Sensor Security - ECE-180D-WS-2023/Knowledge-Base-Wiki GitHub Wiki
Sensor Security Vulnerabilities & Defense Strategies
By Anna Anderson
- Foundations of Security
- Sensor Attacks & Solutions
- Conclusion: Designing with Security in Mind
Sensors are all around us in the modern world. Just think about it, the device you are reading this on right now likely has a camera, a microphone, and many other sensors monitoring the status of different functionalities under the hood. The purpose of a sensor in an electronic system is to take an environmental analog stimulus and convert it into something we can digitally understand. This allows for external signals to be sampled in order for data to be stored, converted, or otherwise processed. This data is then used for various tasks such as transmitting vocal audio across a network.
Internet of Things (IoT) devices, a recent trend in technology, are user centered and meant to interact in a harmonious networked ecosystem with one another. The Apple watch, which pairs perfectly with other Apple devices, is a great example of IoT. One of the benefits, or drawbacks depending on who you ask, is the sheer amount of personal data that can be collected via the device’s many onboard sensors. A user can monitor their step count, heart rate, and even blood oxygen level with just one compact device . This is all bundled into a package with a host of apps as well as a user-friendly interface paired with the world’s friendliest voice control system, “Siri” .
Although these functionalities are appealing to users, engineers have a responsibility to be mindful of the security risks stemming from sensor integration. These issues are not exclusive to the personal devices, they also permeate many other industries including biomedical and automotive. We will be diving into a few examples of sensor attacks as well as their corresponding solutions. But first, let us get familiar with some security foundations.
Foundations of Security
In a perfect world, we would be able to use our devices with the following guarantees :
- Confidentiality: Only those who are authorized may access specific information and permissions in a device
- Integrity: Device services and information are consistent across user accesses
- Availability: The user is always able to use device services and their access is not blocked
Unfortunately, we do not live in a perfect world. Not only are there device and network faults, there is also the presence of adversaries who intentionally diminish these principles through attacks . Whether they are after sensitive information, denial of service, or interference with a device, adversaries are constantly at odds with users and ultimately the engineers responsible for implementing secure systems . There are countless ways that a device can be attacked with new ones popping up every day as technology advances. Defending against security threats can often be overlooked because it comes with tradeoffs in cost, performance, and latency. In this article we will focus on a few examples of sensor security attacks, but this topic is far reaching and touches every area in computing .
Sensor Attack Examples
Because sensors can be affected by external stimuli, an attacker does not necessarily need to touch or be in close proximity to the device they are targeting. Common attack strategies include fabricating stimuli that cause sensors to read incorrect or out of bound values .
DolphinAttack: A Voice Control System Attack
DolphinAttack is an attack on voice controlled systems (e.g. Siri and Alexa) performed by modulating commands to inaudible frequencies so that a victim’s device may be activated without their knowledge . This can be utilized by adversaries to :
- Turn a phone on airplane mode (Denial of Service)
- Visit nefarious websites
- Spy via the victim’s camera or microphone
- Send false information from a text or call
It works by exploiting the nonlinear properties of the amplifiers in MEMs microphones (utilized in voice control systems) to take in input beyond the typical frequency range and be filtered as a valid command . Researchers utilized text-to-speech applications to concatenate valid wake commands like “Hey siri”, as well as instructional commands. These commands were then transmitted with ultrasonic carriers to achieve inaudible frequencies . They found success in activation and recognition across a multitude of devices and voice recognition systems
Defenses against DolphinAttack have been developed in both hardware and software. One solution is to enhance the microphones themselves to suppress signals in the inaudible frequency range . This enhancement in materials has a cost tradeoff. On the other hand, machine learning classifiers can be used to detect adversarial patterns (such as the synthetic voice qualities associated with text-to-speech applications) . Detection can catalyze an alert to the use of suspicious activity but it is computationally costly.
