ABSTRACT
Embedded and cyber-physical systems are critically dependent on the integrity of input and output signals for proper operation. Input signals acquired from sensors are assumed to correspond to the phenomenon the system is monitoring and responding to. Similarly, when such systems issue an actuation signal it is expected that the mechanism being controlled will respond in a predictable manner. Recent work has shown that sensors can be manipulated through the use of intentional electromagnetic interference (IEMI). In this work, we demonstrate that both input and output signals, analog and digital, can be remotely manipulated via the physical layer---thus bypassing traditional integrity mechanisms. Through the use of specially crafted IEMI it is shown that the physical layer signaling used for sensor input to, and digital communications between, embedded systems may be undermined to an attacker's advantage. Three attack scenarios are analyzed and their efficacy demonstrated. In the first scenario the analog sensing channel is manipulated to produce arbitrary sensor readings, while in the second it is shown that an attacker may induce bit flips in serial communications. Finally, a commonly used actuation signal is shown to be vulnerable to IEMI. The attacks are effective over appreciable distances and at low power.
Index Terms
- Electromagnetic Induction Attacks Against Embedded Systems