Pacemaker and Implantable Defibrillator Security Paper at Oakland

By Tadayoshi Kohno at 6:54 am on May 26, 2008

The paper by University of Washington CSE PhD student Dan Halperin et al. on the security and privacy of pacemakers and implantable defibrillators just received the Best Paper Award at the annual IEEE Symposium on Security and Privacy (a.k.a. the “Oakland” conference).

Dan and the rest of the team from UW, UMass Amherst, and Harvard Medical School found that an implantable cardioverter defibrillator can leak private information and can allow unauthorized parties to modify settings that control, among other things, shock therapies.  

You can read Dan’s full paper and the FAQ, as well as his earlier work on the topic of medical device security.  You can also read summaries of Dan’s work in The New York Times, the Wall Street Journal, Reuters, and the Associated Press.  Bruce Schneier also provides excellent commentary.

Congratulations Dan!

Filed under: Announcements, Current Events, Research, Security Reviews

In-Flight Web Page Modifications

By creis at 5:29 pm on April 20, 2008

Our research group (Charlie Reis, Yoshi Kohno, and Steve Gribble from UW CSE, and Nick Weaver from ICSI) has just presented a measurement study showing that many users are receiving web pages that have been modified in-flight.  The pages are changed between the web server and the user’s browser, either by ISPs injecting advertisements, enterprise firewalls injecting script code, or client-side proxies that block popups and ads.  These changes are often unwanted by either publishers or users, and they can also be dangerous: we found that several types of changes introduced bugs and security vulnerabilities into otherwise safe and functional pages.

To study this, we measured how often our own web page, http://vancouver.cs.washington.edu, was modified when users visited it.  A piece of JavaScript code that we call a “web tripwire” detected such modifications, allowing us to record the change and notify the user.  Our study found that about 1% of the 50,000 visitors to our page received a modified version.  While 70% of these changes were caused by client-side proxies, we did see many changes caused by ISPs and firewalls as well.

For more information on our study and our results, you can read our analysis at Detecting In-Flight Page Changes with Web Tripwires, as well as our recent NSDI 2008 paper (PDF).  Our results have also been covered recently in the news media here, here, and here.

If you would like to add a web tripwire to your own page, we have an open source toolkit that you can download and host on your web server.  We also have a web tripwire service that is hosted by our server, which you can add to your page with a single line of JavaScript code.
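The comparison step of a web-tripwire-style check, as an added example (not the toolkit's or the paper's code): the script carries a known-good copy of the page and compares it with the HTML the browser actually received. `KNOWN_GOOD`, `SAMPLE_MODIFIED`, `checkTripwire` and `runTripwire` are hypothetical names, the pages are constructed samples, and how the received source is obtained is left to the caller as an assumption.

```javascript
// Known-good copy of the page, embedded in the script by the publisher.
// Constructed sample page, not the study's real page.
const KNOWN_GOOD = [
  '<html>',
  '<head><title>Tripwire test page</title></head>',
  '<body>',
  '<p>Hello, visitor.</p>',
  '</body>',
  '</html>',
].join('\n');

// Constructed sample of a page changed in flight: one line added before </body>.
const SAMPLE_MODIFIED = KNOWN_GOOD.replace(
  '</body>',
  '<script src="http://ads.example/inject.js"></script>\n</body>'
);

// Treat CRLF and LF as equal so line-ending rewrites do not raise false alarms.
function normalize(html) {
  return html.replace(/\r\n/g, '\n');
}

// Compare received HTML with the known-good copy. Strips the common prefix
// and suffix of lines; whatever remains is the changed region.
function checkTripwire(expected, received) {
  const exp = normalize(expected).split('\n');
  const rec = normalize(received).split('\n');
  let start = 0;
  while (start < exp.length && start < rec.length && exp[start] === rec[start]) start++;
  let endE = exp.length;
  let endR = rec.length;
  while (endE > start && endR > start && exp[endE - 1] === rec[endR - 1]) { endE--; endR--; }
  return {
    modified: start < endE || start < endR,
    line: start + 1,                  // 1-based line where the pages diverge
    removed: exp.slice(start, endE),  // lines missing from the received page
    added: rec.slice(start, endR),    // lines present only in the received page
  };
}

// getSource: async function returning the HTML as received (assumption: the
// caller supplies it). report: callback used to record the change and notify.
async function runTripwire(getSource, report) {
  const result = checkTripwire(KNOWN_GOOD, await getSource());
  if (result.modified) report(result);
  return result;
}
```

A line-level prefix/suffix comparison localizes a single changed region; a page altered in several places is reported as one span from the first to the last difference.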

Filed under: Current Events, Integrity, Research