Article on cyber warfare

Politico has posted this article on cyber warfare.

Security Breach at Toy Manufacturer

This New York Times article describes a database security breach at toymaker VTech.

Database error involved in airplane crash

Aviation Week discusses in a recent editorial this report on the crash of a Turkish airlilner.  Pilot error, namely continuing below minimums, was given as the primary cause.  But a database error gave a wrong position for the runway threshold.  The airplane landed to the left of the runway centerline.

Cybercrime-as-a-service

This report by McAfee discusses cybercrime-as-a-service.

FitBit hacking

Enterprise Security Today reports here on a possible FitBit hack.

Software Is Tangible

Many people seem to think that software is non-physical---that unlike the computer keyboard and screen they can touch and feel, the software that makes their computer do useful work has no physical existence.  This ghost-in-the-machine view of software doesn’t square up with reality. Computing is a physical act and software is the physical object that drives computers.

Software is stored in the memory of a computer as collections of electrons: a certain number of electrons stored at a location represents a 1 bit while a small number (or no) electrons represents a 0 bit. (Other storage media represent bits in other ways---magnetic domains, pits in DVDs, etc.---but the principle remains the same.) In a modern memory, only a few hundred of these little tiny electrons are enough to store a 1 bit. 

But tiny is not the same as non-existent.  A little high school physics tells us that, in fact, electrons do exist in the physical world. Wikipedia gives the mass of an electron as 9.1 X 10^-39 kg.  That’s pretty darn small. But they do really exist. And we can sense the behavior of electrons in many ways.  For example, we can steal cryptographic keys from smart cards and computers watching the flow of electrical energy into the machine.  This technique, known as a power attack, figures out the 1s and 0s of your security key simply by watching how much power the computer consumes at different steps of the security process.  The physical nature of those little tiny bits has real and important implications.

And some of the effects of the physical nature of software are accessible by a simple touch. Running software consumes electric power that is transformed into heat by the computer, much as our bodies heat up as we exercise. When your feel your laptop grow hot as you watch a movie, you feel the physical effects of software. Can a ghost in the machine do that?

Power Attack White Paper

Rambus has posted here an interesting white paper on differential power attacks.

Apple Ships Phone with Dual-Sourced Processors

A number of sources, including Anandtech here, report that Apple's new iPhones are shipping with one of two different chips.  The chips aren't even the same size. As my student pointed out, Macrumors reports here that initial tests suggest that the two chips consume significantly different levels of power.

The Air Gap Myth

The BBC discusses here an interesting report from Chatham House on the vulnerability of worldwide nuclear energy plants to cyber attack.  The report says that although many facilities claim that they do not have direct Internet connections---an air gap---that some of them do in fact have Internet connections.  For example, a connection may have been installed for maintenance, then not uninstalled and forgotten.

But let's be clear---the notion of an air gap is a fantasy in the modern world. Even if no direct connection exists, indirect connections through storage devices is sufficient to allow hackers to attack a cyber-physical system. Sneakernet---moving data manually from machine to machine---has a long and storied tradition in computing.  (Rumor had it that while Sun promoted its Network File System on the outside, it relied on Sneakernet for internal data transfers.)  The Stuxnet attacks were initiated through data carried by maintenance workers on flash drives. Those flash drives were infected on outside machines, then carried inside the facility to help the workers with their tasks.  The UCSD team showed in its demonstrations of car hacking that the maintenance computers used by mechanics were vectors for attacking cars.

Cyber-physical systems cannot ensure a circle of trust merely by claiming that they are not connected to the Internet.   It is hard to imagine a safety-critical system that is not vulnerable to sneakernet attacks. We need to design safety-critical systems that monitor themselves during operation to watch for attacks.  Trust but verify...

Intel HDCP master key cracked

tomshardware.com reports here that the Intel HDCP master key has been cracked.  HDCP is a multimedia encryption standard.

Intel Automotive Security Review Board

Here is an article at tomshardware.com on Intel's new Automotive Security Review Board (ASRB).

Volkswagen Defeats Its Own Emissions Software

Here is an extremetech.com article on Volkswagen's efforts to disable its own emissions control software.

More on IoT Security

Extremetech posts here a nice summary piece on the state of IoT security.

Article on Embedded Multi-Core Performance/Power

Here is a great article from Anandtech with some experimental results on cell phone multicore architectures.  Their experiments show how many threads are at work in some typical cell phone scenarios and provide utilization and power results.

SIMON block cypher

Here is an interesting paper on a hardware design for the SIMON block cypher.  The paper comes from Patrick Schaumont's group at Virginia Tech.

Blackhat: x86 Design Flaw Enables Root Kits

This article from PC World reports on a talk at Blackhat that describes how a design flaw in a number of x86 models allows powerful root kits to be created.

New York Subway System Infrastructure

Slate provides here a link to a video on the machines used to operate the New York subway system.  Much of this equipment dates to the first half of the 20th century.  It's a great video.   I had read about some of this before but never in this much detail.

The Slate columnist refers to this equipment "delightful, sure, but also deeply baffling."  I think that this view misses a few points.  First, modern computer equipment isn't always reliable in many aspects, ranging from computer security to electromigration.  Second, much computer equipment isn't designed to last more than a few years.  Replacing computers regularly is OK for data centers but it just doesn't work for a lot of infrastructure.  Infrastructure has to be built to operate safely and reliably for years.  Unfortunately, the computer industry isn't very good at designing things that last.

I find the video's discussion of the old-fashioned signaling system to be much more important than the age of the wires and relays.  The old equipment can't identify the location of a train very accurately, which means that trains have to be spaced farther apart.  One of the important benefits of new equipment and control system---known as CBTC---will be more efficient transit thanks to better location and control.

Georgia Tech Center for the Development and Application of Internet-of-Things Technologies

CDAIT, the Georgia Tech Center for the Development and Application of Internet-of-Things Technologies, is run by Alain Louchez.  Their web site posts a number of interesting items.  Here is one item on our research on long-term care for people with special needs.

Jeep Cherokee Zero-Day Exploit

Wired reports here on the demonstration of a zero-day exploit on Jeep Cherokees. 

Yet Another Software Timing Bug

Extremetech reports here that New Horizons, the NASA Pluto probe, stopped communicating for an hour and that NASA says the bug was probably caused by a "hard-to-detect timing flaw" in software.

A Great Tagline

See this article from Tom's Hardware: the founder of Kapersky refers to IoT as the "Internet of Threats."

Samsung phone security problem

NowSecure reports here that they have found a way \for an attacker to use the keyboard update mechanism on several Samsung phone models to execute privileged code on the phone.  The vulnerability leverages the software update mechanism for the Swift keyboard software, which is from a third party.  Software updates download files in privileged mode but as a plaintext zip file. The exploit modifies this download zip and its associated manifest to install malicious files on the phone.

Mac suspend/resume vulnerability

Reverse Engineering Mac OS X described here a bug in Mac suspend/resume code that allows malicious programs to modify BIOS, getting around traditional virus protection checks.  This isn't strictly embedded but given the emphasis on low energy in the embedded/CPS/IoT world, who knows what other devices have similar problems.

Hello, Cyber-Physical Sewing Machine

The gearbox on my mechanical sewing machine broke.  It sounded like it was mixing gravel; I didn't investigate further.  I decided to replace it with a cyber-physical model but one that didn't have a lot of features that I wouldn't use.  I think this model will have a strong drivetrain as well as fairly reliable electronics, but only time will tell.
<p>
My first sewing machine suffered an electronics failure, and a rather mundane one at that.  As we integrate electronics and computers into all sorts of devices, I hope that system designers keep in mind that consumer electronics devices (cell phones, audio players, etc.) are designed with very short lifespans in mind.  In contrast, many of the cyber-physical devices, such as sewing machines, have much longer lifespans.  All the components should be designed to have consistent lifespans.  This means building printed circuit boards and chips to higher quality standards than those to which the electronics industry has become accustomed.  And, of course, more components of any type means more opportunities for failure.

Software Bug on LightSail

Extremetech.com reports here on a software bug on LightSail.  It appears that when a log file reaches 32 MB, it crashes the OS.

Possible software bug implicated in accident

Aviation Week provides this interesting report of a potential software bug and its effects.  An Airbus A400M airlifter crashed on May 9, killing four people. Aviation Week's sources indicate that the crash may have involved new software that manages the fuel levels in the fuel tanks.

IoT Symposium Keynote

Prof. Mani Srivastava of UCLA will deliver the keynote at the IoT Symposium.  His talk will be titled "Towards a Trustworthy Pervasive Sensing Substrate for the Internet of Things."

