UW Computer Security Research and Course Blog

Exoskeletons look impressive in movies. They look impressive in real life also. Electronics reads brain signals sent to muscles and cause actuators to move, thus ‘amplifying’ human strength. Exoskeletons are close to get mass-produced and available to people around the world. Since there are no datasheets or use instructions publcly available yet, I will briefly mention potential general security implicatons associated these devices, as we will inevitably see them in the market very soon.

It is crucial for manufacturers to ensure safety of the wearer. In addition, it is important to address safety of people other than the wearer who can come into contact with this machinery.
Potential adversaries can be those who wants to harm the person wearing it. Besides that, goal of an adversary can be to cause harm to people other than the wearer, or, in general, cause harm to property.

The following are just a few of potential weaknesses that need to be addressed.
Self-supporting mechanism: since most exoskeletons will support its own weight and are quite powerful, it is potentially possible to control it and cause it walk on its own, possibly with human inside.
Physical access to programmable controllers and circuitry can allow adversary to reprogram or embed own controllers.
Actuators in particular: different people can have different ranges of joint movement. Incorrect range can break wearer’s bones or strain muscles, unless there are secure adjustable physical restrictions. If there are such adjustable physical restrictions they can be changed by adversary.
If attachable to computer or network for service, or reprogramming, most problems associated with securing personal computers and communications apply.

Besides regular ensuring integrity of the system, and bug-free software, here are some key measures that any exoskeleton should have implemented to address security threats. Obviously, any adjustments, including physical should be done with secure authentication of a user. Good shielding can be used to protect from outside electromagnetic fields that might cause system to digress from normal operation.
It is important to detect big jumps of voltage/current in the system and disable the system, as it is done in power wheelchair controls, but as opposed to wheelchair, more attention should be paid to gracefully shutting down, as incorrect disabling can cause person to fall down causing injuries to himself or people around.
It should be easy to escape the suit in case of a danger and there should be multiple disabling mechanisms available to the user.

These devices will have a big impact on society. Should police start carrying EMP guns? Exoskeletons can be of tremendous use  to address people’s health problems, for example, or can become quite threatening in malicious person’s hands. There are obvious differences from existing personal machinery. Extreme flexibility pose big dangers if not addressed properly. Whereas car or wheelchair can be stopped by railing, exoskeleton could climb over it.

For years there have been research going on in neurobiological field with attempts to decode images from the brain activity. In 1999, University of California, Berkley, has been able to reconstruct the video images from cat’s observed brain activity.

However, recently scientists in Japan decided to take the idea to even more advanced level (article). Researchers at the ATR Computational Neuroscience Laboratories succeeded in processing and displaying images directly from the human brain. This sort of visualization has not been achieved before. Researchers’ goal is to apply this technology, and eventually be able to record and replay subjective images that people perceive, such as dreams or memories associated with objects and places.

This sort of decoding is described to be subjective. When people perceive an object, the image is converted into electrical signal that goes to the brain’s visual cortex. To decode such messages, first the subject has to train the device that is used for experiment, and associate object representations with the location and type of brain signal. Later, when such signals are observed, it might be possible to decode them, and this way to visualize the thought of a human.

So far subjects have demonstrated walking in a virtual world with the character controlled by brain waves. Similar gaming head sets are expected to appear on the market soon.

Also, researchers were able to reconstruct the image representation of the letters from the word “neuron” by decoding the brain activity of the subjects (article). To figure out people’s individual brain patterns and to train interpreting devices about 400 different still images were previously shown to the subject.  

Although some people believe that research is still too far from creating a colored quality video from brain signals, researchers continue advancing in the area, and think that technology “could eventually display on a computer screen what people have on their minds”. (Read on …)

Online advertisement is the lifeblood of the internet.  Without it, sites such as Facebook, Myspace, Google, etc. would go out of business. Approximately a year ago, Google alone reached over 1.1 billion unique users in a month(see 1)–and they had only 35% of the market at that point; this does not however imply that advertisers were reaching 3.14 billion users, as most top advertisers would reach the same users [note that Google also owns the #2, doubleclick].

