Sonic Gun to Smart Devices: Your Devices Lose Control Under Ultrasound/Sound

Black Hat USA 2017

Presented by: Wang Kang, Shangyuan LI, Aimin Pan, Zhengbo Wang, Bo Yang
Date: Thursday July 27, 2017
Time: 09:45 - 10:35
Location: Jasmine Ballroom

MEMS sensors, such as accelerometers and gyroscopes, play irreplaceable roles in modern smart devices. A vulnerability has been revealed in which the internal sensing elements resonate when exposed to acoustic waves at certain frequencies, yielding corrupted data. We developed the attack method and achieved data manipulation via precise parameter tuning for both gyroscopes and accelerometers. We also invented a joint attack that combines the two, providing hackers with more versatility. We will explore extensively the impact of this vulnerability across several categories of devices with MEMS sensors onboard, including VR devices, self-balancing vehicles, and drones.

Using a home-built ultrasound/sound emitting system, we launch attacks against prevailing VR products, including smartphones such as iPhone 7 and Galaxy S7. By emitting an ultrasound/sound beam onto devices at resonant frequencies, we are able to manipulate the "virtual world." For example, we can steer the facing direction without the user's movement, trigger quakes with different frequencies and amplitudes, and so on. This could daze some users because it contradicts what they actually feel, which may cause a fall or even physical injury.

"Shooting" a self-balancing vehicle, we show that it loses balance as soon as we "pull the trigger." In a realistic situation, the user would probably fall and could even be injured while riding at speed. We also attack a commercial DJI product and induce a change in its flight state, which could ultimately lead to a crash. These attacks can exclusively deprive users of their control. Moreover, in the cases of the VR device and the self-balancing vehicle, users may get physically injured! We also introduce several countermeasures, in both hardware and software, to mitigate the vulnerability. Last but not least, through all these attacks, we call for the attention of related companies to prevent further exploitation.

Zhengbo Wang

Zhengbo Wang received his Ph.D. degree in Physics from Tsinghua University in China. After years of building atomic clocks, he joined Alibaba as a senior engineer in the security department of Alibaba Group, and is ready to hack ab initio.

Wang Kang

Wang Kang is a Security Specialist on the Mobile Security team of Alibaba Group. He is a contributor to the Linux kernel (TDD-LTE USB dongle support) as well as a founder of the Tsinghua University Network Administrators (http://tuna.tsinghua.edu.cn). He delivered a talk at Black Hat Europe 2015, "Time and Position Spoofing with Open Source Projects."

Bo Yang

Yang Bo is a telecommunication specialist in the China Telecommunication Technology Labs in CAICT. He has also worked on ultrasonic transducers and measurements for several years. His main research interests include sensors/transducers, wireless communication, and related measurement technologies.

Shangyuan LI

Shangyuan Li is now an assistant researcher in the Department of Electronic Engineering, Tsinghua University. His research interests focus on the interdisciplinary area among different WAVEs, including microwave, lightwave and soundwave. He has published more than 40 papers.

Aimin Pan

Aimin Pan is the chief architect of the mobile security division within the Alibaba Corporation. He has written and translated many books, including "Understanding the Windows Kernel" (Chinese edition, 2010) and "COM Principles and Applications" (Chinese edition, 1999). Before joining Alibaba, he worked at Peking University (Beijing), Microsoft Research Asia, and Shanda Innovations. Aimin has published more than 30 academic papers and filed 10 US patents. In recent years, his research has focused on mobile operating systems and security.

