WEBVTT 00:00:00.588 --> 00:00:03.619 I'm a computer science professor, 00:00:03.619 --> 00:00:05.932 and my area of expertise is 00:00:05.932 --> 00:00:08.131 computer and information security. 00:00:08.131 --> 00:00:10.451 When I was in graduate school, 00:00:10.451 --> 00:00:13.052 I had the opportunity to overhear my grandmother 00:00:13.052 --> 00:00:17.186 describing to one of her fellow senior citizens 00:00:17.186 --> 00:00:19.555 what I did for a living. 00:00:19.555 --> 00:00:23.117 Apparently, I was in charge of making sure that 00:00:23.117 --> 00:00:27.017 no one stole the computers from the university. (Laughter) 00:00:27.017 --> 00:00:29.761 And, you know, that's a perfectly reasonable thing 00:00:29.761 --> 00:00:31.681 for her to think, because I told her I was working 00:00:31.681 --> 00:00:33.188 in computer security, 00:00:33.188 --> 00:00:36.785 and it was interesting to get her perspective. NOTE Paragraph 00:00:36.785 --> 00:00:39.402 But that's not the most ridiculous thing I've ever heard 00:00:39.402 --> 00:00:41.419 anyone say about my work. 00:00:41.419 --> 00:00:43.703 The most ridiculous thing I ever heard is, 00:00:43.703 --> 00:00:46.837 I was at a dinner party, and a woman heard 00:00:46.837 --> 00:00:48.620 that I work in computer security, 00:00:48.620 --> 00:00:52.137 and she asked me if -- she said her computer had been 00:00:52.137 --> 00:00:55.573 infected by a virus, and she was very concerned that she 00:00:55.573 --> 00:00:59.524 might get sick from it, that she could get this virus. (Laughter) 00:00:59.524 --> 00:01:02.467 And I'm not a doctor, but I reassured her 00:01:02.467 --> 00:01:05.611 that it was very, very unlikely that this would happen, 00:01:05.611 --> 00:01:08.412 but if she felt more comfortable, she could be free to use 00:01:08.412 --> 00:01:10.260 latex gloves when she was on the computer, 00:01:10.260 --> 00:01:13.652 and there would be no harm whatsoever in that. NOTE Paragraph 00:01:13.652 --> 00:01:16.159 I'm going to get back to this notion of being able to get 00:01:16.159 --> 00:01:19.667 a virus from your computer, in a serious way. 00:01:19.667 --> 00:01:21.307 What I'm going to talk to you about today 00:01:21.307 --> 00:01:26.153 are some hacks, some real world cyberattacks that people 00:01:26.153 --> 00:01:28.707 in my community, the academic research community, 00:01:28.707 --> 00:01:31.501 have performed, which I don't think 00:01:31.501 --> 00:01:32.709 most people know about, 00:01:32.709 --> 00:01:35.737 and I think they're very interesting and scary, 00:01:35.737 --> 00:01:38.178 and this talk is kind of a greatest hits 00:01:38.178 --> 00:01:41.169 of the academic security community's hacks. 00:01:41.169 --> 00:01:43.156 None of the work is my work. It's all work 00:01:43.156 --> 00:01:45.330 that my colleagues have done, and I actually asked them 00:01:45.330 --> 00:01:47.887 for their slides and incorporated them into this talk. NOTE Paragraph 00:01:47.887 --> 00:01:49.629 So the first one I'm going to talk about 00:01:49.629 --> 00:01:52.303 are implanted medical devices. 00:01:52.303 --> 00:01:55.343 Now medical devices have come a long way technologically. 00:01:55.343 --> 00:01:59.199 You can see in 1926 the first pacemaker was invented. 00:01:59.199 --> 00:02:02.751 1960, the first internal pacemaker was implanted, 00:02:02.751 --> 00:02:05.303 hopefully a little smaller than that one that you see there, 00:02:05.303 --> 00:02:08.271 and the technology has continued to move forward. 00:02:08.271 --> 00:02:12.904 In 2006, we hit an important milestone from the perspective 00:02:12.904 --> 00:02:16.071 of computer security. 