More on Airplane Hacking

The FBI has released a notice on media claims about aircraft hacking.  You can see the document here (among other places).  Thanks very much to Nicholas Larrieu for the pointer to this document. The notice asks for assistance in identifying potential incidents and vigilance in preventing such events.  It also says:

"The FBI and TSA are currently analyzing claims in recent media reports which included statements that critical in-flight networks on commercial aircraft may be vulnerable to remote intrusion. At this time, the FBI and TSA have no information to support these claims but continue to leverage public and private sector partnerships to evaluate potential threats posed by intrusions into a commercial aircraft’s secure networks. The FBI and TSA also continuously monitor and analyze reporting on cyber and technical threats to proactively deter individuals from using remote intrusions to disrupt any portion of the aviation sector, including its business networks, critical navigation and air traffic control signals, and the onboard networks of commercial aircraft."

IoT Symposium at Embedded Systems Week

Jason Xue and I are organizing the IoT Symposium at Embedded Systems Week.  ESWeek is October 4-9 in Amsterdam; the IoT Symposium is on October 8-9.  The submission deadline for the symposium is June 29.  We hope you attend!  Even better, we hope you submit!   Here is the call for papers:

The ESWeek IoT Symposium is organized as a part of the Embedded Systems Week 2015. The Internet of Things (IoT) promises to revolutionize fields ranging from health care to manufacturing to personal living by connecting the Internet to physical things. Embedded computing and VLSI are central to the achievement of the IoT vision - advanced computation and communication must be delivered at extremely low energy levels and manufacturing costs. The IoT Symposium is devoted to research on advanced IoT systems.The IoT symposium will be a part of Embedded System week, and will provide a forum for researchers, from academia and industry, to present and discuss innovative ideas and solutions related to all facets of internet-of-things.
Topics of interest at IoT Symposium include but not limited to:
- VLSI Systems Track: ultra low energy systems, integrated sensors, 3D, platform architectures.
- Networking and Communications Track: Physical layer, protocols, network management.
- Algorithms and Infrastructures Track: Distributed and cloud computing, big data methods, heterogeneous sensors, sensor fusion, standards, design methodologies.
- Security and Privacy Track: Low-energy encryption, authentication, hardware security, privacy management.
- Applications Track: Industrial control, logistics, smart homes, smart cities, office management, smart vehicles and fleets.
- Ultra-low Energy System Track: Energy harvesting, hybrid energy systems, storage-less energy systems

DAC special session on cyber-physical systems

The Design Automation Conference is coming to the Moscone Center in San Francisco during the week of June 7.  Mohammed Al Faruque and I have organized a special session on cyber-physical systems architectures and methodologies; it will take place Wednesday, JUne 10, from 1:30 to 3 PM.  The session will feature three talks: I will give the introductory talk; Janos Sztipanovits from Vanderbilt will talk about their experience with CPS tool chains; and Rajesh Gupta will discuss models, abstractions, and architectures.  You can find the program here.

Airplane Hacking

CNN just posted this story about the ongoing saga of Chris Roberts, who has (depending on who you believe) either hacked into commercial airliners in flight or has investigated the possibility of such activities.

Cheap Thermal Imagers

A number of sites have reported on new thermal imagers that cost only a few hundred dollars: one from Seek here; another from Flir here. Not so long ago, thermal imagers cost $10K-$20K.  These new low-cost imagers will open up new categories of applications.

New 787 battery problems

CNN reports here that the FAA has issued a repetitive maintenance task directive for the Boeing 787.  This mandate was put into place after testing found that, after being continuously powered for 248 days, the 787 could lose all AC power.

Imagination releases academic version of MIPSfpga design

As described by AnandTech in this article, Imagination has announced a university license for its MIPSfpga design.

Asparagus-Carrying Drone Crashes and Explodes

You can't make this stuff up, folks.  Read this story in Time.

SSL certificate security flaws found

Extremetech reported on some newly found security holes in SSL.  It turns out that another entity issued unauthorized certificates for Google domains.  Beyond the specific implications for SSL security, this in my view is another blow to the reputation of open systems and standards.

More Stuipid Ideas in Consumer Electronics

Tom's Hardware reports that a new Barbie records your child's conversations with the doll and saves them in the cloud---here is the article.  Doesn't anyone in the consumer electronics industry know how to spell privacy?

Stupid Ideas in Consumer Electronics

Samsung's Smart TV seems to have been not so smart after all.  A variety of press reports indicate that Samsung's user agreement allows them to share voice input with third parties.  Reports also indicate that voice data is being transferred to the cloud in an insecure manner.  One of the several good reports on this topic comes from Tom's Hardware.