back to article Boffins Rickroll smartphone by tickling its accelerometer

Smartphone vendors might be learning to mistrust software, but what about the hardware? University of Michigan boffins have put this question to the world by sending unauthorised data to a Samsung turns-out-to-be-not-so-smartphone by buzzing its accelerometer. The problem highlighted in this paper is that systems “blindly …

  1. agatum
    Megaphone

    Sympathy

    Spoofing such sensors [MEMS] with intentional acoustic interference enables an out-of-spec pathway for attackers to deliver chosen digital values to microprocessors and embedded systems

    I sympathize for you, little chips. I mean, I will start behaving out-of-spec (ie. go postal) should someone force me to endure sounds generated by Rick Astley.

    1. veti Silver badge

      Re: Sympathy

      Oh, don't be like that. In the fast-paced, frog-eat-badger world of web memes, I find it positively heartwarming that Rickrolling, apparently, is here to stay. I mean, it's been ten years now.

      Who saw this coming, back in 1987?

  2. Neil Barnes Silver badge

    Hang on a mo...

    just *why* is an analogue input from a mems sensor getting anywhere near an executable form?

    Or are they just saying 'here is an input through which a command might be passed *provided* you've already got some sort of application already watching that sensor for a precise input'?

    1. Thoguht Silver badge

      Re: Hang on a mo...

      The whole thing has been misunderstood by El Reg, what they are doing is controlling the accelerometer's output by using sound. So if you have software which is using the accelerometer's output like a fitness tracker or pedometer app then you can spoof the amount of exercise you are getting.

      1. Anonymous Coward
        Anonymous Coward

        Re: Hang on a mo...

        So if you have software which is using the accelerometer's output like a fitness tracker or pedometer app then you can spoof the amount of exercise you are getting.

        I just put mine on a washing machine with an unbalanced load, and apparently I've been walking hundreds of miles per day. I suspect though that sooner or later the people at the corporate "wellness" program are going to notice.

      2. Anonymous Coward
        Anonymous Coward

        Re: Hang on a mo...

        I been able to do that for years - just having one off the wrist will spoof most wrist based fitness trackers

    2. Ralph B

      Re: Hang on a mo...

      You're right. Read the report (PDF linked in the article) and you'll find they merely* managed to get the accelerometer to output a g-graph with a curve that vaguely resembled the word "WALNUT". There was no takeover or execution of injected code. Just manipulation of accelerometer output.

      * Fair play, there was a lot of difficult maths and clever fine tuning to find resonant frequencies of the accelerometers involved.

    3. Starace

      Re: Hang on a mo...

      As spun it's a bit of a bollocks story.

      Yes you can spoof the sensor readings if you want to.

      No the isn't any route to using this as an injection vector.

      It's an interesting POC but nothing more and a bit of analysis on the sensor data would probably detect it if you had an application where something like this mattered. Especially if cross referenced with other inputs like any sensible sensor user does.

      1. frank ly Silver badge

        Re: Hang on a mo...

        Also, the first video seems designed to give the impression that an injected sound caused a video to be played, according to the experimenters choice. The implication is that they can make your phone show what they want you to watch.

        The entire story has been hyped up by these experimenters to give themselved coverage and publicity. The Register seems to have gone along with this.

        1. Michael Strorm

          Re: Hang on a mo...

          @Frank Ly - "The entire story has been hyped up by these experimenters to give themselved coverage and publicity."

          Don't act like it's a big deal- all of us here, we're no strangers to clickbait. You know the rules, and so do they.

      2. Neil Barnes Silver badge

        Re: Hang on a mo...

        Hmm, yes.

        An admittedly brief look at the ADXL345 datasheet (one of the parts they tested) indicates that the bandwidth and rate can be slected basically anywhere between 0.05Hz and 1600Hz in steps (with data rates at twice those). The diagrams indicate a digital low pass filter *after* the ADC but nothing before it.

        And before the ADC is where you need an anti-aliasing filter because once alias noise is in the system there is precisely nothing you can do about it... oops!

  3. befugglewump

    Night-clubs

    I suppose one place you wouldn't notice large speakers pointed at you, would be night-clubs.

    Or loud pubs.

