Sound Noise on Gyroscopic Sensors - Dongkwan Kim

Rocking Drones with Intentional Sound Noise on Gyroscopic Sensors

2015. 08. 14.Yunmok Son, Hocheol Shin, Dongkwan Kim, Youngseok Park, Juhwan Noh, Kibum Choi, Jungwoo Choi, and Yongdae Kim

Electrical Engineering at KAISTSystem Security Lab.

USENIX Security Symposium 2015

Drones (Multi-coptors) Distribution delivery

Search and rescue

Aerial photography

Private hobby

2

Drone, A New Threat Air terrorism using a weaponized drone

3


3

Jul. 2015


3

Jul. 2015

May. 2015


3

Jul. 2015

May. 2015

Apr. 2015


3

Jul. 2015

May. 2015

Apr. 2015

Sep. 2013

Attack Vectors of Drone

4

Drone


4

DronePhysicalattack

High Power Laser

Bumper Drone

Drone Capturing Drone with Net

Shot-gun


4

Drone

Comm.channel

Physicalattack

High Power Laser

Bumper Drone

RF jammingor spoofing


Shot-gun


4

Drone

Comm.channel

Softwarehacking

Physicalattack

High Power Laser

Bumper Drone

Drone Hacking Drone (“Skyjack”)



Shot-gun


4

Drone

Comm.channel

Softwarehacking

PositioningPhysicalattack

High Power Laser

Bumper Drone

GPS Jamming or Spoofing




Shot-gun


4

Drone

Comm.channel

Softwarehacking


High Power Laser

Bumper Drone




Sensingchannel


Shot-gun


4

Drone

Comm.channel

Softwarehacking


High Power Laser

Bumper Drone




Sensingchannel


Shot-gun

How secure is drone against interference on sensing channel?

Drone System

6

WirelessTransmitter

WirelessReceiver

User Controller

Flight Controller

Rotors(with speed controllers)

RF

Drone System

6

WirelessTransmitter

WirelessReceiver

User Controller

Flight Controller


RF

Input

Drone System

6

WirelessTransmitter

WirelessReceiver

User Controller

Flight Controller


RF

Input

Output

Drone System

6

WirelessTransmitter

WirelessReceiver

User Controller

Flight Controller


Sensors(Gyroscope,

etc.

RFIMU

* IMU: Inertial Measurement Unit

InputInput

Output

Gyroscope on Drone Inertial Measurement Unit (IMU)

– A device to measure velocity,orientation, or rotation

– Using a combination of MEMSgyroscopes and accelerometers

7

* MEMS: Micro-Electro-Mechanical Systems




MEMS gyroscope

7





MEMS gyroscope

7


<Conceptual structure of MEMS gyro.>




MEMS gyroscope

7


<Conceptual structure of MEMS gyro.>

(https://www.youtube.com/watch?v=joS6kfjuKQo, https://www.youtube.com/watch?t=45&v=sH7XSX10QkM)

Resonance in MEMS Gyroscope Mechanical resonance by sound noise

– Known fact in the MEMS community

– Degrades MEMS Gyro’s accuracy

– With (resonant) frequencies of sound

8

Resonance in MEMS Gyroscope Mechanical resonance by sound noise

– Known fact in the MEMS community

– Degrades MEMS Gyro’s accuracy

– With (resonant) frequencies of sound

8

MEMS Gyro. with a high resonant frequency to reduce the sound noise effect (above 20kHz)

Experiment Setup

10

Gyro-scope

Laptop

SoundSource

(Speaker)

Arduino

AudioAmplifier

ExternalSoundcard

AnechoicChamber

USB

USB

Read Registers Python

Script

Single ToneSound Noise

Up to 48 kHzwithout aliasing

10cm Sound Frequency: every 100 Hz up to 30 kHz

Up to 24 kHzwithout aliasing

Soundsource

Micro-phone

Gyro-scope

Arduino

Sound Pressure Level= 85~95 dB

(The sound level of

noisy factory orheavy truck)

12

On the target drones

12 EA 12 EA

12 EA

15 kinds of MEMS gyroscopes

Experimental Results (1/3)

Found the resonant frequencies of 7 MEMS gyroscopes

Not found for 8 MEMS gyroscopes

13

Sensor VenderSupporting

AxisResonant freq.

in the datasheet (axis)Resonant freq.

in our experiment (axis)

L3G4200D STMicro. X, Y, Z

No detailed information

7,900 ~ 8,300 Hz (X, Y, Z)

L3GD20 STMicro. X, Y, Z 19,700 ~ 20,400Hz (X, Y, Z)

LSM330 STMicro. X, Y, Z 19,900 ~ 20,000 Hz (X, Y, Z)

MPU6000 InvenSense X, Y, Z30 ~ 36 kHz (X)27 ~ 33 kHz (Y)24 ~ 30 kHz (Z)

26,200 ~ 27,400 Hz (Z)

MPU6050 InvenSense X, Y, Z 25,800 ~ 27,700 Hz (Z)

MPU9150 InvenSense X, Y, Z 27,400 ~ 28,600 Hz (Z)

MPU6500 InvenSense X, Y, Z 25 ~ 29 kHz (X, Y, Z) 26,500 ~ 27,900 Hz (X, Y, Z)


Unexpected output by sound noise (for L3G4200D)

14

Standard deviation of raw data samplesfor 12 L3G4200D chips (X-axis)

Standard deviation of raw data samplesfor 12 L3G4200D chips (Y-axis)



14

7,900 ~8,300Hz





14

7,900 ~8,300Hz

7,900 ~8,300Hz





15

Standard deviation of raw data samplesfor 12 L3G4200D chips (Z-axis)

Raw data samples of one L3G4200D chip(@ 8,000Hz)



15

7,900 ~8,300Hz





15

7,900 ~8,300Hz



What is the impact of abnormal sensor output to the actuation of drone system?