With most major sites tied to the success of advertisers, there comes a tradeoff between appeasing advertisers and appeasing users.  The sites which appease advertisers impose interstitials, spyware, and popups.  By doing so, they increase the revenue advertisers are willing to pay, and they hope that their content is sufficiently interesting that users will wade through the ads regardless.  Other sites attempt to appease the users, and keep ads as unintrusive as possible, hoping that they will get more users due to the superior user experience, and that users will investigate ads because they care about the funding of the site and out of genuine interest in the ad.  The advertisers we are interested in here are the first category.

Security Goals

• Advertisement should not harm the user passively (example: user opens page, spyware automatically installed)
• Advertisement should not harm the user actively (i.e., the user clicks the ad and something bad happens)
• Advertisement should not hijack space against the desire of the site owner (example (from 2): picture)

Adversaries and Threats

• Malicious advertisers

Typically, these advertisers will be interested in installing adware/spyware/malware on a user’s computer.  This software will generally be responsible for browser hijacks, unexplained popup ads, and sometimes even credit card/identity theft.  A malicious advertiser is defined here as someone who commits these acts against the wish of the vendor and publisher.  Typically such an advertiser can only get away with such acts until the vendor or publisher is notified and takes actions to remedy it.

• Malicious publishers

This is where a publisher deliberately puts spyware, or other harmful software, on their site with the goal of infecting their users.  They will expect to get a cut of whatever money is made due to such actions.  This can be very difficult to predict, as a site may be benevolent until it runs into financial difficulties, or the user gets tired and wants to move on, but not before maximizing profits.

• Malicious vendors

This is less of an issue for those going with major vendors such as AdWords, but if a publisher chooses to use a small-scale advertising site, then they may run into a vendor who voluntarily uses such tactics as described above.

• Malicious Third Parties

Here, a third party is anyone not involved in the advertisement process.  A virus writer who sends out e-mails with a virus which infects people with malware which hijacks google.com when the user tries to search would be an example of a third party.

Potential Weaknesses

• Most sites give a limited amount of ability for users to provide feedback about advertisement–if an advertiser is infecting people with malware, it may take some time for it to be known and remedied.  In the meantime, countless users may be infected.
• Browser holes are common.  By utilizing one of these holes, a user may be silently infected.
• Ads can be difficult to reproduce.  They are randomly rotated, so merely linking to a page on which one got infected gives no guarantee that the investigator will see the same ad which caused the infection, leading him/her to believe it was a false report.
• Third parties are good at infecting people.  This can be shown by how many people get viruses through merely opening attachments, for example.
• Publishers are not very accountable for their actions.  Generally speaking, the worst that will happen to a publisher is that he/she will lose the userbase of the site.  Legal action is nearly unheard of, and so there is little at stake for the publisher who merely wants to make a quick buck and move on.

Defenses

• Ensure that browsers/operating systems are up to date.  A fully updated user is rarely the user who gets targeted–most infections are due to vulnerabilities for which a patch already exists (not all, obviously).
• Use an adblocking extension which prevents content from loading off known advertising domains.
• Use firewalls/anti-virus.
• Allow users to complain directly to the vendor about ads instead of requiring the publisher to do so (obviously, this step only works for malicious advertisers, not malicious publishers/vendors).
• Only allow pre-screened (by the publisher) ads to appear. Unfortunately, this may severely limit the strength of the advertising, and requires a benevolent vendor/observant publisher.

The Future

With the current major browsers, most security threats can be blocked by fully updating them and using intelligent browsing habits.  The main risk is for those who either a) trust the publisher too much or b) are not careful users (the kind of people who see a download for a “toolbar required to display the content” and decide to download it, then end up infected).

It seems unlikely that online advertising will significantly change in the future.  There will be new technologies which can be exploited and new vulnerabilities, but online advertising is here to stay as the future of the internet.  Despite the backing-off of many advertisers with the weakening economy, advertising still remains a strong industry overall.  Major companies such as Google are relatively restricted ethically, due to their ease of accountability and need to maintain a reasonable public image.  Smaller vendors will remain the primary risk, due to their lack of concern about public relations and potential for lack of adequate staffing (leading to malicious advertisers having a long run).

