How Sound Waves Can Fool MEMS Accelerometers (and Other Ways to Dupe Sensors)

May 01, 2017 by Donald Krambeck

Accelerometers, activity trackers, and fingerprint sensors can be duped. Learn how and what designers can do to prevent false input.

Sensors can do just about anything and they're reliable, but just how reliable? Accelerometers, activity trackers, and LIDAR sensors are just a few we'll go into and show just how the sensors can be fooled.

Have you ever wondered just how well your sensors work? The functionality of many devices relies on sensors receiving input from the world around them. But how reliable are these sensors in the first place? It turns out that you can pull a fast one on more sensors than you might realize.


Fooling Accelerometers in Smartphones with Sound Waves

The accelerometer in your smartphone can be altered using sound waves, which was discovered by Timothy Tippel, Kevin Fu, and other engineers at the University of Michigan's Computer Science and Engineering Department. Fu is part of the Security and Privacy Research Group—or SPQR Group for short.

Fu and his colleagues found that if a single tone is played at the accelerometer's resonant frequency, two signal processing components are generated within the phone, thus creating false information.

Some accelerometers work using the piezoelectric effect; they contain a microscopic crystal that causes the generation of voltage when an accelerative force stresses it. Other accelerometers use capacitance to determine acceleration. When two microstructures are right next to one another, there is a certain value of capacitance between them. Once an accelerative force is detected in one, the capacitance in the other will change.

Learn more in the video below:

As interesting as the science behind this discovery is, there are serious implications. These types of sensors are in many devices that depend on reliable security. According to Fu and his team, this ability to fool sensors provides a lot of vulnerability in sensor systems. His team has been contacting the manufacturers of the sensors in question, letting them know the potential for misleading readings.

As a less dire consequence, fooling an accelerometer may also mean being able to fool an activity tracker. There are tons of smartphone apps that can track the number of steps you take in a day or how fast you can run a mile. Generally speaking, these activity tracking apps utilize your smartphone's accelerometer and gyroscope. Users have been found sitting down and shaking their phone to count steps or even mimic their running by moving the phone in that manner. Once the word got out about this, the trackers were made more accurate so this wasn't an issue anymore.

What can designers do to prevent this sort of sensor-misleading tomfoolery? In this instance, the solution may be to house the accelerometers in a type of noise-canceling enclosure in order to eliminate a majority of the soundwaves coming in to throw it off.

You can read the paper on the research here (PDF).


Fooling Fingerprint Scanners with Capacitive Touch

Another sensor is the fingerprint scanner that isn't always 100% accurate. Capacitance fingerprint scanners such as the one below measure a change in voltage that is created when a finger is placed on an array of electrical sensors.


A Zvetco P5000 fingerprint scanner. Image courtesy of Fulcrum Biometrics


The ridges on your finger produce a higher capacitance than the valleys, thus a difference is created. This difference is used to generate an image. Some other fingerprint sensors apply small voltages to the finger to better refine the quality of the image.

Researchers from the Tandon School of Engineering at New York University actually recently released a paper demonstrating that fingerprint scanners can actually be fooled by a single "master" fingerprint—a "MasterPrint", if you will.

The key lies in the fact that most fingerprint security systems rely on partial print matches. The MasterPrint system uses a group of partial print matches—about 800 for a batch taken from a pool of 8,200—and attempts to find a match. 


An example of a fingerprint (a) and some of the partial matches that can be extracted from it (b). Image courtesy of NYU.


An obvious solution that could be employed is for security systems to use full print matches rather than partial print matches. However, according to the to paper, part of the issue is that fingerprint scanners are small and limited in their capabilities. Simply put, the hardware may need to catch up to the security issues.


Fooling LiDAR Sensors with a Laser, Pulse Generator, and... Raspberry Pi?

LiDAR (light detection and ranging) is a type of sensor increasingly used to help autonomous vehicles navigate. Unfortunately, LiDAR systems are also susceptible to being fed incorrect information.

Jonathan Petit from Security Innovation has developed a system that sends false signals in the direction of the LiDAR sensors that are used on autonomous vehicles. The system consists of a lower-power laser and a laser generator that can be powered by a single board computer—all parts that can be assembled at home for about $60. Petit says that the system would be relatively easy to create using an Arduino or Raspberry Pi.

The system is capable of informing the car of nonexistent objects in its path, hindering movement. On the other hand, the system could blind the LiDAR sensors to obstacles, allowing the vehicle to accelerate into whatever is in its path.

In response, LiDAR manufacturers could encode or encrypt their signals so that such a problem doesn't occur. But this solution will take time. In the meantime, it's possible that autonomous vehicle sensor systems may be more vulnerable to outside influence than consumers are comfortable with.

Waymo's self-driving minivan. Image courtesy of Waymo


Our sensors aren't infallible. As sensors show up in more and more devices, it's important for security experts and designers to be working together on solutions. 

The unifying factor of the examples of vulnerable sensors in this article is that they're being demonstrated by researchers. There are some of the brightest minds on the planet trying to find and exploit sensor vulnerabilities so that solutions can be found. But to an extent these researchers are in an arms race against malicious parties who would exploit these sensors in harmful ways. 

So, keep in mind, it's also important for consumers to remember that they're trusting sensors that are susceptible to outside influence.


Featured image used courtesy of Kevin Fu.

1 Comment
  • User8192 May 05, 2017

    Another source of false signals in circuits is the ubiquitous multilayer ceramic capacitor (MLC).  These passive components exhibit piezoelectric effects that can convert circuit board flexing and vibration into electrical signals.

    Like. Reply