For more information, please refer to https://github.com/USSLab

Volttack

Volttack discovers a vulnerability in power supply modules and proposed Volttack attacks. To launch a Volttack attack, attackers may compromise the power source and inject malicious signals through the power supply module, which is indispensable in most devices. Eventually, Volttack attacks may cause the sensor measurement irrelevant to reality or maneuver the actuator in a way disregarding the desired command. To understand Volttack, we systematically analyze the underlying principle of power supply signals affecting the electronic components, which are building blocks to constitute the sensor or actuator modules. The root cause of such a vulnerability stems from the common belief that noises from the power line are unintentional, and our work aims to call for attention to enhancing the security of power supply modules and adding countermeasures to mitigate the attacks.

Github: https://github.com/USSLab/Volttack

Wight

Capacitive touchscreens have become essential interfaces for humans to interact with a variety of consumer electronics, e.g., smartphones, tablets, and even vehicles, reliable touch operation becomes critical for usability and security. “Ghost Touch” indicates the phenomena that a touchscreen outputs fake touches and starts to control the device by itself yet users impose no physical contacts on the screen at all. Unlike existing work that injects ghost touches by conducting radiated EMI over the air or employing a malicious software, we propose WIGHT that can induce malicious touches on the touchscreen by injecting conducted EMI into the charging cable without accessing the USB data line. WIGHT can achieve three types of attacks: injection attacks that create ghost touches without users touching the screen, alteration attacks that change the detected legitimate touch position, and Denial-ofService attacks that prevent the device from identifying legitimate touches.

Github: https://github.com/USSLab/WIGHT

Tpatch

TPatch is a physical adversarial patch triggered by acoustic signals. Unlike other adversarial patches, TPatch remains benign under normal circumstances but can be triggered to launch a hiding, creating or altering attack by a designed distortion introduced by signal injection attacks towards cameras. To avoid the suspicion of human drivers and make the attack practical and robust in the real world, we propose a content-based camouflage method and an attack robustness enhancement method to strengthen it. Evaluations with three object detectors, YOLO V3/V5 and Faster R-CNN, and eight image classifiers demonstrate the effectiveness of TPatch in both the simulation and the real world. We also discuss possible defenses at the sensor, algorithm, and system levels.

Github: https://github.com/USSLab/TPatch

Poltergeist

Poltergeist emits deliberately designed acoustic signals to control the output of an inertial sensor, which triggers unnecessary motion compensation and results in a blurred image, even if the camera is stable. The blurred images can then induce object misclassification affecting safety-critical decision making. We model the feasibility of such acoustic manipulation and design an attack framework that can accomplish three types of attacks, i.e., hiding, creating, and altering objects. Evaluation results demonstrate the effectiveness of our attacks against four academic object detectors (YOLO V3/V4/V5 and Faster R-CNN), and one commercial detector (Apollo). We further introduce the concept of AMpLe attacks, a new class of system-level security vulnerabilities resulting from a combination of adversarial machine learning and physics-based injection of information-carrying signals into hardware.

Github: https://github.com/USSLab/PoltergeistAttack

GhosTouch

GhostTouch attack is the first active contactless attack against capacitive touchscreens. GhostTouchAttack uses electromagnetic interference (EMI) to inject fake touch points into a touchscreen without the need to physically touch it. By tuning the parameters of the electromagnetic signal and adjusting the antenna, we can inject two types of basic touch events, taps and swipes, into targeted locations of the touchscreen and control them to manipulate the underlying device. We successfully launch the GhostTouchAttack on nine smartphone models. We can inject targeted taps continuously with a standard deviation of as low as 14.6 x 19.2 pixels from the target area, delay of less than 0.5s and a distance of up to 40mm. We show the real-world impact of the GhostTouchAttack in a few proof-of-concept scenarios, including answering an eavesdropping phone call, pressing the button, swiping up to unlock, and entering a password.

Github: https://github.com/USSLab/GhostTouch

CapsPeaker

Capacitors are ubiquitous and indispensable components in electronic devices since they are used for voltage stabilization, filtering, etc. Particularly, Multi-layer Ceramic (MLC) capacitors are dominant due to their high energy density and low cost. we investigate the feasibility of utilizing commodity electronic devices with built-in capacitors to inject malicious voice commands into voice assistants, such as Apple Siri, Xiaomi Art Speaker. Unlike existing work that injects malicious voice commands into voice assistants via a loudspeaker, we propose CapSpeaker that can inject voice commands by converting an electronic device (e.g., a lamp) that are not designed to produce voice into a speaker.

