FEATURE
Benefits and Risks of the Internet of Things
By Lisa Stiffler
Technology publications are calling 2015 "the year of the car hack." This summer at DEF CON — one of the world's largest computer-hacker conferences — attendees tested the vulnerability of car computer systems at the first "Car Hacking Village." Members of Congress recently introduced the SPY Car Act, aimed at strengthening security in modern cars.
In other words, the rest of the world is catching up to the University of Washington's Security and Privacy Research Lab. Four years ago, the lab in the UW's Department of Computer Science & Engineering co-led an effort that first exposed weaknesses in car computer systems and demonstrated that hackers could remotely control a vehicle’s brakes, door locks and other functions.
"We like to look in the places that no one else is looking yet," said computer science & engineering professor Yoshi Kohno, who founded the security lab. "You open that area up, and once people start to show up, you move on to the next thing." That trailblazing strategy has put the lab, which Kohno jointly runs with assistant professor Franziska Roesner, at the forefront of computer security and privacy. The UW engineers are international leaders in unmasking problems others haven't considered and helping guide the direction of the entire field. Their findings have driven security improvements in cars, medical devices, electronic voting machines and online browsing.
The lab's work is increasingly influential as computers are installed in countless everyday devices, making our lives better and easier, but also putting us at risk for identity theft and even physical harm. This year alone, more than 530 security breaches have compromised more than 140 million records kept by credit card and insurance companies, hospitals, government agencies and others.
To combat these and other cyber threats, Kohno and Roesner investigate ways that people can co-opt a computerized product or use online information, warping it into something never intended.
Take the car example. The UW researchers, in partnership with alumni Alexei Czeskis and Karl Koscher and computer scientists from the University of California at San Diego, were curious about the security of modern vehicles and their computerized systems. So the teams at each university bought a car and plugged their computers into the vehicle's computer to see if they could decode, and ultimately hijack, the car's software. They did it by listening as the computer systems talked to each other.
"If I go to a foreign country and try to learn the language, one of the best ways to do this is to eavesdrop," Kohno said. Then you "try to repeat things, and see if you get the same reaction."
Once the engineers figured out how to talk to the computer and manipulate its functions while plugged into it, they moved to the next phase: controlling the car remotely. The researchers identified a number of digital entry points including Bluetooth cell-phone devices, satellite radio signals and a cellular network that allows a dealership, for example, to communicate with the car. Through the cell network, they demonstrated that they could remotely take control of the car and drive it.
"We were surprised by how easy some things were" when it came to commandeering the vehicles, Roesner said. But up to that point, the carmakers hadn’t thought to install systems that would make it difficult.
That's no longer the case. The car hacking experiments caught the attention of the National Highway Traffic Safety Administration, and the Society of Automotive Engineers created a cybersecurity taskforce. The federal car-safety legislation can likewise be traced to the work by the UW lab.
While the car hacking work garnered the most public attention, the lab has identified other important security weaknesses. Kohno was an author on the first publications demonstrating the security risks of wirelessly reprogrammable pacemakers and defibrillators. Former Vice President Dick Cheney even had doctors disable the wireless mechanism in his defibrillator due to hacking concerns. Kohno stresses that the benefits of these devices outweigh the security risks and that patients should have no qualms using them. However, he believes that it is important for device manufacturers to improve the security of current and future devices.
Roesner has led groundbreaking work in the area of online data collection, trying to identify who is gathering information and what's being done with it. She led the development of a tool called ShareMeNot. Roesner partnered with the Electronic Frontier Foundation to incorporate ShareMeNot functionality in Privacy Badger, a tool that detects and blocks online advertising and other embedded content that tracks people without their permission.
The lab, which presently has over a dozen affiliated faculty and nine doctoral students, aims to stay one step ahead of the next cybersecurity challenge. Their current interests include the field of "augmented reality," which includes technologies like Google Glass or Microsoft’s HoloLens that take computer-generated information, including graphics, sound or videos, and project it into a real-world setting.
With Kohno's and Roesner's help, many of the UW's Computer Science & Engineering students will graduate with a better understanding of risks posed by hackers. The professors teach an undergraduate course in security and privacy that fills up almost instantly and has a waiting list of a dozen or more. The course essentially turns traditional software development on its head by taking a finished product that works one way and asking how it could be twisted, potentially for nefarious purposes. "It’s kind of a surprising mind switch," Roesner said, but an important one for students to grasp if the industry is going to get a handle on security threats. "In order to build secure systems," she said, "you have to understand how to break them."
CYBER SECURITY RESOURCES
Tips for safeguarding your information and devices:
- Set locks on your phone and computer screens, and enable encryption on your wireless networks.
- Enable two-factor authentication for sensitive accounts so that even if someone learns your password, they would also need to have your phone or other personal device to log in to the account.
- Limit the ability of third parties to track you while using Firefox or Chrome browsers by installing Privacy Badger.
Learn more at the fall lecture series:
Learn more about Professor Kohno's and Roesner's work at the 2015 Engineering Lecture Series: Robots to Web Trackers: Privacy in the Age of Smart Technology. See Engineering Lecture Series details and visit UWAA to register.