Sensor Security - ECE-180D-WS-2023/Knowledge-Base-Wiki GitHub Wiki

Sensor Security

Sensor Security Vulnerabilities & Defense Strategies

By Anna Anderson

Contents

  1. Introduction
  2. Foundations of Security
  3. Sensor Attacks & Solutions
  4. Conclusion: Designing with Security in Mind

Introduction

Sensors are all around us in the modern world. Just think about it: the device you are reading this on right now likely has a camera, a microphone, and many other sensors monitoring the status of different functionalities under the hood. The purpose of a sensor in an electronic system is to take an analog stimulus from the environment and convert it into something we can understand digitally. This allows external signals to be sampled so that data can be stored, converted, or otherwise processed. This data is then used for various tasks such as transmitting vocal audio across a network.

Internet of Things (IoT) devices, a recent trend in technology, are user-centered and meant to interact with one another in a harmonious networked ecosystem. The Apple Watch, which pairs perfectly with other Apple devices, is a great example of IoT. One of the benefits, or drawbacks depending on who you ask, is the sheer amount of personal data that can be collected via the device’s many onboard sensors. A user can monitor their step count, heart rate, and even blood oxygen level with just one compact device [1]. This is all bundled into a package with a host of apps as well as a user-friendly interface paired with the world’s friendliest voice control system, “Siri” [1].

Although these functionalities are appealing to users, engineers have a responsibility to be mindful of the security risks stemming from sensor integration. These issues are not exclusive to personal devices; they also permeate many other industries, including biomedical and automotive. We will dive into a few examples of sensor attacks as well as their corresponding solutions. But first, let us get familiar with some security foundations.

Foundations of Security

In a perfect world, we would be able to use our devices with the following guarantees [5]:

  • Confidentiality: Only those who are authorized may access specific information and permissions in a device
  • Integrity: Device services and information are consistent across user accesses
  • Availability: The user is always able to use device services and their access is not blocked

Unfortunately, we do not live in a perfect world. Not only are there device and network faults, there are also adversaries who intentionally undermine these principles through attacks [5]. Whether they are after sensitive information, denial of service, or interference with a device, adversaries are constantly at odds with users and ultimately with the engineers responsible for implementing secure systems [5]. There are countless ways that a device can be attacked, with new ones popping up every day as technology advances. Defending against security threats is often overlooked because it comes with tradeoffs in cost, performance, and latency. In this article we will focus on a few examples of sensor security attacks, but this topic is far-reaching and touches every area in computing [5].

Sensor Attack Examples

Because sensors can be affected by external stimuli, an attacker does not necessarily need to touch or be in close proximity to the device they are targeting. Common attack strategies include fabricating stimuli that cause sensors to read incorrect or out-of-bounds values [6].

DolphinAttack: A Voice Control System Attack

DolphinAttack is an attack on voice-controlled systems (e.g. Siri and Alexa) performed by modulating commands to inaudible frequencies so that a victim’s device may be activated without their knowledge [2]. This can be utilized by adversaries to [2]:

  • Turn a phone on airplane mode (Denial of Service)
  • Visit nefarious websites
  • Spy via the victim’s camera or microphone
  • Send false information from a text or call

It works by exploiting the nonlinear properties of the amplifiers in MEMS microphones (utilized in voice control systems), which cause input beyond the typical frequency range to be taken in and pass filtering as a valid command [2]. Researchers utilized text-to-speech applications to concatenate valid wake commands like “Hey Siri”, as well as instructional commands. These commands were then transmitted on ultrasonic carriers to achieve inaudible frequencies [2]. They found success in activation and recognition across a multitude of devices and voice recognition systems.

DolphinAttack Solutions

Defenses against DolphinAttack have been developed in both hardware and software. One solution is to enhance the microphones themselves to suppress signals in the inaudible frequency range [2]. This enhancement in materials has a cost tradeoff. On the other hand, machine learning classifiers can be used to detect adversarial patterns (such as the synthetic voice qualities associated with text-to-speech applications) [2]. Detection can trigger an alert to the user about suspicious activity, but it is computationally costly.

Medical Pump Attack

Medical infusion pumps utilize IR sensors to verify the dosage transmitted to the patient [3]. The dropper works by measuring the amount of time that the IR receiver cannot detect the IR emitter as medicine passes between them, and it translates this information to get the proper dosage [3]. Attackers can force the system to go into an inoperable saturation region by utilizing an additional emitter shining at the receiver from a different angle than the original [3]. The receiver does not properly detect the drops due to this extra stimulus, as seen in the figure below [3].

[Figure: aa_irsensor]

Forcing the device into saturation allows the attacker to manipulate the amount of medicine given to the patient (under or over-dosing) because the sensor ignores legitimate inputs [3].

Medical Pump Attack Solutions

The physical design of the device can be altered to include shielding around the original IR emitter and receiver so that no additional stimuli may be detected by the sensor [3]. An alternative solution would be to detect saturation either through hardware or software processing and send a notification to the user [3].
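The software saturation check described above, sketched as an added example (not code from the cited paper or from any pump vendor): a drop counter that also latches an alarm when the IR receiver stays near full scale. The 10-bit ADC range, the thresholds, and both sample traces are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed thresholds for a 10-bit ADC (0..1023); not values from the paper. */
#define DROP_LOW   300  /* below: beam blocked, a drop is passing      */
#define DROP_HIGH  500  /* above: beam clear again (hysteresis)        */
#define SAT_LEVEL 1000  /* at or above: receiver is near the rail      */
#define SAT_RUN      8  /* consecutive railed samples before the alarm */

typedef struct {
    int in_drop;      /* 1 while the beam is blocked      */
    unsigned drops;   /* drops counted so far             */
    unsigned railed;  /* length of the current railed run */
    int saturated;    /* latched saturation alarm         */
} drop_sensor;

/* Feed one ADC sample; returns 1 once the saturation alarm is latched. */
int sensor_feed(drop_sensor *s, uint16_t adc) {
    if (adc >= SAT_LEVEL) {
        if (++s->railed >= SAT_RUN) s->saturated = 1;
    } else {
        s->railed = 0;
    }
    if (!s->in_drop && adc < DROP_LOW) {
        s->in_drop = 1;               /* falling edge: drop enters the beam */
    } else if (s->in_drop && adc > DROP_HIGH) {
        s->in_drop = 0;               /* rising edge: drop has passed */
        s->drops++;
    }
    return s->saturated;
}

/* Run a whole trace through a fresh sensor state. */
drop_sensor run_trace(const uint16_t *adc, size_t n) {
    drop_sensor s = {0, 0, 0, 0};
    for (size_t i = 0; i < n; i++) sensor_feed(&s, adc[i]);
    return s;
}

/* Constructed traces: two drops in normal light, then a receiver held at the rail. */
const uint16_t NORMAL[12]  = {700,710,250,240,705,700,260,245,250,700,705,700};
const uint16_t FLOODED[12] = {1020,1023,1023,1019,1023,1023,1021,1023,1023,1023,1022,1023};

int main(void) {
    drop_sensor a = run_trace(NORMAL, 12), b = run_trace(FLOODED, 12);
    printf("normal: drops=%u sat=%d\nflooded: drops=%u sat=%d\n",
           a.drops, a.saturated, b.drops, b.saturated);
    return 0;
}
```

A latched alarm lets the controller notify the user instead of trusting a drop count of zero from a blinded receiver.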

Car PKES Attack

Many cars today utilize “Passive Keyless Entry & Start” (PKES) [4]. This technology allows drivers to unlock and start their vehicles just by having a key fob in the vicinity of the car. This way they do not need to get to their key if their hands are full.

[Figure: aa_car2]

PKES systems work via low-frequency radio-frequency identification (LF RFID) tags, which utilize short-range communication [4]. Naturally, the key fob needs to be in close proximity to the vehicle for this protocol to register communication. The figure above displays the protocol used to verify the key identity and unlock the car [4]. Researchers found that the system is vulnerable to relay attacks, which are commonly implemented against other communication systems as shown in the figure below [7].

[Figure: aa_car] [7]

Essentially, the attacker can place a long-range ultra-high-frequency (UHF) transceiver in close proximity to the car, which then relays protocol messages between the key and car beyond the bounds of the intended distance for communication [4]. This enables attackers to unlock and start the car when the owner is far away and unaware.

Car PKES Attack Solutions

Two hardware solutions have been proposed for this attack. The first is to add a switch for the user to turn PKES on and off on their key fob [4]. This can, however, defeat the purpose of the functionality in the case that the user's hands are full [4]. An alternative solution is to shield the key with a Faraday cage that prevents communication out of the distance range of LF RFID [4]. This solution is more robust but can be more costly in materials.

Side Channel Attacks

Side channel attacks exploit information leaked by a system during normal operation, such as power consumption, electromagnetic emissions, or timing data. By gathering enough of this type of data, a bad actor can potentially extract sensitive information such as secret keys or passwords. Side channel attacks take advantage of seemingly innocuous data to access encrypted information [3]. When we design technology, mathematical algorithms are translated to a combination of tangible physical events including timing, power, sound, and electromagnetic emissions. Since these events are a direct result of the system operations, attackers can decrypt hidden information by observing and analyzing this data. There are several types of side channel attacks; attacks can be invasive or non-invasive, and active or passive. The invasiveness refers to whether or not the attacker must access internal components (such as attaching a wire to a data bus) or relies exclusively on externally available data like power emissions. An active attack changes the way the device functions, while a passive attack simply gathers data without interfering with the device itself. All types of side channel attacks are dangerous, especially because they use information that’s unintentionally exposed.

Examples

Researchers recently discovered a new side channel vulnerability in Intel CPUs which relies on the timing analysis of transient executions. Timing analysis enabled researchers to decipher system code [2]. Another more generic example involves analyzing the leakage and power consumption of CMOS devices; there is a direct relationship between the power consumption and the internal data of the device. Side channel attacks are particularly concerning because they can be performed with inexpensive equipment, and they exploit a vulnerability which cannot be completely eliminated, as technology will always have some sort of measurable effect on its environment [4]. An additional instance of a side channel attack is the acoustic side channel attack on additive manufacturing systems. A team of researchers was able to recreate 3D printed designs through audio processing of the sounds emitted by a 3D printer without any other information about the designs [1]. This example demonstrates how side channel attacks use information that appears harmless. The sound a machine makes, the heat it gives off, and the timing of the power consumption often aren’t factors we necessarily take into account when designing for security, but we must be vigilant to vulnerabilities both in the digital and physical world.

Side Channel Attack Solutions

There are several solutions to mitigate the dangers of side channel attacks, such as blocking electromagnetic emissions, adding noise into power leakage, and shielding. By lining equipment with signal attenuating materials such as copper or steel, electromagnetic emissions can be blocked so that bad actors cannot use them to decrypt sensitive information [4]. This is referred to as shielding, and is currently the most effective solution to block side channel events. Additionally, adding artificial noise to power emissions makes it more difficult for the attacker to analyze the information. This method is not foolproof, however, as certain types of side channel attacks that analyze traces of power consumption can eliminate the noise through analysis.
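To see why injected noise alone is not foolproof, the following added simulation (not from the cited sources) models a power sample as the Hamming weight of the processed byte plus noise and shows that averaging repeated measurements recovers the data-dependent part. The leakage model, the noise level, and the data byte are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Deterministic PRNG (xorshift32) so the simulation is repeatable. */
static uint32_t rng_state = 2463534242u;
static double uniform01(void) {
    rng_state ^= rng_state << 13;
    rng_state ^= rng_state >> 17;
    rng_state ^= rng_state << 5;
    return (rng_state >> 8) / 16777216.0;   /* top 24 bits -> [0,1) */
}

/* Approximate unit-variance Gaussian: sum of 12 uniforms minus 6. */
static double gauss(void) {
    double s = 0.0;
    for (int i = 0; i < 12; i++) s += uniform01();
    return s - 6.0;
}

/* Number of set bits: the assumed leakage model (Hamming weight). */
int hamming_weight(uint8_t v) {
    int n = 0;
    for (; v; v >>= 1) n += v & 1;
    return n;
}

/* One simulated power sample: data-dependent leakage plus injected noise. */
double power_sample(uint8_t data, double noise_sigma) {
    return hamming_weight(data) + noise_sigma * gauss();
}

/* Average n samples taken while the device handles the same byte. */
double averaged_leakage(uint8_t data, double noise_sigma, int n) {
    double sum = 0.0;
    for (int i = 0; i < n; i++) sum += power_sample(data, noise_sigma);
    return sum / n;
}

int main(void) {
    const uint8_t data = 0xB7;             /* constructed value, weight 6 */
    const int counts[] = {1, 100, 10000};
    for (int i = 0; i < 3; i++) {
        double est = averaged_leakage(data, 4.0, counts[i]);
        printf("n=%5d  estimate=%.2f  true=%d\n", counts[i], est, hamming_weight(data));
    }
    return 0;
}
```

The residual noise in the average shrinks roughly with the square root of the number of samples, so injected noise raises the number of measurements needed rather than removing the leak; this is why the text pairs it with shielding.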

Conclusion: Designing with Security in Mind

By examining these case studies, it is clear that sensor security is an important factor to keep in mind when engineering devices.

Common solutions include [6]:

  • Sensor shielding (as seen above relating to side channel attacks)
  • Detection mechanisms for filtering concerning behavior
  • Randomization: if components behave somewhat randomly, attackers cannot exploit their behavior
  • Utilizing higher quality materials or adding additional sensors to detect adverse behavior, which comes with a cost tradeoff

In the past, security has been overlooked when priorities are focused on performance and cost. However, as the number of devices and systems multiplies, security is an increasing concern across the board. There is an abundance of data available and bad actors can easily use it for nefarious purposes. Additionally, as technology improves, we must be creative and strive to consider new possible vulnerabilities. Incorporating security features in early design stages can help to build a stronger foundation at the ground level. This has potential to make all the difference in improving security trends and safety for all users.

Sources

Apple Watch Sensors:

  1. Apple, “Your Apple Watch,” Apple Support. [Online]. Available: https://support.apple.com/guide/watch/your-apple-watch-apd2054d0d5b/watchos. [Accessed: 18-Mar-2023].

Research Papers:

  2. G. Zhang, "DolphinAttack: Inaudible Voice Commands", CCS'17, Oct. 2017, Available: https://acmccs.github.io/papers/p103-zhangAemb.pdf

  3. Y. Park, "This ain't your dose: Sensor Spoofing Attack on Medical Infusion Pump", Korea Advanced Institute of Science and Technology (KAIST), 2016, Available: https://www.usenix.org/system/files/conference/woot16/woot16-paper-park_0.pdf

  4. A. Francillon, "Relay Attacks on Passive Keyless Entry and Start Systems in Modern Cars", ETH Zurich, 2010, Available: https://eprint.iacr.org/2010/332.pdf

Security Principles

  5. N. Sehatbakhsh, "Secure Computing Systems: Introduction", UCLA, 2023, Available: https://drive.google.com/file/d/1UwTrjnr20MoTDV9UQiDzcskq1AqJxTfJ/view

  6. N. Sehatbakhsh, "Secure Computing Systems: CPS & Sensor Security", UCLA, 2023, Available: https://drive.google.com/file/d/1VQkfBYRugJO1EUfes2m-aTbm_TvBTBq_/view

  7. Chipkin, "How safe is your car?", Chipkin, 2019, Available: https://store.chipkin.com/articles/how-safe-is-your-car-only-7-out-of-237-cars-tested-could-not-be-hacked

Side Channel Attacks

  1. Al Faruque, Mohammad Abdullah, et al. “Acoustic Side-Channel Attacks on Additive Manufacturing Systems.” IEEE Xplore, 1 Apr. 2016, ieeexplore.ieee.org/document/7479068.

  2. Grad, Peter, and Tech Xplore. “New Side-Channel Attack Vulnerability Found in Intel CPU.” Techxplore.com, 21 Apr. 2023, techxplore.com/news/2023-04-side-channel-vulnerability-intel-cpu.html. Accessed 28 Apr. 2023.

  3. Standaert, François-Xavier. “Introduction to Side-Channel Attacks.” Integrated Circuits and Systems, 9 Dec. 2009, pp. 27–42, https://doi.org/10.1007/978-0-387-71829-3_2. Accessed 18 Jan. 2021.

  4. Zhang, Alex. “What Is a Side-Channel Attack? | Vulnerabilities & Countermeasures.” Blog.enconnex.com, 21 Mar. 2021, blog.enconnex.com/what-is-a-side-channel-attack-vulnerabilities-and-countermeasures. Accessed 28 Apr. 2023.