drone High Power Laser Bumper Drone RF jamming or spoofing Comm. channel Software hacking Drone Hacking Drone ( Skyjack ) Drone Capturing Drone with Net Physical attack Drone Positioning Shot-gun Sensing channel GPS Jamming or Spoofing 4

Attack Vectors of Drone High Power Laser Bumper Drone RF jamming or spoofing Comm. channel Software hacking Drone Hacking Drone ( Skyjack ) Drone Capturing Drone with Net Drone How Physical secure is drone against Positioning attack interference on sensing channel? Shot-gun Sensing channel GPS Jamming or Spoofing 4

Drone System Wireless Transmitter RF Wireless Receiver User Controller Flight Controller Rotors (with speed controllers) 6

Drone System Wireless Transmitter RF Wireless Receiver User Controller Flight Controller Rotors (with speed controllers) 6

Drone System Wireless Transmitter RF Wireless Receiver Input User Controller Flight Controller Rotors (with speed controllers) 6

Drone System Wireless Transmitter RF Wireless Receiver Input User Controller Flight Controller Rotors (with speed controllers) Output 6

Drone System * IMU: Inertial Measurement Unit Wireless Transmitter RF Input Wireless Receiver Input IMU Sensors (Gyroscope, etc. User Controller Flight Controller Rotors (with speed controllers) Output 6

Gyroscope on Drone * MEMS: Micro-Electro-Mechanical Systems Inertial Measurement Unit (IMU) A device to measure velocity, orientation, or rotation Using a combination of MEMS gyroscopes and accelerometers 7

Gyroscope on Drone * MEMS: Micro-Electro-Mechanical Systems Inertial Measurement Unit (IMU) A device to measure velocity, orientation, or rotation Using a combination of MEMS gyroscopes and accelerometers MEMS gyroscope 7

Gyroscope on Drone Inertial Measurement Unit (IMU) A device to measure velocity, orientation, or rotation Using a combination of MEMS gyroscopes and accelerometers * MEMS: Micro-Electro-Mechanical Systems <Conceptual structure of MEMS gyro.> MEMS gyroscope 7

Gyroscope on Drone Inertial Measurement Unit (IMU) A device to measure velocity, orientation, or rotation Using a combination of MEMS gyroscopes and accelerometers * MEMS: Micro-Electro-Mechanical Systems <Conceptual structure of MEMS gyro.> MEMS gyroscope 7 (https://www.youtube.com/watch?v=jos6kfjukqo, https://www.youtube.com/watch?t=45&v=sh7xsx10qkm)

Resonance in MEMS Gyroscope Mechanical resonance by sound noise Known fact in the MEMS community Degrades MEMS Gyro s accuracy With (resonant) frequencies of sound 8

Resonance in MEMS Gyroscope Mechanical resonance by sound noise Known fact in the MEMS community Degrades MEMS Gyro s accuracy With (resonant) frequencies of sound MEMS Gyro. with a high resonant frequency to reduce the sound noise effect (above 20kHz) 8

Experiment Setup Up to 48 khz without aliasing Anechoic Chamber Sound Source (Speaker) Audio Amplifier External Soundcard Single Tone Sound Noise 10cm USB Up to 24 khz without aliasing Sound Frequency: every 100 Hz up to 30 khz Gyroscope Read Registers Arduino USB Laptop Python Script 10

Sound Pressure Level = 85~95 db (The sound level of noisy factory or heavy truck) Sound source Microphone Gyroscope Arduino

12 EA 12 EA 12 EA On the target drones 15 kinds of MEMS gyroscopes 12

Experimental Results (1/3) Found the resonant frequencies of 7 MEMS gyroscopes Not found for 8 MEMS gyroscopes Sensor Vender Supporting Axis L3G4200D STMicro. X, Y, Z Resonant freq. in the datasheet (axis) Resonant freq. in our experiment (axis) 7,900 ~ 8,300 Hz (X, Y, Z) L3GD20 STMicro. X, Y, Z No detailed information 19,700 ~ 20,400Hz (X, Y, Z) LSM330 STMicro. X, Y, Z 19,900 ~ 20,000 Hz (X, Y, Z) MPU6000 InvenSense X, Y, Z 30 ~ 36 khz (X) 26,200 ~ 27,400 Hz (Z) MPU6050 InvenSense X, Y, Z 27 ~ 33 khz (Y) 25,800 ~ 27,700 Hz (Z) MPU9150 InvenSense X, Y, Z 24 ~ 30 khz (Z) 27,400 ~ 28,600 Hz (Z) MPU6500 InvenSense X, Y, Z 25 ~ 29 khz (X, Y, Z) 26,500 ~ 27,900 Hz (X, Y, Z) 13