00:02:16.071 --> 00:02:17.412 And why do I say that? 00:02:17.412 --> 00:02:20.302 Because that's when implanted devices inside of people 00:02:20.302 --> 00:02:23.047 started to have networking capabilities. 00:02:23.047 --> 00:02:24.927 One thing that brings us close to home is we look 00:02:24.927 --> 00:02:27.632 at Dick Cheney's device, he had a device that 00:02:27.632 --> 00:02:31.501 pumped blood from an aorta to another part of the heart, 00:02:31.501 --> 00:02:32.684 and as you can see at the bottom there, 00:02:32.684 --> 00:02:35.693 it was controlled by a computer controller, 00:02:35.693 --> 00:02:38.210 and if you ever thought that software liability 00:02:38.210 --> 00:02:41.799 was very important, get one of these inside of you. NOTE Paragraph 00:02:41.799 --> 00:02:45.494 Now what a research team did was they got their hands 00:02:45.494 --> 00:02:46.914 on what's called an ICD. 00:02:46.914 --> 00:02:48.984 This is a defibrillator, and this is a device 00:02:48.984 --> 00:02:53.320 that goes into a person to control their heart rhythm, 00:02:53.320 --> 00:02:55.658 and these have saved many lives. 00:02:55.658 --> 00:02:58.130 Well, in order to not have to open up the person 00:02:58.130 --> 00:03:00.324 every time you want to reprogram their device 00:03:00.324 --> 00:03:02.779 or do some diagnostics on it, they made the thing be able 00:03:02.779 --> 00:03:05.881 to communicate wirelessly, and what this research team did 00:03:05.881 --> 00:03:08.491 is they reverse engineered the wireless protocol, 00:03:08.491 --> 00:03:10.363 and they built the device you see pictured here, 00:03:10.363 --> 00:03:13.123 with a little antenna, that could talk the protocol 00:03:13.123 --> 00:03:17.598 to the device, and thus control it. 00:03:17.598 --> 00:03:20.287 In order to make their experience real -- they were unable 00:03:20.287 --> 00:03:22.759 to find any volunteers, and so they went 00:03:22.759 --> 00:03:24.903 and they got some ground beef and some bacon 00:03:24.903 --> 00:03:26.691 and they wrapped it all up to about the size 00:03:26.691 --> 00:03:29.489 of a human being's area where the device would go, 00:03:29.489 --> 00:03:30.943 and they stuck the device inside it 00:03:30.943 --> 00:03:34.075 to perform their experiment somewhat realistically. 00:03:34.075 --> 00:03:37.095 They launched many, many successful attacks. 00:03:37.095 --> 00:03:40.151 One that I'll highlight here is changing the patient's name. 00:03:40.151 --> 00:03:41.144 I don't know why you would want to do that, 00:03:41.144 --> 00:03:43.248 but I sure wouldn't want that done to me. 00:03:43.248 --> 00:03:45.579 And they were able to change therapies, 00:03:45.579 --> 00:03:48.074 including disabling the device -- and this is with a real, 00:03:48.074 --> 00:03:49.970 commercial, off-the-shelf device -- 00:03:49.970 --> 00:03:52.016 simply by performing reverse engineering and sending 00:03:52.016 --> 00:03:55.005 wireless signals to it. NOTE Paragraph 00:03:55.005 --> 00:03:58.585 There was a piece on NPR that some of these ICDs 00:03:58.585 --> 00:04:01.007 could actually have their performance disrupted 00:04:01.007 --> 00:04:04.658 simply by holding a pair of headphones onto them. NOTE Paragraph 00:04:04.658 --> 00:04:06.067 Now, wireless and the Internet 00:04:06.067 --> 00:04:07.719 can improve health care greatly. 