Security and Privacy Research Lab

(Cross-posted from Allen School News.)

In an illustration of just how narrow the divide between the biological and digital worlds has become, a team of researchers from the Allen School released a study revealing potential security risks in software commonly used for DNA sequencing and analysis — and demonstrated for the first time that it is possible to infect software systems with malware delivered via DNA molecules. The team will present its paper, “Computer Security, Privacy, and DNA Sequencing: Compromising Computers with Synthesized DNA, Privacy Leaks, and More,” at the USENIX Security Symposium in Vancouver, British Columbia next week.

Many open-source systems used in DNA analysis began in the cloistered domain of the research lab. As the cost of DNA sequencing has plummeted, new medical and consumer-oriented services have taken advantage, leading to more widespread use — and with it, potential for abuse. While there is no evidence to indicate that DNA sequencing software is at imminent risk, the researchers say now would be a good time to address potential vulnerabilities.

“One of the big things we try to do in the computer security community is to avoid a situation where we say, ‘Oh shoot, adversaries are here and knocking on our door and we’re not prepared,’” said professor Tadayoshi Kohno, co-director of the Security and Privacy Research Lab, in a UW News release.

Kohno and Karl Koscher (Ph.D., ’14), who works with Kohno in the Security and Privacy Research Lab, have been down this road before — literally as well as figuratively. In 2010, they and a group of fellow UW and University of California, San Diego security researchers demonstrated that it was possible to hack into modern automobile systems connected to the internet. They have also explored potential security vulnerabilities in implantable medical devices and household robots.

Kohno conceived of this latest experiment after he came across an online discussion about a tabloid headline in which a person was alleged to have been infected by a computer virus. While he wasn’t about to take that fantastical storyline at face value, Kohno was curious whether the concept might work in reverse.

Kohno, Koscher, and Allen School Ph.D. student Peter Ney — representing the cybersecurity side of the equation — teamed up with professor Luis Ceze and research scientist Lee Organick of the Molecular Information Systems Lab, where they are working on an unrelated project to create a DNA-based storage solution for digital data. The group decided not only would they analyze existing software for vulnerabilities; they would attempt to exploit them.

“We wondered whether under semi-realistic circumstances it would be possible to use biological molecules to infect a computer through normal DNA processing,” Ney said.

As it turns out, it is possible. The team introduced a known vulnerability into software they would then use to analyze the DNA sequence. They encoded a malicious exploit within strands of synthetic DNA, and then processed those strands using the compromised software. When they did, the researchers were able to execute the encoded malware to gain control of the computer on which the sample was being analyzed.

While there are a number of physical and technical challenges someone would have to overcome to replicate the experiment in the wild, it nevertheless should serve as a wake-up call for an industry that has not yet had to contend with significant cybersecurity threats. According to Koscher, there are steps companies and labs can immediately take to improve the security of their DNA sequencing software and practice good “security hygiene.”

“There is some really low-hanging fruit out there that people could address just by running standard software analysis tools that will point out security problems and recommend fixes,” he suggested. For the longer term, the group’s recommendations include employing adversarial thinking in setting up new processes, verifying the source of DNA samples prior to processing, and developing the means to detect malicious code in DNA.

The team emphasized that people who use DNA sequencing services should not worry about the security of their personal genetic and medical information — at least, not yet. “Even if someone wanted to do this maliciously, it might not work,” Organick told UW News.

While Ceze admits he is concerned by what the team discovered during their analysis, it is a concern that is largely rooted in conjecture at this point.

“We don’t want to alarm people,” Ceze pointed out. “We do want to give people a heads up that as these molecular and electronic worlds get closer together, there are potential interactions that we haven’t really had to contemplate before.”

Visit the project website and read the UW News release to learn more.

Also see coverage in Wired, The Wall Street Journal, MIT Technology Review, The Atlantic, TechCrunch, Mashable, Gizmodo, ZDNet, GeekWire, Inverse, IEEE Spectrum, and TechRepublic.

Today Security Lab PhD student Eric Zeng presented at the 13th Symposium on Usable Privacy and Security (SOUPS) in Santa Clara, CA. Eric presented his paper “End User Security & Privacy Concerns with Smart Homes” for which he conducted interviews with fifteen people living in smart homes (twelve smart home administrators and three other residents) to learn about how they use their smart homes, and to understand their security and privacy related attitudes, expectations, and actions. This work was done in collaboration with Security Lab postdoc Shrirang Mare and faculty member Franzi Roesner. Read the full research paper here. Congrats Eric on a great presentation!

The Security and Privacy Lab is excited to welcome postdoctoral researcher Earlence Fernandes. Earlence’s research focuses on computer security and privacy, with a special interest in cyber-physical systems. His recent work, a security analysis of the popular SmartThings platform, received the Distinguished Practical Paper Award at 2016 IEEE Security and Privacy. Earlence joins us after earning his PhD at the University of Michigan in 2017, where he was advised by Prof. Atul Prakash. Welcome Earlence!

