Allen School and UCSD teams earn Test of Time award for making automobiles safer from cyberattacks

(Reposted from Allen School News, by Kristine White)

Back in 2011, a team of University of Washington and University of California San Diego researchers published a paper detailing how they could remotely hack into a pair of 2009 Chevy Impalas. By targeting a range of attack vectors including CD players, Bluetooth and cellular radio, the researchers were able to control multiple vehicle functions, from the windshield wipers to the brakes.

Since its publication, the team’s research has helped lead to new standards for motor vehicle security and put the brakes on automobile cyberattacks. For their lasting contributions, their paper titled “Comprehensive Experimental Analyses of Automotive Attack Surfaces” received the Test of Time Award at the 34th USENIX Security Symposium in Seattle earlier this month.  

“I was only a first-year graduate student when we started this project, and I had just switched my focus to security. It was such a privilege to be able to help out on such an important and impactful project, and to learn from all of the other members of the team about how to do this kind of research,” said co-author Franziska Roesner (Ph.D., ‘14), Brett Helsel Professor and co-director of the Security and Privacy Research Lab in the Allen School. 

Modern automobiles are made up of independent computers called electronic control units (ECUs), typically connected through the Controller Area Network (CAN), that oversee different motor functions. In a previous paper, the team found that an attacker physically connected to the car’s internal network could override critical safety systems. Building off of that work, the researchers analyzed the modern automobile’s external attack surface and found that an adversary could hack into a car from miles away.

The team identified three categories of components that were vulnerable to cyberattacks. An attacker could use an indirect physical channel, such as tools that connect to the OBD-II port, which can access all CAN buses in the car, or the media player. For example, the researchers compromised the car’s radio and then used a doctored CD to upload custom firmware. If an attacker is able to place a wireless transmitter in proximity to the car’s receiver, they can gain access to the ECU via Bluetooth or even remote keyless entry, the team found. Attackers do not have to be nearby to wreak havoc. Using long-range communication channels such as cellular, it is possible to exploit vulnerabilities in how the car’s telematics unit uses the aqLink code to remotely control the vehicle.

“More than 10 years ago, we saw that devices in our world were becoming incredibly computerized, and we wanted to understand what the risks might be if they continued to evolve without thought toward security and privacy,” said senior author Tadayoshi Kohno, who was then a professor at the Allen School, now faculty at Georgetown University, in a UW News release.

The impact of the team’s work can still be felt today. As a result of the research, car manufacturers including GM have hired entire security teams. The work has influenced the development of guidelines for original equipment manufacturers (OEMs) and also led to the creation of the Electronic Systems Safety Research Division at the National Highway Traffic Safety Administration. As cars grow increasingly connected and autonomous, the insights from the UW and UCSD collaboration will continue to inform the automotive industry’s defenses against emerging threats.

“Beyond the practical impact of the work, that experience has also made for great stories to tell in the computer security courses I teach now — for example, the time that we accidentally set the car’s horn to a permanent ‘on’ state while experimenting outside the Allen Center,” Roesner said.

Joining Roesner and Kohno at UW at the time of the original paper were Karl Koscher (Ph.D., ‘14), now a postdoc at UCSD, and Alexei Czeskis (Ph.D., ‘13), currently at LinkedIn. The original University of California San Diego group was made up of UCSD faculty members Stefan Savage (Ph.D., ‘02) and Hovav Shacham; Stephen Checkoway (B.S., ‘05), now faculty at Oberlin College; Damon McCoy, faculty at New York University; Danny Anderson, who runs a software consulting company; and the late researcher Brian Kantor.

Read the full paper here, as well as a related article from the NYU Tandon School of Engineering.

Security Lab @ FAccT 2025

UW Security Lab members presented two papers at the ACM Conference on Fairness, Accountability, and Transparency (FAccT) in Athens, Greece this week:

Congratulations 2025 Graduates!!

The UW Security Lab is so excited to congratulate our 2025 graduates!! It’s been an honor to work with all of you and we can’t wait to see where your careers lead you!

Left to right in the photo: Prof. Franzi Roesner, Prof. Yoshi Kohno, Dr. Miranda Wei (PhD graduate), Dr. Kaiming Cheng (PhD graduate), Evan Lam (BS graduate), Basia Radka (MS graduate), Dr. Kentrell Owens (PhD Graduate).

Celebrating 2025 PhD Defenses: Kaiming Cheng, Kentrell Owens, and Miranda Wei

The end of this academic year brings the (successful) completion of three Security Lab PhDs. In the last several weeks, the following students have successfully defended their dissertations and will soon be off to do great things in the world! Ordered alphabetically:

  • Kaiming Cheng defended his dissertation titled “Toward Safer Augmented Reality: Securing Input, Output, and Interaction”. Kaiming will join Meta as a Research Scientist.
  • Kentrell Owens defended his dissertation titled “Technology and Power: Examining Imbalances Through Usable Security & Privacy Research”. Kentrell will move to Germany to do a postdoc with Yixin Zou at the Max Planck Institute for Security & Privacy (MPI-SP).
  • Miranda Wei defended her dissertation titled “Against Online Abuse and Toward Sociotechnical Security & Privacy”. Miranda will join EPFL as an assistant professor after a year as a postdoc at Princeton’s Center for Information Technology Policy (CITP).

Congratulations, all!!