    You could have a new genre of music, Techno-Haxx :)

    1. MrT

      Re: Night-clubs

      Sooooo, that's what Skrillex was all about...

      This could end up like an audible version of Barcode Battlers.

  4. Whitter
    Boffin

    Given the description of a controlled aliased signal

    Given the description of a controlled aliased signal, doing the ADC sampling properly would have avoided the problem in the first place (anti-alias analogue prefilter in hardware; over-sampled DAC, digital downsampling filter; downsample). I'm going to guess that was too much bother for the manufacturers.

    1. getHandle

      Re: Given the description of a controlled aliased signal

      Or overkill given the applications for the accelerometer in today's phones... "Oh noes, my fitbit has been spoofed!"

      1. YetAnotherLocksmith

        Re: Given the description of a controlled aliased signal

        If it costs an extra 0.2¢, forget about it! They don't have money for security to close the FTP port so reworking a chip is well out!

  5. jMcPhee
    Trollface

    Wow... so it could be possible to spike an mp3, play it in a car, and freak out its accelerometers to pop the air bags? Turn up the volume to trick Onstar into thinking the car next to you had a wreck? Screw with the orientations of a room full of tablets? Such possibilities...

    1. J. R. Hartley Silver badge
  6. Francis Boyle Silver badge

    I frequently "blindly" trust the input from my eyes.

    1. Anonymous Coward
      Anonymous Coward

      I frequently "blindly" trust the input from my eyes.

      In the interests of cross-refererencing and sampling accuracy I never trust my visual input without a tactile record as well, a perfectly reasonable and scientific approach.

      This will form the crux of my defence as to exactly what I was doing on the 7.06 into Liverpool Street last month. I did attempt to explain everything to the ticket inspector in question, and indeed to the two gentlemen from the transport police who met me at my destination, and the rather young and excitable Standard reporter afterwards, but none of them were people of science and my explanation was simply pooh-poohed.

      This, I truly feel, reflects far more badly on today's educational system than it does on any alleged positioning of my hands.

  7. DougS Silver badge

    In other news

    Enough loud, random noise can affect a human's "MEMS", i.e. sense of balance.

    This is a non-story being hyped by the press, and what's worse the Reg totally misunderstood it! The word 'WALNUT' is displayed on an app reading sensor output, which while cute is no more of an attack vector on a smartphone than making an old style 5.25" floppy drive "sing" was.

    Worst case, someone will be able to add steps to your Fitbit, making you think you walked more steps than you actually did. Oh, the horror! If we get better MEMS that are properly capable of doing dead rereckoning, this technique could be used to confuse it and perhaps get someone a bit lost. However, the "loud, random noise" being blared at you to cause this would probably make you want to move away from it long before that could happen.

    1. Swarthy Silver badge
      Megaphone

      Re: In other news

      and at 2.9kHz, it is not a subtle attack. That "WALNUT" video was painful to hear, and (for once) Rick Astley was not the painful part.

    2. Captain DaFt

      Re: In other news

      "Worst case, someone will be able to add steps to your Fitbit, making you think you walked more steps than you actually did. Oh, the horror!"

      Think the other way:

      Spoof the resident health freak's Fitbit into showing he's jogged only a fraction of the distance he's set to run. Oh, the hilarity!

  8. J. R. Hartley Silver badge

    Johnson

    This is bollocks, Mark.

  9. Anonymous Coward
    IT Angle

    Daily Mail version - with same amount of useful content as this article

    Music Makes Phones EXPLODE!

    * ILLEGAL IMMIGRANTS are using this life hack to reduce house prices in YOUR area.

    * Playing music at the phone in your POCKET gives you CANCER.

    * Rock a hot dress like our all grown up model at Femail Fashion Finder.

    * Samsung and Apple CONTINUE to sell these DANGEROUS phones NEAR YOU.

    * MPs do nothing.

    <...picture of young woman holding phone and laughing...>

    Comments 92,285

    KeepEmOut - Milton Keynes

    "I saw an immigrant fella once. He was on benefits, taking our jobs and eating our children. Then, while he was fitting a new kitchen for the missus, I put Ed Sheeran on, his phone exploded and my house price fell by 50 big ones. Scum. Trump is right."

    ...

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019