Categories
News Publication

New SPLICE Paper on Recurring Device Verification

The most common forms of authentication are passwords, potentially used in combination with a second factor such as a hardware token or mobile app (i.e., two-factor authentication). These approaches emphasize a one-time, initial authentication. Recent work has explored how to provide passive, continuous authentication and/or automatic de-authentication by correlating user movements and inputs with actions observed in an application (e.g., a web browser). The issue with indefinite trust goes beyond user authentication; consider devices that pair via Bluetooth.

The increased adoption of IoT devices and reports of inadequacy of their security makes indefinite trust of devices problematic. The reality of ubiquitous connectivity and frequent mobility gives rise to a myriad of opportunities for devices to be compromised. Thus, we argue that one-time, single-factor, device-to-device authentication (i.e., an initial pairing) is not enough, and that there must exist some mechanism to frequently (re-)verify the authenticity of devices and their connections.

In this paper we propose a device-to-device recurring authentication scheme – Verification of Interaction Authenticity (VIA) – that is based on evaluating characteristics of the communications (interactions) between devices. We adapt techniques from wireless traffic analysis and intrusion detection systems to develop behavioral models that capture typical, authentic device interactions (behavior); these models enable recurring verification of device behavior. 

To read more, check out the paper here.

Travis Peters, Timothy J. Pierson, Sougata Sen, José Camacho, and David Kotz. Recurring Verification of Interaction Authenticity Within Bluetooth Networks. Proceedings of the ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec 2021), pages 192–203. ACM, June 2021. doi:10.1145/3448300.3468287. ©

Categories
News

Morgan State receives $3.1M NSF CyberCorps Scholarship

Morgan State University has been recognized for proposing “innovative approaches to cybersecurity education and professional development that […] will support students [and] increase the vitality of cybersecurity preparedness for the nation.” This recognition includes $3.1 million in funding from the National Science Foundation (NSF) through the CyberCorps Scholarship program to provide full scholarships and stipends to students who agree to work in cybersecurity jobs for federal, state, local or tribal governments after graduation.

The CyberCorps Scholarship funding will be used to provide students with a unique educational program in secure embedded systems through the Secure Embedded Systems Scholarship (SES2). The program begins with recruitment, and continues with mentorship and financial support for students pursuing BS, MS, and Ph.D. degrees. SES2 supports students holistically, by leveraging peer and professional mentorship, experimental learning activities, and a comprehensive curriculum in embedded systems.

Congratulations to Morgan State University, the Cybersecurity Assurance and Policy (CAP) Center, and SPLICE PIs Kevin and Michel Kornegay, who will be leading this effort. To learn more, check out NSF’s previous announcement about the CyberCorps Scholarship program here, and the CAP Center at Morgan State’s announcement here.

Categories
News

Finding and reporting a device vulnerability

*Posted on behalf of Adam Vandenbussche, Dartmouth ’22*

My name is Adam and I’m a Dartmouth undergraduate researcher on the SPLICE project. I first became involved with SPLICE as a student in Professor Kotz’s COSC 89.26 SPLICE seminar course last fall. After spending the term reading and discussing papers considering a variety of security and privacy concerns in IoT, our culminating project was to conduct either a security or privacy analysis of an IoT device or to explore a topic of our choosing in an open-ended research project.

I’ve been curious to learn more about medical IoT, considering the particularly sensitive nature of the data this ecosystem produces and manages. For my project, I decided to analyze a Bluetooth-enabled device that, when paired with an accompanying smartphone app,* helps users monitor their medication adherence. To perform thorough testing of the device and app’s main functionalities, I used PCAP Remote  and Android’s adb utility, two open-source packet sniffers, to capture network and Bluetooth packets, respectively. I then analyzed the intercepted data using Wireshark, a popular open-source packet analysis program. 

I discovered a handful of mostly minor security and privacy vulnerabilities while analyzing the collected data, but one vulnerability particularly troubled me. Although the app’s API served most of its endpoints over the encrypted HTTPS protocol, it served two of them—the image upload and download endpoints—over the unencrypted HTTP protocol. The images transmitted over these endpoints could include user’s faces, such as for their profile picture, or medical information, such as images of documents discussing their medication. This lack of encryption to protect the transmission of highly sensitive information gravely threatened user privacy.

