Ang Cui has a lot of power. With enough time he can take control of pretty much any networked device. He could watch you through your iSight or track the Netflix on your smart TV. But he has bigger fish to fry, so your Catfish marathons are safe for now. From him, at least.
A Columbia PhD student in computer science, Cui has been working for the last five years on developing offensive attacks and defensive solutions for vulnerabilities in embedded devices. This Thursday his company, Red Balloon Security—cofounded by Cui's advisor Sal Stolfo—will present proof that its security software, the "symbiote," can protect a standard IP office phone from malicious attacks. And this IP phone demo is just the beginning.
Eventually, the symbiote could protect virtually any connected device you can think of.
"Really [IP phones] are just computers too, and they're running these super secret proprietary operating systems that very few people have actually seen, and very few people have actually tested the security of," Cui told us in a recent interview. "And you know, the work that we've been doing in the lab is to show that those things are just as insecure as the general purpose computers you have, and once you exploit those things there are definitely advantages to that over just getting root access to a server somewhere, which is what everybody in security largely has been focused on for the last forever."
The symbiote is a tiny piece of code, about 200 bytes, that is injected into an IP phone's kernel (the layer that bridges applications and hardware-level data processing) without impacting computing speed or device functionality. The symbiote is also operating-system agnostic, meaning it can run on and monitor any device without being tailored to a specific OS. To inject it, Cui uses his firmware evaluation tool, Firmware Reverse Analysis Konsole (FRAK), to unpack the device's firmware, replace its signing key (a basic security feature) and repack it. The symbiote then runs in the background and randomly samples executed code at regular intervals to ensure that nothing unusual is going on.
Without knowing detailed specifics about an OS, the symbiote can still establish a baseline for normal behavior in a device using functions that are shared among different types of firmware and can reasonably be expected to be present. In Cui's demonstration, two IP phones sit side by side. One is running the symbiote and the other isn't. When Cui launches an attack, the unguarded phone is easily exploited, but the symbiote on the other phone detects the intrusion and alerts Cui by calling his cellphone. When he answers, an automated message says, "Hello neighbor. My IP phone has been pon3d."
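The sampling described above, as an added illustration rather than Red Balloon's own code (the real symbiote's internals are not given on this page): a checker records a per-page digest of a code region as its known-good baseline and then, on each timer tick, verifies one page chosen in a randomised order, so every page is revisited each sweep but an attacker cannot predict when. The region contents, the 256-byte page size, the FNV-1a digest, the xorshift generator and the `tamper_page` hook are all constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>

#define REGION_SIZE 4096          /* constructed stand-in for a protected code region */
#define PAGE_SIZE   256
#define NPAGES      (REGION_SIZE / PAGE_SIZE)

static uint8_t  code_region[REGION_SIZE];
static uint32_t baseline[NPAGES];     /* known-good digest of each page */
static uint8_t  order[NPAGES];        /* randomised visiting order for the current sweep */
static int      cursor = NPAGES;      /* position in order[]; NPAGES forces a reshuffle */
static uint32_t rng = 0x2545F491u;    /* xorshift32 state; fixed seed so runs are reproducible */

static uint32_t fnv1a(const uint8_t *p, size_t n) {
    uint32_t h = 0x811c9dc5u;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 16777619u; }
    return h;
}

static uint32_t xorshift32(void) {
    rng ^= rng << 13; rng ^= rng >> 17; rng ^= rng << 5;
    return rng;
}

/* Fisher-Yates shuffle: each sweep checks every page exactly once, in a fresh random order. */
static void reshuffle(void) {
    for (int i = 0; i < NPAGES; i++) order[i] = (uint8_t)i;
    for (int i = NPAGES - 1; i > 0; i--) {
        int j = (int)(xorshift32() % (uint32_t)(i + 1));
        uint8_t t = order[i]; order[i] = order[j]; order[j] = t;
    }
    cursor = 0;
}

/* Fill the region with a deterministic pattern (constructed "firmware") and record the baseline. */
void symbiote_install(void) {
    for (size_t i = 0; i < REGION_SIZE; i++) code_region[i] = (uint8_t)(i * 31 + 7);
    for (int p = 0; p < NPAGES; p++) baseline[p] = fnv1a(code_region + p * PAGE_SIZE, PAGE_SIZE);
    cursor = NPAGES;
}

/* One periodic tick: verify a single page. Returns its index if the digest drifted, else -1. */
int symbiote_tick(void) {
    if (cursor >= NPAGES) reshuffle();
    int p = order[cursor++];
    return fnv1a(code_region + p * PAGE_SIZE, PAGE_SIZE) == baseline[p] ? -1 : p;
}

/* Hypothetical test hook: flip one byte in a page, standing in for a patched instruction. */
void tamper_page(int page) { code_region[page * PAGE_SIZE + 16] ^= 0xFF; }

/* Full sweep of NPAGES ticks; returns the first modified page seen, or -1 if the region is clean. */
int symbiote_sweep(void) {
    int hit = -1;
    cursor = NPAGES;  /* start a fresh permutation so the sweep covers every page once */
    for (int i = 0; i < NPAGES; i++) { int r = symbiote_tick(); if (r >= 0 && hit < 0) hit = r; }
    return hit;
}
```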
The goal of Red Balloon Security is to offer the symbiote as a security solution for all embedded devices. If an IP phone can be hacked, so can any other internet-enabled device, but because the symbiote is OS agnostic it can easily translate to any device—even a rice cooker—and be incorporated seamlessly. Multiple symbiotes running on the same network could even monitor each other as an additional way of checking for unusual activity on any one device.