Some example UW security lab projects, related to emerging technologies. Tadayoshi Kohno CSE 484, University of Washington

Similar documents
Computer Security and the Internet of Things

Experimental Security Analysis of a Modern Automobile

Security Analysis of modern Automobile

Modern Automotive Vulnerabilities: Causes, Disclosure & Outcomes Stefan Savage UC San Diego

Security of Safety-Critical Devices

Adversary Models. CPEN 442 Introduction to Computer Security. Konstantin Beznosov

University of Tartu. Research Seminar in Cryptography. Car Security. Supervisor: Dominique Unruh. Author: Tiina Turban

Security and Smartness for Medical Sensor Networks in Personalized Mobile Health Systems

Phone: La Jolla, CA Website:

Automotive Intrusion Detection Based on Constant CAN Message Frequencies Across Vehicle Driving Modes

Adversary Models. EECE 571B Computer Security. Konstantin Beznosov

CAN Bus Risk Analysis Revisit

12. Mobile Devices and the Internet of Things. Blase Ur, May 3 rd, 2017 CMSC / 33210

DOWNLOAD OR READ : US CELLULAR ANSWER WIRELESS PDF EBOOK EPUB MOBI

INNOVATIVE AUTOMOBILE SECURITY SYSTEM USING VARIOUS SECURITY MODULES

CS Computer Security in the Physical World:

CONTROLLER AREA NETWORK (CAN) DEEP PACKET INSPECTION. Görkem Batmaz, Systems Engineer Ildikó Pete, Systems Engineer 28 th March, 2018

Experimental Security Analysis of a Modern Automobile

The modern car has 100 million lines of code and over half of new vehicles will be connected by 2020.

Embedded Automotive Systems Security:

Cybersecurity Solutions for Connected Vehicles

Security Evaluation of the Implantable Cardiac Device Ecosystem Architecture and Implementation Interdependencies

Keywords - Bluetooth, DTMF, Arduino Pro-Mini, Arduino IDE, power supply, automobile security, Vehicle theft.

Clinical and ICT Cybersecurity Overview and Cases A242-3

Introduction Privacy, Security and Risk Management. What Healthcare Organizations Need to Know

Automotive Attack Surfaces. UCSD and University of Washington

Development of Intrusion Detection System for vehicle CAN bus cyber security

EMBEDDED MAJOR PROJECTS LIST

Cross-Domain Security Issues for Connected Autonomous Vehicles

Connected Medical Devices

The Next Frontier in Medical Device Security

Innovative M-Tech projects list IEEE papers

Preventing Cyber Attacks on Aftermarket Connectivity Solutions Zach Blumenstein, BD Director Argus Cyber Security

The Car as an Internet-Enabled Device, or how to make Trusted Networked Cars

Cybersecurity: Operating in a Threat Laden World. Christopher Buse, Assistant Commissioner & CISO

Uptane: Securely Updating Automobiles. Sam Weber NYU 14 June 2017

to Address Cyber Physical Systems Security (CPSSEC)

Securing the future of mobility

ECE 1161/2161 Embedded Computer System Design 2. Introduction. Wei Gao. Spring

Automotive Cyber Security

EMBEDDED MAJOR PROJECTS LIST

Security Concerns in Automotive Systems. James Martin

Automotive Audio Bus A B Transceiver Data Sheet

A Government Health Agency Trusts Tenable to Protect Patient Data and Manage Expanding Attack Surface

1

Safety and Security for Intelligent Infrastructure

e-pg Pathshala Subject : Computer Science Paper: Embedded System Module: Microcontrollers and Embedded Processors Module No: CS/ES/2 Quadrant 1 e-text

Eliminating Timing Information Flows in a Mix-Trusted System-on-Chip

INTERNET OF THINGS. Presented By Erin Bosman & Julie Park, Morrison & Foerster LLP ACC 14th ANNUAL GC ROUNDTABLE AND ALL DAY MCLE

Chalmers Publication Library

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

Problem Solving Current Electronic Product Development Challenges

Medical Device Cybersecurity: FDA Perspective

Anomaly Detection Approach Using Adaptive Cumulative Sum Algorithm for Controller Area Network

Network Security Attacks And Countermeasures By Dileep Kumar G

Protecting Global Medical Telemetry Infrastructure

Designing Secure Medical Devices

Wireless Communications And Networks Solution Mark Zhuang

Fast and Vulnerable A Story of Telematic Failures

A Formal Model to Facilitate Security Testing in Modern Automotive Systems

Gateway Architecture for Secured Connectivity and in Vehicle Communication

Examining future priorities for cyber security management

Connected Car Solutions Based on IoT

Wireless Best Kept Secret For Now

The Value of Bipartisanship

Secure and Capable of Data Communication Procedure for Wireless Area Network Supriya 1,Arun Kumar.H 2