Terms Used:

interstitial – a page (almost always advertising) which appears instead of the expected content.  The user is usually automatically forwarded after a certain amount of time, or he/she can click on a link which leads to the expected page.

publisher – the site on which the ad is served.  So, if an ad appears on mysite.com, then mysite.com is the publisher.

vendor – the company responsible for connecting advertiser and publisher.  Google Adwords is a major vendor.

Sources:

1: Attributor

2: Ben Edelman

As mentioned earlier in the blog in “Security Review: Electronic Medical Records,” Google has started an electronic medical record database called Google Health.  Today, IBM and Google announced that they have made software to allow PDAs to upload information to health care databases such as Google Health.  Google Health centralizes medical records for its users, by storing records entered manually or aggregating data from other related medical databases; the individual users decide who is authorized to access their records.  The new software can allow doctors to update patient information more quickly, and facilitates information sharing between health care providers.  As well as the obvious applications for sharing information between health care providers, the Computerworld article on this technology suggests that the new software would allow authorized people to keep track of the health of an ill family member more easily, as the doctors add updates to the database more quickly.  From the article, it was not obvious whether or not the software would also allow mobile devices to download records from the databases.

(Read on …)

According to New Scientist, a UK company called Telnic is introducing a new top-level domain, .tel, with the intention of creating a “phonebook for the internet.” Users will only be able to register contact information, and this information will be accessible directly from DNS servers. In addition, Telnic has made available an API that can be used to extract and process this information. While this might make social networking as well as getting in contact with people easier than ever, it poses the possibility of some serious security risks.

(Read on …)

The iPhone has already had a security review and is similar to the iPod Touch, but I’m going to focus more on the security when someone has physical access to the device.  There are a number of security measures that are or can be used on the iPod Touch to limit access to certain features.  The iPod Touch, probably similar to the iPhone, contains a lot of personal information as well as access to iTunes and the App Store.

The two main assets of on the iPod Touch are the personal information on the iPod such as photos, emails, contacts, notes, and schedules, and the access to iTunes and the App Store.  The owner of the iPod Touch may have some sensitive photos or emails that should remain secret.  iTunes and App Store accounts are usually linked to a credit card.  The owner wouldn’t want other people to make unauthorized purchases.  The iPod has a lot of functionality, and it’s not always clear what information is sensitive and what isn’t.

The security goal here is to restrict or limit access to sensitive information as well as prevent unauthorized actions such as purchases from happening.  At the same time, all the functionality has to be easy enough to use.

So two potential adversaries could be a nosy or prankster friend or someone who has physically stolen the iPod.  A friend might want to snoop around your personal information or perhaps jokingly purchase an “adult” app or change your wallpaper to David Hasslehoff.  Someone who has stolen your iPod may want to purchase apps and music using your account and credit card.

So the iPod has a few security measures.  Functionality of the iPod can be password protected with a 4-digit number.  When an iPod is locked (which typically can happen when a period of inactivity occurs), it asks for a 4-digit number to unlock the iPod.  This is only the case when the setting is activated.  Also, access to the App Store or iTunes is also password protected, but this time with an iTunes password, which is likely more complicated and can contain letters and numbers from a full keyboard.

Now there are a few ways to exploit these two security features.  Since the iPod Touch is a touch screen device, there are often smudge marks left from oil on fingers.  With a 4-digit password, it can be easy to spot the 4 smudges on the screen that may possibly be the password.  Also, with the iTunes password or any password in general, there may be smudges, but more and with less spacing.  However, as a convenient to the user, password input always shows the last letter that was pressed for a couple seconds.  Normally on a desktop or laptop computer, the password shows up as asterisks.  The iPod does the same eventually, but the last letter entered always shows up readable.  Someone looking over the shoulder can easily decipher the password.  Also, the pressing of each letter with just thumbs is much easier to read than when you have all ten fingers on a keyboard.  Additionally, once the password has been entered, it remains valid for several minutes before requesting the password be inputted again.  This allows an attacker to purchase apps or music right after the user has entered the password and finished with their legitimate purchases.

