A blog about embedded computing systems, cyber-physical systems, and Internet of Things. We concentrate on technical topics but also discuss their implications.
Wednesday, December 9, 2015
Article on cyber warfare
Politico has posted this article on cyber warfare.
Friday, December 4, 2015
Security Breach at Toy Manufacturer
This New York Times article describes a database security breach at toymaker VTech.
Sunday, November 29, 2015
Database error involved in airplane crash
Aviation Week discusses in a recent editorial this report on the crash of a Turkish airlilner. Pilot error, namely continuing below minimums, was given as the primary cause. But a database error gave a wrong position for the runway threshold. The airplane landed to the left of the runway centerline.
Wednesday, November 18, 2015
Cybercrime-as-a-service
This report by McAfee discusses cybercrime-as-a-service.
Monday, November 16, 2015
FitBit hacking
Enterprise Security Today reports here on a possible FitBit hack.
Tuesday, October 20, 2015
Software Is Tangible
Many people seem to think that software is
non-physical---that unlike the computer keyboard and screen they can touch and
feel, the software that makes their computer do useful work has no physical
existence. This ghost-in-the-machine
view of software doesn’t square up with reality. Computing is a physical act
and software is the physical object that drives computers.
Software is stored in the memory of a computer as
collections of electrons: a certain number of electrons stored at a location represents
a 1 bit while a small number (or no) electrons represents a 0 bit. (Other
storage media represent bits in other ways---magnetic domains, pits in DVDs,
etc.---but the principle remains the same.) In a modern memory, only a few
hundred of these little tiny electrons are enough to store a 1 bit.
But tiny is not the same as non-existent. A little high school physics tells us that,
in fact, electrons do exist in the physical world. Wikipedia gives the mass of
an electron as 9.1 X 10^-39 kg. That’s pretty
darn small. But they do really exist. And we can sense the behavior of
electrons in many ways. For example, we
can steal cryptographic keys from smart cards and computers watching the flow
of electrical energy into the machine.
This technique, known as a power attack, figures out the 1s and 0s of
your security key simply by watching how much power the computer consumes at
different steps of the security process.
The physical nature of those little tiny bits has real and important implications.
And some of the effects of the physical nature of software
are accessible by a simple touch. Running software consumes electric power that
is transformed into heat by the computer, much as our bodies heat up as we
exercise. When your feel your laptop grow hot as you watch a movie, you feel
the physical effects of software. Can a ghost in the machine do that?
Power Attack White Paper
Rambus has posted here an interesting white paper on differential power attacks.
Wednesday, October 7, 2015
Apple Ships Phone with Dual-Sourced Processors
A number of sources, including Anandtech here, report that Apple's new iPhones are shipping with one of two different chips. The chips aren't even the same size. As my student pointed out, Macrumors reports here that initial tests suggest that the two chips consume significantly different levels of power.
Tuesday, October 6, 2015
The Air Gap Myth
The BBC discusses here an interesting report from Chatham House on the vulnerability of worldwide nuclear energy plants to cyber attack. The report says that although many facilities claim that they do not have direct Internet connections---an air gap---that some of them do in fact have Internet connections. For example, a connection may have been installed for maintenance, then not uninstalled and forgotten.
But let's be clear---the notion of an air gap is a fantasy in the modern world. Even if no direct connection exists, indirect connections through storage devices is sufficient to allow hackers to attack a cyber-physical system. Sneakernet---moving data manually from machine to machine---has a long and storied tradition in computing. (Rumor had it that while Sun promoted its Network File System on the outside, it relied on Sneakernet for internal data transfers.) The Stuxnet attacks were initiated through data carried by maintenance workers on flash drives. Those flash drives were infected on outside machines, then carried inside the facility to help the workers with their tasks. The UCSD team showed in its demonstrations of car hacking that the maintenance computers used by mechanics were vectors for attacking cars.
Cyber-physical systems cannot ensure a circle of trust merely by claiming that they are not connected to the Internet. It is hard to imagine a safety-critical system that is not vulnerable to sneakernet attacks. We need to design safety-critical systems that monitor themselves during operation to watch for attacks. Trust but verify...