00:04:07.719 --> 00:04:09.806 There's several examples up on the screen 00:04:09.806 --> 00:04:12.913 of situations where doctors are looking to implant devices 00:04:12.913 --> 00:04:15.778 inside of people, and all of these devices now, 00:04:15.778 --> 00:04:18.903 it's standard that they communicate wirelessly, 00:04:18.903 --> 00:04:20.315 and I think this is great, 00:04:20.315 --> 00:04:23.420 but without a full understanding of trustworthy computing, 00:04:23.420 --> 00:04:25.827 and without understanding what attackers can do 00:04:25.827 --> 00:04:27.974 and the security risks from the beginning, 00:04:27.974 --> 00:04:30.364 there's a lot of danger in this. NOTE Paragraph 00:04:30.364 --> 00:04:31.841 Okay, let me shift gears and show you another target. 00:04:31.841 --> 00:04:33.929 I'm going to show you a few different targets like this, 00:04:33.929 --> 00:04:36.846 and that's my talk. So we'll look at automobiles. NOTE Paragraph 00:04:36.846 --> 00:04:39.742 This is a car, and it has a lot of components, 00:04:39.742 --> 00:04:41.362 a lot of electronics in it today. 00:04:41.362 --> 00:04:45.739 In fact, it's got many, many different computers inside of it, 00:04:45.739 --> 00:04:48.894 more Pentiums than my lab did when I was in college, 00:04:48.894 --> 00:04:52.533 and they're connected by a wired network. 00:04:52.533 --> 00:04:55.964 There's also a wireless network in the car, 00:04:55.964 --> 00:04:59.197 which can be reached from many different ways. 00:04:59.197 --> 00:05:02.898 So there's Bluetooth, there's the FM and XM radio, 00:05:02.898 --> 00:05:05.718 there's actually wi-fi, there's sensors in the wheels 00:05:05.718 --> 00:05:07.871 that wirelessly communicate the tire pressure 00:05:07.871 --> 00:05:09.677 to a controller on board. 00:05:09.677 --> 00:05:14.595 The modern car is a sophisticated multi-computer device. NOTE Paragraph 00:05:14.595 --> 00:05:17.917 And what happens if somebody wanted to attack this? 00:05:17.917 --> 00:05:19.234 Well, that's what the researchers 00:05:19.234 --> 00:05:21.105 that I'm going to talk about today did. 00:05:21.105 --> 00:05:24.082 They basically stuck an attacker on the wired network 00:05:24.082 --> 00:05:26.404 and on the wireless network. 00:05:26.404 --> 00:05:29.103 Now, they have two areas they can attack. 00:05:29.103 --> 00:05:31.141 One is short-range wireless, where you can actually 00:05:31.141 --> 00:05:32.922 communicate with the device from nearby, 00:05:32.922 --> 00:05:35.059 either through Bluetooth or wi-fi, 00:05:35.059 --> 00:05:37.233 and the other is long-range, where you can communicate 00:05:37.233 --> 00:05:39.015 with the car through the cellular network, 00:05:39.015 --> 00:05:40.975 or through one of the radio stations. 00:05:40.975 --> 00:05:44.024 Think about it. When a car receives a radio signal, 00:05:44.024 --> 00:05:46.225 it's processed by software. 00:05:46.225 --> 00:05:49.286 That software has to receive and decode the radio signal, 00:05:49.286 --> 00:05:50.405 and then figure out what to do with it, 00:05:50.405 --> 00:05:53.429 even if it's just music that it needs to play on the radio, 00:05:53.429 --> 00:05:55.697 and that software that does that decoding, 00:05:55.697 --> 00:05:58.790 if it has any bugs in it, could create a vulnerability 00:05:58.790 --> 00:06:01.825 for somebody to hack the car. NOTE Paragraph 00:06:01.825 --> 00:06:04.777 The way that the researchers did this work is, 00:06:04.777 --> 00:06:09.000 they read the software in the computer chips 00:06:09.000 --> 00:06:12.193 that were in the car, and then they used sophisticated 00:06:12.193 --> 00:06:13.607 reverse engineering tools 00:06:13.607 --> 00:06:15.662 to figure out what that software did, 00:06:15.662 --> 00:06:18.703 and then they found vulnerabilities in that software, 00:06:18.703 --> 00:06:22.049 and then they built exploits to exploit those. 