In this week’s episode of The Security Ledger Podcast (#86) we speak with Dr. Kevin Fu of the University of Michigan about research he conducted that casts doubts on reports of mysterious acoustic attacks on US embassy employees in Havana, Cuba. Also: Chip Block of Evolver talks about the Securities and Exchange Commission’s expanded cyber security guidance. And finally: thousands of radiologic sensors were deployed in the U.S. following the attacks of September 11 2001. We’ll look at new efforts to secure those systems from cyber attack.
The US State Department decided last week to make staff cuts to the Cuban Embassy permanent, citing a need to protect American personnel from what the State Department called a series of “health attacks” – reportedly sonic assaults that left embassy staff and employees with hearing loss and a range of other symptoms. But did attacks really take place?
Bad Vibes in Havana
Our first guest, Professor Kevin Fu of the University of Michigan, thinks there’s good reason to believe they didn’t. Writing for The Conversation last week, he and fellow researcher Wenyuan Xu said they were able to recreate the mysterious behavior described by American diplomats in their lab.
“We were able to use ultrasonic tones to create sounds like those that were described and recorded in Cuba. No single ultrasonic tone would do this, but as with musical combination tones, combining more than one can create audible byproduct sounds, including by accident,” Fu and Xu wrote.
The culprit? Fu told The Security Ledger it was likely “interference by ultrasonic emitters causing audible byproducts.” In our conversation, I asked Fu – one of the leading experts on the security of embedded devices – what that mouthful of words means, what might have been the source of the disturbing sounds experienced by Embassy staff and what this means for the future, as millions of wireless, sensing and emitting devices begin to populate our environment.
[Check out our previous conversation with Dr. Fu here: Episode 81: Hacking IoT with Physics, Poor Grades for Safety Wearables and Peak Ransomware]
It has been almost seven years since the Securities and Exchange Commission issued its first guidance about the need for companies to disclose so-called cyber incidents. That guidance set a high bar: asking companies to disclose only breaches that were material to the company and then leaving it up to regulated firms to decide what the threshold for materiality was. No surprise: the intervening years saw few voluntary disclosures of cyber incidents by companies that hadn’t already become the subject of headlines and news coverage in the public.
In recent days, however, the SEC has updated that guidance, providing far more specific and granular instructions to regulated firms on the matter of cyber incident disclosure. The new guidance also has some intriguing implications for connected device makers. In the second part of this week’s podcast, we invited Chip Block of the firm Evolver back into the SL studio to talk about the SEC’s new guidance.
Watching the Detectors
In our final segment: more than 2,000 radiologic detectors were deployed at US ports of entry following the attacks of 9/11. The nondescript roadside boxes can stand more than 14 feet tall and sniff out fissile material passing by in trucks, cars or shipping containers. But are those radiologic detectors as good at fending off cyber attacks? In our final segment, we speak with Dr. Rico Chandra, the CEO and co-founder of Arktis, which makes radiologic detectors, about efforts to shore up this critical infrastructure against cyber attack and the steps his company is taking to harden their devices.