NDSS 2026
PhyFuzz: Detecting Sensor Vulnerabilities with Physical Signal Fuzzing
Zhicong Zheng, Jinghui Wu, Shilin Xiao, Yanze Ren, Chen Yan, Xiaoyu Ji, Wenyuan Xu
Abstract
Sensor vulnerabilities can be exploited by physical signal attacks to cause erroneous sensor measurements, endangering systems that rely on sensors to make critical decisions. While hundreds of existing studies have discovered numerous sensor vulnerabilities, they are all driven by manual expert analysis and require a time-consuming process of trial and error. The absence of automated approaches to assist in the detection of sensor vulnerabilities has posed a major roadblock to bridging the gap between sensor security research and industrial applications. In this paper, we propose PhyFuzz, a new physical signal fuzzing paradigm that relies on physical testing signals to detect existing and potentially new types of sensor vulnerabilities without a human in the loop. To cope with the unprecedented challenges of fuzzing with physical signals, such as the infinite search space of signal parameters and the black-box design of diverse sensor hardware, we design a unique fuzzing algorithm that enables efficient testing signal construction and effective feature discretization for sensor vulnerability identification and assessment. We implement PhyFuzz as a prototype that can support fuzz testing with acoustic, laser, and electromagnetic signals. Our experiment shows that it can identify 46 vulnerabilities on 13 sensors of 9 different types, including 6 undisclosed cases.