Nitesh Saxena can do some very bad things with your digital devices.
He knows how to trick you into buying him a diamond ring when you think you’re only paying for a burger. He understands how to hijack your phone’s camera and use it to build a 3D picture of your office that can be mined for passwords (hello, sticky notes!) and bank account numbers (thanks for leaving the checkbook out!). In theory, at least, he could even make your pacemaker go haywire and send you to the hospital, if not the morgue. Of course, he is quick to point out, he will not do any of this, because he is a responsible researcher who is actually looking to defeat such attacks so you can get a good night’s sleep.
Saxena is an associate professor in the UAB College of Arts and Sciences Department of Computer and Information Sciences and director of the SPIES (Security and Privacy in Emerging Computing and Networking Systems) lab. He and his students spend their time figuring out how criminals are abusing new technologies — or, often, how they could abuse them — and developing countermeasures.
But a defense is only useful if it’s actually used. Despite the fact that our phones have access to everything from our bank accounts to our health data, many of us are reluctant to use something as simple as a password lock.
Security You Can’t See
That’s why the SPIES lab is always looking for the easy way out. One approach is “playful” security: transforming a chore into a challenge that users enjoy, or at least tolerate. Last year, Saxena’s group made a splash with a system that turned CAPTCHAs — those annoying warped-text obstacles — into mini-games. But the best security measures, Saxena says, are ones the user doesn’t have to think about at all.
“The ideal is something that is user-transparent,” Saxena said. His lab is now making a major push into “behavioral biometrics” — software that takes advantage of the sensors built into today’s smartphones to learn the characteristic gestures a person uses while interacting with his or her device. A phone running this software could unlock itself automatically when it recognizes that it is in the hands of its owner — and deny access to unauthorized users.
The Way You Move
“When you pick up a call, you hold the phone in your hand and bring it up to your ear in a certain way,” Saxena said. “When you take a picture, you raise the phone and hold it in a specific manner for a while. We can detect these gestures automatically, using the accelerometer, gyroscopes and proximity sensors.” The SPIES team has also studied the gestures associated with using a phone’s near-field communication (NFC) chip. These chips, activated by tapping the phone on a reader at a retail outlet, are built into the latest iPhone and many Android phones. They make possible mobile payment systems such as Apple Pay and Google Wallet. (See an illustration of how the system works in the graphic below.)
“The advantage of this approach is that it doesn’t require the user to do anything,” Saxena said. “We’ve found that all three of these gestures are pretty unique. We can differentiate very robustly between them.” His team is now working to combine readings from phones and “wearable” devices, such as Google Glass and smartwatches like the Pebble. “The watch could provide data about the way you move your wrist while typing a text message, for example,” Saxena said. “Google Glass would add information on head movement and eye movement. And all this data would be unique to the user, so a thief would have to mimic all of these gestures in order to unlock the device.”
Saxena’s gesture-sensing software could also prevent hackers from remotely controlling a phone, he says. Criminals have already released malicious software (malware), bundled into innocent-looking Android apps, that can automatically place calls to premium-rate numbers when the phone is left unattended. Security researchers have developed malware that can take pictures with a phone’s camera and send them surreptitiously to a third party. If criminals can create something similar, they could use the ill-gotten images to build a three-dimensional map of the infected user’s home, office and more. That map could then be used to mine personal information.
Because malicious code running on an unattended phone cannot produce the physical gesture that normally accompanies a call or a photo, a phone running Saxena’s software would refuse the dialer and camera to it. The system is still not 100 percent accurate, Saxena says. But it could easily be coupled with a fall-back system. When the software can’t decide whether its legitimate owner or someone else is in control, it could prompt the user for a password or other input.
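The following is an added example, not code from the SPIES lab or from the article, of the decision structure described above: a gesture template is built from a few of the owner's "raise to ear" motions, a probe window is scored against it, and the score falls into one of three bands (unlock, deny, or fall back to a password prompt). Everything in it is an assumption chosen for illustration: the eight summary features, the per-feature sigma floor, the two thresholds, and the accelerometer windows, which are constructed synthetically (gravity rotating between the z and y axes as the phone tilts) rather than captured from a real device. A real system would use richer features and a trained classifier; the point here is the three-way verdict and why a phone lying flat on a table, as in the malware scenario, lands in the "deny" band.

```python
import math
import random
import statistics
from typing import List, Sequence, Tuple

# One accelerometer reading: (x, y, z) in m/s^2. A window is a short burst of
# readings captured while the phone is being raised to the ear.
Reading = Tuple[float, float, float]
Window = Sequence[Reading]

G = 9.81
SIGMA_FLOOR = 0.25        # assumption: a template is never tighter than this per feature
ACCEPT_THRESHOLD = 1.0    # assumption: mean |z-score| below this -> owner
REJECT_THRESHOLD = 3.0    # assumption: mean |z-score| above this -> not the owner


def extract_features(window: Window) -> List[float]:
    """Mean and spread of each axis and of the total magnitude: eight numbers."""
    axes = [[r[i] for r in window] for i in range(3)]
    mags = [math.sqrt(x * x + y * y + z * z) for x, y, z in window]
    feats: List[float] = []
    for series in axes + [mags]:
        feats.append(statistics.fmean(series))
        feats.append(statistics.pstdev(series))
    return feats


def enroll(windows: Sequence[Window]) -> List[Tuple[float, float]]:
    """Per-feature (mean, sigma) template from several owner gestures.
    The floor stops a handful of enrollment samples from producing a template
    so tight that the owner's own next gesture fails."""
    rows = [extract_features(w) for w in windows]
    return [(statistics.fmean(col), max(statistics.pstdev(col), SIGMA_FLOOR))
            for col in zip(*rows)]


def score(template: Sequence[Tuple[float, float]], window: Window) -> float:
    """Mean absolute z-score of the probe's features against the template."""
    feats = extract_features(window)
    return statistics.fmean(abs(f - mu) / sigma for f, (mu, sigma) in zip(feats, template))


def decide(s: float) -> str:
    """Three-way verdict; the middle band is the password fall-back."""
    if s < ACCEPT_THRESHOLD:
        return "unlock"
    if s > REJECT_THRESHOLD:
        return "deny"
    return "prompt_password"


def synth_raise_to_ear(tilt: float, sway: float, rng: random.Random, n: int = 25) -> List[Reading]:
    """Constructed motion (not real sensor data): gravity rotates from the z axis
    (phone flat) toward the y axis as the phone tilts through `tilt` radians,
    with a sideways sway of amplitude `sway` on x and a little sensor noise."""
    window = []
    for i in range(n):
        t = i / (n - 1)
        angle = tilt * t
        x = sway * math.sin(2 * math.pi * t) + rng.gauss(0, 0.05)
        y = G * math.sin(angle) + rng.gauss(0, 0.05)
        z = G * math.cos(angle) + rng.gauss(0, 0.05)
        window.append((x, y, z))
    return window


def phone_left_on_table(rng: random.Random, n: int = 25) -> List[Reading]:
    """Constructed readings for an unattended phone lying flat: gravity on z only."""
    return [(rng.gauss(0, 0.02), rng.gauss(0, 0.02), G + rng.gauss(0, 0.02)) for _ in range(n)]


def build_demo():
    """Enroll the owner with five slightly different raises (about 63 to 74 degrees),
    then produce one fresh owner gesture and one unattended-phone window."""
    rng = random.Random(7)
    enrollment = [synth_raise_to_ear(tilt, 0.6, rng) for tilt in (1.10, 1.15, 1.20, 1.25, 1.30)]
    template = enroll(enrollment)
    owner_probe = synth_raise_to_ear(1.2, 0.6, rng)
    unattended = phone_left_on_table(rng)
    return template, owner_probe, unattended


if __name__ == "__main__":
    template, owner_probe, unattended = build_demo()
    for label, window in (("owner answering a call", owner_probe),
                          ("malware dialing from a phone on the table", unattended)):
        s = score(template, window)
        print(f"{label}: score={s:.2f} -> {decide(s)}")
```

The deny case works because the malware-driven call has no motion at all: the mean y and z features and every spread feature sit many sigmas from the owner's template. A half-hearted or unusual raise by the real owner would score somewhere between the two thresholds, and that is exactly the case the article's fall-back handles by asking for a password instead of silently refusing.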
Safe and Sound
The SPIES team is also looking into the security of high-tech implanted medical devices, such as pacemakers. These machines have to be able to communicate with the outside world, Saxena explains, because doctors need to modify therapy after the implant surgery. But that means “an attacker could bring a strong reader close to a patient’s chest and actually read data from the implant,” Saxena said. “They could also issue commands, changing the rate at which the pacemaker transmits pulses, for instance. You could potentially kill someone.”
So, Saxena’s group asked themselves, “How could you protect against that kind of attack?” One way would be to program the device to respond only when the patient is in a set position — lying down on the exam table in the doctor’s office. Adding a tiny, cheap accelerometer to the medical device could create another layer of security, Saxena adds. “To unlock the device, the doctor could use his phone. He could set it to vibrate in a specific pattern unique to each patient; then, when the doctor touches the phone to the patient’s chest, the device would read this vibration and unlock.”
In a related project, the SPIES lab is delving deeper into the sensors themselves. “A lot of our work relies on these sensors behaving correctly,” Saxena said. “We are now analyzing the sensitivity of the Android platform. We want to make sure that attackers cannot manipulate the sensor data. If they can change the way the proximity sensor readings work internally, that would be important to know.”