Slashdot Mirror

← Back to Stories (view on slashdot.org)

Researchers Warn of Physics-Based Attacks On Sensors (securityledger.com)

Posted by BeauHD on from the heads-up-seven-up dept.

chicksdaddy shares a report from The Security Ledger: Billions of sensors that are already deployed lack protections against attacks that manipulate the physical properties of devices to cause sensors and embedded devices to malfunction, researchers working in the U.S. and China have warned. In an article in Communications of the ACM, researchers Kevin Fu of the University of Michigan and Wenyuan Xu of Zhejiang University warn that analog signals such as sound or electromagnetic waves can be used as part of "transduction attacks" to spoof data by exploiting the physics of sensors. Researchers say a "return to classic engineering approaches" is needed to cope with physics-based attacks on sensors and other embedded devices, including a focus on system-wide (versus component-specific) testing and the use of new manufacturing techniques to thwart certain types of transduction attacks.

"This is about uncovering the physics of cyber security and how some of the physical properties of systems have been abstracted to the point that we don't have a good way to describe the security of the system," Dr Fu told The Security Ledger in a conversation last week. That is particularly true of sensor driven systems, like those that will populate the Internet of Things. Cyberattacks typically target vulnerabilities in software such as buffer overflows or cross-site scripting. But transduction attacks target the physics of the hardware that underlies that software, including the circuit boards that discrete components are deployed on, or the materials that make up the components themselves. Although the attacks target vulnerabilities in the hardware, the consequences often arise as software systems, such as the improper functioning or denial of service to a sensor or actuator, the researchers said. Hardware and software have what might be considered a "social contract" that analog information captured by sensors will be rendered faithfully as it is transformed into binary data that software can interpret and act on it. But materials used to create sensors can be influenced by other phenomenon -- such as sound waves. Through the targeted use of such signals, the behavior of the sensor can be interfered with and even manipulated. "The problem starts with the mechanics or physics of the material and bubbles up into the operating system," Fu told The Security Ledger.

85 comments

  1. "Physics-based attacks"? by whoever57 · · Score: 4, Insightful

    If I hit something with a hammer, is that a "physics-based attack", or a physical attack?

    --
    The real "Libtards" are the Libertarians!
    1. Re: "Physics-based attacks"? by Anonymous Coward · · Score: 0

      if I slap the thing with my ballsack, itâ(TM)s also a physics based attack

    2. Re:"Physics-based attacks"? by ShanghaiBill · · Score: 5, Informative

      If I hit something with a hammer, is that a "physics-based attack", or a physical attack?

      Both. TFA is using the term "physics-based attack" to mean any attack that is not via software.

    3. Re:"Physics-based attacks"? by msauve · · Score: 0

      "TFA is using the term "physics-based attack" to mean any attack that is not via software."

      So, the TFA claims phishing and social engineering are "physics-based attacks?" I'm not seeing it.

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law
    4. Re: "Physics-based attacks"? by Anonymous Coward · · Score: 0

      I think that's a kinetic attack.

    5. Re: "Physics-based attacks"? by Reverend+Green · · Score: 1

      I read the title as "physics-based attacks on censors." Which would be way more entertaining.

    6. Re:"Physics-based attacks"? by gnick · · Score: 1

      So, the TFA claims phishing and social engineering are "physics-based attacks?" I'm not seeing it.

      I think you know full well that's neither the case nor what Bill meant. You could RTFA and find out.

      --
      He's getting rather old, but he's a good mouse.
    7. Re:"Physics-based attacks"? by Anonymous Coward · · Score: 0

      If I hit something with a hammer, is that a "physics-based attack", or a physical attack?

      It inflicts Bludgeoning damage. The item may attempt a Saving Throw.

    8. Re:"Physics-based attacks"? by ShanghaiBill · · Score: 1

      So, the TFA claims phishing and social engineering are "physics-based attacks?" I'm not seeing it.

      How would an attack on a sensor be based on phishing or social engineering? I'm not seeing it.

    9. Re:"Physics-based attacks"? by Jane+Q.+Public · · Score: 3

      This has to be among the vaguest OPs I've read on Slashdot to date.