Patient Information Security

Introduction to Information Security Dr. Rick Jerz

Measuring and Evaluating Cyber Risk in ICS Components, Products and Systems

Security Defenses for Vulnerable Medical Sensor Network

technology Catalyst For connected CARE Per Ljungberg Director, System and Technology Group Function Technology and Emerging Business Ericsson

Software Security Design Principles + Intro to Crypto

Protecting Smart Buildings

The Internet of Things. Steven M. Bellovin November 24,

IT-Security Challenges in the Internet of Things. Christian Graffer Product Manager Endian

Software Security and Intro to Cryptography

Exposing Congestion Attack on Emerging Connected Vehicle based Traffic Signal Control

Future Implications for the Vehicle When Considering the Internet of Things (IoT)

MASP Chapter on Safety and Security

Cyber Surveillance and Threat Intelligence Sharing

Information Security Guide

Automotive Gateway: A Key Component to Securing the Connected Car

Internet of Things Toolkit for Small and Medium Businesses

Managing the Unmanageable: A Risk Model for the Internet of Things

IEEE PROJECTS ON EMBEDDED SYSTEMS

AI and Security: Lessons, Challenges and Future Directions. Taesoo Kim

Medigate and Palo Alto Networks Integration

Automotive Cybersecurity: Meeting the High-Stakes Challenge

Security, Privacy, & User Expectations:

Cybersecurity and Hospitals: A Board Perspective

Managing Cyber Risk. Robert Entin Executive Vice President Chief Information Officer Vornado Realty Trust

SECURING UNDERWATER WIRELESS COMMUNICATION NETWORK DEVELOPMENT OF A MOBILE EEG-BASED BIOMETRIC AUTHENTICATON SYSTEM

Achieving End-to-End Security in the Internet of Things (IoT)

Kevin Fu Associate Professor Security & Privacy Research Lab UMass Amherst Computer Science

An Experimental Analysis of the SAE J1939 Standard

CONE 2019 Project Proposal on Cybersecurity

CANAuth - A Simple, Backward Compatible Broadcast Authentication Protocol for CAN bus

5g Use Cases. Telefonaktiebolaget LM Ericsson 2015 Ericsson July 2015

IEEE-SA Internet of Things - Security & Standards

HOLISTIC NETWORK PROTECTION: INNOVATIONS IN SOFTWARE DEFINED NETWORKS

Transcription:

Some example UW security lab projects, related to emerging technologies Tadayoshi Kohno CSE 484, University of Washington

Wireless Implantable Medical Devices Computation and wireless capabilities lead to improved healthcare Question: Are there security and privacy risks with wireless medical devices? If so, how can we mitigate them? Approach: Experimentally analyze the security of a real artifact (implantable defibrillator introduced in 2003; short-range wireless) D. Halperin, et al. Pacemakers and Implantable Cardiac Defibrillators: Software Radio Attacks and Zero-Power Defenses. IEEE Symposium on Security and Privacy, 2008. (University of Washington, University of Massachusetts Amherst, Beth Israel Deaconess Medical Center.)

Wireless Implantable Medical Devices Findings Ability to wirelessly (from close range, ~10cm): Change patient name, diagnosis, implanting hospital, Change / turn off therapies Cause an electrical shock Computation and wireless capabilities lead to improved healthcare Question: Are there security Big and Picture privacy risks with wireless medical devices? Risk today If so, to what patients can is we small do? no reason to be alarmed! Approach: These are Experimentally life saving devices; analyze the the benefits security far outweigh of a real artifact the risks (implantable Still important defibrillator improve introduced security of in future, 2003; short-range more sophisticated wireless) and communicative devices D. Halperin, et al. Pacemakers and Implantable Cardiac Defibrillators: Software Radio Attacks and Zero-Power Defenses. IEEE Symposium on Security and Privacy, 2008. (University of Washington, University of Massachusetts Amherst, Beth Israel Deaconess Medical Center.)

Modern Cars Engine Brakes Dash Steering Wheel speed sensor Telematics Satellite radio Remote door unlock / lock Diagnostics port Example automotive computer network K. Koscher, et al. Experimental Security Analysis of a Modern Automobile. IEEE S&P, 2010. S. Checkoway, et al. Comprehensive Experimental Analyses of Automotive Attack Surfaces. Usenix Security, 2011. (University of Washington, University of California San Diego.)

Engine Brakes Dash Steering Wheel speed sensor What About Security? Telematics Satellite radio Remote door unlock / lock Diagnostics port? Example automotive computer network K. Koscher, et al. Experimental Security Analysis of a Modern Automobile. IEEE S&P, 2010. S. Checkoway, et al. Comprehensive Experimental Analyses of Automotive Attack Surfaces. Usenix Security, 2011. (University of Washington, University of California San Diego.)