00:06:22.049 --> 00:06:24.431 They actually carried out their attack in real life. 00:06:24.431 --> 00:06:25.781 They bought two cars, and I guess 00:06:25.781 --> 00:06:28.699 they have better budgets than I do. 00:06:28.699 --> 00:06:31.289 The first threat model was to see what someone could do 00:06:31.289 --> 00:06:33.433 if an attacker actually got access 00:06:33.433 --> 00:06:35.486 to the internal network on the car. 00:06:35.486 --> 00:06:38.089 Okay, so think of that as, someone gets to go to your car, 00:06:38.089 --> 00:06:40.993 they get to mess around with it, and then they leave, 00:06:40.993 --> 00:06:43.361 and now, what kind of trouble are you in? 00:06:43.361 --> 00:06:46.153 The other threat model is that they contact you 00:06:46.153 --> 00:06:48.610 in real time over one of the wireless networks 00:06:48.610 --> 00:06:50.665 like the cellular, or something like that, 00:06:50.665 --> 00:06:54.665 never having actually gotten physical access to your car. NOTE Paragraph 00:06:54.665 --> 00:06:57.489 This is what their setup looks like for the first model, 00:06:57.489 --> 00:06:59.172 where you get to have access to the car. 00:06:59.172 --> 00:07:02.559 They put a laptop, and they connected to the diagnostic unit 00:07:02.559 --> 00:07:05.498 on the in-car network, and they did all kinds of silly things, 00:07:05.498 --> 00:07:08.281 like here's a picture of the speedometer 00:07:08.281 --> 00:07:11.097 showing 140 miles an hour when the car's in park. 00:07:11.097 --> 00:07:13.470 Once you have control of the car's computers, 00:07:13.470 --> 00:07:14.389 you can do anything. 00:07:14.389 --> 00:07:16.005 Now you might say, "Okay, that's silly." 00:07:16.005 --> 00:07:17.664 Well, what if you make the car always say 00:07:17.664 --> 00:07:20.405 it's going 20 miles an hour slower than it's actually going? 00:07:20.405 --> 00:07:22.947 You might produce a lot of speeding tickets. NOTE Paragraph 00:07:22.947 --> 00:07:26.803 Then they went out to an abandoned airstrip with two cars, 00:07:26.803 --> 00:07:29.548 the target victim car and the chase car, 00:07:29.548 --> 00:07:32.294 and they launched a bunch of other attacks. 00:07:32.294 --> 00:07:35.060 One of the things they were able to do from the chase car 00:07:35.060 --> 00:07:37.034 is apply the brakes on the other car, 00:07:37.034 --> 00:07:38.594 simply by hacking the computer. 00:07:38.594 --> 00:07:41.025 They were able to disable the brakes. 00:07:41.025 --> 00:07:44.203 They also were able to install malware that wouldn't kick in 00:07:44.203 --> 00:07:46.628 and wouldn't trigger until the car was doing something like 00:07:46.628 --> 00:07:50.374 going over 20 miles an hour, or something like that. 00:07:50.374 --> 00:07:53.132 The results are astonishing, and when they gave this talk, 00:07:53.132 --> 00:07:54.848 even though they gave this talk at a conference 00:07:54.848 --> 00:07:56.574 to a bunch of computer security researchers, 00:07:56.574 --> 00:07:58.274 everybody was gasping. 00:07:58.274 --> 00:08:01.973 They were able to take over a bunch of critical computers 00:08:01.973 --> 00:08:05.734 inside the car: the brakes computer, the lighting computer, 00:08:05.734 --> 00:08:08.561 the engine, the dash, the radio, etc., 00:08:08.561 --> 00:08:10.854 and they were able to perform these on real commercial 00:08:10.854 --> 00:08:13.881 cars that they purchased using the radio network. 00:08:13.881 --> 00:08:16.884 They were able to compromise every single one of the 00:08:16.884 --> 00:08:19.350 pieces of software that controlled every single one 00:08:19.350 --> 00:08:22.365 of the wireless capabilities of the car. 00:08:22.365 --> 00:08:24.878 All of these were implemented successfully. NOTE Paragraph 00:08:24.878 --> 00:08:27.230 How would you steal a car in this model? 