Month: August 2017

Thanks to this year’s location in our neighboring city of Vancouver, Canada, nearly the entire UW Security and Privacy Lab was able to attend the 26th USENIX Security Symposium. It was a great conference!

(Cross-posted from Allen School News.)

Allen School professor Franziska Roesner has been recognized with a 2017 TR35 Award, MIT Technology Review’s annual celebration of the world’s 35 top innovators under the age of 35. Roesner is honored in the “Inventors” category, recognizing the visionary individuals who are creating the breakthroughs and building the technologies that will shape the future.

Roesner co-directs the Allen School’s Security and Privacy Research Lab, where she analyzes the security and privacy risks of existing and emerging technologies and develops tools to safeguard end users. She is also a member of the University of Washington’s interdisciplinary Tech Policy Lab.

She is the first computer scientist to analyze the risks associated with augmented reality (AR) technologies in order to support the design of systems that mitigate vulnerabilities in these emerging platforms. These technologies are becoming increasingly popular, not only for entertainment but also for assistive purposes, such as heads-up windshield displays in cars. When Roesner began studying them in 2011, products such as Google Glass had not been announced yet and such technologies were still largely in the realm of science fiction. Roesner’s research covers issues associated with both inputs and outputs, from the potentially sensitive sensor data these platforms collect on users in the course of their interactions, to the impact of visual ad content on the safety of users and bystanders. Her impact in AR and virtual reality (VR) extends beyond the lab: her research has made her a go-to source for other researchers, government regulators, and industry leaders on how to counter the privacy, security, and safety risks in order to realize the full potential of these emerging technologies.

Web privacy and security is another area in which Roesner has produced pioneering research that has had a lasting impact on users. In 2011, when web tracking was a nascent concern, she produced the first comprehensive measurement of third-party tracking on the web. More recently, her team studied the evolution of tracking methods over a 20-year period, from 1996 to 2016 using a novel tool called Tracking Excavator. Roesner previously built a new anti-tracking tool, ShareMeNot, whose code was incorporated into the Electronic Frontier Foundation’s PrivacyBadger browser add-on. PrivacyBadger and other add-ons that incorporated ShareMeNot’s ideas are used by millions of people to safeguard their privacy online.

Another user group that has benefitted from Roesner’s user-centric research is journalists and others who rely on secure communication with sources, clients, and colleagues. After hearing stories like how it took reporter Glenn Greenwald months to establish a secure email connection with source Edward Snowden, she collaborated with experts from the journalism community on a study of the computer security needs of journalists and lawyers. Based on those findings, Roesner spearheaded the development of Confidante, a usable encrypted email client that offers the security of traditional encryption technologies without the friction of traditional key management and verification.

“Ideally, we’d like to design and build security and privacy tools that actually work for end users. But to do that, we need to engage with those users, to understand what they need, and not build technology in isolation,” Roesner told UW News.

“As our technologies progress and become even more integral to our lives, the push to consider privacy and security issues will only increase,” she said.

Before joining the UW faculty in 2014, Roesner earned her Ph.D. and Master’s degree from the Allen School working with professor Tadayoshi Kohno, and bachelor’s degrees in computer science and liberal arts from the University of Texas at Austin.

Since 1999, MIT Technology Review has published its annual list of “Innovators Under 35” recognizing exceptional early-career scientists and technologists whose research has the potential to change the world. Past TR35 honorees include Allen School faculty members Shyam Gollakota and Kurtis Heimerl (2014), Jeffrey Heer and Shwetak Patel (2009), and Tadayoshi Kohno (2007), and alumni Kuang Cheng (2014), Noah Snavely (2011), Scott Saponas (2010), Jeffrey Bigham and Adrien Treuille (2009), and Karen Liu and Tapan Parikh (2007).

View Roesner’s TR35 profile here and the full list of 2017 TR35 recipients here.

Congratulations, Franzi!

(Cross-posted from Allen School News.)

Researchers from the Allen School’s Networks & Mobile Systems Lab and Security and Privacy Research Lab teamed up on a new project, CovertBand, to demonstrate how smart devices can be converted into surveillance tools capable of secretly tracking the body movements and activities of users and their companions. CovertBand turns off-the-shelf devices into active sonar systems with the help of acoustic pulses concealed in music. The team’s findings reveal how increasingly popular smart home assistants and other connected devices could be used to compromise users’ privacy in their own homes — even from half a world away.

“Most of today’s smart devices including smart TVs, Google Home, Amazon Echo and smartphones come with built-in microphones and speaker systems — which lets us use them to play music, record video and audio tracks, have phone conversations or participate in videoconferencing,” Allen School Ph.D. student and co-lead author Rajalakshmi Nandakumar told UW News. “But that also means that these devices have the basic components in place to make them vulnerable to attack.”

As fellow author and Ph.D. student Alex Takakuwa points out, “Other surveillance approaches require specialized hardware. CovertBand shows for the first time that through-barrier surveillance is possible using no hardware beyond what smart devices already have.”

CovertBand relies on repetitive acoustic pulses in the range of 18 to 20 kHz. While that is typically low enough that most adults are unlikely to pick up on the signals, young people and pets might — and an audible volume is required for more distant surveillance or to pick up activity through walls. To get around this, the team found that they could disguise the pulses under a layer of music, with repetitive, percussive beats the most effective at hiding the additional sound.

