Usenix Enigma 2017

Hacking sensors isn’t as big an area of research as hacking operating systems and firmware, but the results of simple physical hacks can be far-reaching.
In a talk at Enigma 2017, Yongdae Kim, professor in the Korea Advanced Institute of Science and Technology’s Graduate School of Information Security, showed how active and passive sensors can be hacked by a simple laser pointer or by speakers set to just the right frequency.
Passive sensors, like gyroscopes and magnetometers, simply measure their environment and report back. Active sensors, like radar and sonar, send out a signal and then take measurements on the return signal. Both are hackable relatively simply. Take, for example, the gyroscopes used in off-the-shelf drones, which use an inertial measurement unit that tracks the forces on a weight along three axes. Many materials have a resonant frequency that causes them to oscillate – think breaking a wine glass with a high note – and it’s just a matter of finding that frequency.
Kim and his team found the correct frequency for gyroscopes in seven of the 15 commercial drones they tested, including hardware from STMicro and InvenSense. The frequencies ranged from audible to inaudible for humans, but all proved effective in confusing the drone and causing it to crash.
This was demonstrated on stage, where a commercial quadrocopter crashed after Kim and his assistant fired the right sound at it. While you needed to be close up for the attack to work, more distant attacks could be achieved by ramping up the power output. There are limiting factors, he admitted. If the gyroscope housing is sturdy, this would make the hack much more difficult, and there’s a limit to how loud you can go before the attack becomes more trouble than it’s worth.
On the active side, Kim showed how an active medical sensor that dispenses drips of drugs can be hacked using a laser pointer. Shining the laser at the sensor that controls droplet flow makes it lose its ability to measure the droplets of medicine flowing into the patient. In testing, the sensor could be tricked into doubling the dose of drugs to the patient, or into cutting the flow of medicine by 45 per cent. To make matters worse, the physical distance needed to do this is based on the laser’s power, so as long as the laser has line-of-sight access to the sensor, the hack could work.
Thankfully, this is fairly easy to block. Kim said you could simply cover the transparent sections of the device in masking tape. But overall, he said, it was worrying how easily commonly used sensors can be hacked. This problem is only going to get worse. Sensors are increasingly added to all manner of devices, and his team is currently looking at the kinds of sensors that self-driving cars rely on to keep us safe.