WALNUT: Acoustic Attacks on MEMS Sensors

Updates: Fitbit response (March 17, 2017), News

Millions of accelerometers reside inside smartphones, automobiles, medical devices, anti-theft devices, drones, IoT devices, and many other industrial and consumer applications. Our work investigates how analog acoustic injection attacks can damage the digital integrity of the capacitive MEMS accelerometer. Spoofing such sensors with intentional acoustic interference enables an out-of-spec pathway for attackers to deliver chosen digital values to microprocessors and embedded systems that blindly trust the unvalidated integrity of sensor outputs. Our contributions include (1) modeling the physics of malicious acoustic interference on MEMS accelerometers, (2) discovering the circuit-level security flaws that cause the vulnerabilities by measuring acoustic injection attacks on MEMS accelerometers as well as systems that employ on these sensors, and (3) two software-only defenses that mitigate many of the risks to the integrity of MEMS accelerometer outputs.

What can attackers do?

Attackers that have capabilities to deliver high intensity acoustic interference in close proximity to the target MEMS sensor can spoof the sensor to output arbitrary, attacker–chosen, signals. Our experiments demonstrate the spelling of the word "WALNUT" over the output signal of a MEMS accelerometer. With proper knowledge of the algorithms that are utilizing the polluted sensor data, adversaries may be able to control the behavior of a system that relies on the sensor data to make automated decisions.

Demonstration Video

In the video below, we demonstrate playing a YouTube music video laced with special tones on a Samsung Galaxy S5 smartphone. The tones trick the phone's internal accelerometer to output a signal spelling "WALNUT". The computer plots the phone's accelerometer output signal in real time.

The second video below is the source of acoustic interference played in the first video above. Note that we laced a music video with the tones, demonstrating that the interference remains effective even when combined with videos and music that could be automatically played from websites, email attachments, Twitter links tapped on a smartphone, etc.

Finally, we show a video of injecting steps into a simple fitness monitor from Fitbit that contains a MEMS accelerometer. We do not feel this fitness attack poses a significant security risk given that the devices perform no medical therapy or diagnostics. However, it's illustrative as a proof of concept of acoustic interference to control the output of MEMS accelerometers.

How does the attack work?

Capacitive MEMS accelerometers use the deflection of a mass as a proxy for measuring acceleration. An ideal capacitive MEMS accelerometer architecture is shown below. When subjected to accelerative forces, the sensing mass shifts, causing a change in capacitance, which is translated to an analog voltage signal, s(t). The analog voltage signal is correlated to the acceleration function, s(t), sensed.

Acoustic pressure waves exhibit forces on physical objects in their path. Subjecting the sensing mass–spring structure to acoustic interference at its resonant frequency can displace the sensing mass enough to spoof false acceleration signals. These spoofed acceleration signals are correlated to the acoustic interference signal, sa(t), as shown in the figure below. It is important note that the resonant frequency of the mass–spring structure is a characteristic of how it is physically designed, and that the frequency of acoustic interference must match the mass–spring structure's resonant frequency (or potentially a harmonic thereof) to successfully spoof false acceleration.

An acoustic attack on a MEMS accelerometer can be as simple as amplitude modulating the desired sensor output signal on top of the acoustic sinusoid, whose frequency matches the resonant frequency of the MEMS sensor. The figure below demonstrates how we spoofed a specific MEMS accelerometer to output a signal resembling the alphanumeric string "WALNUT".

If a system or device utilizes a vulnerable MEMS sensor to make autonomous state-changing decisions, an adversary can leverage the vulnerable MEMS sensor as an attack vector. To demonstrate this, we mounted an acoustic attack on a Samsung Galaxy S5 smartphone that was running an application to pilot an RC car based on real time measurements from the smartphone's MEMS accelerometer. Under normal operation, a user can steer the car by tilting the phone in the direction they wish the car to go. By mounting an acoustic attack on the phone, the car can be piloted without moving the phone.

What sensors are vulnerable?

Our experiments only measure the susceptibility of 20 different MEMS accelerometer models. Other MEMS sensors, including MEMS gyroscopes, are potentially also susceptible. The vulnerable sensors that we tested are listed below. Please note that not all configurations of the sensor are necessarily vulnerable, but it is possible that at least one configuration may be. Also note that our experiments consider the amplitude of acoustic interference to be 110 db SPL; however, lower amplitudes can also negatively impact various sensors.