00:08:27.230 --> 00:08:30.910 Well, you compromise the car by a buffer overflow 00:08:30.910 --> 00:08:33.437 of vulnerability in the software, something like that. 00:08:33.437 --> 00:08:35.640 You use the GPS in the car to locate it. 00:08:35.640 --> 00:08:37.835 You remotely unlock the doors through the computer 00:08:37.835 --> 00:08:40.973 that controls that, start the engine, bypass anti-theft, 00:08:40.973 --> 00:08:42.641 and you've got yourself a car. NOTE Paragraph 00:08:42.641 --> 00:08:45.128 Surveillance was really interesting. 00:08:45.128 --> 00:08:48.337 The authors of the study have a video where they show 00:08:48.337 --> 00:08:50.886 themselves taking over a car and then turning on 00:08:50.886 --> 00:08:53.647 the microphone in the car, and listening in on the car 00:08:53.647 --> 00:08:56.998 while tracking it via GPS on a map, 00:08:56.998 --> 00:08:58.711 and so that's something that the drivers of the car 00:08:58.711 --> 00:09:00.879 would never know was happening. NOTE Paragraph 00:09:00.879 --> 00:09:03.013 Am I scaring you yet? 00:09:03.013 --> 00:09:04.956 I've got a few more of these interesting ones. 00:09:04.956 --> 00:09:06.789 These are ones where I went to a conference, 00:09:06.789 --> 00:09:08.722 and my mind was just blown, and I said, 00:09:08.722 --> 00:09:10.548 "I have to share this with other people." NOTE Paragraph 00:09:10.548 --> 00:09:12.171 This was Fabian Monrose's lab 00:09:12.171 --> 00:09:15.627 at the University of North Carolina, and what they did was 00:09:15.627 --> 00:09:17.702 something intuitive once you see it, 00:09:17.702 --> 00:09:19.416 but kind of surprising. 00:09:19.416 --> 00:09:21.675 They videotaped people on a bus, 00:09:21.675 --> 00:09:24.515 and then they post-processed the video. 00:09:24.515 --> 00:09:26.978 What you see here in number one is a 00:09:26.978 --> 00:09:31.361 reflection in somebody's glasses of the smartphone 00:09:31.361 --> 00:09:32.786 that they're typing in. 00:09:32.786 --> 00:09:34.761 They wrote software to stabilize -- 00:09:34.761 --> 00:09:36.126 even though they were on a bus 00:09:36.126 --> 00:09:39.337 and maybe someone's holding their phone at an angle -- 00:09:39.337 --> 00:09:41.707 to stabilize the phone, process it, and 00:09:41.707 --> 00:09:43.592 you may know on your smartphone, when you type 00:09:43.592 --> 00:09:46.531 a password, the keys pop out a little bit, and they were able 00:09:46.531 --> 00:09:49.371 to use that to reconstruct what the person was typing, 00:09:49.371 --> 00:09:53.692 and had a language model for detecting typing. 00:09:53.692 --> 00:09:56.027 What was interesting is, by videotaping on a bus, 00:09:56.027 --> 00:09:58.156 they were able to produce exactly what people 00:09:58.156 --> 00:10:00.307 on their smartphones were typing, 00:10:00.307 --> 00:10:02.567 and then they had a surprising result, which is that 00:10:02.567 --> 00:10:05.331 their software had not only done it for their target, 00:10:05.331 --> 00:10:06.734 but other people who accidentally happened 00:10:06.734 --> 00:10:08.820 to be in the picture, they were able to produce 00:10:08.820 --> 00:10:11.547 what those people had been typing, and that was kind of 00:10:11.547 --> 00:10:15.164 an accidental artifact of what their software was doing. NOTE Paragraph 00:10:15.164 --> 00:10:19.467 I'll show you two more. One is P25 radios. 00:10:19.467 --> 00:10:22.267 P25 radios are used by law enforcement 00:10:22.267 --> 00:10:25.674 and all kinds of government agencies 00:10:25.674 --> 00:10:27.410 and people in combat to communicate, 00:10:27.410 --> 00:10:30.243 and there's an encryption option on these phones. 