March 27, 2017: Invited Speaker Seminar: From Mobile Systems to the IoT: Analysis for Security and Privacy
Dr. Manuel Egele
Monday, March 27, 2017 at 2:00 pm
Just as mobile (smart) devices have seen explosive growth over the last decade, the gadgets we call the Internet of Things (IoT) are predicted to follow a similar trajectory. Thus, in this talk we will explore automated program analysis techniques that identify security and privacy concerns in mobile and IoT systems.
Apple (iOS), as well as Google (Android), sold more than 1 billion of their popular mobile devices each. These devices open exciting new avenues of innovation, such as location-based services and mobile payment. Of course, the user has a legitimate desire to keep the privacy-sensitive data that is managed by these smart devices safe and secure. Unfortunately, mobile devices frequently expose such information to prying third-party applications (apps). In this talk, I will demonstrate how the static analysis techniques provided by my PiOS system can be used to automatically assess whether iOS apps adhere to the user's expectation of privacy.
Besides mobile systems, we increasingly encounter IoT gadgets in all aspects of our digital life. For example, Internet-enabled surveillance cameras allow us to keep an eye on things at home while we are traveling, while at the same time the digital video recorder tapes our favorite late-night talk show. Internet access to these devices is mediated by a commercial off-the-shelf WiFi router, and all three of these devices might share a common fate: they are part of an IoT botnet with unprecedented destructive power. Thus, to identify security vulnerabilities in such IoT devices, we built the Firmadyne dynamic analysis platform and scanned the firmware of thousands of IoT devices. During this analysis, Firmadyne identified 60 known and 14 previously unknown vulnerabilities in 887 firmware images, highlighting the sad state of affairs in today's IoT security.
Manuel Egele is an Assistant Professor in the Department of Electrical and Computer Engineering at Boston University (BU). He also holds an affiliate appointment with the Computer Science department at BU and is a Junior Fellow at the Hariri Institute of Computing. Prior to his appointment at BU, he was a Systems Scientist at Carnegie Mellon University. Before that, he was a post-doctoral researcher at the Computer Security Group of the Department of Computer Science at the University of California, Santa Barbara. He received his M.Sc. (2006) and Ph.D. (2011) degrees in computer science from the University of Technology in Vienna. His research interests span all areas of systems security – in particular mobile and embedded systems security, privacy, and malicious code analysis.
His current research interests include the large-scale and automated analysis of embedded systems firmware that controls the computing devices in our daily lives, such as WiFi routers, surveillance cameras, or a variety of Internet of Things (IoT) gadgets. He is also interested in the threat posed by, and the mitigation of, malicious software that encrypts a victim's files to extort a ransom payment in exchange for the decryption keys (so-called ransomware). His research on privacy violations in iOS applications (PiOS) won a distinguished paper award at the Network and Distributed Systems Security Symposium (2011).