      There is no description of how the physical attacks might affect the software, although that is the recurring theme. Am I to assume that this is about the fact that hitting the IP cam hard with a hammer, that might affect its ability to transmit video?

      Are we supposed to infer from this amazingly vague word salad that we should write our software to account for such an event? If so, that might make sense, but it isn't actually stated anywhere.

    10. Re: "Physics-based attacks"? by Anonymous Coward · · Score: 0

      if I slap the thing with my ballsack, it's also a physics based attack

      Not really an attack since the thing wouldn't even notice it.

    11. Re: "Physics-based attacks"? by c6gunner · · Score: 3, Funny

      Obviously you have no idea how lonely and attention starved radar dishes get. Prime targets for social engineering.

    12. Re:"Physics-based attacks"? by Nidi62 · · Score: 2

      So, the TFA claims phishing and social engineering are "physics-based attacks?" I'm not seeing it.

      How would an attack on a sensor be based on phishing?

      You could hit it with a fish

      --
      The only thing necessary for evil to triumph is for it to be pitted against a slightly greater evil
    13. Re: "Physics-based attacks"? by Anonymous Coward · · Score: 0

      Agreed. That's about as long as summaries ever get and it says nothing in support of the title.

    14. Re:"Physics-based attacks"? by TeknoHog · · Score: 1

      What if the attack is based on moving electrons around in conductors? If electrons are not physical, then please go to your nearest physics department and tell the people to start hitting things with hammers instead. Although using this logic, I guess Rowhammer would count as physical.

      See also: digital music vs. CDs.

      --
      Escher was the first MC and Giger invented the HR department.
    15. Re:"Physics-based attacks"? by gweihir · · Score: 1

      Both, clearly. For a non-physical attack, you would have to curse the device or, say, conjure a fire-elemental to scorch it (which would then be a physical attack by the fire-elemental, but a non-physical by you).

      This neatly shows the terminology is bullshit and merely an attempt to make irrelevant and obvious research sound important.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    16. Re:"Physics-based attacks"? by ceoyoyo · · Score: 2

      Some "journalist" wanted to write a story about hacking, but, you know, different. They then located some guy who builds sensors who was willing to wax poetic about systems engineering, and voila.

  2. Oh FFS by Anonymous Coward · · Score: 0

    I can turn on the AC and fog up a camera. Should all cameras have heat strips on them now? There's a point where security turns into flat out paranoia and the secured device functions as well as if it were turned off.

    1. Re:Oh FFS by Anonymous Coward · · Score: 0

      I can turn on the AC and fog up a camera. Should all cameras have heat strips on them now? There's a point where security turns into flat out paranoia and the secured device functions as well as if it were turned off.

      Perhaps not in the homes. But it might be something to recommend in a high security installation.

    2. Re: Oh FFS by sound+vision · · Score: 1

      Air conditioning decreases humidity, not increases it. So in the absence of other factors, like the camera being non-stationary or being buffeted by gusts of non-air-conditioned air at the right time, you'd be wasting your time.
      But even this scenario is grossly oversimplified. Obscuring a camera isn't the type of attack that they are worried about. It's more like causing sensors (or the other physical components of a system) to report false data in such a way that it tricks the software into doing what the attackers want it to. It's less "taping over a camera to break into Burger King" and more Stuxnet. You do know what Stuxnet is right? Read up, specifically the details.

  3. Pro-Tip: Don't detonate a nuke by your sensor by Anonymous Coward · · Score: 1

    Direct hits from nuclear weapons can cause issues with the long-term reliability of sensors.

    Don't do that.

    I'll send you the bill for my consulting fee.

  4. Not as bad as the Magic based attacks by gurps_npc · · Score: 3, Insightful

    Those are the worst.

    --
    excitingthingstodo.blogspot.com
    1. Re:Not as bad as the Magic based attacks by gurps_npc · · Score: 1

      Wow- a Russian/Trump agent replied to my post.

      I feel... violated.

      --
      excitingthingstodo.blogspot.com
    2. Re:Not as bad as the Magic based attacks by Anonymous Coward · · Score: 0

      Those CIA/Clinton agents sure are amateurs. Not one hashtag from the known fountain of truth: twitter. Not one!

    3. Re:Not as bad as the Magic based attacks by Anonymous Coward · · Score: 0

      Wow- a Russian/Trump agent replied to my post.

