I'm a computer science professor, and my area of expertise is computer and information security. When I was in graduate school, I had the opportunity to overhear my grandmother describing to one of her fellow senior citizens what I did for a living. Apparently, I was in charge of making sure that no one stole the computers from the university. (Laughter) And, you know, that's a perfectly reasonable thing for her to think, because I told her I was working in computer security, and it was interesting to get her perspective. But that's not the most ridiculous thing I've ever heard anyone say about my work. The most ridiculous thing I ever heard is, I was at a dinner party, and a woman heard that I work in computer security, and she asked me if -- she said her computer had been infected by a virus, and she was very concerned that she might get sick from it, that she could get this virus. (Laughter) And I'm not a doctor, but I reassured her that it was very, very unlikely that this would happen, but if she felt more comfortable, she could be free to use latex gloves when she was on the computer, and there would be no harm whatsoever in that. I'm going to get back to this notion of being able to get a virus from your computer, in a serious way. What I'm going to talk to you about today are some hacks, some real world cyberattacks that people in my community, the academic research community, have performed, which I don't think most people know about, and I think they're very interesting and scary, and this talk is kind of a greatest hits of the academic security community's hacks. None of the work is my work. It's all work that my colleagues have done, and I actually asked them for their slides and incorporated them into this talk. So the first one I'm going to talk about are implanted medical devices. Now medical devices have come a long way technologically. You can see in 1926 the first pacemaker was invented. 
1960, the first internal pacemaker was implanted, hopefully a little smaller than that one that you see there, and the technology has continued to move forward. In 2006, we hit an important milestone from the perspective of computer security. And why do I say that? Because that's when implanted devices inside of people started to have networking capabilities. One thing that brings us close to home is we look at Dick Cheney's device, he had a device that pumped blood from an aorta to another part of the heart, and as you can see at the bottom there, it was controlled by a computer controller, and if you ever thought that software liability was very important, get one of these inside of you. Now what a research team did was they got their hands on what's called an ICD. This is a defibrillator, and this is a device that goes into a person to control their heart rhythm, and these have saved many lives. Well, in order to not have to open up the person every time you want to reprogram their device or do some diagnostics on it, they made the thing be able to communicate wirelessly, and what this research team did is they reverse engineered the wireless protocol, and they built the device you see pictured here, with a little antenna, that could talk the protocol to the device, and thus control it. In order to make their experience real -- they were unable to find any volunteers, and so they went and they got some ground beef and some bacon and they wrapped it all up to about the size of a human being's area where the device would go, and they stuck the device inside it to perform their experiment somewhat realistically. They launched many, many successful attacks. One that I'll highlight here is changing the patient's name. I don't know why you would want to do that, but I sure wouldn't want that done to me. 
And they were able to change therapies, including disabling the device -- and this is with a real, commercial, off-the-shelf device -- simply by performing reverse engineering and sending wireless signals to it. There was a piece on NPR that some of these ICDs could actually have their performance disrupted simply by holding a pair of headphones onto them. Now, wireless and the Internet can improve health care greatly. There's several examples up on the screen of situations where doctors are looking to implant devices inside of people, and all of these devices now, it's standard that they communicate wirelessly, and I think this is great, but without a full understanding of trustworthy computing, and without understanding what attackers can do and the security risks from the beginning, there's a lot of danger in this. Okay, let me shift gears and show you another target. I'm going to show you a few different targets like this, and that's my talk. So we'll look at automobiles. This is a car, and it has a lot of components, a lot of electronics in it today. In fact, it's got many, many different computers inside of it, more Pentiums than my lab did when I was in college, and they're connected by a wired network. There's also a wireless network in the car, which can be reached from many different ways. So there's Bluetooth, there's the FM and XM radio, there's actually wi-fi, there's sensors in the wheels that wirelessly communicate the tire pressure to a controller on board. The modern car is a sophisticated multi-computer device. And what happens if somebody wanted to attack this? Well, that's what the researchers that I'm going to talk about today did. They basically stuck an attacker on the wired network and on the wireless network. Now, they have two areas they can attack. 
