3

A Wolf in Sheep's Clothing | Proceedings of the 2022 ACM SIGSAC Conference on Co...

 1 year ago
source link: https://dl.acm.org/doi/10.1145/3548606.3560643
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.

Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security

Recommended

The following publications are recommended due to their content which seems relevant to the context of this publication. They were selected using collaborative filtering and automatic topic modelling techniques and algorithms.

ABSTRACT

A Negative Pressure Room (NPR) is an essential requirement by the Bio-Safety Levels (BSLs) in biolabs or infectious-control hospitals to prevent deadly pathogens from being leaked from the facility. An NPR maintains a negative pressure inside with respect to the outside reference space so that microbes are contained inside of an NPR. Nowadays, differential pressure sensors (DPSs) are utilized by the Building Management Systems (BMSs) to control and monitor the negative pressure in an NPR. This paper demonstrates a non-invasive and stealthy attack on NPRs by spoofing a DPS at its resonant frequency. Our contributions are: (1) We show that DPSs used in NPRs typically have resonant frequencies in the audible range. (2) We use this finding to design malicious music to create resonance in DPSs, resulting in an overshooting in the DPS's normal pressure readings. (3) We show how the resonance in DPSs can fool the BMSs so that the NPR turns its negative pressure to a positive one, causing a potential leak of deadly microbes from NPRs. We do experiments on 8 DPSs from 5 different manufacturers to evaluate their resonant frequencies considering the sampling tube length and find resonance in 6 DPSs. We can achieve a 2.5 Pa change in negative pressure from a ~7 cm distance when a sampling tube is not present and from a ~2.5 cm distance for a 1 m sampling tube length. We also introduce an interval-time variation approach for an adversarial control over the negative pressure and show that the forged pressure can be varied within 12 - 33 Pa. Our attack is also capable of attacking multiple NPRs simultaneously. Moreover, we demonstrate our attack at a real-world NPR located in an anonymous bioresearch facility, which is FDA approved and follows CDC guidelines. We also provide countermeasures to prevent the attack.