      I feel... violated.

      Let me guess, you think Russians can hack paper ballots all the way from Moscow and that Putin controls both the FBI and DNC from the inside?

      Because those are the minimal requirements for this russia collusion narrative to be borderline realistic..

    4. Re:Not as bad as the Magic based attacks by Verdatum · · Score: 1

      Heeeeeeeee wasn't talking about the collusion narrative. Are you a bot? He made a silly joke comment, and an anon spam-replied to it with that releasethememo off-topic junk. The only people who care about that are russian agents and trump agents. So he rightly concluded that a russian/trump agent replied to his post.

  5. Chinese sensors. by Anonymous Coward · · Score: 0

    All of which translates into more expensive sensors. Hopefully our suppliers can meet the challenge.

    1. Re: Chinese sensors. by Anonymous Coward · · Score: 0

      American sensors are bigger, and function properly if nuked.

    2. Re: Chinese sensors. by Anonymous Coward · · Score: 0

      In America, sensor nukes YOU!

    3. Re:Chinese sensors. by Verdatum · · Score: 1

      But what if more expensive sensors are met with more expensive physics???

  6. what nonsense is this? by iggymanz · · Score: 3, Funny

    All analog sensors are susceptible to "physics based attacks" too. Like putting device that gives off a lot of heat under a thermostat to get a nice cool comfy workspace....

    1. Re:what nonsense is this? by RhettLivingston · · Score: 2

      Or what about smoke screens? Human eyes are analog sensors too.

      This article basically describes every attempt to avoid or deceive an observer - human, animal, or otherwise - since time began.

    2. Re:what nonsense is this? by Anonymous Coward · · Score: 0

      Or what about smoke screens?

      Cameras can use infrared light to see through smoke.

      Captcha: intrude

    3. Re:what nonsense is this? by iggymanz · · Score: 1

      all the thermal imaging from cameras I've seen would be useless in a court of law to identify someone; for finding and rescuing in building they're great

  7. When Physics Attacks by mentil · · Score: 3, Insightful

    This sounds like how radar guns can clock a house going 100MPH due to the heater causing it to malfunction. Or side-channel attacks. The problem with employing a physics-based attack is that it can be tracked down, and requires hardware to be specially employed for this purpose, so it can't be widely deployed without the attacker getting caught. OTOH, a software worm can travel hundreds of hops before researchers/law enforcement catch wind of it, can be deployed behind 17 proxies, and takes no special hardware to deploy. Aside from denial of service (like shining a bright light at a camera) I'm having trouble coming up with an attack precise enough to cause serious problems, that couldn't be affected via other means (like say an anti-materiel rifle or explosives.)

    --
    Corruption is convincing someone that the selfless ideal is the same as their selfish ideal.
  8. ECM by Templer421 · · Score: 4, Informative

    The military calls it Electronic Counter Measures.

    There is also ECCM, Electronic Counter Counter Measures.

    1. Re:ECM by DontBeAMoran · · Score: 1

      That's nice, but what about ECCCM?

      --
      #DeleteFacebook
    2. Re:ECM by msauve · · Score: 1

      You can do that for a while, but most of them can only counter to 10.

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law
    3. Re:ECM by Bing+Tsher+E · · Score: 1

      So they're just 7490's, huh?

    4. Re:ECM by Anonymous Coward · · Score: 0

      ... but most of them can only counter to 10.

      Mine goes to up to eleven.

    5. Re:ECM by Anonymous Coward · · Score: 0

      Maybe you should consider reduction surgery?

    6. Re:ECM by Anonymous Coward · · Score: 0

      It's turtles, all the way down .

    7. Re:ECM by Bing+Tsher+E · · Score: 1

      You can't cheat and count the overflow pin.

  9. The problem starts with by AHuxley · · Score: 1

    management who did not want union workers on site.
    An engineer could use networking to replace many of the workers.