Medical Pump Attack
Medical infusion pumps utilize IR sensors to verify the dosage transmitted to the patient . The dropper works by measuring the amount of time that the IR receiver cannot detect the IR emitter as medicine passes between them, and it translates this information to get the proper dosage . Attackers can force the system to go into an inoperable saturation region by utilizing an additional emitter shining at the receiver from a different angle than the original . The receiver does not properly detect the drops due to this extra stimulus, as seen in the figure below .
Forcing the device into saturation allows the attacker to manipulate the amount of medicine given to the patient (under or over-dosing) because the sensor ignores legitimate inputs .
Medical Pump Attack Solutions
The physical design of the device can be altered to include shielding around the original IR emitter and receiver so that no additional stimuli may be detected by the sensor . An alternative solution would be to detect saturation either through hardware or software processing and send a notification to the user .
Car PKES Attack
Many cars today utilize “Passive Keyless Entry & Start” (PKES) . This technology allows drivers to unlock and start their vehicles just by having a key fob in the vicinity of the car. This way they do not need to get to their key if their hands are full.
PKES systems work via low frequency radio identification (LF RFID) tags which utilize short range communication . Naturally, the key fob needs to be in close proximity to the vehicle for this protocol to register communication. The figure above displays the protocol used to verify the key identity and unlock the car . Researchers found that the system is vulnerable to relay attacks, which are commonly implemented against other communication systems as shown in the figure below .
Essentially, the attacker can place a long range ultra high frequency (UHF) transceiver in close proximity to the car, which then relays protocol messages between the key and car beyond the bounds of the intended distance for communication . This enables attackers to unlock and start the car when the owner is far away and unaware.
Car PKES Attack Solutions
Two hardware solutions have been proposed for this attack. The first is to add a switch for user to turn PKES on and off on their key fobs . This can however defeat the purpose of the functionality in the case that the user's hands are full . An alternative solution is to shield the key with a faraday cage that prevents communication out of the distance range of LF RFID . This solution is more robust but can be more costly in materials.
Conclusion: Designing with Security in Mind
By examining these case studies, it is clear that sensor security is an important factor to keep in mind when engineering devices.
Common solutions include :
- Sensor shielding
- Detection mechanisms for filtering concerning behavior
- Randomization: if components behave somewhat randomly, attackers cannot exploit their behavior
- Utilizing higher quality materials or adding additional sensors to detect adverse behavior, which comes with a cost tradeoff
In the past, security has been overlooked when priorities are focused on performance and cost. However, as the number of devices and systems multiplies, security is an increasing concern across the board. Incorporating security features in early design stages can help to build a stronger foundation at the ground level. This has potential to make all the difference in improving security trends and safety for all users.
Apple Watch Sensors:
- Apple, “Your Apple Watch,” Apple Support. [Online]. Available: https://support.apple.com/guide/watch/your-apple-watch-apd2054d0d5b/watchos. [Accessed: 18-Mar-2023].
G. Zhang, "DolphinAttack: Inaudible Voice Commands", CCS'17, Oct. 2017, Available: https://acmccs.github.io/papers/p103-zhangAemb.pdf
Y. Park, "This ain't your dose: Sensor Spoofing Attack on Medical Infusion Pump", Korea Advanced Institute of Science and Technology (KAIST), 2016, Available: https://www.usenix.org/system/files/conference/woot16/woot16-paper-park_0.pdf
A. Francillon, "Relay Attacks on Passive Keyless Entry and Start Systems in Modern Cars", ETH Zurich, 2010, Available: https://eprint.iacr.org/2010/332.pdf
N. Sehatbakhsh, "Secure Computing Systems: Introduction", UCLA, 2023, Available: https://drive.google.com/file/d/1UwTrjnr20MoTDV9UQiDzcskq1AqJxTfJ/view
N. Sehatbakhsh, "Secure Computing Systems: CPS & Sensor Security", UCLA, 2023, Available: https://drive.google.com/file/d/1VQkfBYRugJO1EUfes2m-aTbm_TvBTBq_/view
Chipkin, "How safe is your car?", Chipkin, 2019, Available: https://store.chipkin.com/articles/how-safe-is-your-car-only-7-out-of-237-cars-tested-could-not-be-hacked