Approach Bought two, 2009-edition modern sedans UW team bought one, kept in Seattle UC San Diego team bought one, kept in San Diego Work published in 2010 and 2011 (Recently new works published by others) K. Koscher, et al. Experimental Security Analysis of a Modern Automobile. IEEE S&P, 2010. S. Checkoway, et al. Comprehensive Experimental Analyses of Automotive Attack Surfaces. Usenix Security, 2011. (University of Washington, University of California San Diego.)

Findings Adversary able to communicate on car s internal computer network can affect many components within the car, e.g., dash, lighting, engine, transmission, brakes, HVAC, Adversary can gain ability to communicate on car s internal computer network without every physically touching the car through remote compromise

Road Test: Apply Brakes K. Koscher, et al. Experimental Security Analysis of a Modern Automobile. IEEE S&P, 2010. S. Checkoway, et al. Comprehensive Experimental Analyses of Automotive Attack Surfaces. Usenix Security, 2011. (University of Washington, University of California San Diego.)

Road Test: Disengaging Brakes K. Koscher, et al. Experimental Security Analysis of a Modern Automobile. IEEE S&P, 2010. S. Checkoway, et al. Comprehensive Experimental Analyses of Automotive Attack Surfaces. Usenix Security, 2011. (University of Washington, University of California San Diego.)

End-to-end Theft Example Call car, exploit vulnerabilities to implant new software, car connects (over Internet) to UW server, then run theft program

End-to-end Surveillance Example Call car, exploit vulnerabilities to implant new software, car connects (over Internet) to UW server, initiate surveillance

Automobile Sensors and Privacy Background: Numerous sensors in modern cars Sensor data may flow to various companies (car manufacturer, insurance company) Question: Can we identify drivers, even with access to the most basic sensors already installed in cars? Answer: Yes, with high degree of accuracy among a small set of drivers M. Enev, et al. Automobile Driver Fingerprinting. Privacy Enhancing Technology Symposium, 2016. (University of Washington.)

Home Powerline Monitoring Background Significant focus on powerline sensing for activity recognition Prior works: Can determine when specific appliances are in use Privacy debate: does powerline sensing compromise privacy? Our work: Infer information about what TV show is being watched M. Enev, et al. Televisions, Video Privacy, and Powerline Electromagnetic Interference. ACM Conference on Computer and Communications Security, 2011. (University of Washington.)

Children s Toys Increasing computation in children s toys too Question: What are their security weaknesses? Finding: Easy for unauthorized party to remotely access and control these toys Lesson: Security not forefront in consumer / developer minds T. Denning, et al. A Spotlight on Security and Privacy Risks with Future Household Robots: Attacks and Lessons. International Conference on Ubiquitous Computing, 2009. (University of Washington.)

Home Automation Door Lock Window Shades Home Automation Controller Dimmer CFL Light Bulb Internet Background: Home automation systems allow remote control and monitoring of home appliances Well known issue: Once compromise controller, can compromise any connected device (e.g., door lock, window shades) Less well known: Can use devices as stepping stones to devices without traditional network connections (e.g., pop CFL light bulbs) Lesson: Must consider security implications of exploits to other devices T. Oluwafemi, et al. Experimental Security Analyses of Non-Networked Compact Fluorescent Lamps: A Case Study of Home Automation Security. Learning from Authoritative Security Experiment Results (LASER), 2013. (University of Washington.)

Stepping Back Goal: Improve security of future technologies This talk: Example known risks with IoT type devices Opportunities: Domain-specific defenses Generic defenses Key directions / issues: Threat modeling and risk evaluation including privacy (and information leakage), safety, and stepping stones Including thinking of actors involved and non-traditional interactions (e.g., light bulbs) Software updates and the Zombie problem

Thanks! Automotive computer security (UW, UC San Diego) Karl Koscher, Alexei Czeskis, Franziska Roesner, Shwetak Patel, Stephen Checkoway, Damon McCoy, Brian Kantor, Danny Anderson, Hovav Shacham, Stefan Savage Automotive driver fingerprinting (UW) Miro Enev, Alex Takakuwa, Karl Koscher TV video fingerprinting (UW) Miro Enev, Sidhant Gupta, Shwetak Patel

Thanks! Toy computer security (UW) Tamara Denning, Cynthia Matuszek, Karl Koscher, Joshua R. Smith Home automation security (UW) Temitope Oluwafemi, Sidhant Gupta, Shwetak Patel Medical device computer security (UW, UMass Amherst (Michigan), BIDMC) Dan Halperin, Thomas S. Heydt-Benjamin, Benjamin Ransford, Shane S. Clark, Benessa Defend, Will Morgan, Kevin Fu, William H. Maisel

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback