Ghost Talk: Mitigating {EMI} Signal Injection Attacks against Analog Sensors
Denis Foo Kune

Citation
Denis Foo Kune. "Ghost Talk: Mitigating {EMI} Signal Injection Attacks against Analog Sensors". Tutorial, 21, October, 2013.

Abstract
Electromagnetic interference (EMI) affects circuits by inducing voltages on conductors. Analog sensing of signals on the order of a few millivolts is particularly sensitive to interference. This work (1) measures the susceptibility of analog sensor systems to signal injection attacks by intentional, low-power emission of chosen electromagnetic waveforms, and (2) proposes defense mechanisms to reduce the risks. These experiments use specially crafted EMI at varying power and distance to measure susceptibility of sensors in implantable medical devices and consumer electronics. Results show that at distances of 1-2m, consumer electronic devices containing microphones are vulnerable to the injection of bogus audio signals. Measurements show that in free air, intentional EMI under 10W can inhibit pacing and induce defibrillation shocks at distances up to 1-2m on implantable cardiac electronic devices. However, with the sensing leads and medical devices immersed in a saline bath to better approximate the human body, the same experiment decreased to under 5cm.

Defenses range from prevention with simple analog shielding to detection with a signal contamination metric based on the root mean square of waveform amplitudes. A contribution to securing cardiac devices includes a novel defense mechanism that probes for forged pacing pulses inconsistent with the refractory period of cardiac tissue.

Denis Foo Kune is a visiting scholar at the University of Michigan in SPQR, the Security and Privacy Research Group Lab. He received his PhD from the University of Minnesota in 2012, and his thesis focused on improving security on the wireless medium. He looked at electromagnetic interference attacks on time-varying voltage sensors and vulnerabilities on wireless WAN protocols.

Electronic downloads

Internal. This publication has been marked by the author for TerraSwarm-only distribution, so electronic downloads are not available without logging in.

Citation formats

• HTML

  Denis Foo Kune. <a
  href="http://www.terraswarm.org/pubs/105.html"
  ><i>Ghost Talk: Mitigating {EMI} Signal Injection
  Attacks against Analog Sensors</i></a>,
  Tutorial,  21, October, 2013.

• Plain text

  Denis Foo Kune. "Ghost Talk: Mitigating {EMI} Signal
  Injection Attacks against Analog Sensors". Tutorial, 
  21, October, 2013.

• BibTeX

  @tutorial{FooKune13_GhostTalkMitigatingEMISignalInjectionAttacksAgainst,
      author = {Denis Foo Kune},
      title = {Ghost Talk: Mitigating {EMI} Signal Injection
                Attacks against Analog Sensors},
      day = {21},
      month = {October},
      year = {2013},
      abstract = {Electromagnetic interference (EMI) affects
                circuits by inducing voltages on conductors.
                Analog sensing of signals on the order of a few
                millivolts is particularly sensitive to
                interference. This work (1) measures the
                susceptibility of analog sensor systems to signal
                injection attacks by intentional, low-power
                emission of chosen electromagnetic waveforms, and
                (2) proposes defense mechanisms to reduce the
                risks. These experiments use specially crafted EMI
                at varying power and distance to measure
                susceptibility of sensors in implantable medical
                devices and consumer electronics. Results show
                that at distances of 1-2m, consumer electronic
                devices containing microphones are vulnerable to
                the injection of bogus audio signals. Measurements
                show that in free air, intentional EMI under 10W
                can inhibit pacing and induce defibrillation
                shocks at distances up to 1-2m on implantable
                cardiac electronic devices. However, with the
                sensing leads and medical devices immersed in a
                saline bath to better approximate the human body,
                the same experiment decreased to under 5cm.
                <p>Defenses range from prevention with simple
                analog shielding to detection with a signal
                contamination metric based on the root mean square
                of waveform amplitudes. A contribution to securing
                cardiac devices includes a novel defense mechanism
                that probes for forged pacing pulses inconsistent
                with the refractory period of cardiac tissue.</p>
                <p>Denis Foo Kune is a visiting scholar at the
                University of Michigan in SPQR, the Security and
                Privacy Research Group Lab. He received his PhD
                from the University of Minnesota in 2012, and his
                thesis focused on improving security on the
                wireless medium. He looked at electromagnetic
                interference attacks on time-varying voltage
                sensors and vulnerabilities on wireless WAN
                protocols.</p> },
      URL = {http://terraswarm.org/pubs/105.html}
  }
  

Posted by Christopher Brooks on 18 Sep 2013.