References

  1. 2003. Guidelines for Environmental Infection Control in Health-Care Facilities. (2003). https://www.cdc.gov/infectioncontrol/guidelines/environmental/backgr ound/air.html. (Accessed: 05-01-2022).
  2. 2003. Institute of Occupational Safety and Health (Taiwan). Recommended Guidelines for Inspection of Isolation Wards for SARS Patients. (2003). https: //www.ilosh.gov.tw/1261/1274/1276/8875/?cprint=pt. (Accessed: 05-01-2022).
  3. 2006. American Institute of Architects Guidelines for the Construction of Hospitals and Health Care Facilities. Washington: The Institute. (2006). https: //fgiguidelines.org/wp-content/uploads/2015/08/2001guidelines.pdf. (Accessed: 05-01-2022).
  4. 2006. The Feynman Lectures on Physics Vol. I Ch. 47: Sound. The wave equation. (2006). https://www.feynmanlectures.caltech.edu/I_47.html. (Accessed: 05-01-2022).
  5. 2007. Guidelines for the classiffication and design of isolation rooms in health care facilities, Victorian Advisory Committee on Infection Control. (2007). https://ga lihendradita.files.wordpress.com/2019/11/australia_isolation_rooms_2007.pdf. (Accessed: 05-01-2022).
  6. 2016. SoundWaves | University Physics Volume 1. (2016). https://courses.lumenl earning.com/suny-osuniversityphysics/chapter/17--1-sound-waves/. (Accessed: 05-01-2022).
  7. 2020. Model SRPMRoom Pressure Monitor. (2020). https://www.setra.com/hubf s/Product_Data_Sheets/Setra_Model_SRPM_Data_Sheet.pdf?t=151665759104 8&hsLang=en. (Accessed: 05-01-2022).
  8. 2020. One Vue Sense. (2020). https://www.primexinc.com/en/assets?download =Primex_OneVUE-DiffPressure.pdf. (Accessed: 05-01-2022).
  9. 2020. Room Pressure Monitor. (2020). https://sid.siemens.com/v/u/A6V10322677. (Accessed: 05-01-2022).
  10. 2020. ROOM STATUS MONITOR. (2020). https://www.dwyer-inst.com/PDF_fil es/RSME.pdf. (Accessed: 05-01-2022).
  11. 2020. Sensocon Series A1. (2020). https://www.sensocon.com/uploads/Files/Ins tall16/A1-Digital-Differential-Pressure-Gauge-IOM.pdf. (Accessed: 05-01-2022).
  12. 2020. Series RSM Rom Status Monitor. (2020). https://www.dwyer-inst.com/P DF_files/P_3_RSM.pdf. (Accessed: 05-01-2022).
  13. 2021. Wuhan lab leak theory: How Fort Detrick became a centre for Chinese conspiracies. (2021). https://www.bbc.com/news/world-us-canada-58273322. (Accessed: 05-01-2022).
  14. 2022. Basic Board Mount Pressure Sensors. (2022). https://www.mouser.com /datasheet/2/187/honeywell_sensing_board_mount_pressure_tbp_nbp_ser-1837963.pdf. (Accessed: 05-01-2022).
  15. 2022. BOSSAudio Systems R1002 Car Amplifier - 2 Channel, 200Watts Max Power, 2 4 Ohm Stable, Class AB, Full Range. (2022). https://www.amazon.com/BOSSAudio- R1002-Car-Amplifier/dp/B004S50ZB2/ref=sr_1_2?dchild=1&keywords =200wattaudioamplifier&qid=1588804890&sr=8-2. (Accessed: 05-01-2022).
  16. 2022. Clear Vinyl Tubing. (2022). https://www.homedepot.com/p/UDP-3-16-in-I-D-x-5--16-in-O-D-x-20-ft-Clear-Vinyl-Tubing-T10007004/304185167. (Accessed: 05-01-2022).
  17. 2022. Data SheetP1KPressure Sensor. (2022). https://datasheet.octopart.com/P1K- 2-2X16PA-Kavlico-datasheet-81473203.pdf. (Accessed: 05-01-2022).
  18. 2022. EK-P5: Differential pressure evaluation kit SDP8xx series. (2022). https: //sensirion.com/products/catalog/EK-P5/. (Accessed: 05-01-2022).
  19. 2022. Goldwood Sound Inc. Sound Module. (2022). https://www.amazon.com/G oldwood-Sound-Inc-GT-300PB-1188-2/dp/B071R82KPS. (Accessed: 05-01-2022).
  20. 2022. GT-1188 Tweeter Drivers Replacements for KSN1188A. (2022). https: //www.amazon.com/Goldwood-Sound-Inc-GT-300PB-1188-2/dp/B071R82KPS. (Accessed: 05-01-2022).
  21. 2022. Guardian Space Pressure Monitor. (2022). https://paragoncontrols.com/wpcontent/ uploads/2021/07/SPM-1000-IOM.pdf. (Accessed: 05-01-2022).
  22. 2022. Improving Differential Pressure Diaphragm Seal System Performance and Installed Cost. (2022). https://www.emerson.com/documents/automation/whitepaper-improving-differential-pressure-diaphragm-seal-system-performanceinstalled-cost-rosemount-en-76672.pdf. (Accessed: 05-01-2022).
  23. 2022. Integrated Silicon Pressure sensor On-Chip Signal Conditioned, Temperature Compensated and Calibrated. (2022). https://media.digikey.com/pdf/Data %20Sheets/Freescale%20Semi/MPVZ5004G.pdf. (Accessed: 05-01-2022).