But let's be clear---the notion of an air gap is a fantasy in the modern world. Even if no direct connection exists, indirect connections through storage devices is sufficient to allow hackers to attack a cyber-physical system. Sneakernet---moving data manually from machine to machine---has a long and storied tradition in computing. (Rumor had it that while Sun promoted its Network File System on the outside, it relied on Sneakernet for internal data transfers.) The Stuxnet attacks were initiated through data carried by maintenance workers on flash drives. Those flash drives were infected on outside machines, then carried inside the facility to help the workers with their tasks. The UCSD team showed in its demonstrations of car hacking that the maintenance computers used by mechanics were vectors for attacking cars.
Cyber-physical systems cannot ensure a circle of trust merely by claiming that they are not connected to the Internet. It is hard to imagine a safety-critical system that is not vulnerable to sneakernet attacks. We need to design safety-critical systems that monitor themselves during operation to watch for attacks. Trust but verify...
Monday, October 5, 2015
Intel HDCP master key cracked
tomshardware.com reports here that the Intel HDCP master key has been cracked. HDCP is a multimedia encryption standard.
Tuesday, September 22, 2015
Intel Automotive Security Review Board
Here is an article at tomshardware.com on Intel's new Automotive Security Review Board (ASRB).
Volkswagen Defeats Its Own Emissions Software
Here is an extremetech.com article on Volkswagen's efforts to disable its own emissions control software.
Tuesday, September 8, 2015
Wednesday, September 2, 2015
Article on Embedded Multi-Core Performance/Power
Here is a great article from Anandtech with some experimental results on cell phone multicore architectures. Their experiments show how many threads are at work in some typical cell phone scenarios and provide utilization and power results.
SIMON block cypher
Here is an interesting paper on a hardware design for the SIMON block cypher. The paper comes from Patrick Schaumont's group at Virginia Tech.
Sunday, August 9, 2015
Blackhat: x86 Design Flaw Enables Root Kits
This article from PC World reports on a talk at Blackhat that describes how a design flaw in a number of x86 models allows powerful root kits to be created.
Thursday, July 30, 2015
New York Subway System Infrastructure
Slate provides here a link to a video on the machines used to operate the New York subway system. Much of this equipment dates to the first half of the 20th century. It's a great video. I had read about some of this before but never in this much detail.
The Slate columnist refers to this equipment "delightful, sure, but also deeply baffling." I think that this view misses a few points. First, modern computer equipment isn't always reliable in many aspects, ranging from computer security to electromigration. Second, much computer equipment isn't designed to last more than a few years. Replacing computers regularly is OK for data centers but it just doesn't work for a lot of infrastructure. Infrastructure has to be built to operate safely and reliably for years. Unfortunately, the computer industry isn't very good at designing things that last.
I find the video's discussion of the old-fashioned signaling system to be much more important than the age of the wires and relays. The old equipment can't identify the location of a train very accurately, which means that trains have to be spaced farther apart. One of the important benefits of new equipment and control system---known as CBTC---will be more efficient transit thanks to better location and control.
The Slate columnist refers to this equipment "delightful, sure, but also deeply baffling." I think that this view misses a few points. First, modern computer equipment isn't always reliable in many aspects, ranging from computer security to electromigration. Second, much computer equipment isn't designed to last more than a few years. Replacing computers regularly is OK for data centers but it just doesn't work for a lot of infrastructure. Infrastructure has to be built to operate safely and reliably for years. Unfortunately, the computer industry isn't very good at designing things that last.
I find the video's discussion of the old-fashioned signaling system to be much more important than the age of the wires and relays. The old equipment can't identify the location of a train very accurately, which means that trains have to be spaced farther apart. One of the important benefits of new equipment and control system---known as CBTC---will be more efficient transit thanks to better location and control.
Wednesday, July 22, 2015
Georgia Tech Center for the Development and Application of Internet-of-Things Technologies
CDAIT, the Georgia Tech Center for the Development and Application of Internet-of-Things Technologies, is run by Alain Louchez. Their web site posts a number of interesting items. Here is one item on our research on long-term care for people with special needs.
Monday, July 6, 2015
Yet Another Software Timing Bug
Extremetech reports here that New Horizons, the NASA Pluto probe, stopped communicating for an hour and that NASA says the bug was probably caused by a "hard-to-detect timing flaw" in software.
Thursday, June 25, 2015
A Great Tagline
See this article from Tom's Hardware: the founder of Kapersky refers to IoT as the "Internet of Threats."
Wednesday, June 17, 2015
Samsung phone security problem
NowSecure reports here that they have found a way \for an attacker to use the keyboard update mechanism on several Samsung phone models to execute privileged code on the phone. The vulnerability leverages the software update mechanism for the Swift keyboard software, which is from a third party. Software updates download files in privileged mode but as a plaintext zip file. The exploit modifies this download zip and its associated manifest to install malicious files on the phone.
