The curious vulnerabilities of ordinary MEMS

Using simple tools such as lasers and music to trick voice assistants and motion sensors.

Using simple tools such as lasers and music to trick voice assistants and motion sensors.

Digital devices now have “sense organs” to help them interact with the physical world. On the one hand, that’s awfully convenient for users. But on the other hand, it creates new threats, and they’re often quite unexpected ones. Even though electronic sensors are functionally similar to their human analogs, they are still very different in terms of design and capabilities — and designers don’t always take those differences into account.

Consider, for example, ultrasound commands, which are inaudible to humans, but which voice assistants hear and obey. Well, hacking a voice-responsive assistant with the help of sound, even if that sound is inaudible to human ears, is at least fairly predictable. But what about using light?

Hearing light: MEMS microphones and their glitches

If a voice command is transformed into a flicker of a laser beam pointed at a voice assistant’s microphone, the assistant will detect and comply with the request. Researchers from the University of Electro-Communications (Chofu, Japan) and the University of Michigan made the discovery. They injected commands into gadgets from a distance of several dozen meters. The only necessary condition is direct visibility between the source of the laser beam and the mike.

The researchers tested the laser-based attack on smart speakers, smartphones, tablets, and other devices running Amazon Alexa, Apple Siri, or Google Assistant. The trick worked for them all, but the distance at which the mike would detect the signal varied from 5 to 110 meters. In theory, reach may be further increased with a laser powerful enough and a proper lens.

The video below (as an illustration of what can be achieved using the method) shows the researchers, who trick a Google Home smart speaker into opening the garage door of the building next door.

Why MEMS microphones respond to light

The laser attack is possible because of the design of microphones in gadgets. Most modern microphones featured in smart electronics are what is called microelectromechanical systems (MEMS), miniature devices in which the electronic and mechanical components are merged into one intricate design.

MEMS-based sensors are mass-produced using the same technologies as for computer chips, mostly of the same material — silicon — and with the same degree of miniaturization (their individual parts are measured in micrometers or even nanometers). MEMS sensors are also very inexpensive, so they have already ousted the majority of other sensors and miniature devices operating at the junction of the electronics and physical worlds.

The main sensing element of a MEMS mike is a superfine membrane about a hundredth the thickness of a human hair. The sound waves make the membrane vibrate, so the space between it and the fixed part of the sensor alternately expands and shrinks. The membrane and the fixed base of the sensor together form a condenser, so the variation of the distance between them translates to capacitance variation. These variations are easy to measure and record, so later they can be transformed into audio.

A beam of light, too, can create waves that cause the sensitive membrane to vibrate. The so-called photoacoustic effect has been known since the late nineteenth century. It was then that Scottish scientist Alexander Graham Bell, best known for patenting the telephone, invented the photophone — a device that used a light beam to exchange audio messages at a distance of several hundred meters.

The photoacoustic effect occurs mostly because light heats the objects exposed to it. When heated, objects expand, and when they cool down they recover their original size. So, exposed to the flicker of a laser beam, they change in their dimensions. You’ll never notice it, but MEMS sensors are minuscule, so they can sense even microscopic action. They therefore sense vibrations and transform them into a sound recording, which is then recognizable as a voice command.

The music of motion: A MEMS accelerometer’s audio sensitivity

Lots of sensors other than microphones — for example, motion sensors such as gyroscopes and accelerometers — use MEMS technology. You can find such sensors in cardiac pacemakers, car air bags, and many other items. They also control screen orientation in smartphones and tablets. They are also subject to some fancy trickery.

A couple of years ago, researchers from the Universities of Michigan and South Carolina staged an experiment in which they controlled accelerometers, which normally respond to motion, with sound.

Why MEMS accelerometers respond to sound

Accelerometer sensors detect motion by calculating displacement of microscopic load. Sound waves can cause the load to vibrate, thus tricking the accelerometer into thinking it’s moving. The researchers tested some 20 popular accelerometer models and found that three-quarters of them were susceptible to sound input.

As part of their study, they had a Fitbit fitness tracker count fake steps and used a smartphone lying flat on a table to maneuver a radio-controlled car. (The car normally responds to the gadget’s position, but in this case, music playing on the device fooled the smartphone’s sensor.)

Inhaling helium: iPhones knocked out

Not all MEMS glitches require laboratory conditions to manifest themselves. During installation of a new MRI scanner at a US clinic, employees found that their cell phones were not working. Investigation revealed that only Apple devices were affected by the problem. The culprit was the liquefied helium used to chill some of the machine’s components. Some gas leaked out, and was blown around the clinic — and that was enough to knock out the iPhones.

Why iPhones stop working because of helium

Unlike the clinic’s other systems, in which MEMS are used but are not critical for performance, Apple Watches and iPhones 6 and higher use MEMS for the system clock.

Inside the MEMS is a vacuum needed for normal operation. To keep the vacuum intact, the chips are sealed with a thin layer of silicon. But helium molecules are small enough to penetrate the silica scale and interfere with the normal operation of the microscopic resonator inside the chip, driving electronics crazy and causing the iPhone to turn off instantly.

Apple recognizes that its gadgets are sensitive to helium; their user manuals include a warning about that: “Exposing iPhone to environments having high concentrations of industrial chemicals, including near evaporating liquefied gasses such as helium, may damage or impair iPhone functionality.” Such situations are so rare, though, that few people ever think about them.

After some time away from the irritant — some needed up to several days — most of the damaged devices returned to normal. The maker of the MEMS sensors used in iPhones says newer generations of the units are not susceptible to this kind of malfunction.

Take good care of your gadgets

The MEMS vulnerabilities described above are the exception rather than the rule. That said, we recommend keeping your gadgets away from canisters of helium. Just in case.

Tips