LAS VEGAS—As much as we hate to admit it, even the most advanced smartphone or VR headset is pretty dumb. It can't do much on its own, and requires special sensors to understand things like speed and motion. At the Black Hat conference here, a pair of researchers from Alibaba Security demonstrated how a gun that fires ultrasonic sound can mess with these critical sensors, sending phones spinning and hoverboards toppling over.
Two members of the five-person Alibaba team appeared at Black Hat. They drew on several years of work involving the microelectromechanical systems (MEMS) chips found in most modern consumer electronics, which contain a variety of different, microscopic constructions, ranging from springs and levers to tiny gears. For the purposes of this work, the researchers focused on accelerometers and gyroscopes.
Everything from video game controllers to cell phones use these tiny sensors to interpret motion and speed. When you twist your iPhone to steer an on-screen car or tilt your head while wearing a VR helmet, it's a MEMS chip that turns your physical motion into signals computers can understand.
A single accelerometer consists of a sensor mass and several tiny spring-like structures. When the accelerometer moves, so does the sensor mass, and the difference between it being at rest and being in motion can be measured. Multiple accelerometers allow a device to detect motion in more than one axis.
The MEMS gyroscope is similar, except that the sensor mass is induced to move back and forth in a consistent, periodic motion. When the device is rotated, force is placed on the sensor mass causing it to pull sideways. This displacement is measured and used to determine motion.
Because these are physical sensors, they can be affected by outside sources. In fact, they're designed to do precisely that. By focusing ultrasonic waves at the resonant frequency of the sensor, the researchers were able to cause the tiny components within the MEMS chips to move while the device containing the chips remained stationary.
Hit Me With That (Sonic) Bop Gun
With an established body of research and a strong understanding of the math involved, the research team assembled a test rig to try out their theories. All together, a similar system can be purchased for around $30, but the team opted for a more powerful and precisely variable ultrasonic device.
By placing the tip of the ultrasonic device against the rough location of the MEMS sensors, the team was able to observe a wide range of results. On the Oculus Rift VR headset, the view began to spin disconcertingly in the presence of the untrasound. When placed against the Oculus controller, the on-screen representation of the stationary controller drifted rhythmically across the screen. Another VR headset, the HTC Vive, also became unstable, but is apparently designed to freeze interaction in these situations.
The Microsoft HoloLens is a augmented reality device that superimposes digital information over the physical world. Unlike the Vive and Rift, it uses physical landmarks and mapping technology to orient itself instead of cameras and IR sensors. When hit with the ultrasonic attack, the on-screen graphics merely pulsed (dithered) rhythmically.
Google Cardboard and Samsung Gear VR present a VR experience by making use of the sensors onboard smartphones, with some additions in the case of the Gear VR. When hit with ultrasound, the Samsung Galaxy S7 smartphone, which is compatible with the Gear VR system, started to rotate the image it displayed. The researchers found they could manipulate the level and compass app in the iPhone 7. When they created a doppler effect by moving the ultrasonic emitter back and forth while the iPhone ran 360-degree video from Facebook, the image started to spin, too.
Not satisfied with the merely digital, the team took their ultrasonic device to a collection of drones and self-balancing two-wheeled robots and scooters. For the sake of protecting their fingers, the researchers removed the blades from a DJI Phantom 3 quadcopter. Ultrasonic sound targeted at the drone's sensor chips caused the motors to increase and decrease their RPM erratically, which certainly didn't sound good. The researchers, however, conceded that they weren't able to shoot a drone out of the sky.
They had better luck with scooters and robots, which rolled forward, flipped over, and generally performed very badly when exposed to the ultrasonic attack—making Segways and similar devices even less appealing.
The researchers were quick to acknowledge the limitations of their work. For one thing, the ultrasonic probe needed to be very close to the target. In the case of the DJI Phantom, the exterior case had to be removed. The same was true for one of the hoverboards they tested. To make it really effective, researchers explained, you'd have to find a way to project the ultrasound through the volume of air between you and the target, plus whatever shielding exists on the target itself.
While humans can't hear ultrasound, the resonant frequency of the target sensor sometimes fell within the range of hearing. In the case of one self-balancing wheeled robot, the researcher described the attack as "very, very noisy." It would surely be noticed. Moreover, the researchers had their most dramatic results when attacking small, two-wheeled self-balancing toys. "Maybe some very serious badass hackers will exploit this vulnerability to make some kids cry," they mused.
- Evil, Metal-Destroying Bubbles Are Hackers' New Best Friends Evil, Metal-Destroying Bubbles Are Hackers' New Best Friends
While a plastic shell makes a good defense, researchers suggested that software could be even better. Because a specific frequency needs to be targeted, it would be easy to simply monitor for that frequency range and have a pre-set response or a warning for the user. Some MEMS chip designers are already working on this kind of solution, researchers said. They also suggested that clustering MEMS chips from different manufacturers onto devices would prevent this kind of attack, because each would have a different resonant frequency to target.
With commercial drones becoming more capable and affordable each year, law enforcement has sought ways to better control them. Currently, drones in the US are hard-coded to avoid specific no-fly zones, usually around airports. Figuring out how to bring down a drone has involved everything from nets in shotguns to specially trained eagles. An ultrasonic weapon, while perhaps not quite feasible today, is sure to be of interest. And the ability to disrupt navigation on a variety of devices, from cell phones to VR headsets, has a lot of potential for researchers.
But the most intriguing area was one touched on only briefly in the session. The researchers noted that MEMS chips are also used to deploy airbags and assist in power steering in some vehicles. Perhaps that will be the subject of a session at next year's Black Hat.