Tech

From Fitbits to toy cars, study finds vulnerability in wide range of devices

From Fitbits to toy cars, study finds vulnerability in wide range of devices
In this Dec 15, 2014, file photo, fitness trackers, from left, Basis Peak, Adidas Fit Smart, Fitbit Charge, Sony SmartBand, and Jawbone Move, are posed for a photo next to an iPhone, in New York. Photo: AP
Published: 1:05 PM, March 14, 2017

SAN FRANCISCO — A hacking that would allow someone to add extra steps to the counter on your Fitbit monitor might seem harmless. But researchers say it points to the broader risks that come with technology’s embedding into the nooks of our lives.

On Tuesday (March 14), a group of computer security researchers at the University of Michigan and the University of South Carolina will demonstrate that they have found a vulnerability that allows them to take control of or surreptitiously influence devices through the tiny accelerometers that are standard components in consumer products like smartphones, fitness monitors and even automobiles.

In their paper, the researchers describe how they added fake steps to a Fitbit fitness monitor and played a “malicious” music file from the speaker of a smartphone to control the phone’s accelerometer. That allowed them to interfere with software that relies on the smartphone, like an app used to pilot a radio-controlled toy car.

“It’s like the opera singer who hits the note to break a wineglass, only in our case, we can spell out words” and enter commands rather than just shut down the phone, said Mr Kevin Fu, an author of the paper, who is also an associate professor of electrical engineering and computer science at the University of Michigan and chief executive of Virta Labs, a company that focuses on cybersecurity in health care. “You can think of it as a musical virus.”

The flaw, which the researchers found in more than half of the 20 commercial brands from five chipmakers they tested, illustrates the security challenges that have emerged as robots and other kinds of digital appliances have begun to move around in the world.

With dozens of start-ups and large transportation companies pushing to develop self-driving cars and trucks, undetected vulnerabilities that might allow an attacker to remotely control vehicles are an unnerving possibility.

Still, computer security researchers said the discovery was not a sky-is-falling bug but rather a revealing window into the cybersecurity challenges inherent in complex systems in which analog and digital components can interact in unexpected ways.

“The whole world of security is about unintended interactions,” said Mr Paul Kocher, a cryptographer and a former executive at the chip company Rambus.

Accelerometers are instruments that measure acceleration and are frequently manufactured as silicon chip-based devices known as microelectromechanical systems, or MEMS. Accelerometers are used for navigating, for determining the orientation of a tablet computer and for measuring distance travelled in fitness monitors such as Fitbits.

In the case of the toy car, the researchers did not actually compromise the car’s microprocessor, but they controlled the car by forcing the accelerometer to produce false readings. They exploited the fact that a smartphone application relies on the accelerometer to control the car.

While toy cars might seem like trivial examples, there are other, darker possibilities. If an accelerometer was designed to control the automation of insulin dosage in a diabetic patient, for example, that might make it possible to tamper with the system that controlled the correct dosage.

Fu has researched the cybersecurity risks of medical devices, including a demonstration of the potential to wirelessly introduce fatal heart rhythms into a pacemaker.

He said the current research was inspired by a discussion in his group about a previous study in which drones were disabled with music. He added that earlier research demonstrated denial-of-service attacks that used sound to disable accelerometers.

In 2014, security researchers at Stanford University demonstrated how an accelerometer could be used surreptitiously as a rudimentary microphone, for example. And in 2011, a group from the Massachusetts Institute of Technology and the Georgia Institute of Technology demonstrated the use of an accelerometer in a smartphone to decode roughly 80 per cent of the words being typed on a nearby computer keyboard by capturing vibrations from the keyboard.

In the case of the research by the University of Michigan and the University of South Carolina, scientists stopped the accelerometer from functioning and changed its behaviours.

In testing 20 accelerometer models from five manufacturers, they affected the information or output from 75 per cent of the devices tested and controlled the output in 65 percent of the devices.

The Department of Homeland Security was expected to issue a security advisory alert Tuesday for chips produced by the semiconductor companies documented in the paper, Mr Fu said. The five chipmakers were Analog Devices, Bosch, InvenSense, Murata Manufacturing and STMicroelectronics.

The paper, which will be presented at the IEEE European Symposium on Security and Privacy in Paris next month, also documents hardware and software changes manufacturers could make to protect against the flaws the researchers discovered. NEW YORK TIMES