  24. 2022. Introduction to Dynamic Pressure Sensors. (2022). https://www.pcb.com/ resources/technical-information/introduction-to-pressure-sensors. (Accessed: 05-01-2022).
  25. 2022. Keysight / Agilent 33120A Function / Arbitrary Waveform Generator, 15 MHz. (2022). https://www.keysight.com/us/en/product/33120A/function--arbitrary-waveform-generator-15-mhz.html. (Accessed: 05-01-2022).
  26. 2022. P993 Low Range Differential Pressure PCB Mount Sensor. (2022). https: //www.sensata.com/sites/default/files/a/sensata-p993%20series-differential%20 pressure%20mount%20sensor-datasheet.pdf. (Accessed: 05-01--2022).
  27. 2022. Piezoelectric Tweeter HornToToT. (2022). https://www.amazon.com/T oToT-Ultrasonic-Speaker-Loudspeaker-Piezoelectric/dp/B07RW7ZNB4/re f=sr_1_3?dchild=1&keywords=ultrasonicspeaker&qid=1588806704&sr=8-3. (Accessed: 05-01-2022).
  28. 2022. Pressure Sensing 101 -- Absolute, Gauge, Differential & Sealed pressure. (2022). https://esenssys.com/differences-between-pressure-sensors/. (Accessed: 05-01-2022).
  29. 2022. Samusng Galaxy S10. (2022). https://www.samsung.com/global/galaxy/ga laxy-s10//. (Accessed: 05-01-2022).
  30. 2022. The SDP800 Series. (2022). https://sensirion.com/media/documents/0995 67E0/6166D20B/Sensirion_Differential_Pressure_Sensors_Chart_SDP800Series. pdf. (Accessed: 05-01-2022).
  31. 2022. SDP831-500Pa - Digital DP sensor. (2022). https://sensirion.com/products /catalog/SDP831-500Pa/. (Accessed: 05-01-2022).
  32. 2022. SERIES A1 Digital Differential Pressure Gauge. (2022). https://www.se nsocon.com/uploads/Files/English/Sensocon-Series-A1-Digital-Differential- Pressure-Gauge-Datasheet.pdf. (Accessed: 05-01-2022).
  33. 2022. Sound Meter. (2022). https://play.google.com/store/apps/details?id=kr.sira. sound&hl=en. (Accessed: 05-01-2022).
  34. 2022. Static pressure pickup. (2022). https://www.dwyer-inst.com/Product/Press ure/RoomStatusMonitors/SeriesRSME#accessories. (Accessed: 05-01-2022).
  35. 2022. Theory of Second-Order Systems. (2022). https://www.uml.edu/docs/Sec ond-Theory_tcm18-190098.pdf. (Accessed: 05-01-2022).
  36. 2022. TruStability® Board Mount Pressure Sensors. (2022). https://www.mouser .com/datasheet/2/187/honeywell-sensing-trustability-board-mount-pressur-1228675.pdf. (Accessed: 05-01-2022).
  37. 2022. Ultrasonic Signal Generator Module. (2022). https://www.kemo-electronic .de/en/Car/Modules/M048N-Ultrasonic-Generator.php. (Accessed: 05-01-2022).
  38. 2022. Which Loudspeakers are Loudest? (2022). https://www.razmobility.co m/assistive-technology-blog/which-loudspeakers-are- loudest/. (Accessed: 05-01-2022).
  39. Avnet Abacus. 2021. Pressure sensors: The design engineers guide. Avnet Reach Further (2021).
  40. J.R. Appelbaum, L. Poitras, M. Rosenbach, C. Stöcker, J. Schindler, and H. Stark. 2013. Inside TAO: documents reveal top NSA hacking unit. Der Spiegel (29 12 2013).
  41. Ivan Bajsic, Joe Kutin, and Toma agar. 2007. Response time of a pressure measurement system with a connecting tube. Instrumentation Science and Technology 35, 4 (2007), 399--409.
  42. John G. Bartlett. 2012. 20 - Bioterrorism. In Goldman's Cecil Medicine (Twenty Fourth Edition) (twenty fourth edition ed.), Lee Goldman and Andrew I. Schafer (Eds.). W.B. Saunders, Philadelphia, 84--88. https://doi.org/10.1016/B978-1-4377-1604-7.00020-8
  43. Judene M Bartley, Russell N Olmsted, and Janet Haas. 2010. Current views of health care design and construction: Practical implications for safer, cleaner environments. American Journal of Infection Control 38, 5 (2010), S1--S12.
  44. Anomadarshi Barua and Mohammad Abdullah Al Faruque. 2020. Hall Spoofng: A {Non-Invasive} {DoS} Attack on {Grid-Tied} Solar Inverter. In 29th USENIX Security Symposiumi (USENIX Security 20). 1273--1290.
  45. Anomadarshi Barua and Mohammad Abdullah Al Faruque. 2020. Special session: Noninvasive sensor-spoofing attacks on embedded and cyber-physical systems. In 2020 IEEE 38th International Conference on Computer Design (ICCD). IEEE, 45--48.
  46. Anomadarshi Barua and Mohammad Abdullah Al Faruque. 2021. The Hall Sensor Security. (2021).