As a novice ethical hacker, I felt it important to alert the vendor of this vulnerability to avoid any further compromises of users’ privacy. I first informed the company over email, but much to my chagrin, my initial message—as well as the follow ups I sent 45 and 75 days later—went unanswered. Unfortunately, 90 days after my initial outreach I still had yet to hear from the company. 

My next step was to inform the vendor in writing by mail. Despite sending a registered letter including a report detailing how to reproduce the issue and the post office confirming its delivery, I still received no response from the company.

My last resort was to report the vulnerability to the Cybersecurity and Infrastructure Security Agency (CISA), a branch of the Department of Homeland Security, and hope that they would have more luck getting through. Within a week of submitting my report to CISA, I heard back from the vendor who acknowledged the vulnerability and disabled the implicated features. A day later, I received confirmation from CISA that they had successfully contacted the vendor who patched the issue.

Overall, I was most impressed with CISA’s quick turnaround time and learned a lot about the responsible disclosure process through this experience. It feels good that my work through the SPLICE project has had a direct, positive impact—however small—on the security of a smart product.

* As the disclosure has not been publicized, I will refrain from identifying the vendor. 

Categories
News

Morgan State featured on NSA website

If you’re in the market for a new car, you’ve probably noticed two things recently. The first being that almost all new cars today have electronic components for even the most basic of functionalities. The second being that because cars have these functionalities that require semiconductors (small chips “that manage functions like data storage, graphic rendering, and power consumption in electrical devices”), the recent semiconductor shortage is keeping many new cars on the lots.

If you end up buying that new car (or a relatively new, used car), you will be buying both a transportation and data collection system. “The data collected and recorded is quite broad and includes vehicle speed, passenger count, GPS routes, images from backup cameras, and [personally identifiable information] from connected cell phones. This information stays locally on the vehicle forever and in most cases is uploaded to the [original equipment manufacturer]. Those systems also control critical safety items like brakes. If left unprotected both privacy and lives could be at risk,” says Brian Knighton from the National Security Agency.

That’s where Morgan State comes in. Morgan State University Professor and SPLICE PI, Kevin Kornegay, and his team at the Cybersecurity Assurance and Policy (CAP) Center are working with the NSA’s reverse-engineering tool, Ghidra, to mitigate privacy, cybersecurity, malware, and geolocation vulnerabilities. Their work ensures that the electronic systems are supported and protected throughout the lifetime of the vehicle. Follow the links to learn more about the CAP Center and to read about their partnership with the NSA.

Dr. Kevin Kornegay (front) and Aaron Edmond review Ghidra firmware analysis. (Photo courtesy of Morgan State University)

Categories
News Publication

Landau’s book on contact-tracing apps published

The term “contact tracing” has recently grown in public prominence. Articles, news reports, and Google searches surrounding the phrase have sky-rocketed since the start of the pandemic. As Susan Landau explains in her recently published book People Count: Contact-Tracing Apps and Public Health, “Ending a plague requires more than medication; we need to stop spread.” And for that, contact tracing—test patients, trace their contacts, and have them isolate—is key. But how do you do so with a disease that spreads as quickly as Covid-19 does, with people contagious before they are even aware they are ill?

The pervasiveness of smart phones has led to the deployment of mobile applications designed to aid in the contact-tracing process. In her book, Landau explains how the technologies work, how they can be designed to protect privacy, and what the complex interplay between technology, social needs, and medicine looks like. Landau highlights the need for technical solutions to be created with the guidance of social scientists and public health experts. 

To get a copy of Landau’s book, check out the MIT Press’s website. To learn about Landau’s work at the intersection of technology and society with regards to the SPLICE project, check out the rest of this website.

Susan Landau: SPLICE PI at Tufts University and author of People Count: Contact-Tracing Apps and Public Health

Categories
News Video

Kotz speaks at Science Cafe

If you’ve ever wanted to learn more about your digital privacy and online security and didn’t know who to ask, this Science Cafe NH episode is the one to watch.

In a one-hour long webinar, questions run the gamut of topics, from “Is 1password a good service to use?” to “What should you do if you’re hacked?” and “What are the real risks of sharing family photos and information on Facebook?” Panelists Professor Kotz, Dr. Nora Draper, and Azeddine Jakib give you their straightforward answers to help keep yourself, your families, communities, and broader networks safer.

What’s one way you’ve integrated security and privacy practices in your technological habits to protect yourself and others?

The panelists and moderator for the March 2021 Science Cafe NH