Congratulations to Prof. Dr. Ada Lerner on a successful final defense!

Congratulations to Dr. Ada Lerner and Dr. Paul Vines on their PhD graduations today! Prof. Dr. Lerner will soon be joining Wellesley College as an assistant professor and Dr. Vines will be joining BAE Systems as a Principal Research Engineer. Congratulations to all the UW Allen School graduates!

(Cross-posted from Allen School News.)

A team of researchers in the Allen School’s Privacy & Security Research Lab have developed a new system, SeaGlass, which could bring more transparency and accountability to cell-phone surveillance. SeaGlass is capable of detecting anomalies in the cellular network that may indicate the presence of surveillance devices called IMSI-catchers (also known as cell-site simulators or Stingrays), which track individuals through their International Mobile Subscriber Identity by posing as a legitimate cell tower.

WIRED magazine recently talked to the researchers about SeaGlass and their hope that the findings contribute to the public discourse. From the article:

“Law enforcement’s use of the surveillance devices known as stingrays, fake cell towers that can intercept communications and track phones, remains as murky as it is controversial, hidden in non-disclosure agreements and cloak-and-dagger secrecy. But a group of Seattle researchers has found a new method to track those trackers: by recruiting ridesharing vehicles as surveillance devices of their own.

“For two months last year, researchers at the University of Washington paid drivers of an unidentified ridesharing service to keep custom-made sensors in the trunks of their cars, converting those vehicles into mobile cellular data collectors.”

The article explains how the information gathered by those mobile data collectors was analyzed to identify irregularities in the network compared to normal cell tower behavior, which could indicate that a surveillance device is active in the area. By using off-the-shelf parts and deploying the system on fleet vehicles that cover a lot of ground during their normal course of business, the researchers demonstrated SeaGlass to be an inexpensive and unobtrusive way to map the cellular landscape.

During the pilot, the system detected three anomalies in the greater Seattle area that piqued the team’s interest. Although the results do not offer conclusive proof of an IMSI-catcher, they do provide a good starting point for further exploration — and for an overdue conversation about surveillance practices.

“Up until now the use of IMSI-catchers around the world has been shrouded in mystery, and this lack of concrete information is a barrier to informed public discussion,” Ph.D. student Peter Ney said in a UW News release. “Having additional, independent and credible sources of information on cell-site simulators is critical to understanding how — and how responsibly — they are being used.”

The team, which also includes Allen School research scientist Ian Smith, Ph.D. student Gabriel Cadamuro, and professor Tadayoshi Kohno, hopes that its work will contribute to a more robust public debate over cell-phone surveillance. They describe in detail the SeaGlass technology and results of the pilot in a paper that will be published this month in the Proceedings on Privacy Enhancing Technologies.

“SeaGlass is a promising technology that — with wider deployment — can be used to help empower citizens and communities to monitor this type of surveillance,” said Smith. “This issue is bigger than one team of researchers. We’re eager to push this out into the community and find partners who can crowdsource more data collection and begin to connect the dots in meaningful ways.”

Read the WIRED story here, the UW News release here, and additional coverage by TechCrunch, Gizmodo, and Engadget. Learn more at the SeaGlass website here.

Congratulations to Dr. Paul Vines on a successful final defense!

Security Lab PhD student Eric Zeng gave a great Quals Talk today at the Allen School, describing his work studying end user security and privacy concerns with smart homes. The Quals project and talk — along with all the relevant coursework — fulfill a major milestone along the path to a PhD. Eric will be presenting a similar talk at the Symposium on Usable Privacy and Security (SOUPS) in July. Congratulations Eric!

Today Security Lab PhD student Kiron Lebeck presented at the 38th IEEE Symposium on Security & Privacy (Oakland) in San Jose, CA. Kiron presented his paper “Security Augmented Reality Output”, describing a design for an augmented reality platform that mitigates risks from buggy or malicious application output (e.g., virtual content that obscures a user’s view of important physical world objects, like oncoming cars, or that startles a user). This work was done in collaboration with Security Lab undergraduate researcher Kimberly Ruth and faculty members Yoshi Kohno and Franzi Roesner. Congrats Kiron on a great presentation!

Read the full research paper here and learn more about the UW Security Lab’s efforts on security and privacy for emerging augmented reality platforms here. This work was also recently covered by Science.

Security Lab undergraduate researcher Kimberly Ruth spoke today at UW’s Undergraduate Research Symposium. Kimberly discussed her work on security and privacy for emerging augmented reality technologies, in collaboration with Security Lab PhD student Kiron Lebeck and lab co-directors Professors Yoshi Kohno and Franzi Roesner, which will also appear later this month at the IEEE Symposium on Security and Privacy (Oakland) 2017. Great talk, Kimberly!