MEMS Accelerometer Hardware Design Flaws
All information products included in http://ics-cert.us-cert.gov are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see http://www.us-cert.gov/tlp/.
NCCIC/ICS-CERT is aware of public reporting of hardware design flaws in some capacitive micro-electromechanical systems (MEMS) accelerometer sensors, which are produced by the following manufacturers: Robert Bosch GmbH, STMicroelectronics, InvenSense Inc., Analog Devices Inc., and Murata Manufacturing Company.
According to public reporting, the design flaws may be exploitable by playing specific acoustic frequencies in close proximity to devices containing embedded capacitive MEMS accelerometer sensors. At a specific acoustic frequency it may be possible to induce a vibration within vulnerable accelerometers to alter the sensors’ output in a predictable way. The impact of exploitation would depend on the function and operation of host devices, but it is understood that during an attack it may be possible to render affected sensors inoperable. This could result in a denial of service for host devices. During a successful attack, the integrity of data measured by vulnerable sensors could also be compromised. In the worst-case attack scenario, it may be possible for an attacker to control sensor output data in a predictable way to achieve some level of control over a host device that primarily operates on unvalidated sensor data.
The exploitability of the hardware design flaws depends on many factors, including the physical attributes of the host device, how the host device uses the accelerometer data, and the accessibility of the host device, as the attack would likely need to be carried out in close proximity to the target system.
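A host-side plausibility gate of the kind that keeps a controller from acting on unvalidated accelerometer data, given here as an added example that is not from this alert or from any vendor. It assumes a quasi-static device whose true acceleration stays near 1 g, a ±2 g sensor range, and placeholder thresholds; all names and sample windows are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>

typedef struct { float x, y, z; } accel_g;   /* one sample, in g */
enum accel_verdict { ACCEL_OK, ACCEL_SATURATED, ACCEL_IMPLAUSIBLE };

/* Assumed thresholds for this example; tune per sensor and application. */
#define SAT_LIMIT_G   1.95f  /* just under the assumed +/-2 g full scale */
#define MAX_MEAN_DEV  0.50f  /* allowed |mean(|a|^2) - 1|, in g^2 */
#define MAX_VARIANCE  0.25f  /* allowed variance of |a|^2, in g^4 */

static float sq_mag(const accel_g *s) { return s->x*s->x + s->y*s->y + s->z*s->z; }
static int at_rail(float v) { return v >= SAT_LIMIT_G || v <= -SAT_LIMIT_G; }

/* Judge one window of samples before the control logic consumes it. */
enum accel_verdict accel_validate(const accel_g *w, size_t n)
{
    float mean = 0.0f, var = 0.0f, dev;
    if (n == 0) return ACCEL_IMPLAUSIBLE;
    for (size_t i = 0; i < n; i++) {
        /* An axis pinned at full scale carries no usable measurement. */
        if (at_rail(w[i].x) || at_rail(w[i].y) || at_rail(w[i].z))
            return ACCEL_SATURATED;
        mean += sq_mag(&w[i]);
    }
    mean /= (float)n;
    for (size_t i = 0; i < n; i++) {
        float d = sq_mag(&w[i]) - mean;
        var += d * d;
    }
    var /= (float)n;
    /* A quasi-static device should read about 1 g^2 with little spread. */
    dev = mean - 1.0f;
    if (dev < 0.0f) dev = -dev;
    if (dev > MAX_MEAN_DEV || var > MAX_VARIANCE) return ACCEL_IMPLAUSIBLE;
    return ACCEL_OK;
}

/* Constructed sample windows (not captured from a real sensor). */
const accel_g quiet[4]    = {{0.01f,0.02f,1.00f},{0.00f,-0.01f,0.99f},{0.02f,0.01f,1.01f},{-0.01f,0.00f,1.00f}};
const accel_g swinging[4] = {{0,0,1.9f},{0,0,0.1f},{0,0,1.9f},{0,0,0.1f}};
const accel_g biased[4]   = {{0,0,1.6f},{0,0,1.6f},{0,0,1.6f},{0,0,1.6f}};
const accel_g railed[4]   = {{0,0,1.0f},{0,0,2.0f},{0,0,1.0f},{0,0,1.0f}};

int main(void)
{
    printf("quiet=%d swinging=%d biased=%d railed=%d\n",
           accel_validate(quiet, 4), accel_validate(swinging, 4),
           accel_validate(biased, 4), accel_validate(railed, 4));
    return 0;
}
```

A window that fails the gate should move the host device to its safe state rather than be filtered and used. The gate only rejects physically implausible output; it does not flag altered readings that stay within normal limits.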
ICS-CERT has notified the affected vendors of the public reporting. Robert Bosch GmbH, STMicroelectronics, InvenSense Inc., and Analog Devices Inc. have validated the hardware design flaws. ICS-CERT is issuing this alert to provide early notice of the public reporting.
ICS-CERT is also working with several of the cooperative vendors to identify a list of affected devices that contain vulnerable capacitive MEMS accelerometer sensors.
The following MEMS Accelerometer sensors may be affected:
• Bosch BMA222E,
• STMicroelectronics MIS2DH,
• STMicroelectronics IIS2DH,
• STMicroelectronics LIS3DSH,
• STMicroelectronics LIS344ALH,
• STMicroelectronics H3LIS331DL,
• InvenSense MPU6050,
• InvenSense MPU6500,
• InvenSense ICM20601,
• Analog Devices ADXL312,
• Analog Devices ADXL337,
• Analog Devices ADXL345,
• Analog Devices ADXL346,
• Analog Devices ADXL350,
• Analog Devices ADXL362,
• Murata SCA610,
• Murata SCA820,
• Murata SCA1000,
• Murata SCA2100, and
• Murata SCA3100.
MEMS accelerometer sensors, which measure tilt, motion, inactivity, and shock vibration, are embedded in numerous types of devices and equipment, such as automobiles, cell phones, computer equipment, and machine interfaces. These embedded sensors are deployed across several critical infrastructure sectors, including Communications, Critical Manufacturing, Healthcare and Public Health, Information Technology, and Transportation Systems.
Timothy Trippel, Ofir Weisse, Peter Honeyman, and Kevin Fu from the University of Michigan, along with Wenyuan Xu from the University of South Carolina, have reported the hardware design flaws to ICS-CERT.
ICS-CERT is working with the identified sensor manufacturers to identify a list of affected products that use the affected capacitive MEMS accelerometers and to determine each vendor’s mitigation plan.
Robert Bosch GmbH has released a security advisory that provides additional information about the hardware design flaws, which is available at the following location:
Robert Bosch GmbH has also provided a link to their Handling, Soldering, and Mounting Instructions document for additional information for their customers:
InvenSense Inc. has offered the following statement:
“Successive generations of InvenSense sensors have demonstrated lower vibration sensitivity. For more critical applications and mitigation of intentional acoustic interference or attacks, host device designers should be aware of and address these issues through host device designs and use of sensors with low vibration sensitivity as appropriate.”
ICS-CERT will update the alert as additional information becomes available.
ICS-CERT also provides a control systems recommended practices page on the ICS-CERT web site. Several recommended practices are available for reading or download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
Organizations that observe any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents.
For any questions related to this report, please contact ICS-CERT at:
Toll Free: 1-877-776-7585
International Callers: (208) 526-0900
For industrial control systems security information and incident reporting: http://ics-cert.us-cert.gov