Thursday, June 4, 2015
Mac suspend/resume vulnerability
Reverse Engineering Mac OS X described here a bug in Mac suspend/resume code that allows malicious programs to modify BIOS, getting around traditional virus protection checks. This isn't strictly embedded but given the emphasis on low energy in the embedded/CPS/IoT world, who knows what other devices have similar problems.
Wednesday, June 3, 2015
Hello, Cyber-Physical Sewing Machine
The gearbox on my mechanical sewing machine broke. It sounded like it was mixing gravel; I didn't investigate further. I decided to replace it with a cyber-physical model but one that didn't have a lot of features that I wouldn't use. I think this model will have a strong drivetrain as well as fairly reliable electronics, but only time will tell.
<p>
My first sewing machine suffered an electronics failure, and a rather mundane one at that. As we integrate electronics and computers into all sorts of devices, I hope that system designers keep in mind that consumer electronics devices (cell phones, audio players, etc.) are designed with very short lifespans in mind. In contrast, many of the cyber-physical devices, such as sewing machines, have much longer lifespans. All the components should be designed to have consistent lifespans. This means building printed circuit boards and chips to higher quality standards than those to which the electronics industry has become accustomed. And, of course, more components of any type means more opportunities for failure.
Monday, June 1, 2015
Software Bug on LightSail
Extremetech.com reports here on a software bug on LightSail. It appears that when a log file reaches 32 MB, it crashes the OS.
Wednesday, May 20, 2015
Possible software bug implicated in accident
Aviation Week provides this interesting report of a potential software bug and its effects. An Airbus A400M airlifter crashed on May 9, killing four people. Aviation Week's sources indicate that the crash may have involved new software that manages the fuel levels in the fuel tanks.
IoT Symposium Keynote
Prof. Mani Srivastava of UCLA will deliver the keynote at the IoT Symposium. His talk will be titled "Towards a Trustworthy Pervasive Sensing Substrate for the Internet of Things."
More on Airplane Hacking
The FBI has released a notice on media claims about aircraft hacking. You can see the document here (among other places). Thanks very much to Nicholas Larrieu for the pointer to this document. The notice asks for assistance in identifying potential incidents and vigilance in preventing such events. It also says:
"The FBI and TSA are currently analyzing claims in recent media reports which included statements that critical in-flight networks on commercial aircraft may be vulnerable to remote intrusion. At this time, the FBI and TSA have no information to support these claims but continue to leverage public and private sector partnerships to evaluate potential threats posed by intrusions into a commercial aircraft’s secure networks. The FBI and TSA also continuously monitor and analyze reporting on cyber and technical threats to proactively deter individuals from using remote intrusions to disrupt any portion of the aviation sector, including its business networks, critical navigation and air traffic control signals, and the onboard networks of commercial aircraft."
"The FBI and TSA are currently analyzing claims in recent media reports which included statements that critical in-flight networks on commercial aircraft may be vulnerable to remote intrusion. At this time, the FBI and TSA have no information to support these claims but continue to leverage public and private sector partnerships to evaluate potential threats posed by intrusions into a commercial aircraft’s secure networks. The FBI and TSA also continuously monitor and analyze reporting on cyber and technical threats to proactively deter individuals from using remote intrusions to disrupt any portion of the aviation sector, including its business networks, critical navigation and air traffic control signals, and the onboard networks of commercial aircraft."
Monday, May 18, 2015
IoT Symposium at Embedded Systems Week
Jason Xue and I are organizing the IoT Symposium at Embedded Systems Week. ESWeek is October 4-9 in Amsterdam; the IoT Symposium is on October 8-9. The submission deadline for the symposium is June 29. We hope you attend! Even better, we hope you submit! Here is the call for papers:
The ESWeek IoT Symposium is organized as a part of the Embedded Systems Week 2015. The Internet of Things (IoT) promises to revolutionize fields ranging from health care to manufacturing to personal living by connecting the Internet to physical things. Embedded computing and VLSI are central to the achievement of the IoT vision - advanced computation and communication must be delivered at extremely low energy levels and manufacturing costs. The IoT Symposium is devoted to research on advanced IoT systems.The IoT symposium will be a part of Embedded System week, and will provide a forum for researchers, from academia and industry, to present and discuss innovative ideas and solutions related to all facets of internet-of-things.