There are several potential ways to prevent these exploits.  If a different, more smudge resistant screen was used, it may be more difficult to detect the password input.  Also, suppressing the last letter of the password showing as an option would be good.  Or even better, don’t show any asterisks so eavesdroppers can’t see how long the password is either.  Additionally, perhaps a biometric scanner using a touch screen may some day be possible.

So the question really is, how much security do you need?  I imagine the information on an iPod Touch isn’t terribly sensitive in most cases.  And with a device like that, it will typically be in close proximity and unlikely to be accessed by an adversary without going unnoticed.  The level of security already implemented seems appropriate for the value and sensitivity of the assets.  However, it would be nice if there was a quick and easy way to password protect certain apps like email or photos with just the 4-digit number.

As technology grows, more and more information and functionality will be implemented in smaller and smaller devices.  As a result, the value of the assets may grow as well.  Blackberries have typically contained much sensitive information.  The recent Blackberry Storm has featured touch screen.  Along with the growing of assets contained in small devices, the security features currently available may become inadequate.  It’s interesting to see more and more fingerprint scanners showing up in laptops.  It seems people are aware that portable devices can contain sensitive information and can be stolen quite easily.  It will be interesting to see what kind of new security measures may be implemented on touch screen devices in the future.

Ford Motor Company has stated that the 2010 Focus Coupe will be equipped with a technology called MyKey. Designed for parents wishing to ensure teenagers practice safe driving, the technology restricts certain actions such as driving too quickly. As currently announced, the system can restrict the vehicle speed to 80 mph, limit the audio speakers to 44% of maximum, and give constant audible alerts if seat belts are not worn. Read about the MyKey system here.

While MyKey is aiming for the parent/teenage child crowd, other products exist which automatically limit vehicle speed based on the current road. Using GPS and a database of known speed limits, these devices either limit the vehicle speed or issue a warning when driving over the limit. In all cases I’ve seen, these devices can be overridden, unlike the Ford MyKey. An example of one of these speed limiters would be the Wisespeed, by Imita.
(Read on …)

Every day there are more online backup options: Mosy.com, Xdrive, Adrive.  This is a significant security concern that should be more respected.  These online backup solutions offer encrypted data transmission and strong firewalls.  Although companies may say they are 100% secure, this is not a guarantee any organization can reasonable make.  A system can never be completely secure.  A system can only be free of known exploits.  Commonly, large companies have their servers hacked and data stolen.  This happens to companies as large as Comcast, Novell, Citibank, and  Microsoft.  Even if certain online backup solutions are 100% secure, this would not ensure that all other are and will be in the future.  An attacker who gains access to an online backup server would have access to varied and immense data.

Assets &Security Goals:
–Online backups should be as removed from corporate external networks by multiple levels of protection once stored.
–Companies should seriously consider whether it would be okay if their data leaked, and what would be the consequences for customers.

Adversaries and threats:
–Enemies: Any rival to a company or person who uses online backup.
–Experienced Adverseries: Hackers with unreleased exploits to access servers owned by Mozy and other backup solutions.

Potential weaknesses:
–A port scan of all online backup company servers would likely reveal a vulnerability somewhere.
–A dictionary attack could be conducted on Mozy log-ins.

Defenses:
–The provider should remove the data from network access once backed-up.
–Do not use online backup if you require the data to be confidential or it could be used to the advantage of a rival.

Likely online backup will become more ubiquitous as all emerging technologies.  When it becomes more prevalent, this issue will become a strong privacy concern.

With rumors of Amazon revealing their next Kindle on Monday (an honor Engadget, along with other blogs has already done for them), and as a user of the first Kindle, I figured that with its numerous features, communication methods, and potential appeal, it was an appropriate time to do a security review of the system. And as an irrelevant aside, I think the new model is really ugly.