    Now people work out that the sensors can be manipulated over distances.
    Buy new, better sensors? With new code? Build a wall around a sensitive site? Have security patrol large areas of private land around sensitive sites?
    Work out the distance that sound and other signals can still be a problem and buy up the land around a site greater that that range?
    Build a wall, fence around the site.
    Cant buy the land? Build a stronger wall, use a sally port. Consider the way mil factories got designed in the 1950-90's. Lots of land, few windows, a strong fence with guards on duty.
    Keep the bad people away from the secrets and harden the networks. Find out who is going to want to alter the result of sensors. Spies? Other nations? Faith groups? Environmental activists? Party political activists? Ex and former gov/mil workers/contractors with skills and site plans? Competitors?
    Start looking at who is walking, driving around, using a camera near the "sensors" that are so important. Use some facial recognition, voice prints, get a license plate. Consider the size and amount of equipment needed for sound and other signals to work over distances. What size are the "special tools"? A truck? Van? Car? Laptop? Bag? A tablet? Look for strangers walking, driving around the fence line who do not belong.

    --
    Domestic spying is now "Benign Information Gathering"
  10. First... by GerryGilmore · · Score: 3, Interesting

    ....I am not (yet) buying into this IoT hype. Certainly between smart TVs and thermostats, etc. the use of IP-enabled devices is expanding, but...there's no cohesive vision/standard tying everything together, thereby limiting its ultimate usefulness beyond today's "Let me check my refrigerator app on my iPhone..." nonsense. Secondly, why use "physics-based attacks" when very, very basic methods remain as open as a whorehouse without a roof! Perspective remains absent...

    1. Re:First... by GerryGilmore · · Score: 1

      PS - Reminds of my days at Intel when they were pushing "VIVE" which promised to unify all of your media devices at home into a single, unified, glorious interface.....Yeah.

    2. Re:First... by Anonymous Coward · · Score: 0

      While I agree most of the IoT stuff is garbage, they're talking about systems and sensors which goes quite a bit beyond a doorbell or a fridge app. Why go to the trouble of hacking a self driving car when you can just point an ultrasonic transducer at it and crash the car that way? I think that would be a lot harder to trace.

  11. Where's the exploit? by Gravis+Zero · · Score: 2

    All I'm can tell here is that some sensors can be tricked into recording incorrect data. What I don't understand is how this can be turned into an attack. I mean, unless your security is based on shaking your phone like a maraca, I really don't see how this can be used to attack you. Anyone have an idea what this guy's freak out is all about?

    --
    Anons need not reply. Questions end with a question mark.
    1. Re:Where's the exploit? by 110010001000 · · Score: 1

      You are kidding, right? Sensors are used everywhere in industry. The idea is that if you can fool a sensor, you can control entire industrial systems. For example, blow up a power plant.

    2. Re:Where's the exploit? by Anonymous Coward · · Score: 0

      There has been a continuous war to fool sensors since the first life that consumed other life appeared on this planet. This is nothing new. The easiest to fool are human eyes and ears.

    3. Re:Where's the exploit? by Gravis+Zero · · Score: 2

      The idea is that if you can fool a sensor

      Well let's be clear, you aren't fooling a sensor, you are providing additional data to a sensor.

      you can control entire industrial systems. For example, blow up a power plant.

      If there is any way that bad sensor input can result in a power plant exploding then you clearly designed the system improperly.

      --
      Anons need not reply. Questions end with a question mark.
    4. Re:Where's the exploit? by Anonymous Coward · · Score: 0

      While I agree that this vulnerability isn't likely to be exploitable (any more than physically mangling the sensor would be), control data for industrial equipment does have to come from somewhere and some systems rely on that data to not over pressurize a system or put too much heat on chemical processes.

    5. Re:Where's the exploit? by freeze128 · · Score: 2

      "If there is any way that bad sensor input can result in a power plant exploding then you clearly designed the system improperly."

      That's almost exactly how 3-mile island had a "mishap". A water-level gauge (mechanical) was stuck, and the operator on duty didn't know that the coolant level was almost to minimum. A bad sensor could have told you the exact same thing.

    6. Re:Where's the exploit? by JaredOfEuropa · · Score: 1

      Exactly: poor design. A simple countermeasure against that sort of thing is to have redundant sensors. Redundancy also helps against these attacks: it'll be that much harder to physically attack multiple sensors at the same time, especially in a way that affects all of them equally.

      --
      If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
    7. Re:Where's the exploit? by Gravis+Zero · · Score: 1

      "If there is any way that bad sensor input can result in a power plant exploding then you clearly designed the system improperly."