One is short-range wireless, where you can actually communicate with the device from nearby, either through Bluetooth or wi-fi, and the other is long-range, where you can communicate with the car through the cellular network, or through one of the radio stations. Think about it. When a car receives a radio signal, it's processed by software. That software has to receive and decode the radio signal, and then figure out what to do with it, even if it's just music that it needs to play on the radio, and that software that does that decoding, if it has any bugs in it, could create a vulnerability for somebody to hack the car. The way that the researchers did this work is, they read the software in the computer chips that were in the car, and then they used sophisticated reverse engineering tools to figure out what that software did, and then they found vulnerabilities in that software, and then they built exploits to exploit those. They actually carried out their attack in real life. They bought two cars, and I guess they have better budgets than I do. The first threat model was to see what someone could do if an attacker actually got access to the internal network on the car. Okay, so think of that as, someone gets to go to your car, they get to mess around with it, and then they leave, and now, what kind of trouble are you in? The other threat model is that they contact you in real time over one of the wireless networks like the cellular, or something like that, never having actually gotten physical access to your car. This is what their setup looks like for the first model, where you get to have access to the car. They put a laptop, and they connected to the diagnostic unit on the in-car network, and they did all kinds of silly things, like here's a picture of the speedometer showing 140 miles an hour when the car's in park. Once you have control of the car's computers, you can do anything. Now you might say, "Okay, that's silly." 
Well, what if you make the car always say it's going 20 miles an hour slower than it's actually going? You might produce a lot of speeding tickets. Then they went out to an abandoned airstrip with two cars, the target victim car and the chase car, and they launched a bunch of other attacks. One of the things they were able to do from the chase car is apply the brakes on the other car, simply by hacking the computer. They were able to disable the brakes. They also were able to install malware that wouldn't kick in and wouldn't trigger until the car was doing something like going over 20 miles an hour, or something like that. The results are astonishing, and when they gave this talk, even though they gave this talk at a conference to a bunch of computer security researchers, everybody was gasping. They were able to take over a bunch of critical computers inside the car: the brakes computer, the lighting computer, the engine, the dash, the radio, etc., and they were able to perform these on real commercial cars that they purchased using the radio network. They were able to compromise every single one of the pieces of software that controlled every single one of the wireless capabilities of the car. All of these were implemented successfully. How would you steal a car in this model? Well, you compromise the car by a buffer overflow vulnerability in the software, something like that. You use the GPS in the car to locate it. You remotely unlock the doors through the computer that controls that, start the engine, bypass anti-theft, and you've got yourself a car. Surveillance was really interesting. The authors of the study have a video where they show themselves taking over a car and then turning on the microphone in the car, and listening in on the car while tracking it via GPS on a map, and so that's something that the drivers of the car would never know was happening. Am I scaring you yet? I've got a few more of these interesting ones.
These are ones where I went to a conference, and my mind was just blown, and I said, "I have to share this with other people." This was Fabian Monrose's lab at the University of North Carolina, and what they did was something intuitive once you see it, but kind of surprising. They videotaped people on a bus, and then they post-processed the video. What you see here in number one is a reflection in somebody's glasses of the smartphone that they're typing in. They wrote software to stabilize -- even though they were on a bus and maybe someone's holding their phone at an angle -- to stabilize the phone, process it, and you may know on your smartphone, when you type a password, the keys pop out a little bit, and they were able to use that to reconstruct what the person was typing, and had a language model for detecting typing. What was interesting is, by videotaping on a bus, they were able to produce exactly what people on their smartphones were typing, and then they had a surprising result, which is that their software had not only done it for their target, but other people who accidentally happened to be in the picture, they were able to produce what those people had been typing, and that was kind of an accidental artifact of what their software was doing. I'll show you two more. One is P25 radios. P25 radios are used by law enforcement and all kinds of government agencies and people in combat to communicate, and there's an encryption option on these phones. This is what the phone looks like. It's not really a phone. It's more of a two-way radio. Motorola makes the most widely used one, and you can see that they're used by Secret Service, they're used in combat, it's a very, very common standard in the U.S. and elsewhere. So one question the researchers asked themselves is, could you block this thing, right? Could you run a denial-of-service, because these are first responders? 
