IoT Security & Privacy Conference​

and Research Symposium

May 14th, 2019

8:30AM-2PM PT

Days
Hours
Minutes
Seconds

at UCI’s Donald Bren Hall, Room 6011

Keynote Speaker

The Physics of Sensor Cybersecurity

Kevin Fu​

Kevin’s embedded security research interests span from the physics of cybersecurity through the operating system to human factors. Past research projects include MEMS sensor security, pacemaker/defibrillator security, cryptographic file systems, web authentication, RFID security and privacy, wirelessly powered sensors, medical device safety, and public policy for information security & privacy.

Speakers

BRYAN CUNNINGHAM

Executive Director, CPRI

SAM MALEK

Associate Professor of Informatics; Director, ISR

SRI BHARADWAJ

Director of Clinical and Business Applications and CISO, UCI Health

ATHINA MARKOPOULOU

Associate Professor of Electrical Engineering & Computer Science

ALFRED CHEN

Assistant Professor of Computer Science

Picture of April Sather

April Sather

CPRI Fellow

SCOTT JORDAN

Professor of Computer Science

JACK LERNER

Clinical Professor of Law

Sina Faezi

Ph.D. Candidate, Computer Engineering

Agenda

Agenda

8:30-9:00

Arrival and registration

9:00 - 9:45

Keynote
The Physics of Sensor Cybersecurity
Associate Professor Kevin Fu, Computer Science and Engineering, University of Michigan
IEEE Fellow & Sloan Research Fellow

9:45 - 11:30

11:30-11:45

Break

11:45-12:45

IoT Privacy  Regulation Panel
Moderator: Bryan Cunningham, Executive Director, CPRI

  • Scott Jordan, Professor, ICS
  • Jack Lerner, Clinical Professor of Law
  • Athina Markopoulou, Associate Professor, Electrical Engineering & Computer Science
  • April Sather, CPRI Fellow

12:45-2:00

Registration

This Free Event, sponsored by UCI’s Cybersecurity Policy and Research Institute (cpri.uci.edu) and UCI’s Institute for Software Research (isr.uci.edu) features a special keynote by Professor Kevin Fu from the University of Michigan, followed by faculty presentations, a panel discussion and a research showcase.

Location & Venue

Donald Bren Hall, Room 6011

Irvine, CA 92697

Research Showcase

"Privacy Leak Classification from Mobile Devices" (Demo and Poster)​

  • Anastasia Shuba (UCI)
  • Evita Bakopoulou (UCI)
  • Athina Markopoulou (UCI)

"Oligo-Snoop: A Non-Invasive Side Channel Attack Against DNA Synthesis Machines" (Poster)

  • Sina Faezi (UCI)
  • Sujit Rokka Chhetri(UCI)
  • Arnav Vaibhav Malawade,(UCI)
  • John Charles Chaput (UCI)
  • William Grover (UCR)
  • Philip Brisk (UCR)
  • Mohammad Abdullah Al Faruque (UCI)

"Enhancing Security of Java-based IoT Applications through Detection and Repair of Architecture Inconsistencies” (Poster)

  • Negar Ghorbani (UCI)
  • Joshua Garcia (UCI)
  • Sam Malek (UCI)

"Towards Privacy-Aware Smart Buildings: Capturing, Communicating, and Enforcing Privacy Policies and Preferences" (Demo)

  • Primal Pappachan (UCI)
  • Roberto Yus (UCI)
  • Sharad Mehrotra (UCI)

"PKRU-Safe: Sandboxing unsafe code on modern hardware" (Poster)

  • Paul Kirth (UCI)
  • David Gens (UCI)
  • Yeuol Na (UCI)
  • Stijn Volckaert (KU Leuven)
  • Michael Franz (UCI)

"C2Rust: Migrating legacy code to a safe programming language" (Poster)

  • Fabian Parzefall (UCI)
  • Mitchel Dickerson (UCI)
  • Per Larsen (UCI and Immunant, Inc.)
  • Michael Franz (UCI)

"Security Analysis of Multi-Sensor Fusion based Localization in Autonomous Vehicles" (Poster)

This poster won the Distinguished Poster Presentation Award for New Work at the NDSS 2019 Symposium.

  • Junjie Shen (UCI)
  • Jun Yeon Won (UCI)
  • Shinan Liu (University of Electronic Science and Technology of China)
  • Qi Alfred Chen (UCI)
  • Alexander Veidenbaum (UCI)

Speaker Summaries

The Physics of Sensor Cybersecurity
Kevin Fu

Medical devices, autonomous vehicles, and the Internet of Things depend on the integrity and availability of trustworthy data from sensors to make safety-critical, automated decisions. How can such cyber-physical systems remain secure against adversary using intentional interference to fool sensors? Building upon classic research in cryptographic fault injection and side channels, research in analog cybersecurity explores how to protect digital computer systems from physics-based attacks. Analog cybersecurity risks can bubble up into operating systems as bizarre, undefined behavior. For instance, transduction attacks exploit vulnerabilities in the physics of a sensor to manipulate its output. Transduction attacks using audible acoustics, ultrasonic or radio interference can inject chosen signals into sensors found in devices ranging from Fitbits to implantable medical devices to smartphones, drones and CubeSats.