00:10:30.243 --> 00:10:32.971 This is what the phone looks like. It's not really a phone. 00:10:32.971 --> 00:10:34.177 It's more of a two-way radio. 00:10:34.177 --> 00:10:37.499 Motorola makes the most widely used one, and you can see 00:10:37.499 --> 00:10:40.148 that they're used by Secret Service, they're used in combat, 00:10:40.148 --> 00:10:43.250 it's a very, very common standard in the U.S. and elsewhere. 00:10:43.250 --> 00:10:45.555 So one question the researchers asked themselves is, 00:10:45.555 --> 00:10:48.259 could you block this thing, right? 00:10:48.259 --> 00:10:49.842 Could you run a denial-of-service, 00:10:49.842 --> 00:10:51.666 because these are first responders? 00:10:51.666 --> 00:10:53.467 So, would a terrorist organization want to black out the 00:10:53.467 --> 00:10:57.955 ability of police and fire to communicate at an emergency? 00:10:57.955 --> 00:11:01.027 They found that there's this GirlTech device used for texting 00:11:01.027 --> 00:11:03.745 that happens to operate at the same exact frequency 00:11:03.745 --> 00:11:06.016 as the P25, and they built what they called 00:11:06.016 --> 00:11:10.350 My First Jammer. (Laughter) 00:11:10.350 --> 00:11:12.728 If you look closely at this device, 00:11:12.728 --> 00:11:16.358 it's got a switch for encryption or cleartext. 00:11:16.358 --> 00:11:19.408 Let me advance the slide, and now I'll go back. 00:11:19.408 --> 00:11:21.955 You see the difference? 00:11:21.955 --> 00:11:24.512 This is plain text. This is encrypted. 00:11:24.512 --> 00:11:27.069 There's one little dot that shows up on the screen, 00:11:27.069 --> 00:11:29.154 and one little tiny turn of the switch. 00:11:29.154 --> 00:11:31.058 And so the researchers asked themselves, "I wonder how 00:11:31.058 --> 00:11:35.315 many times very secure, important, sensitive conversations 00:11:35.315 --> 00:11:36.938 are happening on these two-way radios where they forget 00:11:36.938 --> 00:11:39.848 to encrypt and they don't notice that they didn't encrypt?" NOTE Paragraph 00:11:39.848 --> 00:11:43.187 So they bought a scanner. These are perfectly legal 00:11:43.187 --> 00:11:46.645 and they run at the frequency of the P25, 00:11:46.645 --> 00:11:48.412 and what they did is they hopped around frequencies 00:11:48.412 --> 00:11:50.922 and they wrote software to listen in. 00:11:50.922 --> 00:11:53.556 If they found encrypted communication, they stayed 00:11:53.556 --> 00:11:55.242 on that channel and they wrote down, that's a channel 00:11:55.242 --> 00:11:57.030 that these people communicate in, 00:11:57.030 --> 00:11:58.652 these law enforcement agencies, 00:11:58.652 --> 00:12:02.043 and they went to 20 metropolitan areas and listened in 00:12:02.043 --> 00:12:05.518 on conversations that were happening at those frequencies. 00:12:05.518 --> 00:12:08.757 They found that in every metropolitan area, 00:12:08.757 --> 00:12:10.911 they would capture over 20 minutes a day 00:12:10.911 --> 00:12:13.286 of cleartext communication. 00:12:13.286 --> 00:12:15.286 And what kind of things were people talking about? 00:12:15.286 --> 00:12:16.770 Well, they found the names and information 00:12:16.770 --> 00:12:19.622 about confidential informants. They found information 00:12:19.622 --> 00:12:21.824 that was being recorded in wiretaps, 00:12:21.824 --> 00:12:24.534 a bunch of crimes that were being discussed, 00:12:24.534 --> 00:12:25.696 sensitive information. 00:12:25.696 --> 00:12:29.059 It was mostly law enforcement and criminal. 