Thwarting attacks on the Internet of Things

Friday, February 10, 2017

In one corner of Professor Catherine Gebotys’s lab, a laser beam is strategically aimed to disrupt circuit board operations. Nearby, electromagnetic pulses bombard an uncapped chip while a couple of graduate students track the results on an oscilloscope screen.

By probing for vulnerabilities that hackers could exploit, her team at the University of Waterloo’s Faculty of Engineering is making the Internet of Things more secure.

They’ve got their work cut out for them. Embedded chips — the kind you find in credit cards, Fitbits, smartphones and a host of other devices — are frequent targets for tech-focused crime.

Take the example of side-channel attacks. When the hardware on a device is encrypting data, Gebotys explains, it gives off electromagnetic waves that can be parsed to reveal the confidential information. Meanwhile, directing laser beams or electromagnetic waves at a device — a so-called fault-injection attack — produces information that hackers can use to infer the encryption key.

Professor Catherine Gebotys (center) poses with PhD student Karim Amin (left) and research associate Mustafa Faraj (right) from her research group working on improving security for the Internet of Things

Professor Catherine Gebotys (center) poses with PhD student Karim Amin (left) and research associate Mustafa Faraj (right) from her research group working on improving security for the Internet of Things.

Prevention isn’t always a possibility

The implications range from mildly worrying to downright scary. Someone could intercept and decrypt a confidential email to your boss. Your fitness tracker could disclose details about your health and location. The bank information embedded in your debit card could fall into the wrong hands.

To reduce those risks, Gebotys draws on both software and hardware approaches. In the case of side-channel attacks, for instance, her team has developed ways to add electromagnetic noise during encryption. That’s not enough to completely protect confidential information, but it slows an attacker down — hopefully long enough that the system will have changed security keys before the code is broken.

“You can’t always stop all attacks, but you can make them harder,” she says.

Price matters when it comes to the Internet of Things

Simply developing effective countermeasures isn’t enough, however. They also have to be cost-effective. Banks and credit card companies may be willing to pour big bucks into cyber-protection, but as we start to see hardware systems embedded in everything from lighting systems to baby monitors, manufacturers want security at a price consumers are willing to pay.

Efficiency is another must. There’s no point in adding layers of security to a smartphone if all that extra computation sucks the life out of the battery or slows the device down to a crawl.

“One of our objectives is to make sure it doesn’t take a lot of energy,” Gebotys says.

Her focus on industry-relevant research has attracted a host of big-name partners, focused on developing technology specifically aligned with the Internet of Things. BlackBerry has incorporated some of the lab’s countermeasures into its phones, while companies like Motorola and COM DEV have also tapped her expertise. Currently, Gebotys is working with the Department of National Defence to produce more hacker-resistant hardware.

“The best research — in my opinion — you can do is work on real problems,” Gebotys says.

Waterloo provides the perfect setting for that, she adds, pointing to topnotch students, a “fantastic” co-op engineering program and an emphasis on industry collaborations.