“To our knowledge, this is the first time anyone has demonstrated that it is possible to convert smart commodity devices into active sonar systems using music,” said Allen School professor and co-author Shyam Gollakota.

By connecting a smartphone to a portable speaker or flat-screen TV, the researchers discovered they could use the data collected through CovertBand to accurately identify repetitive movements such as walking, jumping, and exercising up to a distance of six meters within line of sight, and up to three meters through walls. Having proven the concept, researchers believe a combination of more data and the use of machine learning tools would enable rapid classification of a greater variety of movements — and perhaps enable the identification of the individual making them.

With CovertBand, Allen School researchers have identified a plausible threat, given the increasing ubiquity of these devices in our pockets and in our living rooms. But our embrace of emerging technologies needn’t end on a sour note. As professor and co-author Tadayoshi Kohno points out, when it comes to cybersecurity, knowledge is power.

“We’re providing education about what is possible and what capabilities the general public might not know about, so that people can be aware and can build defenses against this,” he said.

The researchers will present a paper detailing their findings at the Ubicomp 2017 conference in Maui, Hawaii next month.

Read the full UW News release here. Learn more and listen to samples of the CovertBand attack music on the project web page here. Check out articles on CovertBand in Fast Company, Digital Trends, New Atlas, and The Register.

(Cross-posted from Allen School News.)

In an illustration of just how narrow the divide between the biological and digital worlds has become, a team of researchers from the Allen School released a study revealing potential security risks in software commonly used for DNA sequencing and analysis — and demonstrated for the first time that it is possible to infect software systems with malware delivered via DNA molecules. The team will present its paper, “Computer Security, Privacy, and DNA Sequencing: Compromising Computers with Synthesized DNA, Privacy Leaks, and More,” at the USENIX Security Symposium in Vancouver, British Columbia next week.

Many open-source systems used in DNA analysis began in the cloistered domain of the research lab. As the cost of DNA sequencing has plummeted, new medical and consumer-oriented services have taken advantage, leading to more widespread use — and with it, potential for abuse. While there is no evidence to indicate that DNA sequencing software is at imminent risk, the researchers say now would be a good time to address potential vulnerabilities.

“One of the big things we try to do in the computer security community is to avoid a situation where we say, ‘Oh shoot, adversaries are here and knocking on our door and we’re not prepared,’” said professor Tadayoshi Kohno, co-director of the Security and Privacy Research Lab, in a UW News release.

Kohno and Karl Koscher (Ph.D., ’14), who works with Kohno in the Security and Privacy Research Lab, have been down this road before — literally as well as figuratively. In 2010, they and a group of fellow UW and University of California, San Diego security researchers demonstrated that it was possible to hack into modern automobile systems connected to the internet. They have also explored potential security vulnerabilities in implantable medical devices and household robots.

Kohno conceived of this latest experiment after he came across an online discussion about a tabloid headline in which a person was alleged to have been infected by a computer virus. While he wasn’t about to take that fantastical storyline at face value, Kohno was curious whether the concept might work in reverse.

Kohno, Koscher, and Allen School Ph.D. student Peter Ney — representing the cybersecurity side of the equation — teamed up with professor Luis Ceze and research scientist Lee Organick of the Molecular Information Systems Lab, where they are working on an unrelated project to create a DNA-based storage solution for digital data. The group decided not only would they analyze existing software for vulnerabilities; they would attempt to exploit them.

“We wondered whether under semi-realistic circumstances it would be possible to use biological molecules to infect a computer through normal DNA processing,” Ney said.

As it turns out, it is possible. The team introduced a known vulnerability into software they would then use to analyze the DNA sequence. They encoded a malicious exploit within strands of synthetic DNA, and then processed those strands using the compromised software. When they did, the researchers were able to execute the encoded malware to gain control of the computer on which the sample was being analyzed.

While there are a number of physical and technical challenges someone would have to overcome to replicate the experiment in the wild, it nevertheless should serve as a wake-up call for an industry that has not yet had to contend with significant cybersecurity threats. According to Koscher, there are steps companies and labs can immediately take to improve the security of their DNA sequencing software and practice good “security hygiene.”

“There is some really low-hanging fruit out there that people could address just by running standard software analysis tools that will point out security problems and recommend fixes,” he suggested. For the longer term, the group’s recommendations include employing adversarial thinking in setting up new processes, verifying the source of DNA samples prior to processing, and developing the means to detect malicious code in DNA.

The team emphasized that people who use DNA sequencing services should not worry about the security of their personal genetic and medical information — at least, not yet. “Even if someone wanted to do this maliciously, it might not work,” Organick told UW News.

While Ceze admits he is concerned by what the team discovered during their analysis, it is a concern that is largely rooted in conjecture at this point.

“We don’t want to alarm people,” Ceze pointed out. “We do want to give people a heads up that as these molecular and electronic worlds get closer together, there are potential interactions that we haven’t really had to contemplate before.”

Visit the project website and read the UW News release to learn more.

Also see coverage in Wired, The Wall Street Journal, MIT Technology Review, The Atlantic, TechCrunch, Mashable, Gizmodo, ZDNet, GeekWire, Inverse, IEEE Spectrum, and TechRepublic.