The Kindle is an e-book reader, one of two primary contenders in the market at this point in time (the other being the Sony Reader). Like its competition, it features an E-paper screen, which is ideal for this application due to the fact that it requires no harsh backlight, and requires no power to maintain image – only to change image. In addition to being able to store and display ebooks (in unsecured Mobipocket, plain text, or proprietary Amazon format), the Kindle’s most fascinating feature is its EVDO antenna. Through Sprint, the Kindle provides free data transfer. The primary function here is to provide access to a wireless Amazon store from which users can purchase and download DRM-secured ebooks, but there is also a primitive web browser in the software.

Assets & Security Goals:

• Preventing users from stealing books is the primary business security concern for Amazon. There is a twofold issue here: there is the potential for users to snoop in on the wireless transmission of the book itself, but there is also the potential of a user to steal the book once it is on the device – hence, there needs to be both wireless security and DRM on the final file.
• Protecting the privacy of the user is a concern for the users of the device – while there aren’t any explicit laws protecting people’s reading history as there are for television and movies, what a person is reading on the device should still remain private to that user.
• Providing security for the user while they browse the web is another concern that involves specifically the consumer rather than Amazon – this should be a simple matter of implementing existing security standards for the web.

Adversaries & Threats

• People who would like to pirate content are again the primary thread to Amazon’s business on the Kindle. Protecting the ebook files in transit and storage should stop them from stealing Amazon ebooks, though given the Kindle’s capability of reading generic unsecured Mobipocket files, people could just as easily pirate those and drop them on the device over USB.
• People who would like to steal users’ information are easier to defend against. They may want to steal credit card information as transactions occur, or find out what a user is reading. If the victim has sensitive material, such as corporate documents and manuals, or manuscripts for unpublished books, these may be a target.
• People who want to cause hard to the user, either by purchasing books on their device without permission, or cause them to lose the books they currently have. These people don’t have as much work to do as the previous, as it is easier to cause harm than it is to steal information.

Potential weaknesses

• Theft – should an attacker gain physical control over the device, there is virtually nothing that could be done to stop him/her from purchasing items on the tab of the actual user, accessing any pages with the web browser that may have saved passwords or cookies, and learning what the user has been reading – including reading sensitive material as described earlier.
• The display is perhaps a surprising point of attack. However, as a user of the first Kindle, I have noticed that at times when the unit shuts off and blanks its screen, a trace amount of ink is left visible, enough so that display text is still visible. Given that the display works on the principle of magnetically charging droplets of ink, it might be that with magnetically sensitive instruments it would be possible to learn even more of what a display has shown. Given that sensitive documents or manuscripts may have been read on the device prior to its shutoff, and especially that it contains a web browser which could be used to browse sensitive material such as bank accounts, not to mention that passwords are inputted similarly to cell phones – with the last character inputted remaining visible until the next is typed – this could be a serious attack vector if enough study is put into the physics of the display.
• The obvious vector of breaking whatever security is on the DRM’d files (after all, the method and key for decrypting them must be on the device somewhere if it’s able to display the books) would be an easy approach to breaking the security of the platform in general. Attacking the wireless transmission itself would likely be much more difficult since it’s probably based on well-established cryptographic algorithms, but breaking DRM is certainly not without a very large precedent.

Potential defenses

• Passwords more prominently used throughout the device would mitigate the theft concern almost entirely (assuming, of course, chosen passwords are secure). Were the device to require passwords to power on or access certain user-determined books on the device depending on their sensitivity (the latter using encryption on the file rather than just an operating system refusal to open the file given that it could be retrieved by USB), much of the concern of the device falling into an adversary’s hands is mitigated. Potentially along with a remote kill-switch like that implemented on enterprise cell phones, the threat of the device being stolen would be greatly reduced.
• More screen blanking would help the display issue greatly – at least with the immediate and definite problem of trace ink. The device typically flashes the entire screen to black and then white to clear the screen, and I’m assuming that a few more rounds of this would reduce the amount of material left on-screen afterwards. Since the rest of the threat is primarily speculation on my part, I’m not sure as to what the defense would be.
• The ability to update the DRM of files remotely could be one way that Amazon could use to secure the files. It’s security by obscurity, but constantly changing the DRM scheme could be one way of preventing the attack from figuring out how to crack the protected books. I’m not skilled enough in cryptography to know if there’s a way the device could possibly secure the books given that the decryption method and key are both stored on the device itself, without external authentication (the EVDO antenna may be turned off, and DRM’d files are still accessible in remote regions).

