Tricks of the trade
Things are not always what they appear to be in Kevin Fu’s laboratory at U-M’s College of Engineering.
On any given day, research investigators may use an antenna to fool the lab’s temperature sensor into giving a false reading of below absolute zero ― a temperature so low it does not exist in the natural world. They also have utilized a laser light beam to inject false voice commands in a voice-controlled assistant from a distance of 300 feet, roughly the length of a football field.
While these scientific shenanigans seem more like hackers’ pranks, they are meant to illustrate an important point: The electronic devices on which we depend are not as secure and trustworthy as we thought.
“It’s possible to use everyday physics ― such as radio waves, ultrasonic beams, sound waves, lasers, and even laser pointers and flashlights ― to trick these devices into seeing false realities,” says Fu, associate professor of electrical engineering and computer science.
“It’s a little scary to know that all these electronic products have been put on the market before we figured out the basic science and engineering for securing the sensors inside them.”
In worst-case scenarios, hackers could use all the methods Fu describes to disable pacemakers and implantable defibrillators or to manipulate the navigation systems of semi-tractor-trailer trucks and passenger cars. Con artists could hijack Alexa or Siri and start opening locked front doors, turning on electric appliances, and shutting off security systems in people’s homes.
“We need to figure out how to build in these protection systems before manufacturers automate all of our automobiles, medical devices, and factories with sensors,” Fu explains. “We are trying to get ahead of the curve.”
Fu directs the U-M Archimedes Center for Medical Device Security and knows he is racing against time. He has testified before the U.S. Senate and House of Representatives on matters of information security, and has been a visiting scientist at the U.S. Food and Drug Administration. In addition, Fu has advised the American Hospital Association and the Heart Rhythm Society about health-care cybersecurity.
An unexplored frontier
Unlike many cybersecurity troubleshooters, Fu is not looking for software bugs, malware, or ransomware that hackers can use to access electronic devices and automated systems.
Rather, he is probing the soft underbelly of technology by burrowing down into the actual brain of the computer itself to figure out how to eliminate vulnerabilities by design.
“Ultrasonic signals and light waves can fool the physical manifestations of the computer ― that is, the wires, the circuits, the little objects that vibrate, and all the interstitial computing tissue we forget about,” Fu says. “We’ve found that simple things such as a small transmitter or a laser can cause havoc inside a computer by getting into its brain through its relatively unprotected sensors.”
Firewalls and antivirus software cannot protect against such external threats to the physics of computation and sensing. These security tools and programs tend to fail fast and catastrophically, leaving electronic devices and computerized systems vulnerable to intrusion.
The best solution, according to Fu, is to build security into these devices and systems by design, from the physical hardware to the embedded software.
Students in Fu’s U-M lab investigate ways to improve the reliability of LiDAR systems for autonomous vehicles, pacemakers and defibrillators for cardiac patients, and voice-controlled assistants for households.
In recent years, heightened concerns about privacy and security have prompted some medical-device manufacturers to start working on computer-security standardization for their product designs. But they are still playing catch-up.
To accelerate the adoption of embedded security, Fu and his colleagues have consulted with nearly a dozen different companies and health-care systems, including Medtronic and the Mayo Clinic.
“We are trying to educate front-line engineers about how to incorporate good security-engineering practices into their thinking when they design, test, and ship devices, and what they have to do to maintain those devices after sale,” he says.
Increasing consumer awareness
Millions of sensor-equipped devices, already in use and ranging from phones and televisions to automobiles and airplanes, are vulnerable to intrusion. There’s no easy fix.
Retrofitting existing devices with security features would be difficult and costly, Fu says. It makes more economic sense to incorporate security properties early in the design phase of a product, he insists.
Preventing hackers from disabling or taking control of electronic devices has proven to be an ongoing challenge, because malicious actors tend to be two steps ahead of researchers and manufacturers. Increasingly, consumers pay the price for the vexing shortfalls in embedded security.
For example, in 2019, home-security cameras sold by the Amazon-owned company Ring were deemed a threat to families and the public after hackers in several states gained access to the surveillance devices and used them to frighten parents and children in their homes. Other breaches involving Google Nest smart-home products and the Fredi Taococo baby monitor also have raised concerns about security and privacy.
Constant vigilance is needed to thwart such intrusions, Fu says.
“The absence of security threats today is one of the best predictors of future security problems,” he says. “Too often, people have a sense of complacency and a feeling that bad things can never happen. That kind of logic is dangerous when you are trying to protect against future threats.”
Fu recommends that consumers take some simple steps to ward off security intrusions.
“I advise people to be skeptical of advertisers who claim their products have perfect security built into them,” he says. “In the meantime, consumers can reduce their exposure to intrusion by putting a sticker over the lens of their smartphone camera or smart television. This will keep intruders from spying and collecting information on their family, especially their kids.”
David Zoellner - 1969 LSA. 1972 Law
Prof Fu is amazing. Heard him at a conference in Charleston last December.
John Buehrer - 1991 LSA / EECS
I’m pleased to hear that “hardware DevSecOps” now has an academic foundation! Next on the list is doing it for Blockchain.