Sensor Manufacture Sensor Model Vulnerable to acoustic
interference at 110 db SPL
Bosch BMA222E Yes
STMicroelectronics MIS2DH Yes
STMicroelectronics IIS2DH Yes
STMicroelectronics LIS3DSH Yes
STMicroelectronics LIS344ALH Yes
STMicroelectronics H3LIS331DL Yes
InvenSense MPU6050 Yes
InvenSense MPU6500 Yes
InvenSense ICM20601 Yes
Analog Devices ADXL312 Yes
Analog Devices ADXL337 Yes
Analog Devices ADXL345 Yes
Analog Devices ADXL346 Yes
Analog Devices ADXL350 Yes
Analog Devices ADXL362 Yes
Murata SCA610 No
Murata SCA820 Yes
Murata SCA1000 No
Murata SCA2100 No
Murata SCA3100 Yes

How do I deploy vulnerable sensors safely ?

For full details on acoustic attack defense mechanisms please refer to Section 8 in our IEEE paper. In short, deploying vulnerable sensors safely could involve a combination of various techniques, but two general approaches should be taken:

  1. Deploy MEMS sensors in an a way that limits their exposure to acoustic interference, e.g., surround them with acoustic dampening foam.
  2. Deploy data processing algorithms that attempt to reject abnormal acceleration signals, especially those with frequency components around the resonant frequency of the MEMS sensor.

Full technical paper

WALNUT: Waging Doubt on the Integrity of MEMS Accelerometers with Acoustic Injection Attacks
PDF paper | Bibtex
by Timothy Trippel, Ofir Weisse, Wenyuan Xu, Peter Honeyman, and Kevin Fu.
To Appear at IEEE European Symposium on Security and Privacy (Oaklawn), Paris, France, April 2017.


This research is supported by National Science Foundation grants CNS-1330142 and CNS-1218586. The views and conclusions contained in this paper are those of the authors and should not be interpreted as necessarily representing the official policies, either expressed or implied, of NSF.

News media

The New York Times, University of Michigan, IFL Science, IEEE Spectrum, Science Friday, EE News, The Register, Gizmodo, Radio Sputnik


Why is the acoustic attack named WALNUT?

Our research team decided to give acoustic injection attacks the alias "WALNUT", since the first MEMS accelerometer output signal we spoofed using intentional acoustic interference spelled "WALNUT".

How can I contact the WALNUT research team?

We apologize if we are not able to respond personally to each individual inquiry. Semiconductor manufacturers that produce MEMS accelerometers and need assistance writing a vulnerability disclosure may contact ICS-CERT at the U.S. Department of Homeland Security. Companies producing products that integrate MEMS accelerometers into circuit boards should send their semiconductor supplier this web page and ask for a vulnerability assessment, updated list of acoustic resonant frequencies, and recommended mitigations. Individual consumers, businesses, and others are advised to watch for vulnerability reports from the producers of affected products. Institutions looking for expert assistance to test their MEMS accelerometers are welcome to reach out. One can also watch for updates here or on Twitter. The team can be reached by email at walnut-spqr at the domain name of umich.edu. WALNUT was developed by researchers at the University of Michigan and University of South Carolina: Timothy Trippel, Ofir Weisse, Wenyuan Xu, Peter Honeyman, and Kevin Fu

How easy is it to carry out the attack? Is it practical?

Short answer: it depends on the target sensor and system. Launching a successful acoustic attack against an autonomous system to alter its behavior depends on three requirements:

  1. delivery of high amplitude, and arbitrarily modulated, acoustic interference in close proximity to the target MEMS sensor
  2. knowledge of the resonant frequency of the target MEMS sensor
  3. knowledge of the sensor data processing and behavior controlling algorithm(s) of the target autonomous system

What is the amplitude of acoustic interference required to carry out the attack?

Our experiments were conducted with 110 db SPL acoustic interference at a distance of 10 cm from the target device. However, depending on the sensor, lower amplitudes and longer distances are plausible. Note that speakers and sensors soldered to the same circuit board (e.g., a smartphone) will experience mechanical coupling that transmits additional energy from the attack.

Are acoustic vulnerabilities of MEMS sensors currently being exploited by attackers?

