Slashdot Mirror

← Back to Stories (view on slashdot.org)

It's Possible To Hack a Smartphone With Sound Waves, Researchers Show (cnbc.com)

Posted by msmash on from the security-woes dept.

A security loophole that would allow someone to add extra steps to the counter on your Fitbit monitor might seem harmless. But researchers say it points to the broader risks that come with technology's embedding into the nooks of our lives. John Markoff, writes for the NYTimes: On Tuesday, a group of computer security researchers at the University of Michigan and the University of South Carolina will demonstrate that they have found a vulnerability that allows them to take control of or surreptitiously influence devices through the tiny accelerometers that are standard components in consumer products like smartphones, fitness monitors and even automobiles. In their paper, the researchers describe how they added fake steps to a Fitbit fitness monitor and played a "malicious" music file from the speaker of a smartphone to control the phone's accelerometer. That allowed them to interfere with software that relies on the smartphone, like an app used to pilot a radio-controlled toy car. "It's like the opera singer who hits the note to break a wine glass, only in our case, we can spell out words" and enter commands rather than just shut down the phone, said Kevin Fu, an author of the paper, who is also an associate professor of electrical engineering and computer science at the University of Michigan and the chief executive of Virta Labs, a company that focuses on cybersecurity in health care. "You can think of it as a musical virus."

41 comments

  1. obligatory xkcd by slew · · Score: 2

    For your bemusement...

    1. Re:obligatory xkcd by Anonymous Coward · · Score: -1

      I get more bemusement from watching Jamal and Tyrone destroy your tight, white ass by jackhammering it with their big, black cocks.

    2. Re:obligatory xkcd by Anonymous Coward · · Score: 0

      I'll bet you really do. Here's your paper towels. Clean up after yourself.

    3. Re:obligatory xkcd by Anonymous Coward · · Score: 0

      No thanks. Your mouth does the job well enough, cuck boy.

  2. Play a song, complete your mile walk faster by Anonymous Coward · · Score: 0

    Wow, this is scary stuff. What are they going to do next? Change a pixel on my screen?

    1. Re:Play a song, complete your mile walk faster by Travis+Mansbridge · · Score: 1

      If you can execute arbitrary code on a target machine it's not a whole lot of steps further to have it "play a song" that pipes out a stream representing your personal (or other private) information. That'd let you "hack into" even an air-gapped machine.

    2. Re:Play a song, complete your mile walk faster by viperidaenz · · Score: 1

      They're not executing code.
      That're manipulating an accelerometer with sound waves.

      The extent of the impact is applications that use accelerometer input can get false readings - like steps in a fitness app or steering control for a remote control toy car.or game.

    3. Re:Play a song, complete your mile walk faster by Anonymous Coward · · Score: 0

      Assuming you could get close enough to an air gapped machine. But this has all been proven before and is nothing new. If the machine can respond to any radio or electromagnetic frequency it can be hacked. You might have to be close by, but it's possible.

    4. Re:Play a song, complete your mile walk faster by pr0fessor · · Score: 1

      Now I'm waiting for a DIY sonic screwdriver that can interfere with accelerometers.....

    5. Re:Play a song, complete your mile walk faster by Ol+Olsoc · · Score: 1

      If you can execute arbitrary code on a target machine it's not a whole lot of steps further to have it "play a song" that pipes out a stream representing your personal (or other private) information. That'd let you "hack into" even an air-gapped machine.

      As long as you wear a tinfoil hat, you should be safe.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
  3. Snow Crash comes true? by Anonymous Coward · · Score: 0

    Sounds like Stephenson's idea of the "nam-shub" from Snow Crash has become real

  4. Partij Voor De Vrijheid by Anonymous Coward · · Score: -1

    de enige partij die luistert naar het volk!

    Stemmen voor Geert

  5. Paging the Emperor by Anonymous Coward · · Score: 0

    Duke Leto Atreides is developing a secret army using a new weapon based on sound.

  6. TL;DR by Scarred+Intellect · · Score: 3, Funny

    Yelling at your phone DOES work!

  7. Ha ha ha by JustAnotherOldGuy · · Score: 1

    Ha ha ha h- errr, I mean, that's terrible!

    Seriously, what passes for "security" these days is akin to throwing a nympho with a bottle of Jack Daniels under each arm onto a troopship and expecting her to come out a virgin.

    --
    Just cruising through this digital world at 33 1/3 rpm...
  8. 10 years ago today by Anonymous Coward · · Score: -1

    https://en.wikipedia.org/wiki/...

