Transducer Sensors Suffer Security Risks Based on Physics, Not Malware

By Special Guest
Justin Jett, Director of Audit and Compliance, Plixer
February 09, 2018

The Internet of Things (IoT) is comprised of a massive and rapidly growing number of devices connected to the Internet. These devices include things like household appliances, thermostats, manufacturing robots, cameras, automobiles, biochip transponders and many others. Among these devices are sensors called transducers.

Transducers gather data from the physical world, such as light, sound, vibration, heat, and pressure and convert that information into electrical impulses. Software interprets these electrical impulses to make sense of the data. Recent research conducted by Kevin Fu from the University of Michigan and Wenyuan Xu from Zhejiang University has revealed that transducers are inherently vulnerable to attacks based on physics, not malware.

Physical manipulation can be used to trick transducers into reporting environmental data that is inaccurate. Ambient sound can be used to trick voice recognition sensors. Electromagnetic waves can be used to dupe transducers into inaccurately reporting temperature.

Although the term “transduction attacks” was recently coined by Fu and Xu, these attack surfaces aren’t new. In March of 2017, scientists from Israel demonstrated how a flatbed scanner could be used to gain access to an air-gapped network (like the ones often found in government and military environments). In this case, lasers and smart lightbulbs were used to communicate with the optical sensor of a flatbed scanner.

The attack demonstrated that by altering the input of physical data, in this case light, you could trick the sensor into behaving in a manner different from that which it was intended. Imagine the implication of tricking sensors used in hospitals to measure refrigerator temperatures where medications and specimens are stored. In hospitals or other healthcare environments, refrigeration unit temperatures could be increased, ruining lifesaving medication and destroying medical samples waiting for diagnosis.

In the automobile industry, consider the safety implications. Sensors measuring vehicle acceleration/deceleration for the purposes of airbag deployment could be altered. Airbags could be triggered to go off, even though there was no accident. Sensors measuring the distance of objects could be tricked into causing the vehicle to brake hard while driving at full speed, or fail to brake, causing a collision.

In critical infrastructure, transducers measuring the temperature of data centers or other critical infrastructure could be altered, causing damage to server farms or the failure of public utility systems.

The more our modern world relies on IoT devices and transducers for safety systems, process automation and general data gathering, the more at risk we are from these transducer attacks.

Manufacturers that build transducers should take a system-centric approach to security. This means that they need to ensure the validity of input data being received through a defense in depth approach. Installing additional sensors that look for the types of environmental variations used to trick the system could provide an extra layer of protection for such attacks. With these complimentary sensors, operating systems or computer software could be used to mitigate false data inputs. In this manner, the attack could be thwarted.

About the Author: Justin Jett is Director of Audit and Compliance at Plixer with roles ranging from system administration of web services to technical product marketing for Plixer’s incident response system, Scrutinizer. Justin, a graduate of the University of Maine at Farmington, is an avid learning of all things security, with a particular interest in TLS and DNS attacks.

Edited by Ken Briodagh

Related Articles

MapR Announces Complementary Data Management and Logistics for NVIDIA Software

By: Ken Briodagh    10/15/2018

MapR Technologies will now support data access and production deployments for data science through the NVIDIA RAPIDS open-source software.

Read More

5G and GDPR can be boon to cyber criminals, says GlobalData

By: Ken Briodagh    10/11/2018

Following the Europol IOCTA report, in which the agency stated that 5G mobile networks and GDPR will make it difficult to track cyber criminals, Gary …

Read More

Paessler and Sigfox Announce Partnership to Accelerate IoT Adoption

By: Ken Briodagh    10/10/2018

PRTG Network Monitor Provides Visibility into the IT Infrastructure of Sigfox Network that Decreases Cost and Energy from Internet of Things Connectiv…

Read More

Magic xpi Achieves SAP-Certified Integration with SAP S/4HANA

By: Ken Briodagh    10/9/2018

Magic's integration solution empowers customers to automate and optimize processes through interoperability with SAP solutions

Read More

netsapiens Launches Cloud-Native SNAPvantage B/OSS Automation Platform

By: Ken Briodagh    10/9/2018

netsapiens, a B2B provider of unified communications (UCaaS) products & services to communications service providers (CSP's), recently announced that …

Read More