We have no reason to believe that acoustic sensor spoofing attacks are currently being mounted to disable autonomous cyber-physical systems. Additionally, given the requirements (see Section 3 in our IEEE paper) for this attack involve subjecting a target sensor to high intensity acoustic noise it restricts the plausible scenarios in which an attack could be mounted.

Can I detect if someone is launching an acoustic attack on a MEMS sensor in my devices?

There are two approaches whereby acoustically spoofed sensor data could be detected: detection of data irregularities or detection of the acoustic interference. Depending on the application to which the vulnerable MEMS sensor is deployed to service, it may be possible to detect irregularities in the measurements reported by the sensor. For example, if an accelerometer that is deployed in an adaptive rate pacemaker expects to experience a maximum amplitude of acceleration, and what it measures exceeds that amplitude, the sensor data could be ignored. In the case that the same device or system that contains the vulnerable MEMS sensor, also contains a microphone, the microphone could continuously monitor environmental acoustic noise. When the environmental acoustic noise contains frequency components that match the resonant frequency of the vulnerable sensor, the sensor data could be ignored.

I have an old embedded device that contains a vulnerable sensor. What should I do?

We recommend you contact the semiconductor manufacturer with a link to this web page for advice. We do not perform consulting for individuals, but we do conduct sponsored research by companies and institutions like the National Science Foundation. If you replicate our work and find a new vulnerability, we would be happy to add your results to our public compendium.

How does my company license your sensor security technology?

See the University of Michigan Tech Transfer website regarding intellectual property.

What other sensor spoofing attacks have been proposed?

Below is an (incomplete) list of some recent sensor spoofing attacks beyond MEMS accelerometers. These works demonstrate how spoofing sensor data can be leveraged as a viable attack vector to alter the behavior of autonomous systems.

Should I trust sensors in my health devices?

Patients are far safer with their medical devices than without. That said, it becomes more difficult to establish trust in the authenticity and integrity of a fitness monitoring device if the wearer is attempting to inflate the fitness measurements. For instance, should one trust the step count from a Fitbit as evidence for an alibi? The answer is to be determined, but we do know we can inject fake steps into fitness monitoring devices with acoustics. We have not tested the ability to halt a fitness step counter to fake undercounting, but we imagine this would be feasible by forcing the accelerometer to see zero acceleration except for the 9.8m/s^2 z-axis.

March 17, 2017: Fitbit asked us to consider sharing their response, which we include verbatim below. We agree that our discovery is about the sensor system, not the fitness data privacy.

 “To be clear, this is not a compromise of Fitbit user
data and users should not be concerned that any data has been accessed
or disclosed.  As the leader in connected health and fitness, Fitbit
is committed to protecting consumer privacy and keeping data safe. The
trust of our customers is paramount and we carefully design security
measures for new products, continuously monitor for new threats, and
rapidly respond to identified issues.
What is being described is simply a way to game the system. We believe
that any attempt to get credit for steps not actually taken, however
clever, deprives the user of the very real benefits of living a more
active, healthier life. It’s far better, and a whole lot more fun, to
discover the joys of moving one’s body—whether on your own or with
family and friends—to reach and beat your fitness goals.
We continue to explore solutions that help mitigate the potential for
this type of behavior."
-Fitbit spokesperson

How was vulnerability disclosure coordinated?

ICS-CERT coordinated the vulnerability disclosure on our behalf. We notified all the semiconductor companies listed on the MEMS accelerometer chips we tested. Most manufacturers responded quite positively, thanking us for the months of advance notice. The analog cybersecurity world is less accustomed to vulnerability reporting, so we are pleased that affected companies were receptive and responsive.

What manufacturers/organizations have released vulnerability disclosures?

What inspired this research?

In the SPQR lab, we focus on the challenging embedded cybersecurity problems that tend to require significant hands-on experimentation: pacemakers, drones, automobiles. The inspiration for this work began with an informal conversation in a buffet line at an IEEE security and privacy symposium in 2008 regarding music played over headphones to affect pacemaker security. However, our acoustic experiments on MEMS devices began a couple years ago after we read about fascinating work where sound waves could disable gyroscopes in drones. We wondered, could sound waves also allow one to control a sensor rather than disable it. The answer is yes. Don't trust your sensors. Verify.

What else do you do?