  47. Anomadarshi Barua and Mohammad Abdullah Al Faruque. 2022. HALC: A Realtime In-sensor Defense against the Magnetic Spoofing Attack on Hall Sensors. In 25th International Symposium on Research in Attacks, Intrusions and Defenses (RAID 2022).
  48. Anomadarshi Barua and Mohammad Abdullah Al Faruque. 2022. PreMSat: Preventing Magnetic Saturation Attack on Hall Sensors. In International Conference on Cryptographic Hardware and Embedded Systems (TCHES 2022).
  49. Anomadarshi Barua and Mohammad Abdullah Al Faruque. 2022. Sensor Security: Current Progress, Research Challenges, and Future Roadmap (Invited Paper). In International Conference on Computer-Aided Design (ICCAD 2022).
  50. Connor Bolton, Sara Rampazzi, Chaohao Li, Andrew Kwong, Wenyuan Xu, and Kevin Fu. 2018. Blue note: How intentional acoustic interference damages availability and integrity in hard disk drives and operating systems. In 2018 IEEE Symposium on Security and Privacy (SP). IEEE, 1048--1062.
  51. Sujit Rokka Chhetri et al. 2019. Tool of Spies: Leaking your IP by Altering the 3D Printer Compiler. IEEE Transactions on Dependable and Secure Computing (2019).
  52. Sujit Rokka Chhetri, Jiang Wan, and Mohammad Abdullah Al Faruque. 2017. Cross-domain security of cyber-physical systems. In 2017 22nd Asia and South Pacific design automation conference (ASP-DAC). IEEE, 200--205.
  53. Raymond YWChinn and Lynne Sehulster. 2003. Guidelines for environmental infection control in health-care facilities; recommendations of CDC and Healthcare Infection Control Practices Advisory Committee (HICPAC). (2003).
  54. Stanley Corrsin. 1947. Extended Applications of the Hot-Wire Anemometer. Review of Scientific Instruments 18, 7 (1947), 469--471.
  55. Robert E Curry and Glenn B Gilyard. 1990. Experimental Characterization of the Effects of Pneumatic Tubing on Unsteady Pressure Measurements. NASA Technical Memorandum 41 (1990), 71.
  56. Drew Davidson, Hao Wu, Rob Jellinek, Vikas Singh, and Thomas Ristenpart. 2016. Controlling {UAVs} with Sensor Input Spoofing Attacks. In 10th USENIX workshop on offensive technologies (WOOT 16).
  57. Finn and Inc. Conway. 2020. Room Pressure Monitors and Environmental Monitors. (2020). https://finnandconway.com/news/18694/setra-critical-roompressure-monitors. (Accessed: 05-01-2022).
  58. Anna Goldenberg, Galit Shmueli, Richard A Caruana, and Stephen E Fienberg. 2002. Early statistical detection of anthrax outbreaks by tracking over-the-counter medication sales. Proceedings of the National Academy of Sciences 99, 8 (2002), 5237--5240.
  59. JC Greenwood and DWSatchell. 1988. Miniature silicon resonant pressure sensor. In IEE Proceedings D (Control Theory and Applications), Vol. 135. IET, 369--372.
  60. David Halliday, Robert Resnick, and Jearl Walker. 2013. Fundamentals of physics. John Wiley & Sons.
  61. Xiangguang Han, Qi Mao, Libo Zhao, Xuejiao Li, Li Wang, Ping Yang, Dejiang Lu, Yonglu Wang, Xin Yan, Songli Wang, et al. 2020. Novel resonant pressure sensor based on piezoresistive detection and symmetrical in-plane mode vibration. Microsystems & nanoengineering 6, 1 (2020), 1--11.
  62. Jan Hjelmgren. 2002. Dynamic measurement of pressure.-A literature survey. (2002).
  63. Paul A Jensen, Lauren A Lambert, Michael F Iademarco, and Renee Ridzon. 2005. Guidelines for preventing the transmission of Mycobacterium tuberculosis in health-care settings, 2005. (2005).
  64. Denis Foo Kune, John Backes, Shane S Clark, Daniel Kramer, Matthew Reynolds, Kevin Fu, Yongdae Kim, andWenyuan Xu. 2013. Ghost talk: Mitigating EMI signal injection attacks against analog sensors. In 2013 IEEE Symposium on Security and Privacy. IEEE, 145--159.
  65. Shelly L Miller, Nicholas Clements, Steven A Elliott, Shobha S Subhash, Aaron Eagan, and Lewis J Radonovich. 2017. Implementing a negative-pressure isolation ward for a surge in airborne infectious patients. American journal of infection control 45, 6 (2017), 652--659.
  66. A Nagiub, Elias Soupos, and Hassan Nagib. 1999. Characterization of a MEMS acoustic/pressure sensor. In 37th Aerospace Sciences Meeting and Exhibit. 520.
  67. PE Paul Ninomura and PE Richard Hermans. 2008. Ventilation standard for health care facilities. ASHRAE Journal 50, 10 (2008), 52--57.
