A blog about embedded computing systems, cyber-physical systems, and Internet of Things. We concentrate on technical topics but also discuss their implications.
Friday, June 30, 2017
Recent Attacks May Not Have Been Traditional Ransomware
Tom's Hardware reports here that the recent ransomware attacks may have been intended primarily to disrupt targets, not to extract payments from them. The payments were to be made to an email address that was quickly shut down. Given the simple nature of the payment system, some question whether the attack was intended to generate revenue. Instead, it may have been intended to disrupt operations in the targets with the ransom demands being something of a distraction.
How Hard is Flipping a Presidential Election, Part 3
My earlier posts walked through the arithmetic of two recent Presidential elections. We saw that nullifying a small proportion of the total votes would have been sufficient to change the results. To close out the subject, let's make a few observations.
First, attackers generally have some options as to which regions they can attack. Areas where the vote is expected to be closest make sense as good targets. We saw that in the 2016 elections, a large number of combinations of regions could be put together to affect the required number of votes. The 2012 election offered fewer combinations, but options were still available.
Second, the federated nature of the U. S. election system cuts both ways. Design diversity is a good approach in all sorts of high-reliability systems. The range of systems and procedures used in different counties means that an attacker cannot roll out a one-size-fits-all attack. On the other hand, a security wall is only as good as its weakest point. Some counties are likely to be more difficult to attack than others. Given that a relatively small proportion of the jurisdictions need to be compromised, and given that multiple combinations of regions can be put together to produce the required number of votes, attackers can probe for weak links to achieve their ends.
Wednesday, June 28, 2017
IEEE Computer Special Issue on VLSI for IoT
Our new special issue of IEEE Computer on VLSI for IoT has been released here. The special issue was edited by Saibal Mukhopadhyay and myself. Articles in the special issue look at issues in circuits, architectures, and applications that affect the design of VLSI devices for IoT system applications.
Qualcomm Announces Snapdragon Wear 1200
Qualcomm describes here its new Snapdragon Wear 1200 SoC which is aimed at wearables.
How Hard is Flipping a Presidential Election, Part 2
My earlier post ran some numbers to show how many nullified votes would have been required to change the results of the 2016 U. S. presidential election. For comparison, I ran a similar evaluation of the 2012 election. The overall election was not as close and individual states also tended to be less close. I chose one combination of 10 states whose total Electoral College votes would have been enough to change the result; other combinations would also be feasible. Here are the numbers:
Slightly fewer than 1.8 million nullified votes in these states would have been sufficient to change the results. That is less than 2% of the total nationwide popular vote. Changing the results of this election would have been more difficult than it would have been for the 2016 election. The effort would also require attacking considerably more states. But the numbers still show that a small proportion of votes would have been sufficient to change the results.
Tuesday, June 27, 2017
The Oscar Mayer Weinerfleet
Given that our global infrastructure is under assault, a little levity is welcome. AV Club reports here on Oscar Mayer's new Weinerfleet, which includes both an autonomous land vehicle and a drone.
International Ransomware Attack
NBC News reports here on a ransomware attack going on at this writing. As with many recent events, the effects of this attack span both IT and cyber-physical/IoT systems. The article shows a photo of a cash terminal with a ransom message displayed. A Russian oil producer stated that it avoided disruptions to its production system through the use of a reserve control system. A Ukrainian airport which suffered an attack said that some flight disruptions might be possible.
How Hard is Flipping a Presidential Election?
This article is an exercise in arithmetic---we will run some numbers to see how much vote tampering would be required to change the results of, in this example, the 2016 presidential election. It appears that no foreign power was able to change the results of that election, but some commentators have assumed that changing election results would require a great deal of effort. If the goal of the bad guys is to put out a banana republic-style 99% win, that would be the case. But changing a democratic election requires changing a much smaller number of votes.