      That's almost exactly how 3-mile island had a "mishap". A water-level gauge (mechanical) was stuck, and the operator on duty didn't know that the coolant level was almost to minimum.

      That's a great example of an improperly designed system! Reactors have since been redesigned so that nothing so trivial as a bad sensor could cause problems. Modern energy systems are designed around the idea that something going awry will physically trigger it's own countermeasure. The Fukushima disaster never would have happened if had they not overridden the safeguards in place.

      --
      Anons need not reply. Questions end with a question mark.
    8. Re:Where's the exploit? by Anonymous Coward · · Score: 0

      Yeh because nothing could possibly be overlooked, its not as if things just go wrong despite the latest tech is it? Weve reached perfection at last.
      Crickey.

  12. WTF??? by Patent+Lover · · Score: 1

    Are they sure this wasn't written by a bot?

  13. New name for side-channel attacks or click-bait? by misnohmer · · Score: 1

    Not sure what is new here. Side channel attacks such as voltager glitching, timing, or power measurements have been known for a while (heard of meltdown lately? - timing attack).

    That said, I'm still not sure this is even a real article. The images of Tesla used look like a click-bait to include the name "Tesla" in the article - many cars have parking sensors. Also, the figure of Tesla display in the article is BS - the right-most part (c) shows tire pressure, nothing to do with ultrasonic sensor readings shown in parts (a) (b), so it definitely does not show "jammed distance" as claimed in the article. That lack of readings will shows up when you first start driving, until the first TPMS sensor readings are picked up by the computer, so they hacked nothing. I bet you can jam the TPMS signals of course since they use radio to transmit information, but that is not news.

  14. Whew! by Ol+Olsoc · · Score: 1

    Good thing we've legislated physics out of the picture.

    --
    The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
  15. Only read as far as "Researchers warn of physics" by No+Longer+an+AC · · Score: 1

    And was reminded of the wisdom of Solomon....Dick Solomon that is.

    "Guns don't kill people, physics kills people!"

  16. New kind of attack by hcs_$reboot · · Score: 1

    Interesting. A couple weeks after the revolutionary Spectre and Meltdown attacks, another "new way" exploit (likewise, sensors have been used for decades, yet that kind of attack makes the news only today)

    --
    Slashdot, fix the reply notifications... You won't get away with it...
  17. thats nothing... by JustNiz · · Score: 3, Funny

    the vast majority of computer systems, including those responsible for the security of our country remain totally vulnerable to liberal arts-based attacks expressed through the medium of interpretive dance.

    1. Re:thats nothing... by Falconhell · · Score: 1

      https://firstdogonthemoon.com....

  18. Re:Only read as far as "Researchers warn of physic by freeze128 · · Score: 1

    It's "physically impossible"!

    https://www.youtube.com/watch?v=sH9MJBLXtxs

  19. Re: Retarded science by Anonymous Coward · · Score: 0

    MIT is a sure "n1gger" university with stupid diversity nazis running it's SJW department.
      It used to be fine 30 years ago, before libturds infested schools en masse

  20. "the consequences often arise as software systems" by Anonymous Coward · · Score: 0

    Huh? What does that mean?
    "the consequences often arise as software systems" ... do something.

    Typical Slashdot summary.

  21. What's in a Name by dcw3 · · Score: 1

    Am I the only one who noticed? Brought to you by the team of Fu and Xu!

    --
    Just another day in Paradise
  22. Re:Only read as far as "Researchers warn of physic by Anonymous Coward · · Score: 0

    Physics never pulled a trigger. A person did using physics. Sorry about that gun nut narrative you had going.

  23. This is not new, but cheap IoT makes it worse by Bearhouse · · Score: 1

    There's nothing new about physically fooling sensors; the NVA/VC used to hang bags of urine in trees as a low-tech solution to the US's sophisticated human detection devices...

    https://en.wikipedia.org/wiki/...

    But I think what they're getting at here is that as people increasingly throw together IoT devices (and phones, and PCs...) using

    (a) the same (cheap and easily fooled) hardware, and
    (b) the same commodity firmware / software stacks and libraries, with damn-all security insight

    There will not be the same kind of "end to end" systems engineering applied that one would expect - say - from a car or airplane manufacturer...

