THaW researcher Kevin Fu’s work on acoustic device hacking has recently been featured in the New York Times. The article discusses the team’s work on using acoustic signals to fool sensors in mobile device, and create the potential for security violations. For more information beyond the article, click here for a quick video, or read the complete paper below.
WALNUT: Waging Doubt on the Integrity of MEMS Accelerometers with Acoustic Injection Attacks
In mid-November THaW was excited to co-host, along with the Center For Digital Strategies at the Tuck School of Business and the Owen School of Management, a workshop on building secure connected healthcare organizations.
The workshop was attended by CISOs from twelve interested healthcare organizations, as well as members of the THaW project. It provided for a day of conversation about cybersecurity best practices and challenges. Over the course of the workshop, with moderation by Eric Johnson and Hans Brechbuhl, the group touched upon a wide array of subjects; we are now happy to present some key insights and a summary of the day’s proceedings. Highlights include insights regarding phishing attacks, medical device security, and the emerging Internet of things.
Click through below to review the document, and feel free to share with your colleagues!
Overview: Building Secure Connected Healthcare Organizations
A few months ago we announced the results of our Wanda project, as published in INFOCOM 2016. Today we’re excited to share this new video description of the project! Thanks to Abby Starr and Shiyao Peng of Dartmouth’s DALI lab, and Tim Pierson of the THaW team, for this fun and informative production.
Nearly every setting is increasingly populated with wireless and mobile devices – whether appliances in a home, medical devices in a health clinic, sensors in an industrial setting, or devices in an office or school. There are three fundamental operations when bringing a new device into any of these settings: (1) to configure the device to join the wireless local-area network, (2) to partner the device with other nearby devices so they can work together, and (3) to configure the device so it connects to the relevant individual or organizational account in the cloud. The challenge is to accomplish all three goals simply, securely, and consistent with user intent. We call our approach Wanda – a `magic wand’ that accomplishes all three of the above goals – and evaluate a prototype implementation.
THaW PhD student, Tim Pierson, along with the Wanda team have built a ‘magic wand’ that simplifies the integration of new medical devices into existing wireless networks. A detailed description of their work is found below in the abstract to their recently accepted IEEE INFOCOM paper.
Abstract: Nearly every setting is increasingly populated with wireless and mobile devices – whether appliances in a home, medical devices in a health clinic, sensors in an industrial setting, or devices in an office or school. There are three fundamental operations when bringing a new device into any of these settings: (1) to configure the device to join the wireless local-area network, (2) to partner the device with other nearby devices so they can work together, and (3) to configure the device so it connects to the relevant individual or organizational account in the cloud. The challenge is to accomplish all three goals simply, securely, and consistent with user intent. We present a novel approach we call Wanda – a `magic wand’ that accomplishes all three of the above goals – and evaluate a prototype implementation.
A prepublication version is available here.
Professor Kotz, at the request of the Center for the Clinical Trials Network, presented a webinar on the 26th of January 2016. His presentation was an overview of the THaW research agenda as it relates to the security challenges faced by health care professionals.
Here is a brief synopsis of Professor Kotz’s presentation:
The Mobile medical applications offer tremendous opportunities to improve quality and access to care, reduce cost, and improve individual wellness and public health. These new technologies, whether in the form of software for smartphones as specialized devices to be worn, carried, or applied as needed, may also pose risks if they are not designed or configured with security and privacy in mind. For example, a patient’s insulin pump may accept dosage instructions from unauthorized smartphones running a spoofed application; another patient’s fertility-tracking app may be probing the Bluetooth network for its associated device, exposing her use of this app to nearby strangers. In this webinar, Dr. David Kotz presents an overview of the security and privacy challenges posed by mobile medical applications, including important open issues that require further research.
To view the entire presentation click here.
NSF highlighted the THaW project on its website last week, gaining notice in blogs like Politico morning eHealth, the HealthITSecurity, and FierceMobileHealthcare. NSF’s article describes THaW research on mobile-app security and on the authentication of clinical staff to clinical information systems, among other things.
ACM SIGMOBILE’s group N2Women announced today its inaugural list of “10 women in networking/ communications that you should know”, including THaW co-PI Klara Nahrstedt from UIUC. She is in impressive company – details on these ten amazing women, as well as quotes from the many people who nominated these women, are available at the link below.
Congratulations to Professor Klara Nahrstedt!
It made it seem a lot more fun and engaging of a pursuit. The consensus in the student panel seemed to be that it was very difficult but well worth it.
Student participant, Explore Graduate Studies in CSE Workshop
Launched by Prof. Kevin Fu in November, 2014 and co-led by Profs. Jenna Wiens and David Kotz in 2015, THaW professors and students led two workshops in October 2015 on “Exploring Graduate Study in CS and Engineering”. These workshops targeted undergraduate students, primarily juniors and seniors, majoring in Computer Science or related fields. The workshops aimed to educate students about the potential for an exciting career in CS&E research, either in academia and industry, and to coach them in effective ways to prepare their graduate school application.
Both the University of Michigan and Dartmouth College hosted one-day workshops that were open to students from around the country. A diverse set of more than 60 students enjoyed
- an overview of the exciting research underway at the two schools,
- Q&A panels of faculty and current graduate students,
- a writing clinic with tips and tricks for preparing their academic statement of purpose, and
- one-on-one advising by professors.
Survey results show that students overwhelmingly found the workshops to be helpful in thinking about their career options. Several students mentioned that the workshops increased their overall interest in pursuing graduate studies in CSE. The workshops were funded by the NSF through the THaW grant, by Dartmouth, and by the University of Michigan.
Researchers: Professor Avi Rubin, Michael Rushanan – Johns Hopkins University
After some researchers proposed the use of electrocardiograms (ECG) as a source of biometric information for secure authentication and identification of individuals, THaW Professor Rubin and graduate student Michael Rushanan set out to test this assumption by extending work done at MIT on the post-processing of ECG data.
Their research grew out of concern with the proliferation of implantable medical devices and how to secure these devices against external network-based attacks.
Commercial companies have built their businesses upon the unique nature of ECG data. Most of the current applications have been focused on the supposed uniqueness of ECG as a biometric identifier for use in commercial transactions. Rubin and Rushanan set out to determine whether a person’s ECG really is a secure and reliable means of identification and authentication.
The ECG example below uses three different electrode placements and IPI peak identification. The purpose of this experiment was to validate if the authentication scheme under test works with slightly, but expected, noisy experiments that require physical contact.
Rushanan identified temporal granularity as their biggest research challenge and expects his first research results should be available in the coming months.
Earlier this year, President Obama presented a plan to launch the Precision Medicine Initiative (PMI), an ambitious research effort to recruit over one million participants in a long-term effort to understand the individual characteristics of health and disease. The research effort will aggregate clinical data as well as behavioral and environmental data – including, potentially, sensor data from smartphones and wearables – which will, needless to say, require careful security precautions and wise privacy policies.
The PMI advisory board invited THaW researcher David Kotz to a summer workshop on the potential for mobile technology in collecting data for PMI, and specifically to comment on mechanisms to support privacy. The PMI’s proposed Privacy and Trust Principles are an interesting read! [pdf]
Today, the White House Office of Science and Technology Policy (OSTP) gathered a dozen thought leaders – including THaW team members Darren Lacey and David Kotz – to advise them as they begin developing a security framework for the Precision Medicine Initiative. This fascinating discussion was led by Chief Data Scientist DJ Patil, and is just the first step in developing a comprehensive security framework for this important national research initiative.