Musical cyberattacks? How sound waves can mess with a connected device

New research suggests that hackers could potentially use sound waves to meddle with or take control of a connected device.

On Tuesday a group of security researchers at the University of Michigan and the University of South Carolina showed how a connected device can be meddled with, or taken control of, using sound waves. That would be some prank, although the ramifications of such a hack could be deadly serious in some circumstances.

The vulnerability the team found was used to add extra steps to a Fitbit fitness monitor by playing a malicious music file and manipulating accelerometers and other motion sensors. The researchers said this could be done with any connected device.

Kevin Fu, associate professor of computer science and engineering at the University of Michigan, said it’s useful to think of the manipulation as a “musical virus.” Fu said the only reason his team had created this kind of musical remote control of connected devices was to show Internet of Things makers what vulnerabilities existed. The team also created a kind of antivirus for possible attacks.

“The fundamental physics of the hardware allowed us to trick sensors into delivering a false reality to the microprocessor,” Fu said. “Our findings upend widely held assumptions about the security of the underlying hardware.”

The researchers tested their musical virus on more than just a Fitbit. They also played a malicious piece of music on a smartphone to take control of a remote-control toy car.

Simply put, the accelerometer in a device measures speed and change of movement, such as when you position a tablet or where your Fitbit is going. “Thousands of everyday devices already contain tiny MEMS [micro-electromechanical systems] accelerometers,” said Fu. “Tomorrow’s devices will aggressively rely on sensors to make automated decisions with kinetic consequences.”

In a statement, Fitbit said this didn’t involve a compromise of Fitbit user data. “What is being described is simply a way to game the system,” the company said. “We believe that any attempt to get credit for steps not actually taken, however clever, deprives the user of the very real benefits of living a more active, healthier life…. We continue to explore solutions that help mitigate the potential for this type of behavior.”

Image: Joel Kramer via Flickr