48 research outputs found

    xLED: Covert Data Exfiltration from Air-Gapped Networks via Router LEDs

    In this paper we show how attackers can covertly leak data (e.g., encryption keys, passwords and files) from highly secure or air-gapped networks via the row of status LEDs that exists in networking equipment such as LAN switches and routers. Although it is known that some network equipment emanates optical signals correlated with the information being processed by the device ('side-channel'), intentionally controlling the status LEDs to carry any type of data ('covert-channel') has never been studied before. Malicious code is executed on the LAN switch or router, allowing full control of the status LEDs. Sensitive data can be encoded and modulated over the blinking of the LEDs. The generated signals can then be recorded by various types of remote cameras and optical sensors. We provide the technical background on the internal architecture of switches and routers (at both the hardware and software level) which enables this type of attack. We also present amplitude and frequency based modulation and encoding schemas, along with a simple transmission protocol. We implement a prototype of an exfiltration malware and discuss its design and implementation. We evaluate this method with a few routers and different types of LEDs. In addition, we tested various receivers including remote cameras, security cameras, smartphone cameras, and optical sensors, and also discuss different detection and prevention countermeasures. Our experiment shows that sensitive data can be covertly leaked via the status LEDs of switches and routers at bit rates of 10 bit/sec to more than 1Kbit/sec per LED.

    Security and Privacy for Ubiquitous Mobile Devices

    We live in a world where mobile devices are already ubiquitous. It is estimated that in the United States approximately two thirds of adults own a smartphone, and that for many, these devices are their primary method of accessing the Internet. Worldwide, it is estimated that in May of 2014 there were 6.9 billion mobile cellular subscriptions, almost as much as the world population. Of these 6.9 billion, approximately 1 billion are smart devices, which are concentrated in the developed world. In the developing world, users are moving from feature phones to smart devices as a result of lower prices and marketing efforts. Because smart mobile devices are ubiquitous, security and privacy are primary concerns. Threats such as mobile malware are already substantial, with over 2500 different types identified in 2010 alone. It is likely that, as the smart device market continues to grow, so too will concerns about privacy, security, and malicious software. This is especially true, because these mobile devices are relatively new. Our research focuses on increasing the security and privacy of user data on smart mobile devices. We propose three applications in this domain: (1) a service that provides private, mobile location sharing; (2) a secure, intuitive proximity networking solution; and (3) a potential attack vector in mobile devices, which utilizes novel covert channels. We also propose a first step defense mechanism against these covert channels. Our first project is the design and implementation of a service, which provides users with private and secure location sharing. This is useful for a variety of applications such as online dating, taxi cab services, and social networking. Our service allows users to share their location with one another with trust and location based access controls. We allow users to identify if they are within a certain distance of one another, without either party revealing their location to one another, or any third party.
We design this service to be practical and efficient, requiring no changes to the cellular infrastructure and no explicit encryption key management for the users. For our second application, we build a modem, which enables users to share relatively small pieces of information with those that are nearby, also known as proximity based networking. Currently there are several mediums which can be used to achieve proximity networking such as NFC, Bluetooth, and WiFi direct. Unfortunately, these currently available schemes suffer from a variety of drawbacks including slow adoption by mobile device hardware manufacturers, relatively poor usability, and wide range, omni-directional propagation. We propose a new scheme, which utilizes ultrasonic (high frequency) audio on typical smart mobile devices, as a method of communication between proximal devices. Because mobile devices already carry the necessary hardware for ultrasound, adoption is much easier. Additionally, ultrasound has a limited and highly intuitive propagation pattern because it is highly directional, and can be easily controlled using the volume controls on the devices. Our ultrasound modem is fast, achieving several thousand bits per second throughput, non-intrusive because it is inaudible, and secure, requiring attackers with normal hardware to be less than or equal to the distance between the sender and receiver (a few centimeters in our tests). Our third work exposes a novel attack vector utilizing physical media covert channels on smart devices, in conjunction with privilege escalation and confused deputy attacks. This ultimately results in information leakage attacks, which allow the attacker to gain access to sensitive information stored on a user's smart mobile device such as their location, passwords, emails, SMS messages and more.
Our attack uses our novel physical media covert channels to launder sensitive information, thereby circumventing state of the art, taint-tracking analysis based defenses and, at the same time, the current, widely deployed permission systems employed by mobile operating systems. We propose and implement a variety of physical media covert channels, which demonstrate different strengths such as high speed, low error rate, and stealth. By proposing several different channels, we make defense of such an attack much more difficult. Despite the challenging situation, in this work we also propose a novel defense technique as a first step towards research on more robust approaches. As a contribution to the field, we present these three systems, which together enrich the smart mobile experience, while providing mobile security and keeping privacy in mind. Our third approach specifically, presents a unique attack, which has not been seen in the wild, in an effort to keep ahead of malicious efforts.