Github: https://github.com/USSLab/CapSpeaker

Prole Score

PROLE is a tool to evaluate the distinctiveness of voiceprint via a content-based metric called PROLE Score. This is the source code of the tool to calculate the PROLE Score on the Web site. We define the PROLE Score as a metric to calculate the distinctiveness of voiceprint and it depends on the model and speech content used to generate the voiceprint. It is well known, voiceprints with high distinctiveness have higher security, so that the PROLE Score can be used to evaluate the security of voiceprints. You can learn about the algorithm of the tool from the paper "OK, Siri" or "Hey, Google": Evaluating Voiceprint Distinctiveness via Content-based PROLE Score in the USENIX Security 2022. And if you use the tool or the method in your work, please add the following citation.

Github: https://github.com/USSLab/PROLE-Score

DolphinAttack

Media Coverage: Wired, BBC News, Mit Tech. Review, Zhejiang University Press, etc.

Dolphinattack modulates voice commands on ultrasonic carriers (e.g., f > 20 kHz) to achieve inaudibility. By leveraging the nonlinearity of the microphone circuits, the modulated low frequency audio commands can be successfully demodulated, recovered, and more importantly interpreted by the speech recognition systems. We validate DolphinAttack on popular speech recognition systems, including Siri, Google Now, Samsung S Voice, Huawei, HiVoice, Cortana and Alexa. By injecting a sequence of inaudible voice commands, we show a few proof-of-concept attacks, which include activating Siri to initiate a FaceTime call on iPhone, activating Google Now to switch the phone to the airplane mode, and even manipulating the navigation system in an Audi automobile.

Demo, Github

Find more...

EarArray

EarArray is a lightweight method that can not only detect such attacks but also identify the direction of attackers without requiring any extra hardware or hardware modification. Essentially, inaudible voice commands are modulated on ultrasounds that inherently attenuate faster than one of the audible sounds. By inspecting the command sound signals via the built-in multiple microphones on smart devices, EarArray is able to estimate the attenuation rate and thus detect the attacks. We propose a model of the propagation of audible sounds and ultrasounds from the sound source to a voice assistant, e.g., a smart speaker, and illustrate the underlying principle and its feasibility. We implemented EarArray using two specially-designed microphone arrays and our experiments show that EarArray can detect inaudible voice commands with an accuracy of 99% and recognize the direction of the attackers with an accuracy of 97.89%.

Github: https://github.com/USSLab/EarArray

DeWiCam

Wireless cameras are widely deployed in surveillance systems for security guarding. However, the privacy concerns associated with unauthorized videotaping, are drawing an increasing attention recently. Existing detection methods for unauthorized wireless cameras are either limited by their detection accuracy or requiring dedicated devices. In this paper, we propose DeWiCam , a lightweight and effective detection mechanism using smartphones. The basic idea of DeWiCam is to utilize the intrinsic traffic patterns of flows from wireless cameras. Compared with traditional traffic pattern analysis, DeWiCam is more challenging because it cannot access the encrypted information in the data packets.  We implement DeWiCam on the Android platform and evaluate it with extensive experiments on 20 cameras. The evaluation results show that DeWiCam can detect cameras with an accuracy of 99% within 2.7 s. 

Demo

With the proliferation of smartphones, children often use the same smartphones of their parents to play games or surf Internet, and can potentially access kid-unfriendly content from the Internet jungle. A successful parent patrol strategy has to be user-friendly and privacy-aware. The apps that require explicit actions from parents may not be effective when parents forget to enable them, and the ones that use built-in cameras to detect children may impose privacy violations. We propose iCare, which can identify child users automati- cally and seamlessly as users operate smartphones. In particular, iCare investigates the intrinsic differences of screen-touch pat- terns between child and adult users. We discover that users’ touch behaviors depend on a user’s age. Thus, iCare records the touch behaviors and extracts hand-geometry and finger dexterity features that capture the age information. 

Find more...

Haking the Eye of Tesla

To improve road safety and driving experiences, autonomous vehicles have emerged recently, and they can sense their surroundings and navigate without human intervention. Although promising and improving safety features, the trustworthiness of these cars has to be examined before they can be widely adopted on the road. Unlike traditional network security, autonomous vehicles rely heavily on their sensory ability of their surroundings to make driving decision, which makes sensors an interface for attacks. Thus, in this project we examine the security of the sensors of autonomous vehicles, and investigate the trustworthiness of the eyes of the cars.

Find more...

FBSleuth

Fake base station (FBS) crime is one typical kind of wireless communication crime which has risen in recent years. The key to enforce the laws on regulating FBS based crime is not only to arrest but also to convict criminals efficiently. To fill in the gap of enforcing the laws on FBS crimes, we design FBSleuth, a FBS crime forensics framework utilizing radio frequency (RF) fingerprints, e.g., the unique characteristics of the FBS transmitters embedded in the electromagnetic signals. In essence, such fingerprints stem from the imperfections of hardware manufacturing and thus represent a consistent bond between an individual FBS device and its committed crime. 

Find more...