Experimental Results (1/3) Found the resonant frequencies of 7 MEMS gyroscopes Not found for 8 MEMS gyroscopes Sensor Vender Supporting Axis L3G4200D STMicro. X, Y, Z Resonant freq. in the datasheet (axis) Resonant freq. in our experiment (axis) 7,900 ~ 8,300 Hz (X, Y, Z) L3GD20 STMicro. X, Y, Z No detailed information 19,700 ~ 20,400Hz (X, Y, Z) LSM330 STMicro. X, Y, Z 19,900 ~ 20,000 Hz (X, Y, Z) MPU6000 InvenSense X, Y, Z 30 ~ 36 khz (X) 26,200 ~ 27,400 Hz (Z) MPU6050 InvenSense X, Y, Z 27 ~ 33 khz (Y) 25,800 ~ 27,700 Hz (Z) MPU9150 InvenSense X, Y, Z 24 ~ 30 khz (Z) 27,400 ~ 28,600 Hz (Z) MPU6500 InvenSense X, Y, Z 25 ~ 29 khz (X, Y, Z) 26,500 ~ 27,900 Hz (X, Y, Z) 13

Experimental Results (1/3) Found the resonant frequencies of 7 MEMS gyroscopes Not found for 8 MEMS gyroscopes Sensor Vender Supporting Axis L3G4200D STMicro. X, Y, Z Resonant freq. in the datasheet (axis) Resonant freq. in our experiment (axis) 7,900 ~ 8,300 Hz (X, Y, Z) L3GD20 STMicro. X, Y, Z No detailed information 19,700 ~ 20,400Hz (X, Y, Z) LSM330 STMicro. X, Y, Z 19,900 ~ 20,000 Hz (X, Y, Z) MPU6000 InvenSense X, Y, Z 30 ~ 36 khz (X) 26,200 ~ 27,400 Hz (Z) MPU6050 InvenSense X, Y, Z 27 ~ 33 khz (Y) 25,800 ~ 27,700 Hz (Z) MPU9150 InvenSense X, Y, Z 24 ~ 30 khz (Z) 27,400 ~ 28,600 Hz (Z) MPU6500 InvenSense X, Y, Z 25 ~ 29 khz (X, Y, Z) 26,500 ~ 27,900 Hz (X, Y, Z) 13

Experimental Results (2/3) Unexpected output by sound noise (for L3G4200D) Standard deviation of raw data samples for 12 L3G4200D chips (X-axis) Standard deviation of raw data samples for 12 L3G4200D chips (Y-axis) 14

Experimental Results (2/3) Unexpected output by sound noise (for L3G4200D) Standard deviation of raw data samples for 12 L3G4200D chips (X-axis) Standard deviation of raw data samples for 12 L3G4200D chips (Y-axis) 7,900 ~ 8,300Hz 14

Experimental Results (2/3) Unexpected output by sound noise (for L3G4200D) Standard deviation of raw data samples for 12 L3G4200D chips (X-axis) 7,900 ~ 8,300Hz Standard deviation of raw data samples for 12 L3G4200D chips (Y-axis) 7,900 ~ 8,300Hz 14

Experimental Results (3/3) Unexpected output by sound noise (for L3G4200D) Standard deviation of raw data samples for 12 L3G4200D chips (Z-axis) Raw data samples of one L3G4200D chip (@ 8,000Hz) 15

Experimental Results (3/3) Unexpected output by sound noise (for L3G4200D) Standard deviation of raw data samples for 12 L3G4200D chips (Z-axis) Raw data samples of one L3G4200D chip (@ 8,000Hz) 7,900 ~ 8,300Hz 15

