MEMS sensors, such as accelerometers and gyroscopes, play irreplaceable roles in modern smart devices. A vulnerability has been revealed in them: the internal sensing elements resonate when exposed to acoustic waves at certain frequencies, yielding corrupted data. We developed the attack method and achieved data manipulation through precise parameter tuning for both gyroscopes and accelerometers. We also devised a joint attack that combines the two, giving hackers more versatility. We will explore in depth the impact of this vulnerability across several categories of devices with onboard MEMS sensors, including VR devices, self-balancing vehicles, and drones.
Using a home-built ultrasound/sound emitting system, we launch attacks against popular VR products, including smartphones such as the iPhone 7 and Galaxy S7. By emitting an ultrasound/sound beam onto a device at its resonant frequencies, we are able to manipulate the "virtual world." For example, we can steer the facing direction without any movement by the user, trigger quakes of different frequencies and amplitudes, and so on. This can daze some users because it contradicts what they actually feel, which may cause a fall or even physical injury.
"Shooting" a self-balancing vehicle, we show that it loses balance as soon as we "pull the trigger." In a realistic situation, the user would probably fall and could even be injured while riding at speed. We also attack a commercial DJI product and induce a change in its flight state, which could ultimately lead to a crash. These attacks can take control away from users. Moreover, in the cases of the VR device and the self-balancing vehicle, users may get physically injured! We also introduce several countermeasures, in both hardware and software, to mitigate the vulnerability. Last but not least, through all these attacks, we call for the attention of the companies concerned to prevent further exploitation.