Most of my analysis is based on what Amazon wishes the Kindle would be – a general purpose reading device integral to the lives of those who use it – rather than what it is now – a largely novelty gadget which, while well-executed, is too expensive to be a reasonable purchase for all but the most fanatic book fans and extreme road warriors. Scenarios such as heavy duty web browsing (unlikely due to the slow response of the screen and slow transfer over EVDO), storage of anything other than books (such as the confidential material I listed above), and other such ubiquitous uses of the device are not a reality at this point.

However, if Amazon is serious about the device becoming hugely successful in the future, they are all issues that must be addressed soon.

According to an article from Massively, Eve Online experienced an upset in their internal politics this week. “Band of Brothers (aka “BoB”), the self-styled villain alliance in the game,” has been taken down from within their own ranks. Not having played EVE, I can’t comment on the exact details of the event, but it appears the alliance was disbanded by a single, well-placed deserter.  This is one example of a lack of security leading to the loss of a great deal of in-game assets.

The specifics of the situation are not entirely clear to me, but according to massively:

Once assured a place within GoonSwarm, Agamar [the deserter] proceeded to disband the Band of Brothers alliance using his director level access. In addition to shutting down the alliance, he cleaned out his corporation’s ISK reserves and stole their dreadnaught (capital ship) fleet, which became a gift to GoonSwarm.

Other MMOs have a similar situation where player organizations have a single person in charge.  This makes management easy, since only the leader needs to be online to make any changes to the group, but at the same time this creates a single point of failure.  If this leader decides he no longer wants his position, he can simply hand off control to someone else.  If he’s malicious, however, he has the sole power to disband the group and keep any group-controlled assets.  In the case of other MMOs, these are generally not extremely valuable assets, but in Eve Online, they can be immensely valuable in terms of the time required to obtain them.  In particular, with the disband of their alliance, BoB lost sovereignty of its territories, meaning any infrastructure there is useless for the next three months.  Their territories are conquerable, their cyno-jammers that prevent capital ships from entering the territory, and jump bridges that allow smaller ships to move between systems, are all inoperable.  These assets took years to build and aqcuire, and they became inoperable for a few months due to the actions of a single individual.

Since Eve Online alliance comprise thousands of players, it would seem that there should be a more secure system to protect the assets of these groups that relying on a single individual to be in charge of everything.  In a real world setting, bureaucracy prevents any one individual from taking actions that could negatively affect the entire organization, and it would seem something like that is needed in Eve if this situation is something to be avoided in the future.  Then again, maybe it’s just what makes the game what it is.

Assets &Security Goals:

• Maintain control and access to in-game assets, including defenses and manufacturing stations.
• Privacy of communications made on private message boards.

Potential Adversaries & Threats:

• Rival Alliances: the goal of PvP in the game is to conquer territories for your alliance/cop at the expense of other alliances and corps.  In this case, the GoonSwarm’s main goal was to dismantle BoB.
• Malicious Insiders: a disgruntled member of the alliance might wish to cause harm to the alliance before he leaves for greener pastures.

Potential Weaknesses:

• A lack of any sort of bureaucratic system to make changes creates a single point of failure in the leader of the alliance.  If that player deserts, the member corps have no way of preventing him from dealing serious damage.
• Likewise anyone who happened to gain access to that player’s account through insidious means, such as a keylogger, would be able to perform the same actions without any member of the alliance’s consent.

Potential Defenses:

• Extraordinary permissions could be required to enact any sweeping changes to alliances.  In particular, removing a corp from an alliance could require a minimum number of director level players.
• There could be a holding period before a corp can be removed from an alliance, allowing a day or two for other corps in the alliance to respond.

Some sort of balance needs to be struck between the security against malicious actions and the ability of leaders to make the actions at all.  Perhaps this is already balanced in a way that makes the game what it is.  In order to make the politics and metagaming accessible to players and move in time frames of months rather than years, it makes sense that some of these actions would be a little too easy to be entirely secure.