Here are some notes on my process. I used election data from Politico that you can find here. I also used public data on the number of counties in various states. My analysis is based on knowledge of the results---I know which states to flip. An adversary wouldn't know the exact total in advance, although polling would give them some guidance; this assumption makes my analysis optimistic. On the other hand, I will count the number of votes that needed to be nullified to flip the result, which is an optimistic assumption. As in baseball, in which front runners playing each other have a larger effect than each team playing another, flipping a vote both takes it away from your opponent and gives a vote to you.
The popular vote totaled 62,523,126 for Clinton and 61,201,031 for Trump. That gives a difference of 1,322,095 or 1.1% of the total votes cast.
However, the United States presidential election is based on the Electoral College. The adversary needs to flip enough states to change those results, namely 270 out of 538. (As an aside, I believe that the wisdom of the Founding Fathers has been repeatedly affirmed and I understand their reasons for creating the Electoral College. Each voting system has its own concerns, as Martin Gardner showed in his outstanding article.) The election results gave 232 Electoral College votes to Clinton and 306 to Trump, a difference of 38. The winning difference was 7.1% of the total number of Electoral College votes.
In order to change the Electoral College results, we need to flip enough states to make up that difference. States with close popular vote totals require nullifying fewer votes to flip the state. I scanned the state-by-state results and found nine states whose popular vote difference between Clinton and Trump was 4% or less: Arizona, Colorado, Florida, Maine, Michigan, Nevada, North Carolina, Pennsylvania, and Wisconsin. The large number of close states gives attackers many options in how to affect results.
There are, in fact, several two-state combinations that provide the required Electoral College margin. I chose to look at two, Florida and Pennsylvania. Florida's vote was 4,485,745 for Clinton and 4,605,515 for Trump, a difference of 119,770 or 1.3% of the total. Pennsylvania's vote was 2,844,705 for Clinton and 2,912,941 for Trump, a difference of 68,236 or 1.2% of the total number of votes. Each of these states, as it turns out, has 67 counties. This difference is within the polling error of many polls, so nullifying the required number of votes may be difficult to detect by comparisons to polling.
Flipping the overall election results would require nullifying only 188,006 votes or 0.15% of the nationwide popular vote. That seems like a pretty small number to me. Even if the attacker chose to attempt to nullify many more votes to maximize their chance of success, the result would be a relatively small proportion of the votes cast.
My Princeton colleague Andrew Appel describes here his extensive work on voting machine technology. Some non-technical commentators, when faced with the work of Andrew and others, claim that changing machines would require too much effort, but the small number of votes in danger calls that claim into question. And attacking the machines is not the only avenue available to attackers, who could also target voter registration systems. Voter registration attacks are sufficient to prevent voters from voting, which falls under the conservative vote-nullifying methodology we have used here.
The underlying principle---that a relatively small number of votes need to be compromised to change the results of a democratic election---has been pointed out before. Our exercise on the 2016 election shows that changing the results of this election would have required affecting a small proportion of the vote, despite the unambiguous margins in the vote totals. Protecting the integrity of American voting will require significant and steady effort.
Monday, June 26, 2017
SiLabs CEO Talk on IoT
EE Times reports here on the DAC keynote talk by SiLabs CEO Tyson Tuttle. He predicts that the IoT chip markets will take several decades to fully develop. He believes that chip companies must understand the needs of system designers and provide tool sets as well as comprehensive hardware solutions.
Exynos i T200 SoC
Extremetech reports here on the Exynos iT200 SoC for IoT devices. The chip features two Arm processors and WiFi.
Thursday, June 22, 2017
Honda Plant Shut Down by Virus
Extremetech reports here that the WannaCry virus shut down a Honda plant in Japan for a day.
Saturday, June 17, 2017
Mediabench
This is a joint blog post with my food blog. A trip through St. Louis gave me a chance to catch up with my former student Jason Fritts, who is now a professor at St. Louis University. Jason is well known for his work in multimedia computing and is the main organizer of the MediaBench benchmark series. Over pizza he told me about his amazing project to build accelerometers into a fly-casting rod. I think he said that the tip hits 30-40 Gs. Very cool stuff.