Experimental Results (3/3) Unexpected output by sound noise (for L3G4200D) Standard deviation of raw data samples for 12 L3G4200D chips (Z-axis) Raw data samples of one L3G4200D chip (@ 8,000Hz) 7,900 ~ 8,300Hz What is the impact of abnormal sensor output to the actuation of drone system? 15

Software Analysis Two open-source firmware programs Multiwii project ArduPilot project 16

Software Analysis Two open-source firmware programs Multiwii project ArduPilot project Rotor control algorithm 16

Software Analysis Two open-source firmware programs Multiwii project ArduPilot project Rotor control algorithm Proportional-Integral -Derivative control 16

Software Analysis Two open-source firmware programs Multiwii project ArduPilot project Rotor control algorithm Proportional-Integral -Derivative control 16

Software Analysis Two open-source firmware programs Multiwii project ArduPilot project Rotor control algorithm Proportional-Integral -Derivative control 16

Software Analysis Two open-source firmware programs Multiwii project ArduPilot project Rotor control algorithm Proportional-Integral -Derivative control 16

Software Analysis Two open-source firmware programs Multiwii project ArduPilot project Rotor control algorithm Proportional-Integral -Derivative control 16

Software Analysis Two open-source firmware programs Multiwii project ArduPilot project Rotor control algorithm Proportional-Integral -Derivative control 16

Target Drones Target drone A (DIY drone) Target drone B (DIY drone) Gyroscope: L3G4200D Gyroscope: MPU6000 Resonant freq.: 8,200 Hz Firmware: Multiwii (Audible sound range) Resonant freq.: 26,200 Hz Firmware: ArduPilot (Ultra sound range) 18

19 Attack DEMO

Attack DEMO (Target drone A) Raw data samples of the gyroscope 21

Attack DEMO (Target drone A) Input Raw data samples of the gyroscope Flight Controller Output Rotor control data samples 21

Attack DEMO (Target drone A) Altitude data samples from sonar Input Raw data samples of the gyroscope Flight Controller Output Rotor control data samples 21

Attack Results Result of attacking two target drones Target Drone A Target Drone B Resonant Freq. (Gyro.) 8,200 Hz (L3G4200D) 26,200 Hz (MPU6000) Affected Axes X, Y, Z Z Attack Result Fall down - 22

Attack Results Result of attacking two target drones Target Drone A Target Drone B Resonant Freq. (Gyro.) 8,200 Hz (L3G4200D) 26,200 Hz (MPU6000) Affected Axes X, Y, Z Z Attack Result Fall down - X- and Y-axis = vertical rotation (more critical effect on stability) Z-axis = horizontal orientation 22

Attack Distance The minimum sound pressure level in our experiments About 108.5 db SPL (at 10cm) 24

Attack Distance The minimum sound pressure level in our experiments About 108.5 db SPL (at 10cm) Theoretically, 37.58m using a sound source that can generate 140 db SPL at 1m 24

Attack Distance The minimum sound pressure level in our experiments About 108.5 db SPL (at 10cm) Theoretically, 37.58m using a sound source that can generate 140 db SPL at 1m <450XL of LRAD Corporation> 24 (http://www.lradx.com/wp-content/uploads/2015/05/lrad_datasheet_450xl.pdf)

Attack Scenarios Drone to Drone Attack Sonic Weapons Sonic Wall/Zone 25

Limitations (1/2) Aiming at a 3- dimensional moving object 26

Limitations (1/2) Aiming at a 3- dimensional moving object Speaker array Audio amp. 26

Limitations (1/2) Aiming at a 3- dimensional moving object Speaker array Audio amp. 26

Limitations (1/2) Aiming at a 3- dimensional moving object Speaker array Audio amp. Long Range Acoustic Device for police 26

Limitations (2/2) No accumulated effect or damage Simple sonic wall (3m-by-2m, 25 speakers) 27

28 Countermeasure

Countermeasure Physical isolation Shielding from sound Using four materials Paper box Acrylic panel Aluminum plate Foam 28

Countermeasure Physical isolation Shielding from sound Using four materials Paper box Acrylic panel Aluminum plate Foam Standard deviation of raw data samples for one L3G4200D chip (averaged for 10 identical tests) 28