    A Comprehensive Security Framework for Securing Sensors in Smart Devices and Applications

    This doctoral dissertation introduces novel security frameworks to detect sensor-based threats on smart devices and applications in smart settings such as smart home, smart office, etc. First, we present a formal taxonomy and in-depth impact analysis of existing sensor-based threats to smart devices and applications based on attack characteristics, targeted components, and capabilities. Then, we design a novel context-aware intrusion detection system, 6thSense, to detect sensor-based threats in standalone smart devices (e.g., smartphone, smart watch, etc.). 6thSense considers user activity-sensor co-dependence in standalone smart devices to learn the ongoing user activity contexts and builds a context-aware model to distinguish malicious sensor activities from benign user behavior. Further, we develop a platform-independent context-aware security framework, Aegis, to detect the behavior of malicious sensors and devices in a connected smart environment (e.g., smart home, offices, etc.). Aegis observes the changing patterns of the states of smart sensors and devices for user activities in a smart environment and builds a contextual model to detect malicious activities considering sensor-device-user interactions and multi-platform correlation. Then, to limit unauthorized and malicious sensor and device access, we present, kratos, a multi-user multi-device-aware access control system for smart environment and devices. kratos introduces a formal policy language to understand diverse user demands in smart environment and implements a novel policy negotiation algorithm to automatically detect and resolve conflicting user demands and limit unauthorized access. For each contribution, this dissertation presents novel security mechanisms and techniques that can be implemented independently or collectively to secure sensors in real-life smart devices, systems, and applications. 
Moreover, each contribution is supported by several user and usability studies we performed to understand the needs of the users in terms of sensor security and access control in smart devices and improve the user experience in these real-time systems.

    Development of A Versatile Multichannel CWNIRS Instrument for Optical Brain-Computer Interface Applications

    This thesis describes the design, development, and implementation of a versatile multichannel continuous-wave near-infrared spectroscopy (CWNIRS) instrument for brain-computer interface (BCI) applications. Specifically, it was of interest to assess what gains could be achieved by using a multichannel device compared to the single channel device implemented by Coyle in 2004. Moreover, the multichannel approach allows for the assessment of localisation of functional tasks in the cerebral cortex, and can identify lateralisation of haemodynamic responses to motor events. The approach taken to extend single channel to multichannel was based on a software-controlled interface. This interface allowed flexibility in the control of individual optodes including their synchronisation and modulation (AM, TDM, CDMA). Furthermore, an LED driver was developed for custom-made triple-wavelength LEDs. The system was commissioned using a series of experiments to verify the performance of individual components in the system. The system was then used to carry out a set of functional studies including motor imagery and cognitive tasks. The experimental protocols based on motor imagery and overt motor tasks were verified by comparison with fMRI. The multichannel approach identified stroke rehabilitation as a new application area for optical BCI. In addition, concentration changes in deoxyhaemoglobin were identified as being a more localised indicator of functional activity, which is important for effective BCI design. An assessment was made on the effect of the duration of the stimulus period on the haemodynamic signals. This demonstrated the possible benefits of using a shorter stimulus period to reduce the adverse effects of low blood pressure oscillations.

    Wireless sensor systems for sense/decide/act/communicate.
