UPDATE: After this story broke, Fitbit sent a statement in response to us mentioning a MEMS accelerometer being spooked into counting ghost steps, and they were quite reassuring.
A spokesperson for the fitness tracking giant explained, "To be clear, this is not a compromise of Fitbit user data and users should not be concerned that any data has been accessed or disclosed. What is being described is simply a way to game the system. We believe that any attempt to get credit for steps not actually taken, however clever, deprives the user of the very real benefits of living a more active, healthier life. We continue to explore solutions that help mitigate the potential for this type of behavior."
As technology improves, so does the sophistication of cyber attacks, making it harder and harder to secure our devices from hackers.
And now there’s a new tool available to hackers to bolster their arsenal, and it’s simple and pretty cheap to implement – sound.
Researchers at the University of Michigan and University of South Carolina released a paper on Tuesday detailing how sound waves can be used to control accelerometers – the sensors in wearables and phones which determine when you’re moving and at what speed – which are used in millions of gadgets including phones, fitness trackers, cars, medical equipment and connected internet of things devices.
A $5 speaker was used to blast sound waves from “malicious” music files at 20 different accelerometers from five manufacturers, spooking the sensors and causing the devices to malfunction.
“It’s like the opera singer who hits the note to break a wine glass, only in our case, we can spell out words,” Kevin Fu, one of the authors of the paper and associate professor at the University of Michigan, told the New York Times. “You can think of it as a musical virus.”
The hacks
The researchers used the resonating frequency from the audio files to perform some simple hacks, like causing one accelerometer to spell out the word ‘Walnut’ in a graph and a Fitbit to record ghost steps. They were able to affect 75% of the sensors, and actually control 65% of them.
However, this simple tool could (possibly) do far more damage than registering a few extra steps that nobody took.
A Samsung Galaxy S5 running an app that controls a car’s steering via phone tilts was subjected to an acoustic attack, allowing the car to be piloted without moving the phone.
Acoustic attacks aren’t really new. A paper published in 2015 documents how a team at the Korea Advanced Institute of Science and Technology crashed a drone using sound waves to affect its gyroscopes.
But it’s important to remember that this research is just a proof of concept that's been used to highlight the security risks that popular consumer products are prone to. It doesn’t necessarily mean we’ll soon find hackers using opera to attack our gadgets.
