These researchers can hack your phone with sound waves

This hack is more cool than scary, but it shows how hard it is to anticipate every security flaw in our increasingly complex devices.

Laura Hautala Former Senior Writer
Laura wrote about e-commerce and Amazon, and she occasionally covered cool science topics. Previously, she broke down cybersecurity and privacy issues for CNET readers. Laura is based in Tacoma, Washington, and was into sourdough before the pandemic.
Expertise E-commerce | Amazon | Earned wage access | Online marketplaces | Direct to consumer | Unions | Labor and employment | Supply chain | Cybersecurity | Privacy | Stalkerware | Hacking Credentials
  • 2022 Eddie Award for a single article in consumer technology
Laura Hautala
2 min read
A University of Michigan researcher points a speaker at an accelerometer, which can send false readings to a phone, fitness tracker or other device.

A University of Michigan researcher points a speaker at an accelerometer, which can send false readings to a phone, fitness tracker or other device.

Joseph Xu/University of Michigan

Did you hear that? Your phone could be hacked with sound waves.

Researchers at the University of Michigan released a paper Tuesday (PDF) explaining how audio tones can send false readings to devices through the devices' accelerometers. Accelerometers are those sensors in phones, fitness trackers, and tons of other tech toys that tell our devices where they are in space. Any device with an accelerometer could potentially be vulnerable to this kind of hacking attack.

University of Michigan researcher Timothy Trippel said our devices rely on their sensors just like we rely on our ears, eyes and noses. Sending confusing information to those sensors can wreak havoc.

"If autonomous systems can't trust their senses, then the security and reliability of those systems will fail," Trippel said in a statement.

Sound wave attacks aren't new -- researchers at the Korea Advanced Institute of Science and Technology have crashed quadcopter drones with a similar approach, for example (here's a video). But they show how hard it is to totally secure an internet-connected device, whether it's your toy drone, your fitness tracker, or your pacemaker.

The results of the hacks the Michigan researchers demonstrated are minor. They caused a Samsung Galaxy S5 to spell out the word "WALNUT" in a graph of the accelerometer's readings (which the user wouldn't likely see), and they tricked a Fitbit fitness tracker into recording steps that no one was taking.

But the fact is, something as simple as sound waves can make your devices do something you didn't ask them to do. You probably don't like the sound of that.

Accelerometers are vulnerable to the attack because they vibrate. The attack works by hitting the accelerometer with a sound wave that matches the frequency of that vibration. A hacker could use the attack to destroy the accelerometer, but the University of Michigan researchers decided to do one better -- they made phones and Fitbits behave strangely.

They can do this because accelerometers send signals to the devices they live inside, telling them to record information or take action.

Samsung didn't respond to a request for comment. Fitbit said in an emailed statement that the attack doesn't put user information at risk.

"What is being described is simply a way to game the system," the statement reads. "We continue to explore solutions that help mitigate the potential for this type of behavior."

The researchers suggest some low-frills ways to protect accelerometers from Sonic the Hacker, including putting some sound-dampening foam around the sensors.

CNET Magazine: Check out a sampling of the stories you'll find in CNET's newsstand edition.

Life, disrupted: In Europe, millions of refugees are still searching for a safe place to settle. Tech should be part of the solution. But is it? CNET investigates.