    You know, he killed himself because he put a nannycam in his girlfriend's sister's room (she was staying with him), and got caught. He couldn't face her, lonely soul and all.

    1. Re:10 years ago today by Anonymous Coward · · Score: 0

      Umm, your reference source doesn't in fact reference him and a nannycam, his girlfriends sister or anything like that. No wonder he was a lonely soul... O.o

    2. Re:10 years ago today by Anonymous Coward · · Score: 0

      so, your goal in life is to start false rumors about dead people making them out to all be pervs?

      Wow. You are such an asshole.

    3. Re:10 years ago today by Anonymous Coward · · Score: 0

      Hello, this is the Internet calling.

      http://archive.boston.com/ae/m...

      Or whatever Google.com.

      Brad Delp nannycam

      In Delpâ(TM)s last days, the crisis involving Meg Sullivan weighed heavily on him, according to legal filings examined by the Globe.

      On Feb. 28, Meg Sullivan discovered the battery-powered camera in her bedroom when it fell into view. The next day, Delp wrote her an emotional e-mail saying, âoeI feel sick about this, and deservedly so.â She didnâ(TM)t respond.

      On March 2, Delp had a show with his Beatles tribute band, Beatlejuice, at the Sit â(TM)n Bull pub in Maynard. Todd Winmill, Meg Sullivanâ(TM)s boyfriend, was scheduled to work as a sound engineer for the show; Winmill had also been a sound man for Boston. Delp huddled in Winmillâ(TM)s car before the gig, according to Winmillâ(TM)s testimony.

      âoeHe essentially apologized for about a half-hour,â said Winmill. âoeAnd then I told him he had to tell Pamela. He didnâ(TM)t like the thought of having to do that.â

      At 2 a.m. on March 3, Delp e-mailed Meg Sullivan again, pleading for forgiveness.

      âoeI want to try and make you understand that I consider myself a decent person who made a dreadful error in judgment,â wrote Delp. âoeI acted out of some impulse that is still not completely fathomable to me.â

      He called his action an âoeaberrationâ and compared it to Pamela Sullivanâ(TM)s affair the previous summer â" an affair that emerged in previous testimony and was confirmed last year by Pamela Sullivan in a Globe interview. At one point, Delp had tried to set up tracking devices on her computer to catch her in an affair, but in the end, she admitted the infidelity and the two eventually made plans to get married.

      Pamela Sullivan did not respond to recent requests for an interview. Attorney Jeffrey Robbins, who is representing the Herald, declined to comment on the case. Scholz attorney Nicholas Carter also declined comment.

      The e-mail Delp sent in the early morning hours of March 3 led to responses from Meg Sullivan and Winmill.

      Winmill pushed Delp to tell Pamela Sullivan about the camera. He gave him one day to do it because, he wrote via e-mail, it was unfair to ask Meg to keep the secret from her sister.

      âoeIt is because of [Megâ(TM)s] regard for you that she has given you this opportunity to tell Pam yourself,â wrote Winmill, who now lives in California and did not respond to recent interview requests. âoeIt is probably the best way for her to hear it, but please understand, and this is not a threat, but understand that she will find out.â

      Delp asked if he could have until March 5, when he planned to tell his fiancee on the phone.

      That day, Delp started purchasing tubes and vents at the Home Depot in Plaistow, N.H., according to receipts filed in court. Delpâ(TM)s idea was to hook these up to the exhaust pipe of his yellow Volkswagen Bug. This, he would later write in a note taped to his garage, was for a backup suicide plan.

      On the night of March 7, according to Winmillâ(TM)s deposition, he and Meg Sullivan showed up at Delpâ(TM)s home to pick up more of her things. It was an unpleasant experience, as described in Meg Sullivanâ(TM)s deposition. Winmill yelled and swore at Delp, who repeatedly apologized and was in tears, according to Sullivan.

      The next day, Delp bought a pair of charcoal grills at Walmart. And that night, instead of returning to Delpâ(TM)s house, Pamela Sullivan stayed at an apartment they had rented for her. She found Delpâ(TM)s body the following day.

      The Herald, in a pair of recent articles, has focused on Delpâ(TM)s relationship with Scholz, describing what it says were the singerâ(TM)s negative feelings about Scholz

  9. Horse Shit by h4x0t · · Score: 1

    This is not hacking a smartphone. This is A) 'biasing output' or making it look like one has put in more steps for the day, and B) 'controlling output' or spelling a word with the graph of acceleration/time using tight sound manipulation of an accelerometer. Link to TFPeer reviewed paper: https://spqr.eecs.umich.edu/pa...

