6.s062: mobile and sensor computing · spoofing gps signals. pacemaker security wireless control...
TRANSCRIPT
6.S062: Mobile and Sensor Computing
Lecture14:IoTSecurityPhysicalSecurityandAcous9cA:acks
Some material adapted from Nirupam Roy (UIUC)
Mobile Security Inaudible Voice Commands
Analog Sensor Security Acoustic Attacks on MEMS
Accelerometers
Drone Security Spoofing GPS Signals
Pacemaker Security Wireless Control of Pacemaker
BackDoor: Making Microphones Hear Inaudible Sounds
Microphones are everywhere
Microphones are everywhere
Speaker
Audible sound
Microphones record audible sounds
I hear that
I record that
Inaudible, but recordable !
Speaker
Inaudible, but recordable !
Speaker
I can’t hear that
I record that
Speaker
Works with unmodified devices
CameraSmartwatch
Laptop Hearing Aid
Near-ultrasound
It’s not “near-ultrasound”
50k40k10k
Ampl
itud
e
Frequency20k 30k
Microphonehardware
Exploiting fundamental nonlinearity
50k40k10k
Ampl
itud
e
20k 30k Frequency
What can we do with it?
Application: Acoustic jammer
Application: Acoustic communication
$ 5.00
Threat: Acoustic DOS attack
Jamminghearing aids
Threat: Acoustic DOS attack
Jamminghearing aids
Threat: Acoustic DOS attack
Blocking911 calls
Talk outline
Microphone Overview1
System Design2
Challenges3
Evaluation4
Talk outline
Microphone Overview1
System Design2
Challenges3
Evaluation4
Microphone working principle
Amplifier Filter ADCDiaphragm
Microphone working principle
Diaphragm Amplifier Filter ADC
Microphone working principle
Amplifier Filter ADC
Ampl
itud
e
10kFrequency
20k 30k 40k 50k 60k 70k 80k 90k 100k
Diaphragm
Microphone working principle
Amplifier Filter ADC
Ampl
itud
e
10kFrequency
20k 30k 40k 50k 60k 70k 80k 90k 100k
Diaphragm
Microphone working principle
Amplifier Filter ADC
Ampl
itud
e
10kFrequency
20k 30k 40k 50k 60k 70k 80k 90k 100k
Diaphragm
Microphone working principle
Amplifier Filter ADC
Ampl
itud
e
10kFrequency
20k 30k 40k 50k 60k 70k 80k 90k 100k
Diaphragm
Microphone working principle
Amplifier Filter ADC
Microphone filter
Diaphragm
10kFrequency
20k 30k 40k 50k 60k 70k 80k 90k 100k
Ampl
itud
e
Diaphragm
Microphone working principle
Amplifier Filter ADC
Microphone filter
Ampl
itud
e
10kFrequency
20k 30k 40k 50k 60k 70k 80k 90k 100k
Microphone working principle
Input
Out
put
Vin
Vout
Vout = a1Vin
InputOut
put
Vout = a1Vin+ a2Vin2+ a3Vin
3+…
Amplifier
10k
Frequency20k 30k 40k 50k 60k 70k 80k 90k 100k
Microphone working principle
Input
Out
put
Vin
Vout
Vout = a1Vin
10k
Frequency20k 30k 40k 50k 60k 70k 80k 90k 100k
InputOut
put
Vout = a1Vin+ a2Vin2
Amplifier
Microphone working principle
Input
Out
put
Vin
Vout
Vout = a1Vin
10k
Frequency20k 30k 40k 50k 60k 70k 80k 90k 100k
InputOut
put
Amplifier
Vout = a1Vin+ a2Vin2
Talk outline
Microphone Overview1
System Design2
Challenges3
Evaluation4
Exploiting amplifier non-linearityAm
plit
ude Microphone
filter
F1= 50kHzF2= 40kHz
F1F2
10kFrequency
20k 30k 40k 50k 60k 70k 80k 90k 100k
Vout = a1Vin+ a2Vin2
Exploiting amplifier non-linearityAm
plit
ude Microphone
filter
F1= 50kHzF2= 40kHz
( sin F1 + sin F2 )2 = cos 2F1 + cos 2F2 + cos (F1+F2) + cos (F1- F2)
F1F2
10kFrequency
20k 30k 40k 50k 60k 70k 80k 90k 100k
