MEMS Accelerometer Hardware Design Flaws (Update A)
Description
This updated alert is a follow-up to the original alert titled ICS-ALERT-17-073-01 MEMS Accelerometer Hardware Design Flaws that was published March 14, 2017, on the NCCIC/ICS-CERT web site. ICS-CERT is aware of public reporting of hardware design flaws in some capacitive micro-electromechanical systems (MEMS) accelerometer sensors, which are produced by the following manufacturers: Robert Bosch GmbH, STMicroelectronics, InvenSense Inc., Analog Devices Inc., and Murata Manufacturing Company.
table.gridtable {
font-family: verdana,arial,sans-serif;
font-size:11px;
color:#333333;
border-width: 1px;
border-color: #666666;
border-collapse: collapse;
}
table.gridtable th {
border-width: 1px;
padding: 8px;
border-style: solid;
border-color: #666666;
background-color: #dedede;
}
table.gridtable td {
border-width: 1px;
padding: 8px;
border-style: solid;
border-color: #666666;
background-color: #ffffff;
}
SUMMARY
This updated alert is a follow-up to the original alert titled ICS-ALERT-17-073-01 MEMS Accelerometer Hardware Design Flaws that was published March 14, 2017, on the NCCIC/ICS-CERT web site.
ICS-CERT is aware of public reporting of hardware design flaws in some capacitive micro-electromechanical systems (MEMS) accelerometer sensors, which are produced by the following manufacturers: Robert Bosch GmbH, STMicroelectronics, InvenSense Inc., Analog Devices Inc., and Murata Manufacturing Company.
According to public reporting, the design flaws may be exploitable by playing specific acoustic frequencies in close proximity to devices containing embedded capacitive MEMS accelerometer sensors. At a specific acoustic frequency it may be possible to induce a vibration within vulnerable accelerometers to alter the sensors’ output in a predictable way. The impact of exploitation would be dependent on the function and operation of host devices, but it is understood that during an attack it may be possible to render affected sensors inoperable. This could result in a denial of service for host devices. During a successful attack, the integrity of measured data by vulnerable sensors could also be compromised. In the worst case attack scenario, it may be possible for an attacker to control sensor output data in a predictable way to achieve some level of control over a host device that primarily operates on unvalidated sensor data.
The exploitability of the hardware design flaws is dependent on many factors to include physical attributes of the host device, how the host device uses the accelerometer data, the accessibility of the host device, as the attack would likely need to be carried out in close proximity to the target system.
ICS-CERT has notified the affected vendors of the public reporting. Robert Bosch GmbH, STMicroelectronics, InvenSense Inc., and Analog Devices Inc. have validated the hardware design flaws. ICS-CERT is issuing this alert to provide early notice of the public reporting.
ICS-CERT is also working with several of the cooperative vendors to identify a list of affected devices that contain vulnerable capacitive MEMS accelerometer sensors.
The following MEMS Accelerometer sensors may be affected:
• Bosch BMA222E,
• STMicroelectronics MIS2DH,
• STMicroelectronics IIS2DH,
• STMicroelectronics LIS3DSH,
• STMicroelectronics LIS344ALH,
• STMicroelectronics H3LIS331DL,
• InvenSense MPU6050,
• InvenSense MPU6500,
• InvenSense ICM20601,
• Analog Devices ADXL312,
• Analog Devices ADXL337,
• Analog Devices ADXL345,
• Analog Devices ADXL346,
• Analog Devices ADXL350,
• Analog Devices ADXL362,
• Murata SCA610,
• Murata SCA820,
• Murata SCA1000,
• Murata SCA2100, and
• Murata SCA3100.
MEMS accelerometer sensors measure tilt, motion, inactivity, and shock vibration, which are embedded in numerous types of devices and equipment, such as: automobiles, cell phones, computer equipment, and machine interfaces. These embedded sensors are deployed across several critical infrastructure sectors, including Communications, Critical Manufacturing, Healthcare and Public Health, Information Technology, and Transportation Systems.
Timothy Trippel, Ofir Weisse, Peter Honeyman, and Kevin Fu from University of Michigan, along with Wenyuan Xu from the University of South Carolina, have reported the hardware design flaws to ICS-CERT.
MITIGATION
ICS-CERT is working with the identified sensor manufactures to identify a list of affected products that use the affected capacitive MEMS accelerometers and to determine each vendor’s mitigation plan.
Robert Bosch GmbH has released a security advisory that provides additional information about the hardware design flaws, which is available at the following location:
https://psirt.bosch.com/Advisory/BOSCH-2016-0501.html
Robert Bosch GmbH has also provided a link to their Handling, Soldering, and Mounting Instructions document for additional information for their customers:
https://ae-bst.resource.bosch.com/media/_tech/media/application_notes/BST-MAS-HS000-05.pdf
InvenSense Inc., has offered the following statement:
“Successive generations of InvenSense sensors have demonstrated lower vibration sensitivity. For more critical applications and mitigation of intentional acoustic interference or attacks, host device designers should be aware of and address these issues through host device designs and use of sensors with low vibration sensitivity as appropriate.”
--------- Begin Update A Part 1 of 1 --------
Analog Devices has released a security advisory that provides additional information about the hardware design flaws, which is available at the following location:
--------- End Update A Part 1 of 1 --------
ICS-CERT will update the alert as additional information becomes available.
ICS-CERT also provides a control systems recommended practices page on the ICS-CERT web site. Several recommended practices are available for reading or download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
Organizations that observe any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents.
This product is provided subject to this Notification and this Privacy & Use policy.
Vendor
- Robert Bosch GmbH
- STMicroelectronics
- InvenSense Inc.
- Analog Devices Inc.
- Murata Manufacturing Company