  68. George F Risi, Marshall E Bloom, Nancy P Hoe, Thomas Arminio, Paul Carlson, Tamara Powers, Heinz Feldmann, and Deborah Wilson. 2010. Preparing a community hospital to manage work-related exposures to infectious agents in biosafety level 3 and 4 laboratories. Emerging infectious diseases 16, 3 (2010), 373.
  69. Ishtiaq Rouf, Rob Miller, Hossen Mustafa, Travis Taylor, Sangho Oh, Wenyuan Xu, Marco Gruteser, Wade Trappe, and Ivan Seskar. 2010. Security and Privacy Vulnerabilities of {In-Car} Wireless Networks: A Tire Pressure Monitoring System Case Study. In 19th USENIX Security Symposium (USENIX Security 10).
  70. Xun Shen, Yahui Zhang, and Tielong Shen. 2019. Cylinder pressure resonant frequency cyclic estimation-based knock intensity metric in combustion engines. Applied Thermal Engineering 158 (2019), 113756.
  71. Bill Snyder. 2014. Snowden: The NSA planted backdoors in cisco products. InfoWorld 15 (2014).
  72. Yunmok Son, Hocheol Shin, Dongkwan Kim, Youngseok Park, Juhwan Noh, Kibum Choi, Jungwoo Choi, and Yongdae Kim. 2015. Rocking drones with intentional sound noise on gyroscopic sensors. In 24th USENIX Security Symposium (USENIX Security 15). 881--896.
  73. Pawel Swierczynski, Marc Fyrbiak, Philipp Koppe, Amir Moradi, and Christof Paar. 2017. Interdiction in practice-Hardware Trojan against a high-security USB flash drive. Journal of Cryptographic Engineering 7, 3 (2017), 199--211.
  74. Lisa Ta, Laura Gosa, and David A Nathanson. 2019. Biosafety and biohazards: understanding biosafety levels and meeting safety requirements of a biobank. Biobanking (2019), 213--225.
  75. Timothy Trippel, Ofir Weisse, Wenyuan Xu, Peter Honeyman, and Kevin Fu. 2017. WALNUT: Waging doubt on the integrity of MEMS accelerometers with acoustic injection attacks. In 2017 IEEE European symposium on security and privacy (EuroS&P). IEEE, 3--18.
  76. Ying-Huang Tsai, Gwo-Hwa Wan, Yao-Kuang Wu, and Kuo-Chien Tsao. 2006. Airborne severe acute respiratory syndrome coronavirus concentrations in a negative-pressure isolation room. Infection Control & Hospital Epidemiology 27, 5 (2006), 523--525.
  77. Yazhou Tu, Zhiqiang Lin, Insup Lee, and Xiali Hei. 2018. Injected and delivered: Fabricating implicit control over actuation systems by spoofing inertial sensors. In 27th USENIX Security Symposium (USENIX Security 18). 1545--1562.
  78. Yazhou Tu, Vijay Srinivas Tida, Zhongqi Pan, and Xiali Hei. 2021. Transduction Shield: A Low-Complexity Method to Detect and Correct the Effects of EMI Injection Attacks on Sensors. In Proceedings of the 2021 ACM Asia Conference on Computer and Communications Security. 901--915.
  79. Chris P Underwood. 2002. HVAC control systems: Modelling, analysis and design. Routledge.
  80. Lonneke Van der Velden. 2015. Leaky apps and data shots: Technologies of leakage and insertion in NSA-surveillance. Surveillance & Society 13, 2 (2015), 182--196.
  81. Tian Wang, Meihui Gong, Xiaoyu Yu, Guangdong Lan, and Yunbo Shi. 2021. Acoustic-pressure sensor array system for cardiac-sound acquisition. Biomedical Signal Processing and Control 69 (2021), 102836.
  82. ZhengboWang, KangWang, Bo Yang, Shangyuan Li, and Aimin Pan. 2017. Sonic gun to smart devices: Your devices lose control under ultrasound/sound. BlackHat USA (2017).
  83. MB Wilkinson andMOutram. 2009. Principles of pressure transducers, resonance, damping and frequency response. Anaesthesia & Intensive Care Medicine 10, 2 (2009), 102--105.
  84. Chen Yan, Wenyuan Xu, and Jianhao Liu. 2016. Can you trust autonomous vehicles: Contactless attacks against sensors of self-driving vehicle. Def Con 24, 8 (2016), 109.
  85. Renchi Yan, Teng Xu, and Miodrag Potkonjak. 2014. Semantic attacks on wireless medical devices. In SENSORS, 2014 IEEE. 482--485. https://doi.org/10.1109/ICSE NS.2014.6985040
  86. Guoming Zhang, Chen Yan, Xiaoyu Ji, Tianchen Zhang, Taimin Zhang, and Wenyuan Xu. 2017. Dolphinattack: Inaudible voice commands. In Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security. 103--117.

Comments

0 Comments

About Cookies On This Site

We use cookies to ensure that we give you the best experience on our website.

Learn more

Got it!

About Joyk


Aggregate valuable and interesting links.
Joyk means Joy of geeK