Vout = a1Vin+ a2Vin2
Exploiting amplifier non-linearityAm
plit
ude Microphone
filter
F1= 50kHzF2= 40kHz
F1F2
( sin F1 + sin F2 )2 = cos 2F1 + cos 2F2 + cos (F1+F2) + cos (F1- F2)
2F2 (F1+F2) 2F1
10kFrequency
20k 30k 40k 50k 60k 70k 80k 90k 100k
2F2 (F1+F2) 2F1
Vout = a1Vin+ a2Vin2
Exploiting amplifier non-linearityAm
plit
ude F1F2
( sin F1 + sin F2 )2 = cos 2F1 + cos 2F2 + cos (F1+F2) + cos (F1- F2)
F1= 50kHzF2= 40kHz
Microphone filter
10kFrequency
20k 30k 40k 50k 60k 70k 80k 90k 100k
2F2 (F1+F2) 2F1
Vout = a1Vin+ a2Vin2
Exploiting amplifier non-linearityAm
plit
ude F1F2
( sin F1 + sin F2 )2 = cos 2F1 + cos 2F2 + cos (F1+F2) + cos (F1- F2)
F1= 50kHzF2= 40kHz
Microphone filter
(F1-F2)
10kFrequency
20k 30k 40k 50k 60k 70k 80k 90k 100k
Exploiting amplifier non-linearityAm
plit
ude F1F2
F1= 50kHzF2= 40kHz
Microphone filter
10kFrequency
20k 30k 40k 50k 60k 70k 80k 100k90k
(F1-F2)
Exploiting amplifier non-linearityAm
plit
ude F1F2
F1= 50kHzF2= 40kHz
Microphone filter
10kFrequency
20k 30k 40k 50k 60k 70k 80k 90k 100k
(F1-F2)
Talk outline
Microphone Overview1
System Design2
Challenges3
Evaluation4
Challenges
Ultrasonic speaker
Amplitude modulation
Problem: speaker has non-linearities=> Audible sound
Challenges
Ultrasonic speaker
Frequency modulation
Wenyuan Xu
Primer on Modulation
Challenges
Ultrasonic speaker
Frequency modulation
Wenyuan Xu
2
Challenges
Ultrasonic speaker
Frequency modulation
Problem: microphone can’t measure
inaudible sound
Wenyuan Xu
Solution?
Ultrasonic speaker
Add another speaker How do we structure its
signal?
Talk outline
Microphone Overview1
System Design2
Challenges3
Evaluation4
Hardware generalizability
40 kHz
50 kHz
Hearing Aid
Camera iPhone Androidphone
Smartwatch Laptop
Hearing!aids!
Camera!
iPhone!
Android!phone!
Smart-w
atch!
Laptop!
BackDoor!Signal!(dB)!
Devices!
60!
40!
20!
0!
Implementation
Communication prototype
Jammerprototype
Communication performance
FM data packets
4kbpsup to 1 meter
More power can increase the distance
Jamming performance
BackDoor jammer
Spymicrophone
Jamming performance
BackDoor jammer
Spymicrophone
Jamming performance
BackDoor jammer
Spymicrophone
Jamming performance
BackDoor jammer
Spymicrophone
Jamming performance
BackDoor jammer
Spymicrophone
Jamming performance
BackDoor jammer
Jammed recording
2000 spoken words
Jamming performance
BackDoor jammer
Jammed recording
Humanlistener
Speech recognition
2000 spoken words
Jamming performance
BackDoor jammer
Jammed recording
Humanlistener
Speech recognition
% of legible words
2000 spoken words
Jamming performance100
80
60
40
20
0
1.0m
1.5m
2.0m
No Jam2.5m
3.0m
3.5m
4.0m
4.5m
5.0m
Jamming distance
Legi
bilit
y of
wor
ds (%
)Human users
Automatic speech recognition
How would you design a system to secure against this attack?
Summary
•IoT Security: both digital and analog •“Sensor” security & attacks:
- Mobile acoustic attacks (inaudible voice commands) - Analog Sensor attacks (on MEMS accelerometers) - Drone Security (Spoofing GPS) - Medical Security (Hacking Pacemakers)
•Modulation schemes - AM - FM - Inter-modulation
•Fundamentals have implications beyond IoT (e.g., Cuban “acoustic attack”)