The Risk of Too Many Smart Devices
It happens to all of us: those sudden moments when we realize we forgot to bring our phones. In those moments we panic and quickly try to find them, as if our life depends on them. Moments such as those prove how dependent we have become on technology and electronic devices. We rely on electronic devices in all aspects of our lives, but has it occurred to you that these smart devices could be spying on us 24/7? Believe it or not, they are monitoring us constantly, and they know all our secrets.

We have become dependent more than ever on electronic devices, and unfortunately the COVID era has contributed to it even more. We are using our smartphones and personal computers for literally everything these days, from attending school classes or work meetings, to hanging out and mingling with our friends online, say, using applications such as Clubhouse or Skype, or even shopping online. And our lives are tied up with so many smart devices, such as fitness trackers, autonomous vehicles, smart appliances, or even smart tattoos. A collection of these smart devices forms the Internet of Things, or in short, IoT.

IoT brings new opportunities. In IoT every device is connected to the internet, and they can potentially be connected to each other. It opens the door to smarter homes and smarter cities, and it enables us to have more capabilities that each of these individual devices cannot provide on their own.

However, IoT increases the attack surfaces due to the increased connectivity and their huge complexity, and because of that complexity the risk of cyber attacks has increased more than ever. By the end of 2021 there are more than 47 billion IoT devices around the world. You can relate to it by looking at your own devices: you can see that we can easily have seven or eight devices, and this is not an exaggeration, that huge number.

So these devices are collecting, monitoring, analyzing, and communicating our most intimate data, such as health-related data or financial data, to be able to provide real-time aid on a daily basis. But have you ever thought that this information collected by these devices can be misused or even sent to bad guys? It's not an urban myth. The reality is that every time you choose to add a smart device to your daily life, you are losing more and more privacy.

Let me talk about something that happened to me, and I think that several of you have come across similar scenarios. A few months ago I was talking to my friends about purchasing a new laptop. We were talking about different brands such as Apple, HP, Lenovo. It was small talk that can happen every day. But later that day I actually got some relevant recommendations and advertisements on my Facebook and Amazon accounts, and I believe it kind of made me really think that maybe these infrastructures can see what we say, and they can use it for personalized advertisements.

There are several of these scenarios reported around the world. The first example is about the fitness tracker called Strava. In 2018 they decided to release the heat map of the running traces of their most active users. It was a commercial act, but somehow it disclosed some of our nation's secrets. It happened that, using these heat maps, we can find the location of some of our military bases. The soldiers involved had higher exercise requirements, which made them the most active users of this fitness tracker, and later on Google Maps satellites could be used to go and see which roads and buildings these soldiers use more frequently.

Another example is about a security camera that was designed and manufactured in China. There was a security bug in these security cameras that actually directed the data stream of the videos collected by these security cameras and just sent them to somebody else randomly. In this figure you can see that the video of a baby has been directed to somebody else's iPad randomly.

Another very similar and very recent example was about a security camera called Verkada. The security cameras that this startup developed had some kind of security bugs, so attackers could use the underlying vulnerability and access the video of customers. In this figure you can see that they actually accessed the video of Tesla in one of the warehouses in Shanghai.

The main motivation behind most of these attacks is either to steal or expose data, to target financial assets, or to be able to access user accounts. Every day there are three million attacks happening around the world. Most of these cyber attacks target vulnerabilities at the software level. For example, a bug in your Facebook application or in the Windows operating system could enable attackers to overthrow your device or your account, to be able to take it over.

However, these software vulnerabilities can be patched using updates. Probably you have seen a set of security update notifications when you wanted to turn off your laptop, and whenever you install those updates your system will be immune to the relevant attacks. However, you may not know that all IoT devices are built on top of a set of hardware like integrated circuits, including processors and memory chips. These hardware components act as the brain of these integrated circuits, and they store a set of our digital information such as passcodes, texts, photos, and our user credentials, and they act as a root of trust.

