6.s062: mobile and sensor computing · spooﬁng gps signals. pacemaker security wireless control...

6.S062: Mobile and Sensor Computing

Lecture14:IoTSecurityPhysicalSecurityandAcous9cA:acks

Some material adapted from Nirupam Roy (UIUC)

Mobile Security Inaudible Voice Commands

Analog Sensor Security Acoustic Attacks on MEMS

Accelerometers

Drone Security Spoofing GPS Signals

Pacemaker Security Wireless Control of Pacemaker

BackDoor: Making Microphones Hear Inaudible Sounds

Microphones are everywhere

Speaker

Audible sound

Microphones record audible sounds

I hear that

I record that

Inaudible, but recordable !

Speaker

Inaudible, but recordable !

Speaker

I can’t hear that

I record that

Speaker

Works with unmodified devices

CameraSmartwatch

Laptop Hearing Aid

Near-ultrasound

It’s not “near-ultrasound”

50k40k10k

Ampl

itud

e

Frequency20k 30k

Microphonehardware

Exploiting fundamental nonlinearity

50k40k10k

Ampl

itud

e

20k 30k Frequency

What can we do with it?

Application: Acoustic jammer

Application: Acoustic communication

$ 5.00

Threat: Acoustic DOS attack

Jamminghearing aids


Jamminghearing aids


Blocking911 calls

Talk outline

Microphone Overview1

System Design2

Challenges3

Evaluation4

Microphone working principle

Amplifier Filter ADCDiaphragm


Diaphragm Amplifier Filter ADC


Amplifier Filter ADC

Ampl

itud

e

10kFrequency

20k 30k 40k 50k 60k 70k 80k 90k 100k

Diaphragm



Microphone filter

Diaphragm

10kFrequency

20k 30k 40k 50k 60k 70k 80k 90k 100k

Ampl

itud

e

Diaphragm



Microphone filter

Ampl

itud

e

10kFrequency

20k 30k 40k 50k 60k 70k 80k 90k 100k


Input

Out

put

Vin

Vout

Vout = a1Vin

InputOut

put

Vout = a1Vin+ a2Vin2+ a3Vin

3+…

Amplifier

10k

Frequency20k 30k 40k 50k 60k 70k 80k 90k 100k


Input

Out

put

Vin

Vout

Vout = a1Vin

10k


InputOut

put

Vout = a1Vin+ a2Vin2

Amplifier


Input

Out

put

Vin

Vout

Vout = a1Vin

10k


InputOut

put

Amplifier


Talk outline


System Design2

Challenges3

Evaluation4

Exploiting amplifier non-linearityAm

plit

ude Microphone

filter

F1= 50kHzF2= 40kHz

F1F2

10kFrequency

20k 30k 40k 50k 60k 70k 80k 90k 100k



plit

ude Microphone

filter

F1= 50kHzF2= 40kHz

( sin F1 + sin F2 )2 = cos 2F1 + cos 2F2 + cos (F1+F2) + cos (F1- F2)

F1F2

10kFrequency

20k 30k 40k 50k 60k 70k 80k 90k 100k



plit

ude Microphone

filter

F1= 50kHzF2= 40kHz

F1F2


2F2 (F1+F2) 2F1

10kFrequency

20k 30k 40k 50k 60k 70k 80k 90k 100k

2F2 (F1+F2) 2F1



plit

ude F1F2


F1= 50kHzF2= 40kHz

Microphone filter

10kFrequency

20k 30k 40k 50k 60k 70k 80k 90k 100k

2F2 (F1+F2) 2F1



plit

ude F1F2


F1= 50kHzF2= 40kHz

Microphone filter

(F1-F2)

10kFrequency

20k 30k 40k 50k 60k 70k 80k 90k 100k


plit

ude F1F2

F1= 50kHzF2= 40kHz

Microphone filter

10kFrequency

20k 30k 40k 50k 60k 70k 80k 100k90k

(F1-F2)


plit

ude F1F2

F1= 50kHzF2= 40kHz

Microphone filter

10kFrequency

20k 30k 40k 50k 60k 70k 80k 90k 100k

(F1-F2)

Talk outline


System Design2

Challenges3

Evaluation4

Challenges

Ultrasonic speaker

Amplitude modulation

Problem: speaker has non-linearities=> Audible sound

Challenges

Ultrasonic speaker

Frequency modulation

Wenyuan Xu

Primer on Modulation

Challenges

Ultrasonic speaker


Wenyuan Xu

Challenges

Ultrasonic speaker


Problem: microphone can’t measure

inaudible sound

Wenyuan Xu

Solution?

Ultrasonic speaker

Add another speaker How do we structure its

signal?

Talk outline


System Design2

Challenges3

Evaluation4

Hardware generalizability

40 kHz

50 kHz

Hearing Aid

Camera iPhone Androidphone

Smartwatch Laptop

Hearing!aids!

Camera!

iPhone!

Android!phone!

Smart-w

atch!

Laptop!

BackDoor!Signal!(dB)!

Devices!

60!

40!

20!

0!

Implementation

Communication prototype

Jammerprototype

Communication performance

FM data packets

4kbpsup to 1 meter

More power can increase the distance

Jamming performance

BackDoor jammer

Spymicrophone

Jamming performance

BackDoor jammer

Jammed recording

2000 spoken words

Jamming performance

BackDoor jammer

Jammed recording

Humanlistener

Speech recognition

2000 spoken words

Jamming performance

BackDoor jammer

Jammed recording

Humanlistener

Speech recognition

% of legible words

2000 spoken words

Jamming performance100

80

60

40

20

0

1.0m

1.5m

2.0m

No Jam2.5m

3.0m

3.5m

4.0m

4.5m

5.0m

Jamming distance

Legi

bilit

y of

wor

ds (%

)Human users

Automatic speech recognition

How would you design a system to secure against this attack?

Summary

•IoT Security: both digital and analog •“Sensor” security & attacks:

- Mobile acoustic attacks (inaudible voice commands) - Analog Sensor attacks (on MEMS accelerometers) - Drone Security (Spoofing GPS) - Medical Security (Hacking Pacemakers)

•Modulation schemes - AM - FM - Inter-modulation

•Fundamentals have implications beyond IoT (e.g., Cuban “acoustic attack”)

6.s062: mobile and sensor computing · spooﬁng gps signals. pacemaker security wireless control...

Documents