00:12:29.059 --> 00:12:30.893 They went and reported this to the law enforcement 00:12:30.893 --> 00:12:32.916 agencies, after anonymizing it, 00:12:32.916 --> 00:12:35.916 and the vulnerability here is simply the user interface 00:12:35.916 --> 00:12:37.310 wasn't good enough. If you're talking 00:12:37.310 --> 00:12:40.126 about something really secure and sensitive, it should 00:12:40.126 --> 00:12:43.419 be really clear to you that this conversation is encrypted. 00:12:43.419 --> 00:12:45.305 That one's pretty easy to fix. NOTE Paragraph 00:12:45.305 --> 00:12:46.974 The last one I thought was really, really cool, 00:12:46.974 --> 00:12:49.787 and I just had to show it to you, it's probably not something 00:12:49.787 --> 00:12:50.792 that you're going to lose sleep over 00:12:50.792 --> 00:12:52.583 like the cars or the defibrillators, 00:12:52.583 --> 00:12:55.606 but it's stealing keystrokes. 00:12:55.606 --> 00:12:58.353 Now, we've all looked at smartphones upside down. 00:12:58.353 --> 00:13:00.543 Every security expert wants to hack a smartphone, 00:13:00.543 --> 00:13:05.155 and we tend to look at the USB port, the GPS for tracking, 00:13:05.155 --> 00:13:08.363 the camera, the microphone, but no one up till this point 00:13:08.363 --> 00:13:09.943 had looked at the accelerometer. 00:13:09.943 --> 00:13:11.590 The accelerometer is the thing that determines 00:13:11.590 --> 00:13:15.084 the vertical orientation of the smartphone. 00:13:15.084 --> 00:13:16.501 And so they had a simple setup. 00:13:16.501 --> 00:13:19.259 They put a smartphone next to a keyboard, 00:13:19.259 --> 00:13:21.971 and they had people type, and then their goal was 00:13:21.971 --> 00:13:24.827 to use the vibrations that were created by typing 00:13:24.827 --> 00:13:29.067 to measure the change in the accelerometer reading 00:13:29.067 --> 00:13:32.243 to determine what the person had been typing. 00:13:32.243 --> 00:13:34.819 Now, when they tried this on an iPhone 3GS, 00:13:34.819 --> 00:13:37.588 this is a graph of the perturbations that were created 00:13:37.588 --> 00:13:40.829 by the typing, and you can see that it's very difficult 00:13:40.829 --> 00:13:43.907 to tell when somebody was typing or what they were typing, 00:13:43.907 --> 00:13:46.997 but the iPhone 4 greatly improved the accelerometer, 00:13:46.997 --> 00:13:50.477 and so the same measurement 00:13:50.477 --> 00:13:52.309 produced this graph. 00:13:52.309 --> 00:13:54.795 Now that gave you a lot of information while someone 00:13:54.795 --> 00:13:58.036 was typing, and what they did then is used advanced 00:13:58.036 --> 00:14:01.043 artificial intelligence techniques called machine learning 00:14:01.043 --> 00:14:02.474 to have a training phase, 00:14:02.474 --> 00:14:04.710 and so they got most likely grad students 00:14:04.710 --> 00:14:08.499 to type in a whole lot of things, and to learn, 00:14:08.499 --> 00:14:11.267 to have the system use the machine learning tools that 00:14:11.267 --> 00:14:14.130 were available to learn what it is that the people were typing 00:14:14.130 --> 00:14:16.957 and to match that up 00:14:16.957 --> 00:14:19.434 with the measurements in the accelerometer. 00:14:19.434 --> 00:14:21.069 And then there's the attack phase, where you get 00:14:21.069 --> 00:14:23.880 somebody to type something in, you don't know what it was, 00:14:23.880 --> 00:14:25.177 but you use your model that you created 00:14:25.177 --> 00:14:28.619 in the training phase to figure out what they were typing. 00:14:28.619 --> 00:14:32.103 They had pretty good success. This is an article from the USA Today. 00:14:32.103 --> 00:14:34.712 They typed in, "The Illinois Supreme Court has ruled 00:14:34.712 --> 00:14:37.674 that Rahm Emanuel is eligible to run for Mayor of Chicago" 00:14:37.674 --> 00:14:39.028 — see, I tied it in to the last talk — 00:14:39.028 --> 00:14:41.146 "and ordered him to stay on the ballot." 