Software Analysis Two open-source firmware programs

– Multiwii project

– ArduPilot project

16




Rotor control algorithm

16




Rotor control algorithm

16

Proportional-Integral-Derivative control

Target Drones Target drone A (DIY drone)

– Gyroscope: L3G4200D

– Resonant freq.: 8,200 Hz

– Firmware: Multiwii

Target drone B (DIY drone)

– Gyroscope: MPU6000

– Resonant freq.: 26,200 Hz

– Firmware: ArduPilot

18

(Audible sound range) (Ultra sound range)

Attack DEMO

19

Attack DEMO (Target drone A)

21

Raw data samples of the gyroscope


21

Raw data samples of the gyroscope Rotor control data samples

Flight Controller

Input Output


21

Raw data samples of the gyroscope Rotor control data samples

Flight Controller

Input Output

Altitude data samples from sonar

Attack Results

22

Result of attacking two target drones

Target Drone A Target Drone B

Resonant Freq. (Gyro.) 8,200 Hz (L3G4200D) 26,200 Hz (MPU6000)

Affected Axes X, Y, Z Z

Attack Result Fall down -

Attack Results

22

Result of attacking two target drones

Target Drone A Target Drone B

Resonant Freq. (Gyro.) 8,200 Hz (L3G4200D) 26,200 Hz (MPU6000)

Affected Axes X, Y, Z Z

Attack Result Fall down -

X- and Y-axis = vertical rotation (more critical effect on stability)

Z-axis = horizontal orientation

Attack Distance The minimum sound pressure level in our experiments

– About 108.5 dB SPL (at 10cm)

24



Theoretically, 37.58m using a sound source that can generate 140 dB SPL at 1m

24



Theoretically, 37.58m using a sound source that can generate 140 dB SPL at 1m

24 (http://www.lradx.com/wp-content/uploads/2015/05/LRAD_Datasheet_450XL.pdf)

<450XL of LRAD Corporation>

Attack Scenarios Drone to Drone Attack

Sonic Weapons

Sonic Wall/Zone

25

Limitations (1/2)

Aiming at a 3- dimensional moving object

26

Limitations (1/2)


26

Speakerarray

Audio amp.

Limitations (1/2)


26

Speakerarray

Audio amp. Long Range

Acoustic Device

for police

Limitations (2/2)

No accumulated effect or damage

27

Simple sonic wall(3m-by-2m, 25 speakers)

Countermeasure

28

Countermeasure Physical isolation

– Shielding from sound

– Using four materials

Paper box

Acrylic panel

Aluminum plate

Foam

28

Countermeasure Physical isolation

– Shielding from sound

– Using four materials

Paper box

Acrylic panel

Aluminum plate

Foam

28

Standard deviation of raw data samples for one L3G4200D chip (averaged for 10 identical tests)

Conclusion A case study for a threat caused by sensor input

– Finding mechanical resonant frequencies from 7 kinds of MEMS gyro.

– Analyzing the effect of this resonance on the firmware of drones

– Demonstrating to attack drones using sound noise in the real world

– Suggesting several attack scenarios and defenses

30






Future work

– Developing a software based defense (without hardware modifications)

– Against sensing channel attacks for drones or embedded devices

30






Future work

– Developing a software based defense (without hardware modifications)

– Against sensing channel attacks for drones or embedded devices

30

Sensor output should not be fully trusted.(Not only by natural errors, but also by attackers)

31

[email protected]

APPENDIXES

32

Sensor Definition

– To detect physical properties in nature

– To convert them to quantitative values

33

Sensor Definition



New channel to attack (for attacker)

33

Sensor Definition



New channel to attack (for attacker)

33

Sensing & Actuation System

Network traffic

Software update

Sensor reading

Attack Vectors of Sensor Three interfaces

34

SensorPhysical

quantitiesSystem

(Processor)


– Sensitive to legitimate (physical) quantities

34

Sensor

Legitimatechannel Physical

quantitiesSystem

(Processor)



– Insensitive to other (physical) quantities

34

Sensor

LegitimatechannelNon-

legitimatechannel

Physicalquantities

System(Processor)




– Need to send data to the system

34

Sensor


legitimatechannel

Physicalquantities

System(Processor)





34

Sensor


legitimatechannel

Physicalquantities

System(Processor)

Data/Signalinjection

Interference orperformance degradation

Sensing data injection





34

Sensor


legitimatechannel

Physicalquantities

System(Processor)




EMI injection attackfor defibrillator and BT headset

(S&P 2013)





34

Sensor


legitimatechannel

Physicalquantities

System(Processor)





(S&P 2013)

Spoofing attack for ABS in a car

(CHES 2013)





34

Sensor


legitimatechannel

Physicalquantities

System(Processor)





(S&P 2013)

Spoofing attack for ABS in a car

(CHES 2013)

Our work

Sound Noise Source Sound Pressure Level (SPL) and Total Harmonics Distortion plus

Noise (THD+N) measurement

35

Microphone(Brüel & Kjær4189-A-021)

SoundMeasurementInstrument

(NI USB-4431)

below 2% THD+N

85~95 dB SPL

(The sound level ofnoisy factory or

heavy truck)

36

Paperbox Acrylic

panel

Aluminumplate Foam

Sound Noise on Gyroscopic Sensors - Dongkwan Kim

Documents

Transcript of Sound Noise on Gyroscopic Sensors - Dongkwan Kim