According to the study, biocontainment facilities in hospitals and laboratories are vulnerable to terrorist attacks.
A team of researchers from University of California, Irvine has found that negative pressure rooms used in hospitals and laboratories to prevent the spread of deadly pathogens can be compromised by an attacker with a smartphone. These spaces are designed to protect against outdoor exposure to harmful microbes.
According to UCI Cyber-Physical Systems security experts, who recently presented their findings at the Computer and Communications Security Conference, mechanisms that control airflow in and out of biocontainment systems can be detected by a tone at a specific frequency, potentially hidden , to be made to function irregularly secretly into a popular song.
“Someone could have a piece of music loaded onto their smartphone playing, or have it streamed from a TV or other audio device in or near a negative pressure room,” said senior co-author Mohammad Al Faruque, UCI Professor of Electrical Engineering and Computer Science. . “If this music is embedded in a tone that matches the resonant frequency of the pressure regulators in one of these rooms, it could cause it to malfunction and let deadly microbes escape.”
The heating, ventilation and air conditioning infrastructure maintains the flow of fresh air into a given space and the contaminated air out of it. HVAC systems in scientific facilities typically include room pressure monitors, which in turn use differential pressure sensors that compare the atmosphere inside and outside rooms.
The researchers said commonly used DPS are vulnerable to remote tampering, posing a previously unrecognized threat to biosecurity facilities. They tested their hypothesis on eight industry-standard DPSs from five manufacturers and showed that all devices operate at resonant frequencies in the audible range and can therefore be manipulated.
“When sound waves collide with the membranes in a DPS, it starts vibrating at the same frequency,” said lead author Anomadarshi Barua, UCI Ph.D. Candidate in Electrical Engineering and Computer Science. “An informed attacker could use this technique to artificially displace the diaphragm, changing the pressure value and causing the entire system to malfunction.”
He said attackers could thwart negative pressure room systems in a variety of ways. They could manipulate them wirelessly or pose as maintenance personnel to place an audio device in or near such a room. “A more sophisticated attack could involve perpetrators embedding sound-emitting technologies in a DPS before it is installed in a biocontainment facility,” Barua said.
In their conference presentation, the researchers proposed several countermeasures to prevent a musical attack on biosecurity facilities. Silencing can be achieved by extending the sampling tube of a DPS vent by up to 7 meters. The team also suggested enclosing the pressure port in a box-like structure. Both of those measures would reduce the sensitivity of the DPS, Barua said.
Al Faruque said that this research project demonstrates the vulnerability of embedded systems to random attacks, but stressed that with a little planning and forethought, facilities could be protected against sabotage.
References: “A Wolf in Sheep’s Clothing: Spreading Deadly Pathogens Under the Disguise of Popular Music” by Anomadarshi Barua, Yonatan Gizachew Achamyeleh and Mohammad Abdullah Al Faruque, November 7, 2022, Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security.