    1. Re:Horse Shit by Ol+Olsoc · · Score: 1

      This is not hacking a smartphone. This is A) 'biasing output' or making it look like one has put in more steps for the day, and B) 'controlling output' or spelling a word with the graph of acceleration/time using tight sound manipulation of an accelerometer. Our headlines have been getting more hyperbolic, with this and the "Rogue Robot" killing it's handler.

      Next we'll be hearing about how O'Bama wiretapped Trump Tower or how he did it with Microwave ovens.......

      Oh - wait.

      Who's writing these Slashdot headlines anyhow?

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    2. Re:Horse Shit by Anonymous Coward · · Score: 0

      Who's writing these Slashdot headlines anyhow?

      In this case it was an editor at CNBC.

      It is pretty funny that they managed to make the Fitbit app even more inaccurate and got all excited about that.

    3. Re:Horse Shit by Ol+Olsoc · · Score: 1

      Who's writing these Slashdot headlines anyhow?

      In this case it was an editor at CNBC.

      That explains much

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
  10. Musical virus by Anonymous Coward · · Score: 0

    We already have this - it's called earworms ... (now to get Itsy Bitsy Spider out of my head!)

  11. no it won't "take control" by Sneftel · · Score: 3, Insightful

    Wellll. Okay, let's walk back some of that.

    You can't "hack" a phone with sound waves (or, at least, no method for that has been demonstrated as yet. What is being demonstrated here is a method of artificially biasing the input to a MEMS accelerometer using audible (!) and not-incredibly-loud (!!!) sound waves. Make no mistake, that is impressive. But it's still just input. Unless your phone will reveal its passwords to anyone who shakes it in a particular way, there's no real attack surface here.

    --
    The opinions stated herein do not necessarily represent those of anybody at all. Deal with it.
    1. Re:no it won't "take control" by AHuxley · · Score: 2

      Re "Unless your phone will reveal its passwords to anyone who shakes it in a particular way, there's no real attack surface here."
      Clever Attack Uses the Sound of a Computer’s Fan to Steal Data (06.28.16)
      https://www.wired.com/2016/06/...
      shows what can be done on the output side.
      The input side would be a way to open the device OS in some way to accept malware once its security was altered and a network opened.
      How would a device respond at code at 15 to 20 bits per minute in its own trusted hardware?

      --
      Domestic spying is now "Benign Information Gathering"
    2. Re:no it won't "take control" by Sneftel · · Score: 1

      The input side would be a way to open the device OS in some way to accept malware once its security was altered and a network opened.
      How would a device respond at code at 15 to 20 bits per minute in its own trusted hardware?

      Probably somewhat slower than it would if you were communicating with it at 5-100 megabits per second over that network connection you've already opened up.

      --
      The opinions stated herein do not necessarily represent those of anybody at all. Deal with it.
    3. Re:no it won't "take control" by AHuxley · · Score: 1

      Flood the area with two methods.
      The first to enter or reset the device hardware. A command to reset or default using unexpected hardware access.
      The sound does not have to be complex or need malware like bandwidth, just enough to alter the device settings to make it network receptive.
      The second network in the same area is just a flood of classic malware for that brand and version of device finding a now wide open default device wide open on normal networks with all the bandwidth needed for more complex OS alterations.
      Once infected, the device reverts to the expected user configuration.

      --
      Domestic spying is now "Benign Information Gathering"
  12. I do it all the time with sound waves by nospam007 · · Score: 2

    "Hey Siri, open the hacking app."

  13. Low barrier for "virus" by Anonymous Coward · · Score: 0

    So anything that interferes with normal operation is now a "virus"?
    Is the puddle that I dropped my (old, not waterproofed) phone in also considered a DDOS (the puddle did contain what appeared to be a large amount of water molecules) ?

  14. Obligatory: Intel CPU Backdoor Report by Anonymous Coward · · Score: 0

    Intel CPU Backdoor Report (Updated Mar 13, 2017)

    The goal of this report is to make the existence of Intel CPU backdoors a common knowledge and provide information on backdoor removal.

    What we know about Intel CPU backdoors so far:

    TL;DR version

    Your Intel CPU and Chipset is running a backdoor as we speak.

    The backdoor hardware is inside the CPU/Bridge and the backdoor firmware (Intel Management Engine) is in the chipset flash memory.