Allen School researchers explore how to make online ads more accessible — and less annoying — for screen reader users

(Cross-posted from Allen School News.)

Even the most well-designed and accessible websites may inadvertently have inaccessible elements — advertisements. Pesky pop-ups or bothersome banner ads may be easy for many people to navigate away from, but for those who use screen readers, ads that are not developed with accessibility in mind can make browsing online a frustrating experience. 

Allen School Ph.D. student Christina Yeung, alongside professors Franziska Roesner and Tadayoshi Kohno, wanted to understand just how problematic inaccessible ads can be to users who rely on screen readers. By auditing how ads use, or do not use, accessible elements and pairing that with interviews with blind participants about their browsing experience, the researchers found that the overall online ad ecosystem is fairly inaccessible for users with screen readers. However, encouraging ad platforms to adhere to existing web accessibility guidelines can help make surfing the web a better experience for everyone.

The researchers presented their paper “Analyzing the (In)Accessibility of Online Advertisements” at the 2024 ACM Internet Measurement Conference (IMC) in Madrid, Spain, last November, where it received the Best Paper Award.

“Online ads are everywhere and so pervasive. If you’re browsing on your phone, or even have an ad blocker on your laptop — you will still see ads,” lead author Yeung said. “But because ads are designed with the intent to visually tell you what’s going on, for those who are blind and use screen readers, they can be even more problematic in ways that other people might not think about on a day-to-day basis.”

Yeung and her collaborators analyzed the behavior of over 8,000 ads across 90 different websites based on how well they adhere to Web Content Accessibility Guidelines (WCAG) best practices. Over the course of a month, the team looked at whether the ads disclosed their third-party content status to screen readers as well as their use of HTML assistive attributes such as alt-text and aria-labels. These elements ensure that screen readers can perceive images and other non-text elements on the ad. They also tracked the number of interactive elements each ad had and if there was any missing text associated with links or buttons. For an ad with 15 interactive elements, someone who uses the tab key to maneuver through ads would need to press it 15 times to reach other content on the site. If an ad has a button without associated text, instead of telling the user what it does, the screen reader will just say “button.”

The researchers found that the majority of the ads contained inaccessible elements. More than half of the ads had no alt-text at all, or had empty or non-descriptive strings. Many assistive attributes included non-descriptive language such as “ad” or “image.” They also noticed that ad developers were using title attributes to provide information, contrary to WCAG guidelines. Title attributes can provide more context to specific HTML elements, appearing as a tooltip when a user hovers their mouse over the element. However, not all screen readers can consistently interact with them. 

“Inaccessible ads have two primary problems,” Yeung said. “First, people can’t differentiate what the content is, so they can’t even make the decision as to whether or not they want to interact with it. Secondly, ads that are designed poorly really do negatively impact browsing in a way that can be quite cumbersome.”

Yeung then interviewed blind participants who use screen readers to understand just how burdensome these poorly designed ads can be. All of the participants reported that these ads both distracted and detracted from their web browsing experience as they were difficult to navigate away from. Because many ads did not disclose their third-party status, participants often had to use context clues to identify them. For example, if someone was on a news site and suddenly heard content about furniture, they would know that the furniture content was the ad. While the researchers did not evaluate pop-up ads in the study, participants brought up how frustrating these ads are because they are difficult to close, and participants struggled to get back to where they were on the page before the ad appeared.

Only a few large companies dominate the ad landscape, so refining how they adhere to accessibility guidelines can make a noticeable difference. Major ad platforms such as Google, Yahoo and Criteo could create and enforce policies requiring ads to provide meaningful information to screen readers in the HTML attributes. They could also go a step further and develop templates that encourage using assistive attributes and reject ads with generic or missing information, Yeung explained.

“By making some fairly minor changes, we can improve the ecosystem in a way that makes browsing more equitable for everyone,” Yeung said.

Next, Yeung is looking into people’s perceptions of the data collection practices of different generative artificial intelligence companies.

Read the full paper on ad inaccessibility.

Honorable Mention @ CHI 2025

Congratulations to Security Lab students Miranda Wei and Tina Yeung, along with faculty members Franzi Roesner and Yoshi Kohno, for receiving an Honorable Mention Award for their paper at the 2025 Conference on Human Factors in Computing Systems (CHI), titled “‘We’re utterly ill-prepared to deal with something like this’: Teachers’ Perspectives on Student Generation of Synthetic Nonconsensual Explicit Imagery”. The paper’s abstract:

Synthetic nonconsensual explicit imagery, also referred to as “deep-fake nudes”, is becoming faster and easier to generate. In the last year, synthetic nonconsensual explicit imagery was reported in at least ten US middle and high schools, generated by students of other students. Teachers are at the front lines of this new form of image abuse and have a valuable perspective on threat models in this context. We interviewed 17 US teachers to understand their opinions and concerns about synthetic nonconsensual explicit imagery in schools. No teachers knew of it happening at their schools, but most expected it to be a growing issue. Teachers proposed many interventions, such as improving reporting mechanisms, focusing on consent in sex education, and updating technology policies. However, teachers disagreed about appropriate consequences for students who create such images. We unpack our findings relative to differing models of justice, sexual violence, and sociopolitical challenges within schools.

You can read the full paper at this link. Miranda will soon travel to attend CHI in Japan and present the paper.