The question is: what if the vulnerability actually exists in the hardware? Previously, hardware components and digital chips were believed to be static, secure, and trustworthy, and we focused more on software attacks. However, research has shown that these hardware components are not invincible to security flaws and design bugs, and they can be used to launch more and more attacks. Research has shown that if the security vulnerabilities at the hardware level are blocked, the whole system vulnerability will be reduced by 43 percent, which means that a big portion of cyber attacks will be blocked if we address security vulnerabilities at the hardware level.

However, security vulnerabilities in hardware are more critical than software vulnerabilities. The reason is that they are fixed: once the hardware is built, we cannot change it, so we do not have the option of installing updates and patching those vulnerabilities. An attack that targets a vulnerability at the hardware level can be successfully repeated on every instance of that chip that is being used or deployed in different IoT devices, and we cannot do anything because there are no updates to be patched to prevent these attacks.

So let us talk about how these vulnerabilities are introduced into hardware designs. A company in the United States will design a product, but not all aspects of the design happen in-house. As you can see here, the supply chain of integrated circuits is highly dispersed and globally distributed, so several countries and companies around the world are involved in designing a piece of hardware. Therefore, this long and globally distributed supply chain makes these hardware chips vulnerable to an array of security and integrity attacks.

For example, due to time-to-market and cost constraints, a company in the United States may decide to outsource fabrication and send its design offshore to some Asian countries such as China and Korea. But not everybody in these fabrication facilities is necessarily trusted. They have access to the whole design, so they can steal the design and claim it as their own; they can overproduce more than the number ordered, create products under their own brands, and sell them on the black market. But worse than anything, they can insert malicious functionality into the design.

And this is a real concern. Last month we heard the news that the shortage of computer chips reached crisis level. A shortage of chips means that we need to rely on chips that are fabricated and designed in other countries. It means that not only do we not have any control over the fabrication process, we do not have any control over the design process, and we do not know what kind of malicious functionality may exist in these chips, and it may create security, integrity, and confidentiality issues for us.

Further, it's extremely difficult to distinguish between an authentic and a counterfeit chip. It's been one of the most challenging problems that we wanted to address, to be able to guarantee that we are using an authentic chip. The market for counterfeits is sizable and growing: in 2019 that market size was 75 billion devices, and traces of these counterfeit components were confirmed in 169 billion devices such as airport landing lights or network routers. So the consequences and risks of using these counterfeits range from inconvenience to injury or loss of life. There are also a lot of recycled IPs that can be used and deployed in IoT devices. Using recycled IPs makes the IoT devices less and less reliable and more vulnerable to security attacks.

It has always been a kind of battle between providing better security and having the best performance. There have been several efforts where we wanted to get the best performance with minimum overhead on some requirements of the design, such as battery lifetime. However, addressing security always comes with overheads, and the big issue is how we can balance and find a sweet spot between these two important parameters, so that not only can we have the best performance, but at the same time we can have less overhead and security, and we make sure that because of performance we do not create security vulnerabilities in the systems.

So what can we do? Here I present one of the possible solutions. For example, for counterfeits we can use microscopes or X-ray machines to identify whether a design is authentic or counterfeit. We can also use advanced artificial intelligence algorithms to distinguish these devices. In short, we need to develop a set of metrics to evaluate hardware designs to see how vulnerable they are. We need to create a set of tools that can address these vulnerabilities automatically. At the same time, we need to create awareness among the users of these potentially vulnerable IoT devices.

I believe the government, academia, and industry need to work hand in hand to create an ecosystem that delivers these secure hardware designs from design to the consumer market. This is the only way, the one and only way, that we can make sure that we have secure devices, and that we can use IoT and smart devices with ease of mind, without being worried about being spied on or a breach of our security and privacy.

At the University of Florida, my team and I are trying to address these challenging questions. Here is the list of my PhD students, who are dedicated to finding answers to these challenges and helping us have more and more secure smart devices. Thank you.