00:14:41.146 --> 00:14:43.917 Now, the system is interesting, because it produced 00:14:43.917 --> 00:14:46.803 "Illinois Supreme" and then it wasn't sure. 00:14:46.803 --> 00:14:48.753 The model produced a bunch of options, 00:14:48.753 --> 00:14:51.462 and this is the beauty of some of the A.I. techniques, 00:14:51.462 --> 00:14:53.712 is that computers are good at some things, 00:14:53.712 --> 00:14:55.246 humans are good at other things, 00:14:55.246 --> 00:14:57.177 take the best of both and let the humans solve this one. 00:14:57.177 --> 00:14:58.559 Don't waste computer cycles. 00:14:58.559 --> 00:15:00.695 A human's not going to think it's the Supreme might. 00:15:00.695 --> 00:15:02.435 It's the Supreme Court, right? 00:15:02.435 --> 00:15:04.965 And so, together we're able to reproduce typing 00:15:04.965 --> 00:15:07.914 simply by measuring the accelerometer. 00:15:07.914 --> 00:15:11.416 Why does this matter? Well, in the Android platform, 00:15:11.416 --> 00:15:15.549 for example, the developers have a manifest 00:15:15.564 --> 00:15:18.148 where every device on there, the microphone, etc., 00:15:18.148 --> 00:15:20.104 has to register if you're going to use it 00:15:20.104 --> 00:15:22.420 so that hackers can't take over it, 00:15:22.420 --> 00:15:25.528 but nobody controls the accelerometer. NOTE Paragraph 00:15:25.528 --> 00:15:27.744 So what's the point? You can leave your iPhone next to 00:15:27.744 --> 00:15:29.850 someone's keyboard, and just leave the room, 00:15:29.850 --> 00:15:31.489 and then later recover what they did, 00:15:31.489 --> 00:15:33.200 even without using the microphone. 00:15:33.200 --> 00:15:35.374 If someone is able to put malware on your iPhone, 00:15:35.374 --> 00:15:38.222 they could then maybe get the typing that you do 00:15:38.222 --> 00:15:40.543 whenever you put your iPhone next to your keyboard. NOTE Paragraph 00:15:40.543 --> 00:15:42.814 There's several other notable attacks that unfortunately 00:15:42.814 --> 00:15:44.945 I don't have time to go into, but the one that I wanted 00:15:44.945 --> 00:15:47.222 to point out was a group from the University of Michigan 00:15:47.222 --> 00:15:49.663 which was able to take voting machines, 00:15:49.663 --> 00:15:52.161 the Sequoia AVC Edge DREs that 00:15:52.161 --> 00:15:53.716 were going to be used in New Jersey in the election 00:15:53.716 --> 00:15:55.877 that were left in a hallway, and put Pac-Man on it. 00:15:55.877 --> 00:15:59.500 So they ran the Pac-Man game. NOTE Paragraph 00:15:59.500 --> 00:16:01.247 What does this all mean? 00:16:01.247 --> 00:16:04.894 Well, I think that society tends to adopt technology 00:16:04.894 --> 00:16:07.718 really quickly. I love the next coolest gadget. 00:16:07.718 --> 00:16:10.332 But it's very important, and these researchers are showing, 00:16:10.332 --> 00:16:11.692 that the developers of these things 00:16:11.692 --> 00:16:14.557 need to take security into account from the very beginning, 00:16:14.557 --> 00:16:17.342 and need to realize that they may have a threat model, 00:16:17.342 --> 00:16:19.804 but the attackers may not be nice enough 00:16:19.804 --> 00:16:21.581 to limit themselves to that threat model, 00:16:21.581 --> 00:16:24.118 and so you need to think outside of the box. NOTE Paragraph 00:16:24.118 --> 00:16:25.696 What we can do is be aware 00:16:25.696 --> 00:16:28.175 that devices can be compromised, 00:16:28.175 --> 00:16:29.874 and anything that has software in it 00:16:29.874 --> 00:16:32.523 is going to be vulnerable. It's going to have bugs. 00:16:32.523 --> 00:16:36.020 Thank you very much. (Applause)