    30C3 Intel ME live hack:
    @21m43s, keystrokes leaked from Intel ME above the OS, wireshark failed to detect packets.
    [Video Link] 30C3: Persistent, Stealthy, Remote-controlled Dedicated Hardware Malware
    [Quotes] Vortrag:
    "DAGGER exploits Intel's Manageability Engine (ME), that executes firmware code such as Intel's Active Management Technology (iAMT), as well as its OOB network channel."

    "the ME provides a perfect environment for undetectable sensitive data leakage on behalf of the attacker. Our presentation consists of three parts. The first part addresses how to find valuable data in the main memory of the host. The second part exploits the ME's OOB network channel to exfiltrate captured data to an external platform and to inject new attack code to target other interesting data structures available in the host runtime memory. The last part deals with the implementation of a covert network channel based on JitterBug."

    "We have recently improved DAGGER's capabilites to include support for 64-bit operating systems and a stealthy update mechanism to download new attack code."

    "To be more precise, we show how to conduct a DMA attack using Intel's Manageability Engine (ME)."

    "We can permanently monitor the keyboard buffer on both operating system targets."

    Backdoor removal:
    The backdoor firmware can be removed by following this guide using the me_cleaner script.
    Removal requires a Raspberry Pi (with GPIO pins) and a SOIC clip.

    Decoding Intel backdoors:
    The situation is out of control and the Libreboot/Coreboot community is looking for BIOS/Firmware experts to help with the Intel ME decoding effort.

    If you are skilled in these areas, download Intel ME firmwares from this collection and have a go at them, beware Intel is using a lot of counter measures to prevent their backdoors from being decoded (explained below).

    Useful links:
    The Intel ME subsystem can take over your machine, can't be audited
    REcon 2014 - Intel Management Engine Secrets
    Untrusting the CPU (33c3)
    Towards (reasonably) trustworthy x86 laptops
    30C3 To Protect And Infect - The militarization of the Internet
    30c3: To Protect And Infect Part 2 - Mass Surveillance Tools & Software

    1. Introduction, what is Intel ME

    Short version, from Intel staff:

    Re: What Intel CPUs lack Intel ME secondary processor?
    Amy_Intel Feb 8, 2016 9:27 AM

    The Management Engine (ME) is an isolated and protected coprocessor, embedded as a non-optional part in

  15. Yeah but by Anonymous Coward · · Score: 0

    hack it with CW or rtty

  16. Accerlometers Control Insulin Dosage?!?.. by BBF_BBF · · Score: 2

    If an accelerometer was designed to control the automation of insulin dosage in a diabetic patient, for example, that might make it possible to tamper with the system that controlled the correct dosage.

    This is pure fear mongering. Why didn't the article go with: "If an accelerometer was designed to control the launching of the US Nuclear Arsenal, it might make it possible for the hack to end human life on earth."

    :rolleyes:

    1. Re:Accerlometers Control Insulin Dosage?!?.. by Anonymous Coward · · Score: 0

      That's straight out of the BBC handbook. Mention something, then fly off at a tangent to create a completely different subject and bring in fear mongering experts that are little more than magazine readers under the "I reckon" category.

  17. DTFM tones by lucaiaco · · Score: 1

    When I was a kid people used to hack public phones with a similar technique. I think they used candies' wraps. It's true what they say that everything in computer technology is at last 50 years old.

  18. You don't say? by Anonymous Coward · · Score: 0

    Come on... even on the datasheets they tell you the resonant frequencies... is this research? or they are just investigating on how to hit the headlines with stupid article headings?

  19. The people who originally made it.. by SCVonSteroids · · Score: 1

    .. probably said the same thing before shipping the product; "You know.. In theory, people could mess with this through sound waves." Because I doubt anyone smart enough to make something like this wouldn't be smart enough to realize that. Oh, and then they probably all laughed their way to the bar and enjoyed a couple beers as colleagues usually do after a tough project.

    --
    I tend to rant.
  20. Rickroll hack by Anonymous Coward · · Score: 0

    Now I anticipate Rickroll music being used to hack your phone/car.

  21. Comment by WallyL · · Score: 1

    Musical virus-- like Taylor Swift?

  22. Sound waves? by Anonymous Coward · · Score: 0

    What, as opposed to just sound? Or did you add the "waves" bit to sound more intelligent?

  23. waves by bobmajdakjr · · Score: 1

    i listen to malicious music everyday in my car that threatens to rip the rear view mirror off the glass. til people are still surprised at what "sound" is.