Freak Out Your Smartphone with Ultrasound

There’s a school of thought that says complexity has an inversely proportional relation to reliability. In other words, the smarter you try to make something, the more likely it is to end up failing for a dumb reason. As a totally random example: you’re trying to write up a post for a popular hacking blog, all the while yelling repeatedly for your Echo Dot to turn on the fan sitting three feet away from you. It’s plugged into a WeMo Smart Plug, so you can’t even reach over and turn it on manually. You just keep repeating the same thing over and over in the sweltering July heat, hoping your virtual assistant eventually gets the hint. You know, something like that. That exact scenario definitely has never happened to anyone in the employ of this website.

Black Hat 2017 Presentation

So it should come as no surprise that the more sensors we pack into devices, the more potential avenues of failure we open up. [Julio Della Flora] writes in to tell us of some interesting experiments he’s been performing with the MEMS gyroscope in his Xiaomi MI5S Plus smartphone. He’s found that with a function generator and a standard speaker, he’s able to induce false sensor readings.

Now it should be said, [Julio] is not claiming to be the first person to discover that ultrasonic sound can confuse MEMS gyroscopes and accelerometers. At Black Hat 2017, a talk was given in which a “Sonic Gun” was used to do things like knock over self-balancing robots using the same principle. The researchers were also able to confuse a DJI Phantom drone, showing that the technique has the potential to be weaponized in the real-world.

It’s interesting to see more validation that not only is this a continuing issue with consumer devices, but that it doesn’t necessarily take expensive or exotic hardware to execute. Yet another reason to take ultrasound seriously as a potential threat.

13 thoughts on “Freak Out Your Smartphone with Ultrasound

  1. These are inherently very short range attacks unless the attacker has a very large transmitting array- all because of the relationship of the wavelength to transducer size and atmosphere becoming very, very lossy as you go up in frequency. To get a tight beam, you need a large array of transducers with respect to the wavelength. Since air is lossy, going to very high frequency means you would end up needing very powerful transmitters to go any distance. Not to say that this kind of attack is impossible- just hard to hide. Although you could induce a beat with microwaves (what a linked post didn’t state, but what I was thinking of)

  2. “It’s interesting to see more validation that not only is this a continuing issue with consumer devices, but that it doesn’t necessarily take expensive or exotic hardware to execute. Yet another reason to take ultrasound seriously as a potential threat.”

    Only thing I see is “you get what you pay for”. People wanted affordable electronics, they got affordable electronics, warts and all.

    1. This is a nonsense response. The cost of the MEMS chip isn’t the issue, it’s a matter of physics. Things vibrate when hit with certain frequencies.

      The solution is likely to be found with better software that can detect and dampen this obviously garbage data.

  3. The speaker looks like its leaning on the phone… even touching the same surface (desk) will cause false readings.. The little rubber feet he gave the phone aren’t enough proof of isolation. The speaker is close enough that even the air pressure waves will effect the phone’s sensors. I call scientific method fail.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.