An amplitude-modulated laser can be used to generate false, yet coherent acoustic signals on the outputs of MEMS microphones. While this vulnerability has ramifications on the security of cyber-physical systems that trust these microphones, the physical explanation of this effect remained a mystery. Without an understanding of the physical phenomena contributing to this signal injection, it is difficult to design effective and reliable defenses. In this work, we show the degree to which the mechanisms of thermoelastic bending, thermal diffusion, and photocurrent generation are used to inject signals into MEMS microphones.
We provide models for each of these mechanisms, develop a procedure to empirically determine their relative contributions, and highlight the effects on eight commercial MEMS microphones. We accomplish this with a precise setup to isolate each mechanism using several laser wavelengths and a vacuum chamber. The results indicate that the injected signal on the microphone is dependent on the wavelength of the incoming light, where long wavelengths (such as a 904~nm infrared laser) exploit photoelectric effects on the ASIC, while short wavelengths (such as a 450~nm blue laser) exploit photoacoustic effects on the diaphragm and surrounding air. This understanding leads to recommendations for future laser-resistant microphone designs with improvements to glob top application, reducing the material asymmetries within the MEMS structure, and adding simple light or temperature sensors for injection detection. Based on the fundamental causality, we also suggest potential vulnerabilities within other sensors with similar characteristics to MEMS microphones, such as conventional microphones, ultrasonic sensors, and inertial sensors.