Inertial sensors provide crucial feedback for control systems to determine
motional status and make timely, automated decisions. Prior efforts tried to
control the output of inertial sensors with acoustic signals. However, their
approaches did not consider sample rate drifts in analog-to-digital converters
as well as many other realistic factors. As a result, few attacks demonstrated
effective control over inertial sensors embedded in real systems.
This work studies the out-of-band signal injection methods to deliver
adversarial control to embedded MEMS inertial sensors and evaluates consequent
vulnerabilities exposed in control systems relying on them. Acoustic signals
injected into inertial sensors are out-of-band analog signals. Consequently,
slight sample rate drifts could be amplified and cause deviations in the
frequency of digital signals. Such deviations result in fluctuating sensor
output; nevertheless, we characterize two methods to control the output:
digital amplitude adjusting and phase pacing. Based on our analysis, we devise
non-invasive attacks to manipulate the sensor output as well as the derived
inertial information to deceive control systems. We test 25 devices equipped
with MEMS inertial sensors and find that 17 of them could be implicitly
controlled by our attacks. Furthermore, we investigate the generalizability of
our methods and show the possibility to manipulate the digital output through
signals with relatively low frequencies in the sensing channel.Comment: Original publication in the proceedings of the 27th USENIX Security
Symposium, 201