Securing the Internet of Things

Speaker/Bio

MANUEL EGELE is an Assistant Professor in the Department of Electrical and Computer Engineering at Boston Univserity (BU). He also holds an affiliate appointment with the Computer Science department at BU and is a Junior Fellow at the Hariri Institute of Computing. Prior to his appointment at BU, he was a Systems Scientist at Carnegie Mellon University. Before that, he was a post-doctoral researcher at the Computer Security Group of the Department of Computer Science at the University of California, Santa Barbara. He received his M.Sc. (2006) and Ph.D. (2011) degrees in computer science from the University of Technology in Vienna. His research interests span all areas of systems security – in particular mobile and embedded systems security, privacy, and malicious code analysis.

His current research interests include the large-scale and automated analysis of embedded systems firmware that controls the computing devices in our daily lives, such as WiFi routers, surveillance cameras, or a variety of Internet of Things (IoT) gadgets. He is also interested in the threat posed and the mitigation of malicious software that encrypts a victim's files to extort a ransom payment in exchange for the decryption keys (so-called ransomware). His research on privacy violations in iOS applications (PiOS) won a distinguished paper award at the Network and Distributed Systems Security Symposium (2011).

Abstract

Just as the explosive growth of mobile (smart) devices over the last decade, the gadgets we call the Internet of Things (IoT) are predicted to experience a similar growth trajectory. Thus, in this talk we will explore automated program analysis techniques that allow us to identify concerns around security and privacy in everyday IoT systems.

We encounter IoT gadgets in all aspects of our digital life. For example, Internet-enabled surveillance cameras allow us to keep an eye on things at home while we are traveling, while at the same time the digital video recorder tapes our favorite late-night talk show. Internet access to these devices is mediated by a commercial-off-the-shelf WiFi router, and all three of these devices might share a common fate: They are part of an IoT botnet. Thus, to identify security concerns in such IoT devices we built the Firmadyne dynamic analysis platform that scanned the firmware of thousands of IoT devices for security vulnerabilities. Firmadyne identified 60 known and 14 previously-unknown vulnerabilities in 887 firmware images. Firmadyne is an exciting new capability that harbors the potential to identify security vulnerabilities in IoT firmware before devices are deployed and thus helps securing the Internet of Things.