Friday, June 16, 2017
EU Draft Report on Privacy and Electronic Communication
The European Parliament has released here a draft report on a proposed regulation on privacy and electronic communication. This report is long and technical, but it does at least describe encouraging a variety of measures to protect the privacy of electronic communications, such as encryption. It also specifically mentions metadata as worthy of privacy protection.
This report probably is intended to cover email, social media, etc. But it does seem to me that much of the language is general enough to cover all sorts of other communications. Messages and data samples from IoT devices are, after all, electronic communications. The data and control packets on a distributed control bus are also electronic communications.
Communication within and between IoT and CPS devices and systems deserves privacy. A large body of work has shown that quite a bit can be inferred about a person and their activities from a small number of samples. However, these systems often run in real time and under power constraints. The encryption and privacy techniques appropriate to IoT and CPS are, in general, quite different from those for information technology (IT) systems. Let's hope that privacy protections cover all the bases and do so in a manner appropriate to the wide-ranging ways in which we use computers.
US-CERT Warning on North Korean DDoS Botnet
The U. S. Computer Emergency Readiness Team (US-CERT) has issued this alert TA17-164A on North Korea's HIDDEN COBRA cyberwarfare unit and their efforts on building botnets for DDoS attacks. This page includes links to indicators of compromise (IoC) to be checked by system administrators. US-CERT says that people who find evidence of these tools should report it to either the DHS National Cybersecurity Communications and Integration Center (NCCIC) or the FBI Cyber Watch (CyWatch). The alert identifies tools and capabilities including DDoS botnets, keyloggers, remote access tools, and wiper malware. It says that HIDDEN COBRA primarily targets older versions of Microsoft OSs as well as Adobe Flash.
Wednesday, June 14, 2017
Personal and Public in IoT Security
IoT devices present us with an interesting combination of concerns in the private and public spheres. On the one hand, a poorly secured IoT device can present a safety hazard to its owner. An insecure or poorly designed IoT garage door controller, for example, can lead to burglaries, improper operation of the door, etc. Some of those same vulnerabilities can allow the device to be used in attacks on other parties, the recent Dyn attack being a prime example. I am hard pressed to find a corresponding linkage between personal safety and public safety in non-computerized devices. But even if other parallels exist, the scope of possible problems that can be caused by insecure IoT devices is troublesome.
Monday, June 12, 2017
Point-of-View Article on Safe and Secure CPS and IoT
The latest issue of Proceedings of the IEEE is out and it contains a short point-of-view article by Dimitrios Serpanos and me on safe and secure CPS and IoT. We argue that safety and security are no longer separable. We observe that best practices in both safety and security need to be applied to modern systems, but that new methods will also be necessary. A special issue on this topic will appear in PIEEE a few months from now. In the meantime, this article summarizes our vision for the design of these critical systems.
Thursday, June 8, 2017
IT Methodologies Should Learn from CPS
I have said on more than one occasion that Internet connectivity makes the CPS V methodology inadequate. The V methodology works top down for design, then bottom up for implementation, forming a V. It implicitly assumes that the specification is static, giving a known target for the end of the V. The changing threat from the Internet undermines that assumption.
However, we should keep in mind that many CPS systems make use of software from the IT world, whether it be licensed or open source. IT developers can no longer assume that their customers are solely from the IT world. They need to take into account the requirements of cyber-physical systems. To satisfy those requirements, they should adopt the more stringent verification and validation approaches embodied by the V methodology.
Many software IP modules are developed relatively independently of applications. A V-methodology-based approach would condition the release of these modules on validation within some exemplary systems. System-integrated testing from both IP and CPS domains would help to shake out bugs in both the implementation and specification.
Agile software development emphasizes fast development of disposable software. That approach makes sense for some domains. But long-lived modules require a different, more deliberate approach. The confluence of IT and CPS encourages us to invest in the careful design and construction of building block modules.
Thursday, June 1, 2017
Criminal Gang Steals Jeeps Using Authentication Codes
Extremetech reports here on a motorcycle gang that stole 150 Jeeps using replacement key codes in a stolen database.