    And yet you'll be entrusting your family's safety, security & data to cheap-ass, easy to crack-and-hack, commodity IoT devices that will be always-on, always-listening, always-connected and running your power, HVAC, fire detection and physical access systems...

  24. Had to re-read this article by warGod3 · · Score: 2

    For some reason, I read it as "Researchers warn of psychics based attacks on sensors" and I was disappointed. After re-reading it, I was still disappointed, but for a different reason.

    --
    "Be polite, be professional, but have a plan to kill everybody you meet." General James Mattis
  25. Re:Retarded science by Anonymous Coward · · Score: 0

    Don't feed the trolls. They write stupid stuff like this in every post, regardless of the subject. OP has no esteemed opinions.

  26. Sound attacks - definitely possible IMO by Anonymous Coward · · Score: 0

    Used to work on sensors for monitoring environmental ionizing radiation. We definitely had problems with microphonics in some of our more sensitive pre amplifiers and channel analyzers.

    Wouldnâ(TM)t surprise me at all that someone with knowledge of the gaps in testing and design flaws in an instruments can exploit those to cause massive failures in critical sensors. I worked with many software and systems engineers that had no clue about basic physics and engineering behind the hardware they were working on. So if there was a hardware problem, all kinds of wild theories emerged as to what was causing it and basics of how to test the systems they worked on....

  27. JC Denton Electronic Multitool by Anonymous Coward · · Score: 0

    This is basically the device that JC Denton carries around in the original Deus Ex. A small handheld signal generator that you can use to glitch out keypads and cameras and other devices. These are already in use by car thieves to remotely unlock/start certain brands of luxury cars.

  28. Star Trek is relevant again by decep · · Score: 1

    If Geordi La Forge were around today, he would get a DMCA cease and desist for the "physics-based attack" of "reversing the polarity of the deflector dish".

  29. From Vernor Vinge's "A Fire Upon The Deep" by Anonymous Coward · · Score: 0

    Quote from here: https://blog.regehr.org/archiv...

    The new Power had no weapons on the ground, nothing but a comm laser. That could not even melt steel at the frigate's range. No matter, the laser was aimed, tuned civilly on the retreating warship's receiver. No acknowledgment. The humans knew what communication would bring. The laser light flickered here and there across the hull, lighting smoothness and inactive sensors, sliding across the ship's ultradrive spines. Searching, probing. The Power had never bothered to sabotage the external hull, but that was no problem. Even this crude machine had thousands of robot sensors scattered across its surface, reporting status and danger, driving utility programs. Most were shut down now, the ship fleeing nearly blind. They thought by not looking that they could be safe.

    One more second and the frigate would attain interstellar safety.

    The laser flickered on a failure sensor, a sensor that reported critical changes in one of the ultradrive spines. Its interrupts could not be ignored if the star jump were to succeed. Interrupt honored. Interrupt handler running, looking out, receiving more light from the laser far below.... a backdoor into the ship's code, installed when the newborn had subverted the humans' groundside equipment.... ... and the Power was aboard, with milliseconds to spare. Its agents -- not even human equivalent on this primitive hardware -- raced through the ship's automation, shutting down, aborting. There would be no jump. Cameras in the ship's bridge showed widening of eyes, the beginning of a scream. The humans knew, to the extent that horror can live in a fraction of a second.

    There would be no jump. Yet the ultradrive was already committed. There would be a jump attempt, without automatic control a doomed one. Less than five milliseconds till the jump discharge, a mechanical cascade that no software could finesse. The newborn's agents flitted everywhere across the ship's computers, futilely attempting a shutdown. Nearly a light-second away, under the gray rubble at the High Lab, the Power could only watch. So. The frigate would be destroyed.

  30. What? by Anonymous Coward · · Score: 0

    After reading TFS I still have no idea what this is about.

  31. Re: Retarded science by Verdatum · · Score: 1

    I hate to break it to you, but Universities were overrun by liberals in the 18th century and maintained that control ever since. Please take more care the next time you feebly attempt to be shocking and edgy.

  32. Dr. Fu by Anonymous Coward · · Score: 0

    Coolest. Title. Ever.