The Security Ledger podcast

Episode 98: Using physics to crash hard drives and making sense of IoT standards

In this episode of The Security Ledger Podcast (#98): can sound waves be used to crash a hard drive? We’ll talk to one member of an international team of researchers who showed that, yes, they can. And Fractional CISO Rob Black joins us to talk about Internet of Things security standards. With so many to choose from, will we ever see “one standard to rule them all”?

Bad vibrations: sonic attacks could crash hard drives

In the information security space, most of the ‘bad stuff’ we talk and write about concerns attacks on software. SQL injection, buffer overflows, cross-site scripting attacks – all seek to subvert the proper operation of software and applications.

But what about the hardware that software runs on top of? Isn’t that also vulnerable? We know, of course, about flaws buried in processor chips like the Meltdown and Spectre bugs as well as newer variants of those flaws. But what if you go even deeper – looking not just at the brain of a system but at the physical properties of the hardware that allow the machine to operate?

Researchers used acoustic attacks to crash magnetic disk drives.

That’s what researcher Kevin Fu has been up to with his graduate students at the University of Michigan: examining what he calls “physics-based hacks” that seek to manipulate the operation of an IT system by leveraging the physical properties of the device itself.

His lab’s latest work, conducted with researchers from Zhejiang University in China, involves ultrasonic and sonic attacks on magnetic hard disk drives. Fu and his team found that they could cause the drives to malfunction and crash using nothing more than commodity, $20 speakers and targeted sonic and ultrasonic blasts.

In our first segment, I spoke with Connor Bolton, a graduate student who was part of the University of Michigan team, about that research and what the implications are for companies with sensitive IT systems and operations.

One IoT standard to rule them all?

Our fifth Security of Things Forum is happening in less than a month. (June 19 in Boston – get your tickets now!) At this year’s show in Boston, we’ll be looking hard at the fast-evolving but crowded field of Internet of Things security standards. Among the fundamental questions we want to answer: what commonalities exist between these many competing standards, whether it’s practical to have one to govern the security of connected devices and – if so – what that standard might look like.

Rob Black is the founder of Fractional CISO. He’s on Twitter @IoTSecurityGuy

To help sort through that issue, I invited the moderator of our June panel, Rob Black, into the studio. A principal at Fractional CISO, Rob is an expert on all things security and IoT. In this conversation, Rob talks about the IoT standards that are most promising and gives his vision of a successful security standard for connected devices. Rob says that the IoT may be too broad to ever be governed by a single security standard.

That said: the need for functioning standards is greater now than ever before, especially as software-driven systems come to govern life- and safety-critical machinery.

Check out our conversation!