Episode 81: Hacking IoT with Physics, Poor Grades for Safety Wearables and Peak Ransomware

In this week’s podcast: researcher Kevin Fu of University of Michigan discusses his work on attacks that use physics to manipulate connected devices. Also: Mark Loveless of DUO discusses his research into how poor implementation of wireless protocols makes personal security trackers a privacy risk. And have we seen peak ransomware? Adam Kujawa of the firm Malwarebytes joins us to talk about the findings of that company’s State of Malware Report.

To date, billions of dollars have been invested in technology to address the risks posed by software security holes. But what about flaws in the very components that make up modern, connected devices? The materials that make up transistors, circuit boards, motion sensors and other devices have physical properties that make them vulnerable to analog attacks.

It’s the analog, stupid

Together with Wenyuan Xu of Zhejiang University, our first guest, Kevin Fu, a professor at The University of Michigan, is warning of the risks posed by these so-called “physics based” attacks on sensors and billions of other vulnerable components that populate our world. Sound and electromagnetic waves and other analog signals can be used to cause sensors to misbehave, in the same way that braces can be used to channel radio signals. But in the emerging Internet of Things, the consequences of these attacks could be dire.

To start our conversation, Kevin talks about so-called “transduction attacks” and how manipulating the physical properties of devices is a way to violate the “social contract” that exists between hardware and software and affect the behavior of software-driven sensing devices.

Wearables pose risks to safety and (national) security

The Washington Post reported over the weekend that fitness trackers worn by military personnel were inadvertently betraying the location of U.S. military installations, including secret bases used by special forces in countries like Syria. The report is just the latest to highlight the privacy and security risks that fitness trackers, smart phones and other connected, sensor-rich devices pose to personal (and even state) security.

The insides of a Revolar device, one of three tested by DUO Security, which found wide discrepancies in the security of the personal safety wearables. (Image courtesy of DUO Security.)

Mark Loveless knows this first hand. The researcher at DUO Security just wrapped up a months-long audit of personal safety tracking devices that are being sold to consumers. The devices, which can serve both as personal trackers and panic buttons, are used by individuals afraid of being stalked by strangers or acquaintances, and by human rights activists living under repressive regimes.

But Loveless found that the security of the devices is no sure bet. In fact, he found vast differences in the security and privacy protections of the three devices he tested, all of which used the Bluetooth wireless protocol. Security flaws in some could make it easy to track or discover someone using a wearable safety device, or to secretly disable the device without the wearer noticing.

Are we at peak ransomware?

Folks who follow the oil market often ruminate about “peak oil,” the (fictional?) point at which oil production reaches its maximum and begins a slow but steady decline until the point – in the distant future – when human civilization finds a way to do what it needs without oil. But what about malware? Do cybercriminal markets follow patterns similar to, say, commodities like petroleum?

That was one of the questions we discussed with Adam Kujawa, the director of malware intelligence at the firm Malwarebytes. What prompted us was a section of Malwarebytes’ State of Malware Report for 2017 that noted ransomware use and development, after expanding rapidly in the past few years, experienced a decline in the second half of 2017.

Kujawa was skeptical of the notion of “peak ransomware.” But it was true, he noted, that while the number of ransomware attacks jumped in 2017, by the end of the year it was clear that ransomware had lost its luster and that cybercriminals had moved on to other malware like adware and spyware. In the third segment of our podcast, Kujawa gives his thoughts on the reasons for the decline in ransomware and talks about what kinds of threats and attacks have replaced it.