Conclusion A case study for a threat caused by sensor input Finding mechanical resonant frequencies from 7 kinds of MEMS gyro. Analyzing the effect of this resonance on the firmware of drones Demonstrating to attack drones using sound noise in the real world Suggesting several attack scenarios and defenses 30

Conclusion A case study for a threat caused by sensor input Finding mechanical resonant frequencies from 7 kinds of MEMS gyro. Analyzing the effect of this resonance on the firmware of drones Demonstrating to attack drones using sound noise in the real world Suggesting several attack scenarios and defenses Future work Developing a software based defense (without hardware modifications) Against sensing channel attacks for drones or embedded devices 30

Conclusion A case study for a threat caused by sensor input Finding mechanical resonant frequencies from 7 kinds of MEMS gyro. Analyzing the effect of this resonance on the firmware of drones Demonstrating to attack drones using sound noise in the real world Suggesting several attack scenarios and defenses (Not only by natural errors, but also by attackers) Future work Sensor output should not be fully trusted. Developing a software based defense (without hardware modifications) Against sensing channel attacks for drones or embedded devices 30

31 yunmok00@kaist.ac.kr

32 APPENDIXES

Sensor Definition To detect physical properties in nature To convert them to quantitative values 33

Sensor Definition To detect physical properties in nature To convert them to quantitative values New channel to attack (for attacker) 33

Sensor Definition To detect physical properties in nature To convert them to quantitative values New channel to attack (for attacker) Network traffic Software update Sensor reading Sensing & Actuation System 33

Attack Vectors of Sensor Three interfaces System (Processor) Sensor Physical quantities 34

Attack Vectors of Sensor Three interfaces Sensitive to legitimate (physical) quantities System (Processor) Sensor Legitimate channel Physical quantities 34

Attack Vectors of Sensor Three interfaces Sensitive to legitimate (physical) quantities Insensitive to other (physical) quantities System (Processor) Sensor Legitimate channel Nonlegitimate channel Physical quantities 34

Attack Vectors of Sensor Three interfaces Sensitive to legitimate (physical) quantities Insensitive to other (physical) quantities Need to send data to the system System (Processor) Sensor Legitimate channel Nonlegitimate channel Physical quantities 34

Attack Vectors of Sensor Three interfaces Sensitive to legitimate (physical) quantities Insensitive to other (physical) quantities Need to send data to the system System (Processor) Data/Signal injection Sensor Sensing data injection Legitimate channel Nonlegitimate channel Interference or performance degradation Physical quantities 34

Attack Vectors of Sensor Three interfaces Sensitive to legitimate (physical) quantities Insensitive to other (physical) quantities Need to send data to the system System (Processor) Data/Signal injection EMI injection attack for defibrillator and BT headset (S&P 2013) Sensor Sensing data injection Legitimate channel Nonlegitimate channel Interference or performance degradation Physical quantities 34

Attack Vectors of Sensor Three interfaces Sensitive to legitimate (physical) quantities Insensitive to other (physical) quantities Need to send data to the system System (Processor) Data/Signal injection EMI injection attack for defibrillator and BT headset (S&P 2013) Sensor Sensing data injection Legitimate channel Nonlegitimate channel Interference or performance degradation Spoofing attack for ABS in a car (CHES 2013) Physical quantities 34

Attack Vectors of Sensor Three interfaces Sensitive to legitimate (physical) quantities Insensitive to other (physical) quantities Need to send data to the system System (Processor) Data/Signal injection EMI injection attack for defibrillator and BT headset (S&P 2013) Sensor Sensing data injection Legitimate channel Nonlegitimate channel Interference or performance degradation Spoofing attack for ABS in a car (CHES 2013) Our work Physical quantities 34

Sound Noise Source Sound Pressure Level (SPL) and Total Harmonics Distortion plus Noise (THD+N) measurement (The sound level of noisy factory or heavy truck) 85~95 db SPL Microphone (Brüel & Kjær 4189-A-021) below 2% THD+N Sound Measurement Instrument (NI USB-4431) 35

Paper box Acrylic panel Aluminum plate Foam 36

2024 © hobbydocbox.com Privacy Policy | Terms of Service | Feedback