If you listen hard enough, you can hear cyber criminals violating your car

As the promise of IoT comes closer and closer to reality, concerns over security are becoming increasing vocal and more detailed.

The latest alarm has been raised by the University of Michigan after researchers claim sound waves could be used to hack into critical sensors in various technologies including smartphones, cars and medical devices. Considering the deeply penetrated role IoT will have in our day-to-day lives in the digital economy, if there is credibility to the claim it will be a huge worry for the ecosystem.

“The fundamental physics of the hardware allowed us to trick sensors into delivering a false reality to the microprocessor,” said Kevin Fu, Associate Professor of Computer Science and Engineering, who is leading the University’s research project. “Our findings upend widely held assumptions about the security of the underlying hardware.

“If you look through the lens of computer science, you won’t see this security problem. If you look through the lens of materials science, you won’t see this security problem. Only when looking through both lenses at the same time can one see these vulnerabilities.”

Fu’s claim is that devices in the IoT can be tricked into collecting data which doesn’t exist. The team precisely tuned acoustic tones to deceive 15 different devices into registering movement that never occurred. As the devices collected this data, it essentially created a backdoor which allowed the team to access the network and control other aspects of the system.

In one example, the team used a used a $5 speaker to inject thousands of fictitious steps into a Fitbit, while simultaneously playing malicious music file from a smartphone’s own speaker to control the phone’s accelerometer trusted by an Android app. This allowed the team to move freely inside the system and control other areas, including controlling a Samsung Galaxy S5’s accelerometer to spell out the word ‘WALNUT’ in a graph of its readings.

All accelerometers (a component measure the rate of change in an object’s speed in three dimensions) have an analogue core – a mass suspended on springs. When the object the accelerometer is embedded in changes speed or direction, the mass moves accordingly. The digital components in the accelerometer process the signal and ferry it to other circuits.

“Analog is the new digital when it comes to cybersecurity,” said Fu. “Thousands of everyday devices already contain tiny MEMS accelerometers. Tomorrow’s devices will aggressively rely on sensors to make automated decisions with kinetic consequences.”

The success of the IoT world relies on several equally critical components from the artificial intelligence serving as the brains, to infrastructure to ensure low latency. That said, sensors are just as critical as numerous use cases involve the ability for the ‘thing’ to be aware of its surroundings. In this light, the claim could be disastrous. Imagine a car which can’t pick up a child walking across the street or one which could be tricked into thinking there is a turning when there isn’t.

It is worth noting the University are looking to commercialize technology which could counter this problem; there is a cash incentive at the end of the road. But that should not detract from the importance of this vulnerability should the claims be as serious as Fu and his team claim.