• Advisory ID: BOSCH-2016-0501
  • Published: 14 Mar 2017
  • Last Updated: 14 Mar 2017
  • CVSSv3 Base Score: 2.9

Summary

The BMA222E is a micro-electromechanical system (MEMS) accelerometer which senses tilt, motion, inactivity and shock vibration in cell phones, handhelds, computer peripherals, machine interfaces, virtual reality features, and game controllers.

Kevin Fu notified the Bosch PSIRT that an adversary, in close proximity to a device containing the BMA222E sensor, with the ability to generate acoustic resonance with a requisite frequency and a required amplitude (100-110 db Sound Pressure level), might be able to influence the accelerometer sensor readings of the device.

This is considered as an inherent property of MEMS accelerometers. The audible sound oscillates the surrounding components and material (e.g. housing, circuit board). Therefore a successful modification of sensor readings is rather dependent on several boundary conditions (such as positioning of the BMA222E on the circuit board or distance from other components on the circuit board).

A ‘Handling, soldering & mounting instructions’ document is provided for the BMA222E, which includes recommendations on minimizing the argued effects. As the vulnerability needs to be assessed on the system level (rather than on sensor level) we recommended to contact your end device manufacturer for advice. Per the datasheet, the use of the BMA222E is limited to consumer goods and it is not fit for use in life-sustaining or security sensitive systems.

Affected Products

BMA222E

Workaround

For the BMA222E a ‘Handling, soldering & mounting instructions’ document is provided on [2] and includes recommendations on minimizing argued effects (reducing vibration induced signal generation). No additional solution is currently provided. A few workarounds are presented in [3] however it is necessary for the system integrator to consider and secure all relevant use and misuse cases in the design of their device.

Vulnerability Details

CVSSv3 Base Score 2.9 CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

Vulnerability classification is performed using the CVSSv3 scoring system. The CVSS environmental score is specific to each customer’s environment and should be defined by the customer to attain a final scoring.

Acknowledgments

Bosch thanks the following for their support and efforts:

  • Kevin Fu and fellow authors for identifying the vulnerability and working with Bosch.
  • ICS-CERT for coordinating the release between the various groups.

Additional Resources

  1. BMA222E - Product Page
  2. Handling, soldering & mounting instructions for BMA222E
  3. WALNUT: Waging Doubt on the Integrity of MEMS Accelerometers with Acoustic Injection Attacks
  4. ICS-CERT Alert
  5. For further inquiries on vulnerabilities in Bosch products and solutions, please contact the Bosch RB PSIRT: https://psirt.bosch.com

Revision History

14 Mar 2017: Initial Publication