Topics of interest at IoT Symposium include but not limited to:
- VLSI Systems Track: ultra low energy systems, integrated sensors, 3D, platform architectures.
- Networking and Communications Track: Physical layer, protocols, network management.
- Algorithms and Infrastructures Track: Distributed and cloud computing, big data methods, heterogeneous sensors, sensor fusion, standards, design methodologies.
- Security and Privacy Track: Low-energy encryption, authentication, hardware security, privacy management.
- Applications Track: Industrial control, logistics, smart homes, smart cities, office management, smart vehicles and fleets.
- Ultra-low Energy System Track: Energy harvesting, hybrid energy systems, storage-less energy systems
The ESWeek IoT Symposium is organized as a part of the Embedded Systems Week 2015. The Internet of Things (IoT) promises to revolutionize fields ranging from health care to manufacturing to personal living by connecting the Internet to physical things. Embedded computing and VLSI are central to the achievement of the IoT vision - advanced computation and communication must be delivered at extremely low energy levels and manufacturing costs. The IoT Symposium is devoted to research on advanced IoT systems.The IoT symposium will be a part of Embedded System week, and will provide a forum for researchers, from academia and industry, to present and discuss innovative ideas and solutions related to all facets of internet-of-things.
Topics of interest at IoT Symposium include but not limited to:
- VLSI Systems Track: ultra low energy systems, integrated sensors, 3D, platform architectures.
- Networking and Communications Track: Physical layer, protocols, network management.
- Algorithms and Infrastructures Track: Distributed and cloud computing, big data methods, heterogeneous sensors, sensor fusion, standards, design methodologies.
- Security and Privacy Track: Low-energy encryption, authentication, hardware security, privacy management.
- Applications Track: Industrial control, logistics, smart homes, smart cities, office management, smart vehicles and fleets.
- Ultra-low Energy System Track: Energy harvesting, hybrid energy systems, storage-less energy systems
Sunday, May 17, 2015
DAC special session on cyber-physical systems
The Design Automation Conference is coming to the Moscone Center in San Francisco during the week of June 7. Mohammed Al Faruque and I have organized a special session on cyber-physical systems architectures and methodologies; it will take place Wednesday, JUne 10, from 1:30 to 3 PM. The session will feature three talks: I will give the introductory talk; Janos Sztipanovits from Vanderbilt will talk about their experience with CPS tool chains; and Rajesh Gupta will discuss models, abstractions, and architectures. You can find the program here.
Airplane Hacking
CNN just posted this story about the ongoing saga of Chris Roberts, who has (depending on who you believe) either hacked into commercial airliners in flight or has investigated the possibility of such activities.
Monday, May 4, 2015
Cheap Thermal Imagers
A number of sites have reported on new thermal imagers that cost only a few hundred dollars: one from Seek here; another from Flir here. Not so long ago, thermal imagers cost $10K-$20K. These new low-cost imagers will open up new categories of applications.
Saturday, May 2, 2015
New 787 battery problems
CNN reports here that the FAA has issued a repetitive maintenance task directive for the Boeing 787. This mandate was put into place after testing found that, after being continuously powered for 248 days, the 787 could lose all AC power.
Monday, April 27, 2015
Imagination releases academic version of MIPSfpga design
As described by AnandTech in this article, Imagination has announced a university license for its MIPSfpga design.
Thursday, April 9, 2015
Asparagus-Carrying Drone Crashes and Explodes
You can't make this stuff up, folks. Read this story in Time.
Wednesday, March 25, 2015
SSL certificate security flaws found
Extremetech reported on some newly found security holes in SSL. It turns out that another entity issued unauthorized certificates for Google domains. Beyond the specific implications for SSL security, this in my view is another blow to the reputation of open systems and standards.
Sunday, February 22, 2015
More Stuipid Ideas in Consumer Electronics
Tom's Hardware reports that a new Barbie records your child's conversations with the doll and saves them in the cloud---here is the article. Doesn't anyone in the consumer electronics industry know how to spell privacy?
Friday, February 20, 2015
Stupid Ideas in Consumer Electronics
Samsung's Smart TV seems to have been not so smart after all. A variety of press reports indicate that Samsung's user agreement allows them to share voice input with third parties. Reports also indicate that voice data is being transferred to the cloud in an insecure manner. One of the several good reports on this topic comes from Tom's Hardware.
Subscribe to:
Posts (Atom)