MEMS Accelerometer Hardware Design Flaws (Update A)

All information products included in https://us-cert.cisa.gov/ics are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.

This updated alert is a follow-up to the original alert titled ICS-ALERT-17-073-01 MEMS Accelerometer Hardware Design Flaws that was published March 14, 2017, on the NCCIC/ICS-CERT web site.

ICS-CERT is aware of public reporting of hardware design flaws in some capacitive micro-electromechanical systems (MEMS) accelerometer sensors, which are produced by the following manufacturers: Robert Bosch GmbH, STMicroelectronics, InvenSense Inc., Analog Devices Inc., and Murata Manufacturing Company.

According to the public reporting, the design flaws may be exploitable by playing specific acoustic frequencies in close proximity to devices containing embedded capacitive MEMS accelerometer sensors. At a specific acoustic frequency it may be possible to induce a vibration within vulnerable accelerometers to alter the sensors' output in a predictable manner. The impact of exploitation would depend on the function and operation of host devices, but it is understood that during an attack it may be possible to render affected sensors inoperable. This could result in a denial of service for host devices. During a successful attack, the integrity of data measured by vulnerable sensors may be compromised. In the worst-case attack scenario, it may be possible for an attacker to control sensor output data in a predictable way to gain some level of control over a host device that primarily operates on unvalidated sensor data.
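A host device does not have to act on raw accelerometer output. The following is an added example, not part of the alert or of any vendor guidance, of a host-side plausibility check that flags a window of samples pinned at full scale (the inoperable-sensor case) or dominated by one sustained frequency. The thresholds, window length, flag names and the 12-bit sample range are assumptions, and legitimate machinery vibration can also be tonal, so a flag means "do not trust this window blindly", not "attack confirmed".

```python
import math

# Assumed thresholds (not from the alert); tune per sensor and application.
RAIL_FRACTION = 0.25  # share of samples pinned at full scale
TONE_FRACTION = 0.80  # share of AC energy held by a single DFT bin
MIN_AC_RMS = 50.0     # raw counts; quieter windows are treated as noise


def check_window(samples, full_scale):
    """Flag one window of raw single-axis samples before the host acts on it."""
    n, flags = len(samples), set()
    if n < 8:
        return flags
    if sum(abs(s) >= full_scale for s in samples) >= RAIL_FRACTION * n:
        flags.add("saturated")  # sensor driven to its rail: output unusable
    mean = sum(samples) / n
    ac = [s - mean for s in samples]
    energy = sum(x * x for x in ac)
    if math.sqrt(energy / n) < MIN_AC_RMS:
        return flags
    peak = 0.0
    for k in range(1, n // 2 + 1):  # naive DFT, fine for short windows
        w = 2 * math.pi * k / n
        re = sum(x * math.cos(w * i) for i, x in enumerate(ac))
        im = sum(x * math.sin(w * i) for i, x in enumerate(ac))
        # Bins k and n-k mirror each other for real input; Nyquist has no mirror.
        weight = 1.0 if 2 * k == n else 2.0
        peak = max(peak, weight * (re * re + im * im) / n)
    if peak >= TONE_FRACTION * energy:
        flags.add("tonal")  # sustained single-frequency component
    return flags


def constructed_windows(n=64, full_scale=2047):
    """Constructed sample windows (not captured data) for a 12-bit signed axis."""
    def tone(amp):
        return [max(-full_scale, min(full_scale, round(amp * math.sin(2 * math.pi * 9 * i / n))))
                for i in range(n)]
    shock = [0] * n
    shock[20:24] = [900, -600, 300, -100]  # short broadband transient
    return {
        "quiet": [(i * 7) % 5 - 2 for i in range(n)],
        "shock": shock,
        "steady_tone": tone(600),
        "clipped_tone": tone(5000),
    }


if __name__ == "__main__":
    for name, window in constructed_windows().items():
        print(name, sorted(check_window(window, 2047)))
```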

The exploitability of the hardware design flaws depends on many factors, including the physical attributes of the host system, how the host system uses the accelerometer data, and the accessibility of the host system, as the attack would likely need to be carried out in close proximity to the target system.

ICS-CERT has notified the affected vendors of the public reporting. Robert Bosch GmbH, STMicroelectronics, InvenSense Inc., and Analog Devices Inc. have validated the hardware design flaws. ICS-CERT is issuing this alert to provide early notice of the public reporting.

ICS-CERT is also working with several of the cooperative vendors to identify a list of affected devices that contain vulnerable capacitive MEMS accelerometer sensors.


The following MEMS accelerometer sensors may be affected:
• Bosch BMA222E,
• STMicroelectronics MIS2DH,
• STMicroelectronics IIS2DH,
• STMicroelectronics LIS3DSH,
• STMicroelectronics LIS344ALH,
• STMicroelectronics H3LIS331DL,
• InvenSense MPU6050,
• InvenSense MPU6500,
• InvenSense ICM20601,
• Analog Devices ADXL312,
• Analog Devices ADXL337,
• Analog Devices ADXL345,
• Analog Devices ADXL346,
• Analog Devices ADXL350,
• Analog Devices ADXL362,
• Murata SCA610,
• Murata SCA820,
• Murata SCA1000,
• Murata SCA2100, and
• Murata SCA3100.

MEMS accelerometer sensors measure tilt, motion, inactivity, and shock vibration, and are embedded in many types of devices and equipment, such as: cars, mobile phones, computer equipment, and machine interfaces. These embedded sensors are deployed across several critical infrastructure sectors, including Communications, Critical Manufacturing, Healthcare and Public Health, Information Technology, and Transportation Systems.

Timothy Trippel, Ofir Weisse, Peter Honeyman, and Kevin Fu from the University of Michigan, along with Wenyuan Xu from the University of South Carolina, have reported the hardware design flaws to ICS-CERT.


MITIGATION
ICS-CERT is working with the identified sensor manufacturers to determine a list of affected products that use the affected capacitive MEMS accelerometers and to determine each vendor's mitigation plan.

Robert Bosch GmbH has released a security advisory that provides additional information about the hardware design flaws, which is available at the following location:

https://psirt.bosch.com/Advisory/BOSCH-2016-0501.html

Robert Bosch GmbH has also provided a link to their Handling, Soldering, and Mounting Instructions document for additional information for their customers:

https://ae-bst.resource.bosch.com/media/_tech/media/application_notes/BST-MAS-HS000-05.pdf

InvenSense Inc. has provided the following statement:

“Successive generations of InvenSense sensors have demonstrated lower vibration sensitivity. For more vital functions and mitigation of intentional acoustic interference or assaults, host device designers should be aware of and address these issues by means of host gadget designs and use of sensors with low vibration sensitivity as appropriate.”


--------- Begin Update A Part 1 of 1 --------
Analog Devices has released a security advisory that provides additional information about the hardware design flaws, which is available at the following location:

http://www.analog.com/media/en/Other/Support/product-security-response/ADI_Response-ICS_Alert-17-073-01.pdf

--------- End Update A Part 1 of 1 --------
ICS-CERT will update the alert as additional information becomes available.

ICS-CERT also provides a control systems recommended practices page on the ICS-CERT web site. Several recommended practices are available for reading or download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Organizations that observe any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents.


Contact Information
For any questions related to this report, please contact CISA at:

Email: CISAservicedesk@cisa.dhs.gov
Toll Free: 1-888-282-0870

For industrial control systems cybersecurity information: https://us-cert.cisa.gov/ics or incident reporting: https://us-cert.cisa.gov/report