Defenders can fight back with physics, more trustworthy software APIs and a shift in thinking toward system engineering. Fu will explain how to respect von Neumann’s 1956 admonition to design reliable organisms from unreliable components in the context of embedded security. He will also discuss the need for science and engineering national leadership by faculty in Washington on strategic matters of cybersecurity R&D and education.

Minding the Gaps: Mitigating Cyber Threats Over the Next Decade by Closing Seams in the Internet of Everything
Bryan Cunningham

Bryan will identify several trends which, taken together, will shape the growing global cyber threat landscape. He will identify an approach to mitigating these threats by identifying – and developing technical and policy solutions for – emerging security seems between Internet-of-Things devices and the traditional Internet.

Mobile Application Security
Sam Malek

Mobile devices are ubiquitous, with billions of smartphones and tablets used worldwide. Fueling the popularity of such devices is the abundance of apps available on a variety of markets (e.g., Google Play). This abundance of apps arises, in large part, due to the platform’s low barrier to entry for amateur and professional developers alike, where a re-usable infrastructure enables relatively quick production of apps. However, this low barrier to entry is associated with an increased risk of apps with defects, particularly in the form of security vulnerabilities. Consequently, developers and designers of such apps are in need of appropriate approaches, tools, and frameworks that aid them in producing secure apps. In this talk, I will first provide an overview of the security vulnerabilities in Android and the attacks that exploit them. I will then describe a few promising approaches that aim to resolve these security threats.

Patient: “Alexa has ordered 100 packs of Ricola. Do I have the flu or does she have the virus?” How can we help IOT devices to think straight?
Sriram Bharadwaj

Organization leaders want to know that the organization is protected and their investments in the security tools they paid for are working. Unfortunately, security professionals are all too often presenting slides which show hundreds of thousands of anti-malware alerts to evidence return on investment.

Business leaders are more interested in enterprise risk management and a top down approach to managing risk. C-SUITE want to understand the high-impact risks and would like to hear from the CISO what gets in the way of the organization being successful. A dashboard with red, yellow and green doesn’t prove that security is actually working. Threats are dynamic, sporadic and varied depending on the hardware/software deployed and it is imperative that the CISO can provide an overview and not just spend time in “trees than the forest”.

We will also focus on educating C-SUITE members on the intricacies of dealing with IOT devices in a healthcare environment.

Ghost Cars and Fake Obstacles: Automated Security Analysis of Emerging Smart Transportation Systems
Alfred Chen

Transportation systems today will soon be transformed profoundly due to two recent technology advances: Connected Vehicle (CV) and Autonomous Vehicle (AV). However, this also brings new features and operation modes into the transportation ecosystem, e.g., network connectivity and machine learning based sensing, which may introduce new security problem and challenges. In this talk, I will describe my current research that initiates the first effort towards systematically understanding the robustness of the software-based control in CV and AV systems. I will first describe my work that performs the first security analysis of the next-generation CV-based traffic signal control, which discovers new vulnerabilities at the traffic control algorithm level that can cause massive traffic jams. Next, I will describe my work that performs the first security analysis of LiDAR-based object detection in AV systems. I will conclude by discussing defense directions, and also future research directions in securing emerging CAV systems.

Oligo-Snoop: A Non-Invasive Side Channel Attack Against DNA Synthesis Machines
Sina Faezi on behalf of Mohammad Al Faruque

Synthetic biology is developing into a promising science and engineering field. One of the enabling technologies for this field is the DNA synthesizer. It allows researchers to custom-build sequences of oligonucleotides (short DNA strands) using the nucleobases: Adenine (A), Guanine (G), Cytosine (C), and Thymine (T). Incorporating these sequences into organisms can result in improved disease resistance and lifespan for plants, animals, and humans. Hence, many laboratories spend large amounts of capital researching and developing unique sequences of oligonucleotides. However, these DNA synthesizers are fully automated systems with cyber-domain processes and physical domain components. Hence, they may be prone to security breaches like any other computing system. In our work, we present a novel acoustic side-channel attack methodology which can be used on DNA synthesizers to breach their confidentiality and steal valuable oligonucleotide sequences.

Our proposed attack methodology achieves an average accuracy of 88.07 % in predicting each base and is able to reconstruct short sequences with 100 % accuracy by making less than 21 guesses out of 415 possibilities. We evaluate our attack against the effects of the microphone’s distance from the DNA synthesizer and show that our attack methodology can achieve over 80 % accuracy when the microphone is placed as far as 0.7 meters from the DNA synthesizer despite the presence of common room noise. In addition, we reconstruct DNA sequences to show how effectively an attacker with biomedical-domain knowledge would be able to derive the intended functionality of the sequence using the proposed attack methodology. To the best of our knowledge, this is the first methodology that highlights the possibility of such an attack on systems used to synthesize DNA molecules.