So, would a terrorist organization want to black out the ability of police and fire to communicate at an emergency? They found that there's this GirlTech device used for texting that happens to operate at the same exact frequency as the P25, and they built what they called My First Jammer. (Laughter) If you look closely at this device, it's got a switch for encryption or cleartext. Let me advance the slide, and now I'll go back. You see the difference? This is plain text. This is encrypted. There's one little dot that shows up on the screen, and one little tiny turn of the switch. And so the researchers asked themselves, "I wonder how many times very secure, important, sensitive conversations are happening on these two-way radios where they forget to encrypt and they don't notice that they didn't encrypt?" So they bought a scanner. These are perfectly legal and they run at the frequency of the P25, and what they did is they hopped around frequencies and they wrote software to listen in. If they found encrypted communication, they stayed on that channel and they wrote down, that's a channel that these people communicate in, these law enforcement agencies, and they went to 20 metropolitan areas and listened in on conversations that were happening at those frequencies. They found that in every metropolitan area, they would capture over 20 minutes a day of cleartext communication. And what kind of things were people talking about? Well, they found the names and information about confidential informants. They found information that was being recorded in wiretaps, a bunch of crimes that were being discussed, sensitive information. It was mostly law enforcement and criminal. They went and reported this to the law enforcement agencies, after anonymizing it, and the vulnerability here is simply the user interface wasn't good enough. If you're talking about something really secure and sensitive, it should be really clear to you that this conversation is encrypted. 
That one's pretty easy to fix. The last one I thought was really, really cool, and I just had to show it to you, it's probably not something that you're going to lose sleep over like the cars or the defibrillators, but it's stealing keystrokes. Now, we've all looked at smartphones upside down. Every security expert wants to hack a smartphone, and we tend to look at the USB port, the GPS for tracking, the camera, the microphone, but no one up till this point had looked at the accelerometer. The accelerometer is the thing that determines the vertical orientation of the smartphone. And so they had a simple setup. They put a smartphone next to a keyboard, and they had people type, and then their goal was to use the vibrations that were created by typing to measure the change in the accelerometer reading to determine what the person had been typing. Now, when they tried this on an iPhone 3GS, this is a graph of the perturbations that were created by the typing, and you can see that it's very difficult to tell when somebody was typing or what they were typing, but the iPhone 4 greatly improved the accelerometer, and so the same measurement produced this graph. Now that gave you a lot of information while someone was typing, and what they did then is used advanced artificial intelligence techniques called machine learning to have a training phase, and so they got most likely grad students to type in a whole lot of things, and to learn, to have the system use the machine learning tools that were available to learn what it is that the people were typing and to match that up with the measurements in the accelerometer. And then there's the attack phase, where you get somebody to type something in, you don't know what it was, but you use your model that you created in the training phase to figure out what they were typing. They had pretty good success. This is an article from the USA Today. 
They typed in, "The Illinois Supreme Court has ruled that Rahm Emanuel is eligible to run for Mayor of Chicago" — see, I tied it in to the last talk — "and ordered him to stay on the ballot." Now, the system is interesting, because it produced "Illinois Supreme" and then it wasn't sure. The model produced a bunch of options, and this is the beauty of some of the A.I. techniques, is that computers are good at some things, humans are good at other things, take the best of both and let the humans solve this one. Don't waste computer cycles. A human's not going to think it's the Supreme might. It's the Supreme Court, right? And so, together we're able to reproduce typing simply by measuring the accelerometer. Why does this matter? Well, in the Android platform, for example, the developers have a manifest where every device on there, the microphone, etc., has to register if you're going to use it so that hackers can't take over it, but nobody controls the accelerometer. So what's the point? You can leave your iPhone next to someone's keyboard, and just leave the room, and then later recover what they did, even without using the microphone. If someone is able to put malware on your iPhone, they could then maybe get the typing that you do whenever you put your iPhone next to your keyboard. There's several other notable attacks that unfortunately I don't have time to go into, but the one that I wanted to point out was a group from the University of Michigan which was able to take voting machines, the Sequoia AVC Edge DREs that were going to be used in New Jersey in the election that were left in a hallway, and put Pac-Man on it. So they ran the Pac-Man game. What does this all mean? Well, I think that society tends to adopt technology really quickly. I love the next coolest gadget. 
But it's very important, and these researchers are showing, that the developers of these things need to take security into account from the very beginning, and need to realize that they may have a threat model, but the attackers may not be nice enough to limit themselves to that threat model, and so you need to think outside of the box. What we can do is be aware that devices can be compromised, and anything that has software in it is going to be vulnerable. It's going to have bugs. Thank you very much. (Applause)