I'm at Embedded Systems Week, the major research conference for embedded computing. Today, I attended the Embedded Systems Security Workshop. The speakers presented some very interesting results. But let me concentrate on the keynote by Wayne Burleson of the University of Massachusetts, who spoke on privacy in embedded computing.
He made the very interesting point that trust and security are not the same thing; we don't understand as much about trust as we do about security. We have identified quite a few threat models in traditional computer security. The same cannot be said for privacy. It isn't always clear from whom the threat comes or what constitutes an invasion of privacy. Some releases of personal information are natural, intended, and necessary; some breaches are unnecessary but not particularly consequential; others can have devastating consequences. Unfortunately, if we don't understand the threat models, we can't do much to mitigate those threats.
He described two of his projects. The first project developed new techniques for electronic fare payment in transportation systems. He and his colleagues developed a form of electronic cash that allows the user to pay a fare, and to obtain special fares such as senior citizen fares, without disclosing any other information about themselves.
He then talked about his work on medical system privacy. The medical community is busy developing all sorts of implanted medical devices that can transmit information about the state of your body to your doctor. The trick is to be sure that only the intended people have access to that information. Medical devices operate under severe energy constraints, on the order of 10 joules per operation, so any security and privacy techniques employed in the device must run within these very low energy budgets. Burleson also pointed out that the risk/benefit analysis for medical devices must be performed carefully. For example, hacks on pacemakers were revealed a few years ago. The manufacturers addressed the problems very quickly because of concerns that patients would decide not to have a pacemaker in order to avoid being hacked. Of course, the risk of dying from the lack of a pacemaker is much, much higher than the risk of having your pacemaker hacked into, but there is no point in taking chances with such an analysis.