{"id":18505,"date":"2020-01-27T11:07:07","date_gmt":"2020-01-27T11:07:07","guid":{"rendered":"https:\/\/www.kaspersky.co.uk\/blog\/curious-mems-vulnerabilities\/18505\/"},"modified":"2020-01-27T11:07:07","modified_gmt":"2020-01-27T11:07:07","slug":"curious-mems-vulnerabilities","status":"publish","type":"post","link":"https:\/\/www.kaspersky.co.uk\/blog\/curious-mems-vulnerabilities\/18505\/","title":{"rendered":"The curious vulnerabilities of ordinary MEMS"},"content":{"rendered":"<p>Digital devices now have \u201csense organs\u201d to help them interact with the physical world. On the one hand, that\u2019s awfully convenient for users. But on the other hand, it creates <a href=\"https:\/\/www.kaspersky.com\/blog\/voice-recognition-threats\/14134\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">new threats<\/a>, and they\u2019re often quite unexpected ones. Even though electronic sensors are functionally similar to their human analogs, they are still very different in terms of design and capabilities \u2014 and designers don\u2019t always take those differences into account.<\/p>\n<p>Consider, for example, <a href=\"https:\/\/www.kaspersky.com\/blog\/ultrasound-attacks\/25549\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">ultrasound commands<\/a>, which are inaudible to humans, but which voice assistants hear and obey. Well, hacking a voice-responsive assistant with the help of <em>sound<\/em>, even if that sound is inaudible to human ears, is at least fairly predictable. But what about using <em>light<\/em>?<\/p>\n<h2>Hearing light: MEMS microphones and their glitches<\/h2>\n<p>If a voice command is transformed into a flicker of a laser beam pointed at a voice assistant\u2019s microphone, the assistant will detect and comply with the request. Researchers from the University of Electro-Communications (Chofu, Japan) and the University of Michigan made the discovery. They <a href=\"https:\/\/lightcommands.com\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">injected commands into gadgets<\/a> from a distance of several dozen meters. The only necessary condition is direct visibility between the source of the laser beam and the mike.<\/p>\n<p>The researchers <a href=\"https:\/\/lightcommands.com\/20191104-Light-Commands.pdf\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">tested the laser-based attack<\/a> on smart speakers, smartphones, tablets, and other devices running Amazon Alexa, Apple Siri, or Google Assistant. The trick worked for them all, but the distance at which the mike would detect the signal varied from 5 to 110 meters. In theory, reach may be further increased with a laser powerful enough and a proper lens.<\/p>\n<p>The video below (as an illustration of what can be achieved using the method) shows the researchers, who trick a Google Home smart speaker into opening the garage door of the building next door.<\/p>\n<p><span class=\"embed-youtube\" style=\"text-align:center; display: block;\"><iframe class=\"youtube-player\" type=\"text\/html\" width=\"640\" height=\"390\" src=\"https:\/\/www.youtube.com\/embed\/EtzP-mCwNAs?version=3&amp;rel=1&amp;fs=1&amp;showsearch=0&amp;showinfo=1&amp;iv_load_policy=1&amp;wmode=transparent\" frameborder=\"0\" allowfullscreen=\"true\"><\/iframe><\/span><\/p>\n<h3>Why MEMS microphones respond to light<\/h3>\n<p>The laser attack is possible because of the design of microphones in gadgets. Most modern microphones featured in smart electronics are what is called microelectromechanical systems (MEMS), miniature devices in which the electronic and mechanical components are merged into one intricate design.<\/p>\n<p>MEMS-based sensors are mass-produced using the same technologies as for computer chips, mostly of the same material \u2014 silicon \u2014 and with the same degree of miniaturization (their individual parts are measured in micrometers or even nanometers). MEMS sensors are also very inexpensive, so they have already ousted the majority of other sensors and miniature devices operating at the junction of the electronics and physical worlds.<\/p>\n<p>The main sensing element of a MEMS mike is a superfine membrane about a hundredth the thickness of a human hair. The sound waves make the membrane vibrate, so the space between it and the fixed part of the sensor alternately expands and shrinks. The membrane and the fixed base of the sensor together form a condenser, so the variation of the distance between them translates to capacitance variation. These variations are easy to measure and record, so later they can be transformed into audio.<\/p>\n<p>A beam of light, too, can create waves that cause the sensitive membrane to vibrate. The so-called <a href=\"https:\/\/en.wikipedia.org\/wiki\/Photoacoustic_effect\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">photoacoustic effect<\/a> has been known since the late nineteenth century. It was then that Scottish scientist Alexander Graham Bell, best known for patenting the telephone, invented the <a href=\"https:\/\/en.wikipedia.org\/wiki\/Photophone\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">photophone<\/a> \u2014 a device that used a light beam to exchange audio messages at a distance of several hundred meters.<\/p>\n<p>The photoacoustic effect occurs mostly because light heats the objects exposed to it. When heated, objects expand, and when they cool down they recover their original size. So, exposed to the flicker of a laser beam, they change in their dimensions. You\u2019ll never notice it, but MEMS sensors are minuscule, so they can sense even microscopic action. They therefore sense vibrations and transform them into a sound recording, which is then recognizable as a voice command.<\/p>\n<h2>The music of motion: A MEMS accelerometer\u2019s audio sensitivity<\/h2>\n<p>Lots of sensors other than microphones \u2014 for example, motion sensors such as gyroscopes and accelerometers \u2014 use MEMS technology. You can find such sensors in cardiac pacemakers, car air bags, and many other items. They also control screen orientation in smartphones and tablets. They are also subject to some fancy trickery.<\/p>\n<p>A couple of years ago, researchers from the Universities of Michigan and South Carolina staged an experiment in which they <a href=\"https:\/\/spqr.eecs.umich.edu\/papers\/trippel-IEEE-oaklawn-walnut-2017.pdf\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">controlled accelerometers<\/a>, which normally respond to motion, with sound.