Sound waves could potentially be used to hack our gadgets

UPDATE: After this story broke, Fitbit sent a statement in response to us mentioning a MEMS accelerometer being spooked into counting ghost steps, and they were quite reassuring. 

A spokesperson for the fitness tracking giant explained, "To be clear, this is not a compromise of Fitbit user data and users should not be concerned that any data has been accessed or disclosed.  What is being described is simply a way to game the system. We believe that any attempt to get credit for steps not actually taken, however clever, deprives the user of the very real benefits of living a more active, healthier life. We continue to explore solutions that help mitigate the potential for this type of behavior."

As technology improves, so does the sophistication of cyber attacks, making it harder and harder to secure our devices from hackers.

And now there’s a new tool available to hackers to bolster their arsenal, and it’s simple and pretty cheap to implement – sound.

Researchers at the University of Michigan and University of South Carolina released a paper on Tuesday detailing how sound waves can be used to control accelerometers – the sensors in wearables and phones which determine when you’re moving and at what speed – which are used in millions of gadgets including phones, fitness trackers, cars, medical equipment and connected internet of things devices.

A $5 speaker was used to blast sound waves from “malicious” music files at 20 different accelerometers from five manufacturers, spooking the sensors and causing the devices to malfunction.

“It’s like the opera singer who hits the note to break a wine glass, only in our case, we can spell out words,” Kevin Fu, one of the authors of the paper and associate professor at the University of Michigan, told the New York Times. “You can think of it as a musical virus.”

The hacks

The researchers used the resonating frequency from the audio files to perform some simple hacks, like causing one accelerometer to spell out the word ‘Walnut’ in a graph and a Fitbit to record ghost steps. They were able to affect 75% of the sensors, and actually control 65% of them.

However, this simple tool could (possibly) do far more damage than registering a few extra steps that nobody took.

A Samsung Galaxy S5 running an app that controls a car’s steering via phone tilts was subjected to an acoustic attack, allowing the car to be piloted without moving the phone.

Acoustic attacks aren’t really new. A paper published in 2015 documents how a team at the Korea Advanced Institute of Science and Technology crashed a drone using sound waves to affect its gyroscopes.

But it’s important to remember that this research is just a proof of concept that's been used to highlight the security risks that popular consumer products are prone to. It doesn’t necessarily mean we’ll soon find hackers using opera to attack our gadgets.

Sharmishta Sarkar
Managing Editor (APAC)

While she's happiest with a camera in her hand, Sharmishta's main priority is being TechRadar's APAC Managing Editor, looking after the day-to-day functioning of the Australian, New Zealand and Singapore editions of the site, steering everything from news and reviews to ecommerce content like deals and coupon codes. While she loves reviewing cameras and lenses when she can, she's also an avid reader and has become quite the expert on ereaders and E Ink writing tablets, having appeared on Singaporean radio to talk about these underrated devices. Other than her duties at TechRadar, she's also the Managing Editor of the Australian edition of Digital Camera World, and writes for Tom's Guide and T3.