Sampling Race: Bypassing Timing-Based Analog Active Sensor Spoofing Detection on Analog-Digital Systems

Sensors and actuators are essential components of cyber-physical systems. They establish the bridge between cyber systems and the real world, enabling these systems to react appropriately to external stimuli. Among the various types of sensors, active sensors are particularly well suited to remote sensing applications, and are widely adopted in many safety-critical systems such as automobiles, unmanned aerial vehicles, and medical devices. However, active sensors are vulnerable to spoofing attacks, despite their critical role in such systems. They cannot adopt conventional challenge-response authentication procedures with the object of measurement, because they cannot determine the response signal in advance, and their emitted signal is transparently delivered to the attacker as well. Recently, PyCRA, a physical challenge-response authentication scheme for active sensor spoofing detection, has been proposed. Although it is claimed to be both robust and generalizable, we discovered a fundamental vulnerability that allows an attacker to circumvent detection. In this paper, we show that PyCRA can be completely bypassed, both by theoretical analysis and by real-world experiment. For the experiment, we implemented the authentication mechanism of PyCRA on a real-world medical drop counter and successfully bypassed it with only a low-cost microcontroller and a couple of crude electrical components. This shows that there is currently no effective, robust, and generalizable defense scheme against active sensor spoofing attacks.