<\/p>\n<h3>Why MEMS accelerometers respond to sound<\/h3>\n<p>Accelerometer sensors detect motion by calculating displacement of microscopic load. Sound waves can cause the load to vibrate, thus tricking the accelerometer into thinking it\u2019s moving. The researchers tested some 20 popular accelerometer models and found that three-quarters of them were susceptible to sound input.<\/p>\n<p>As part of their study, they had a Fitbit fitness tracker count fake steps and used a smartphone lying flat on a table to maneuver a radio-controlled car. (The car normally responds to the gadget\u2019s position, but in this case, music playing on the device fooled the smartphone\u2019s sensor.)<\/p>\n<h2>Inhaling helium: iPhones knocked out<\/h2>\n<p>Not all MEMS glitches require laboratory conditions to manifest themselves. During installation of a new MRI scanner at a US clinic, employees found that their <a href=\"https:\/\/ru.ifixit.com\/News\/iphones-are-allergic-to-helium\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">cell phones were not working<\/a>. Investigation revealed that only Apple devices were affected by the problem. The culprit was the liquefied helium used to chill some of the machine\u2019s components. Some gas leaked out, and was blown around the clinic\u00a0\u2014 and that was enough to knock out the iPhones.<\/p>\n<h3>Why iPhones stop working because of helium<\/h3>\n<p>Unlike the clinic\u2019s other systems, in which MEMS are used but are not critical for performance, Apple Watches and iPhones 6 and higher use MEMS for the system clock.<\/p>\n<p>Inside the MEMS is a vacuum needed for normal operation. To keep the vacuum intact, the chips are sealed with a thin layer of silicon. But helium molecules are small enough to penetrate the silica scale and interfere with the normal operation of the microscopic resonator inside the chip, driving electronics crazy and causing the iPhone to turn off instantly.<\/p>\n<p>Apple recognizes that its gadgets are sensitive to helium; their <a href=\"https:\/\/support.apple.com\/guide\/iphone\/important-safety-information-iph301fc905\/ios\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">user manuals<\/a> include a warning about that: \u201cExposing iPhone to environments having high concentrations of industrial chemicals, including near evaporating liquefied gasses such as helium, may damage or impair iPhone functionality.\u201d Such situations are so rare, though, that few people ever think about them.<\/p>\n<p>After some time away from the irritant \u2014 some needed up to several days \u2014 most of the damaged devices returned to normal. The maker of the MEMS sensors used in iPhones says newer generations of the units are not susceptible to this kind of malfunction.<\/p>\n<h2>Take good care of your gadgets<\/h2>\n<p>The MEMS vulnerabilities described above are the exception rather than the rule. That said, we recommend keeping your gadgets away from canisters of helium. Just in case.<\/p>\n<input type=\"hidden\" class=\"category_for_banner\" value=\"earth-2050\">\n","protected":false},"excerpt":{"rendered":"<p>Using simple tools such as lasers and music to trick voice assistants and motion sensors.<\/p>\n","protected":false},"author":2049,"featured_media":18506,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1623,2026],"tags":[2093,2639,26,2640,1747,321,2259],"class_list":{"0":"post-18505","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-technology","8":"category-threats","9":"tag-alexa","10":"tag-google-assistant","11":"tag-iphone","12":"tag-mems","13":"tag-siri","14":"tag-technology","15":"tag-voice-assistants"},"hreflang":[{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/curious-mems-vulnerabilities\/18505\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/curious-mems-vulnerabilities\/18436\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/curious-mems-vulnerabilities\/15311\/"},{"hreflang":"ar","url":"https:\/\/me.kaspersky.com\/blog\/curious-mems-vulnerabilities\/7396\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/curious-mems-vulnerabilities\/20192\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/curious-mems-vulnerabilities\/16942\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/curious-mems-vulnerabilities\/20963\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/curious-mems-vulnerabilities\/19741\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/curious-mems-vulnerabilities\/26211\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/curious-mems-vulnerabilities\/7605\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/curious-mems-vulnerabilities\/32245\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/curious-mems-vulnerabilities\/13693\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/curious-mems-vulnerabilities\/22010\/"},{"hreflang":"zh","url":"https:\/\/www.kaspersky.com.cn\/blog\/curious-mems-vulnerabilities\/10676\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/curious-mems-vulnerabilities\/26734\/"},{"hreflang":"nl","url":"https:\/\/www.kaspersky.nl\/blog\/curious-mems-vulnerabilities\/24881\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/curious-mems-vulnerabilities\/20878\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/curious-mems-vulnerabilities\/25717\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/curious-mems-vulnerabilities\/25549\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.co.uk\/blog\/tag\/technology\/","name":"Technology"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/posts\/18505","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/users\/2049"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/comments?post=18505"}],"version-history":[{"count":0,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/posts\/18505\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/media\/18506"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/media?parent=18505"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/categories?post=18505"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/tags?post=18505"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}