New research exposes broad risks accompanying our increasing use of technology
Computer security researchers have found a way to hack common technology products like smartphones and Fitbits using sound waves.
A musical virus
The New York Times (NYT) reports that researchers from the University of Michigan and the University of South Carolina have found a vulnerability in many consumer items that lets third parties influence or get control of the items. This is done using tiny accelerometers inside the devices, components that are a standard part of such products.
The researchers illustrated the security flaw by adding steps artificially to a Fitbit fitness monitor and played a music file that was "malicious" from a smartphone's speaker in order to control its accelerometer. This then let them interfere with other software that relies on the phone, like an app for driving a radio-controlled toy car.
"It's like the opera singer who hits the note to break a wine glass, only in our case, we can spell out words" and enter commands rather than just shut down the phone, said Dr. Kevin Fu. Dr. Fu is one of the authors of the paper, an associate professor of electrical engineering and computer science at the University of Michigan, and chief executive of Virta Labs, a company that focuses on cybersecurity in health care.
"You can think of it as a musical virus," he explained.
The scientists found the flaw in more than half of the 20 commercial brands they tested from five chip makers. It shows the challenges in security that have risen as people have incorporated more and more digital devices into their daily lives.
Planes, Trains, Automobiles, and Insulin Pumps?
Now that major auto manufacturers and start-ups are working on self-driving vehicles, the possibility of undetected security flaws that could let an attacker remotely control a vehicle is worrying.
However, the researchers explained that they saw the discovery as a window into the "cybersecurity challenges inherent in complex systems in which analog and digital components can interact in unexpected ways" rather than a reason to panic.
"The whole world of security is about unintended interactions," said Paul Kocher, a former executive at chip company Rambus and currently a cryptographer.
The accelerometer measures acceleration and is used to navigate, figure out how a tablet computer is oriented, and to measure distance travelled in fitness monitors.
When the researchers hacked the toy car, they controlled it by making the accelerometer produce false readings. There are more serious ways in which the flaw could be exploited, however, such as in the instance that an accelerometer is designed to control the automation of a diabetic's insulin dosage. In this case, it could be possible to tamper with the system controlling the dosages.
Dr. Fu said that the Department of Homeland Security was expected on Tuesday to issue a security advisory alert regarding chips produced by the semiconductor companies documented in the study: Analog Devices, Bosch, InvenSense, Murata Manufacturing, and STMicroelectronics.