7 research outputs found
Trick or Heat? Manipulating Critical Temperature-Based Control Systems Using Rectification Attacks
Temperature sensing and control systems are widely used in the closed-loop
control of critical processes such as maintaining the thermal stability of
patients, or in alarm systems for detecting temperature-related hazards.
However, the security of these systems has yet to be completely explored,
leaving potential attack surfaces that can be exploited to take control over
critical systems.
In this paper we investigate the reliability of temperature-based control
systems from a security and safety perspective. We show how unexpected
consequences and safety risks can be induced by physical-level attacks on
analog temperature sensing components. For instance, we demonstrate that an
adversary could remotely manipulate the temperature sensor measurements of an
infant incubator to cause potential safety issues, without tampering with the
victim system or triggering automatic temperature alarms. This attack exploits
the unintended rectification effect that can be induced in operational and
instrumentation amplifiers to control the sensor output, tricking the internal
control loop of the victim system to heat up or cool down. Furthermore, we show
how the exploit of this hardware-level vulnerability could affect different
classes of analog sensors that share similar signal conditioning processes.
Our experimental results indicate that conventional defenses commonly
deployed in these systems are not sufficient to mitigate the threat, so we
propose a prototype design of a low-cost anomaly detector for critical
applications to ensure the integrity of temperature sensor signals.
Comment: Accepted at the ACM Conference on Computer and Communications
Security (CCS), 201
Electromagnetic Sensor and Actuator Attacks on Power Converters for Electric Vehicles
Alleviating range anxiety for electric vehicles (i.e., whether such vehicles
can be relied upon to travel long distances in a timely manner) is critical for
sustainable transportation. Extremely fast charging (XFC), whereby electric
vehicles (EV) can be quickly recharged in the time frame it takes to refuel an
internal combustion engine, has been proposed to alleviate this concern. A
critical component of these chargers is the efficient and proper operation of
power converters that convert AC to DC power and otherwise regulate power
delivery to vehicles. These converters rely on the integrity of sensor and
actuation signals. In this work the operation of state-of-the-art XFC
converters is assessed in adversarial conditions, specifically against
Intentional Electromagnetic Interference Attacks (IEMI). The targeted system is
analyzed with the goal of determining possible weak points for IEMI, viz.
voltage and current sensor outputs and gate control signals. This work
demonstrates that, with relatively low power levels, an adversary is able to
manipulate the voltage and current sensor outputs necessary to ensure the
proper operation of the converters. Furthermore, in the first attack of its
kind, it is shown that the gate signal that controls the converter switches can
be manipulated, to catastrophic effect; i.e., it is possible for an attacker to
control the switching state of individual transistors to cause irreparable
damage to the converter and associated systems. Finally, a discussion of
countermeasures for hardware designers to mitigate IEMI-based attacks is
provided.
Comment: Accepted by IEEE S&P Workshop on the Internet of Safe Things 202
Susceptibility of Commercial-Off-The-Shelf Sensors to IEMI using Pulse Modulated Signals
The use of sensors has grown dramatically in recent years and many devices
rely on the information they provide. The lack of proper security mechanisms
available to control the use of sensors and the high degree of integration
make them more vulnerable to Intentional Electromagnetic Interference
(IEMI). The aim of this paper was to investigate the impact of IEMI on
separate sensors with privileged access to the hardware and software to
pursue a deep analysis of the effects of IEMI attacks using pulse modulated
signals. Measurements were carried out in a shielded hall using an open TEM
(Transverse Electromagnetic) waveguide in the 100 MHz–7.5 GHz frequency
range. A variety of effects were observed and significant differences were
found with pulse modulated signals compared to continuous wave signals.
These results indicate weak points in the sensors' hardware leading to
possible hardening measures.
They See Me Rollin': Inherent Vulnerability of the Rolling Shutter in CMOS Image Sensors
In this paper, we describe how the electronic rolling shutter in CMOS image
sensors can be exploited using a bright, modulated light source (e.g., an
inexpensive, off-the-shelf laser), to inject fine-grained image disruptions. We
demonstrate the attack on seven different CMOS cameras, ranging from cheap IoT
to semi-professional surveillance cameras, to highlight the wide applicability
of the rolling shutter attack. We model the fundamental factors affecting a
rolling shutter attack in an uncontrolled setting. We then perform an
exhaustive evaluation of the attack's effect on the task of object detection,
investigating the effect of attack parameters. We validate our model against
empirical data collected on two separate cameras, showing that by simply using
information from the camera's datasheet the adversary can accurately predict
the injected distortion size and optimize their attack accordingly. We find
that an adversary can hide up to 75% of objects perceived by state-of-the-art
detectors by selecting appropriate attack parameters. We also investigate the
stealthiness of the attack in comparison to a naïve camera blinding attack,
showing that common image distortion metrics cannot detect the attack
presence. Therefore, we present a new, accurate and lightweight enhancement to
the backbone network of an object detector to recognize rolling shutter
attacks. Overall, our results indicate that rolling shutter attacks can
substantially reduce the performance and reliability of vision-based
intelligent systems.
Comment: 15 pages, 15 figures
No Need to Know Physics: Resilience of Process-based Model-free Anomaly Detection for Industrial Control Systems
In recent years, a number of process-based anomaly detection schemes for
Industrial Control Systems were proposed. In this work, we provide the first
systematic analysis of such schemes, and introduce a taxonomy of properties
that are verified by those detection systems. We then present a novel general
framework to generate adversarial spoofing signals that violate physical
properties of the system, and use the framework to analyze four anomaly
detectors published at top security conferences. We find that three of those
detectors are susceptible to a number of adversarial manipulations (e.g.,
spoofing with precomputed patterns), which we call Synthetic Sensor Spoofing,
and one is resilient against our attacks. We investigate the root of its
resilience and demonstrate that it comes from the properties that we
introduced. Our attacks reduce the Recall (True Positive Rate) of the attacked
schemes making them not able to correctly detect anomalies. Thus, the
vulnerabilities we discovered in the anomaly detectors show that (despite an
original good detection performance), those detectors are not able to reliably
learn physical properties of the system. Even attacks that prior work was
expected to be resilient against (based on verified properties) were found to
be successful. We argue that our findings demonstrate the need for both more
complete attacks in datasets, and more critical analysis of process-based
anomaly detectors. We plan to release our implementation as open-source,
together with an extension of two public datasets with a set of Synthetic
Sensor Spoofing attacks as generated by our framework.
THaW publications
In 2013, the National Science Foundation's Secure and Trustworthy Cyberspace program awarded a Frontier grant to a consortium of four institutions, led by Dartmouth College, to enable trustworthy cybersystems for health and wellness. As of this writing, the Trustworthy Health and Wellness (THaW) project's bibliography includes more than 130 significant publications produced with support from the THaW grant; these publications document the progress made on many fronts by the THaW research team. The collection includes dissertations, theses, journal papers, conference papers, workshop contributions and more. The bibliography is organized as a Zotero library, which provides ready access to citation materials and abstracts and associates each work with a URL where it may be found, cluster (category), several content tags, and a brief annotation summarizing the work's contribution. For more information about THaW, visit thaw.org