Design Flaws in Accelerometer Hardware

Wednesday, March 15, 2017 @ 02:03 PM gHale

There is a public reporting of hardware design flaws in some capacitive micro-electromechanical systems (MEMS) accelerometer sensors produced by the following manufacturers: Robert Bosch GmbH, STMicroelectronics, InvenSense Inc., Analog Devices Inc., and Murata Manufacturing Company, according to a report with ICS-CERT.

The design flaws may be exploitable by playing specific acoustic frequencies in close proximity to devices containing embedded capacitive MEMS accelerometer sensors, the report said. At a specific acoustic frequency, it may be possible to induce a vibration within vulnerable accelerometers to alter the sensors’ output in a predictable way.

Fatek Clears PLC Ethernet Module Hole
Schneider Mitigates ClearSCADA Issue
Wonderware Intelligence Hole Mitigated
AMX Updates Multiple Vulnerabilities

The impact of exploitation would depend on the function and operation of host devices, but during an attack it may be possible to render affected sensors inoperable. This could result in a denial of service for host devices. During a successful attack, the integrity of measured data by vulnerable sensors could also end up compromised. In the worst case scenario, it may be possible for an attacker to control sensor output data in a predictable way to achieve some level of control over a host device that primarily operates on unvalidated sensor data.

The exploitability of the hardware design flaws is dependent on many factors to include physical attributes of the host device, how the host device uses the accelerometer data, the accessibility of the host device, as the attack would likely need to end up carried out in close proximity to the target system.

ICS-CERT notified the affected vendors of the public reporting. Robert Bosch GmbH, STMicroelectronics, InvenSense Inc., and Analog Devices Inc. have validated the hardware design flaws. ICS-CERT issued its alert to provide early notice of the public reporting.

ICS-CERT is also working with several of the cooperative vendors to identify a list of affected devices that contain vulnerable capacitive MEMS accelerometer sensors.

The following MEMS Accelerometer sensors may suffer from the issue:
•           Bosch BMA222E
•           STMicroelectronics MIS2DH
•           STMicroelectronics IIS2DH
•           STMicroelectronics LIS3DSH
•           STMicroelectronics LIS344ALH
•           STMicroelectronics H3LIS331DL
•           InvenSense MPU6050
•           InvenSense MPU6500
•           InvenSense ICM20601
•           Analog Devices ADXL312
•           Analog Devices ADXL337
•           Analog Devices ADXL345
•           Analog Devices ADXL346
•           Analog Devices ADXL350
•           Analog Devices ADXL362
•           Murata SCA610
•           Murata SCA820
•           Murata SCA1000
•           Murata SCA2100
•           Murata SCA3100

MEMS accelerometer sensors measure tilt, motion, inactivity, and shock vibration, and embed in numerous types of devices and equipment, such as: Automobiles, cell phones, computer equipment, and machine interfaces. These embedded sensors see use in several critical infrastructure sectors, including communications, critical manufacturing, healthcare and public health, information technology, and transportation systems.

Timothy Trippel, Ofir Weisse, Peter Honeyman, and Kevin Fu from University of Michigan, along with Wenyuan Xu from the University of South Carolina, reported the hardware design flaws to ICS-CERT.

ICS-CERT is working with the identified sensor manufactures to identify a list of affected products that use the affected capacitive MEMS accelerometers and to determine each vendor’s mitigation plan.

Robert Bosch GmbH released a security advisory that provides additional information about the hardware design flaws.

Robert Bosch GmbH has also provided a link to their Handling, Soldering, and Mounting Instructions document for additional information for their customers.

InvenSense Inc. issued the following statement:

“Successive generations of InvenSense sensors have demonstrated lower vibration sensitivity. For more critical applications and mitigation of intentional acoustic interference or attacks, host device designers should be aware of and address these issues through host device designs and use of sensors with low vibration sensitivity as appropriate.”

Leave a Reply

You must be logged in to post a comment.