Sensors are devices that measure physical quantities from surrounding environments. They are used by many embedded devices for various purposes. The data collected by sensors from the environments are used for decision-making and the actuation of embedded devices, and this interrelation creates a sensing channel between the embedded device and the real world. Traditional network-based attacks and software vulnerabilities have been studied for a long time, and defense techniques against them have been developed. However, the attacks or vulnerabilities exploited through the sensing channels of embedded devices have not been given significant attention previously. As a result, countermeasures or secure sensing systems have not yet been seriously considered. In this thesis, as a preliminary step to ensuring the security of sensor-equipped embedded devices, we classify the security problems caused by the sensing channel into three categories: spoofing attack, side-channel attack, and information leakage. For each category, we show that such attacks are practical and their threats are serious, through hardware and software analyses of real-world embedded devices.
Firstly, we propose a new type of sensor spoofing attack that utilizes sensor saturation. A sensor has a linear relationship between its input (i.e., physical stimulus) and output in its typical operating region. However, if the input exceeds the upper bound of this operating region, the output saturates and no longer changes in proportion to the input. Using saturation, our attack can cause a sensor to ignore legitimate inputs. To demonstrate our sensor spoofing attack, we targeted two medical infusion pumps that use infrared (IR) drop sensors to precisely control the amount of medicine injected into a patient's body. Our experiments, based on analyses of the drop sensors, showed that their outputs could be manipulated by saturating the sensors with an additional IR source. By analyzing the infusion pumps' firmware, we found a vulnerability in the mechanism handling the outputs of the drop sensors, and implemented an attack that could bypass the alarm systems of the targets. As a result, we showed that our spoofing attack could cause the system to inject up to 3.33 times the intended amount of fluid, or as little as 0.65 times this amount, over 10 minutes. In addition, we found fundamental weaknesses in an existing sensor spoofing detection scheme, PyCRA, and propose a theoretical method to bypass it.
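As an added example that is not part of the thesis, the following Python sketch shows how the firmware side of an IR drop sensor could tell a saturated receiver apart from a genuinely quiescent drip chamber instead of reading both as "no drops". The 10-bit ADC range, the thresholds, and the sample traces are constructed assumptions, not values from the pumps studied.

```python
import statistics
from typing import Dict, List

ADC_MAX = 1023      # assumption: 10-bit ADC on the IR receiver
SAT_MARGIN = 4      # readings this close to full scale count as saturated
SAT_RUN = 20        # this many consecutive saturated samples = interference, not "no drops"
DROP_DEPTH = 0.5    # a drop must pull the beam below 50 % of the window median

def count_drops(samples: List[int], depth: float = DROP_DEPTH) -> int:
    """Naive edge-triggered drop counter: one drop per dip below a fraction of the median.
    This is the kind of logic that can be starved by pinning the receiver at full scale."""
    threshold = statistics.median(samples) * depth
    drops, in_dip = 0, False
    for s in samples:
        if s < threshold and not in_dip:
            drops, in_dip = drops + 1, True
        elif s >= threshold:
            in_dip = False
    return drops

def longest_saturated_run(samples: List[int]) -> int:
    """Longest stretch of consecutive samples sitting within SAT_MARGIN of ADC_MAX."""
    best = run = 0
    for s in samples:
        run = run + 1 if s >= ADC_MAX - SAT_MARGIN else 0
        best = max(best, run)
    return best

def assess_window(samples: List[int]) -> Dict[str, object]:
    """Drop count plus a saturation verdict. A saturated window reports zero drops exactly
    like an empty chamber would, so the pump must alarm instead of trusting the count."""
    saturated = longest_saturated_run(samples) >= SAT_RUN
    return {"drops": count_drops(samples), "saturated": saturated, "alarm": saturated}

def drip_trace(n_drops: int, period: int = 50, dip_len: int = 5, baseline: int = 600) -> List[int]:
    """Constructed receiver trace: steady beam at `baseline`, each drop attenuates it briefly."""
    trace = [baseline] * (period * n_drops)
    for k in range(n_drops):
        for i in range(k * period + 10, k * period + 10 + dip_len):
            trace[i] = 250
    return trace

# Constructed interference trace: an extra IR source holds the receiver at full scale.
FLOODED = [ADC_MAX] * 250
```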
For a side-channel attack, we investigate the possibility of incapacitating drones equipped with micro-electro-mechanical systems (MEMS) gyroscopes using intentional sound interference. While MEMS gyroscopes are known to have resonant frequencies that degrade their accuracy, it is not known whether this property can be maliciously exploited to disrupt the operation of a drone. We tested 15 kinds of MEMS gyroscopes subjected to sound interference and discovered the resonant frequencies of seven of them by scanning the frequencies under 30 kHz using a consumer-grade speaker. The standard deviation of the resonant output from those gyroscopes was dozens of times larger than that of the normal output. After analyzing a target drone's flight control system, we performed real-world experiments and a software simulation to verify the effect of the crafted gyroscope output. Our real-world experiments using a sound source at a distance of 10 cm from the target drone showed that one of the two target drones equipped with vulnerable gyroscopes lost control and crashed shortly after we started our attack in all 20 trials. Theoretically, the attack distance can be increased using high-power sound sources. Furthermore, we experimented with physical shielding as a countermeasure, and the results showed that the effect of the resonance could be reduced by this shielding.
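The abstract reports that the resonant output's standard deviation was dozens of times larger than normal. The following added example, which is not the thesis's code, turns that observation into a simple windowed noise monitor that a flight controller could run before trusting the gyroscope; the output rate, window size, alarm ratio, and the signal trace are constructed assumptions.

```python
import math
import statistics
from typing import List, Optional

SAMPLE_RATE = 1000       # assumption: gyroscope output rate in Hz
WINDOW = 100             # 0.1 s of rate samples per decision
RATIO_LIMIT = 10.0       # alarm when a window's std exceeds 10x the calibrated baseline std

def calibrate_baseline_std(samples: List[float]) -> float:
    """Standard deviation of the gyro output while the device is known to be undisturbed."""
    return statistics.pstdev(samples)

def first_resonant_window(samples: List[float], baseline_std: float,
                          window: int = WINDOW, ratio: float = RATIO_LIMIT) -> Optional[int]:
    """Index of the first window whose noise exceeds `ratio` times the baseline, else None.
    A flight controller would switch to a fallback (or land) rather than feed this to its PID loop."""
    for start in range(0, len(samples) - window + 1, window):
        if statistics.pstdev(samples[start:start + window]) > ratio * baseline_std:
            return start // window
    return None

def gyro_trace(n_quiet: int, n_resonant: int) -> List[float]:
    """Constructed rate signal (deg/s): small sensor noise, then a large oscillation once
    acoustic interference hits the MEMS structure's resonant frequency."""
    quiet = [0.05 * math.sin(0.7 * i) + 0.02 * math.cos(1.9 * i) for i in range(n_quiet)]
    resonant = [3.0 * math.sin(2 * math.pi * 0.15 * i) for i in range(n_resonant)]
    return quiet + resonant
```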
Lastly, for information leakage, we propose a fingerprinting method for tracking drones in motion based on the offsets of MEMS gyroscopes, which are essential for maintaining the attitudes of drones. Considering the increase in drone-related services, fingerprinting and tracking drones can cause security threats such as attempts to escape surveillance, disturb services, and capture drones by leaking route information. Telemetry transceivers are used to wirelessly monitor the status of drones, and the status information contains latitude and longitude, calibrated sensor outputs, and sensor offsets. Because many telemetry transceivers support neither authentication nor encryption, an attacker can obtain the locations of the drones using a suitable wireless communication device, but cannot track the drones because the location data cannot be attributed to an individual drone. However, we found that the offsets of MEMS gyroscopes can be used as efficient fingerprints because of the hardware imperfections caused by manufacturing mismatches. As evidence, we found that the offsets of five drones obtained through their telemetry were distinguishable and constant during their flights. To evaluate the performance of our fingerprinting method on a larger scale, we collected the offsets from 70 stand-alone MEMS gyroscopes to generate fingerprints. When using the offsets of three and two axes, each calculated from 128 raw output samples per axis, as fingerprints, the F-scores of the proposed method reached 98.78 % and 94.47 %, respectively. The offsets collected after a month could also be fingerprinted with F-scores of 96.58 % and 78.45 %, respectively. The proposed fingerprinting and tracking method is effective and robust even when the target drones are flying, because the offsets are determined during the boot process of the drones and do not change in flight. Furthermore, the fingerprints survive firmware updates, factory resets, and reinstallations as long as the MEMS gyroscope is not replaced.
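To make the fingerprinting step concrete, the following added Python example (not the thesis's implementation) computes offsets from 128 raw samples per axis, enrols three constructed devices, and re-identifies them from a later boot capture; it also shows why the two-axis fingerprint is weaker, since two of the constructed devices are nearly identical on x and y and are separated only by z. The device biases, noise level, and nearest-neighbour matching rule are assumptions; the abstract names no classifier.

```python
import math
import random
from typing import Dict, List, Sequence, Tuple

SAMPLES_PER_AXIS = 128   # as in the thesis: offsets come from 128 raw outputs per axis

def gyro_offset(raw: Sequence[float]) -> float:
    """Offset = mean of the stationary raw output, which boot-time calibration stores."""
    return sum(raw) / len(raw)

def fingerprint(raw_xyz: Sequence[Sequence[float]], axes: int = 3) -> Tuple[float, ...]:
    """Fingerprint from the first `axes` axes (3 or 2), each built from SAMPLES_PER_AXIS samples."""
    assert all(len(a) == SAMPLES_PER_AXIS for a in raw_xyz[:axes])
    return tuple(gyro_offset(a) for a in raw_xyz[:axes])

def match(fp: Tuple[float, ...], enrolled: Dict[str, Tuple[float, ...]]) -> str:
    """Assumed matching rule: nearest enrolled fingerprint in Euclidean distance."""
    return min(enrolled, key=lambda name: math.dist(fp, enrolled[name][:len(fp)]))

def boot_capture(bias: Tuple[float, float, float], seed: int) -> List[List[float]]:
    """Constructed stationary capture (deg/s): fixed per-device bias plus zero-mean noise."""
    rng = random.Random(seed)
    return [[b + rng.gauss(0.0, 0.05) for _ in range(SAMPLES_PER_AXIS)] for b in bias]

# Constructed biases: A and C differ by only 0.01/0.02 deg/s on x/y but by 0.30 deg/s on z.
DEVICE_BIAS = {
    "drone_A": (0.31, -0.12, 0.08),
    "drone_B": (-0.27, 0.05, 0.19),
    "drone_C": (0.30, -0.10, -0.22),
}

def enroll(axes: int) -> Dict[str, Tuple[float, ...]]:
    """Build the reference set from one boot capture per device."""
    return {name: fingerprint(boot_capture(bias, seed=i), axes)
            for i, (name, bias) in enumerate(DEVICE_BIAS.items())}

def identify(name: str, axes: int, seed: int = 99) -> str:
    """Re-capture `name` on a later boot (fresh noise, same hardware) and look it up."""
    return match(fingerprint(boot_capture(DEVICE_BIAS[name], seed), axes), enroll(axes))

def separation(a: str, b: str, axes: int) -> float:
    """Distance between two enrolled fingerprints; small values mean likely confusion."""
    ref = enroll(axes)
    return math.dist(ref[a], ref[b])
```

With three axes every device is recovered; with two axes drone_A and drone_C sit within a few hundredths of a degree per second of each other, which is the kind of overlap that lowers the two-axis F-score.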
In summary, because many critical decisions or operations of sensor-equipped embedded devices are made based on the data collected by sensors through sensing channels, fabricated sensor inputs or outputs can maliciously manipulate the embedded devices, and the leakage of the data can cause privacy problems. In this thesis, we show in detail three types of security attacks and threats that can be mounted through sensing channels. Each attack is designed based on both hardware and software analyses and demonstrated through experiments with real-world embedded devices. Therefore, the sensing channel needs to be securely designed and implemented, and sensing data need to be securely managed. The results of this study can serve as reference cases for ensuring that sensor-equipped embedded devices are secure in the future. In particular, the proposed side-channel and information leakage attacks targeting drones can be used for disabling and tracking unauthorized drones.