In their paper, the researchers describe how they added fake steps to a Fitbit fitness monitor and played a “malicious” music file from the speaker of a smartphone to control the phone’s accelerometer. That allowed them to interfere with software that relies on the smartphone, like an app used to pilot a radio-controlled toy car.
“It’s like the opera singer who hits the note to break a wine glass, only in our case, we can spell out words” and enter commands rather than just shut down the phone, said Kevin Fu, an author of the paper, who is also an associate professor of electrical engineering and computer science at the University of Michigan and the chief executive of Virta Labs, a company that focuses on cybersecurity in health care. “You can think of it as a musical virus.”
The flaw, which the researchers found in more than half of the 20 commercial brands from five chip makers they tested, illustrates the security challenges that have emerged as robots and other kinds of digital appliances have begun to move around in the world.