Jefferson's Wheel

Karsten Nohl is in the news again, this time for demonstrating how bad the proprietary crypto used for car immobilizers is. Here are a few articles:

• NewScientist, Criminals find the key to car immobilisers, 6 December 2010. (Note that the criminals in the title refers to evidence that actual car theft is increasing, after many years of steady decline, not to Karsten!)
• Schneier on Security, Proprietary Encryption in Car Immobilizers Cracked, 23 December 2010.
• The Register, Car immobilisers easily circumvented by crafty carjackers: Crap crypto to blame, 20 December 2010. (British publications as so much better at titling than American ones!)

Karsten presented the technical aspects in a talk at the 8th Embedded Security in Cars conference in Berlin.

Even if car manufacturers get the crypto right, relay attacks pose a serious threat, especially for modern cars that do away with the mechanical key completely. See the upcoming NDSS paper by Aurelien Francillon, Boris Danev, and Srdjan Capkun: Relay Attacks on Passive Keyless Entry and Start Systems in Modern Cars.

We’ve released our code and paper on efficient privacy-preserving biometric identification:

Yan Huang (University of Virginia), Lior Malka (Intel/University of Maryland), David Evans (University of Virginia), and Jonathan Katz (University of Maryland). Efficient Privacy-Preserving Biometric Identification. To appear in 18^th Network and Distributed System Security Conference (NDSS 2011), 6-9 February 2011. [PDF, 14 pages]

We present an efficient matching protocol that can be used in many privacy-preserving biometric identification systems in the semi-honest setting. Our most general technical contribution is a new backtracking protocol that uses the by-product of evaluating a garbled circuit to enable efficient oblivious information retrieval. We also present a more efficient protocol for computing the Euclidean distances of vectors, and optimized circuits for finding the closest match between a point held by one party and a set of points held by another. We evaluate our protocols by implementing a practical privacy-preserving fingerprint matching system.

Yan will present the paper at NDSS in February. The code for our system is available under the MIT open source license.

flickr cc: didbygraham

Jonathan Burket, Patrick Mutchler, Michael Weaver and Muzzammil Zaveri will present GuardRails at AppSec DC on Wednesday, 10 November. The conference is at the Walter E. Washington Convention Center in Washington, DC.

GuardRails is a framework for automating many of the tasks necessary to build a security web application. For more, see the talk abstract: GuardRails: A Nearly Painless Solution to Insecure Web Applications. (and video and slides will appear there soon)

Update 9 December: The slides are here [PDF].

I’m a judge for the Deutsche Post “Security Cup” contest being organized by our former student, Karsten Nohl. The goal of the contest is to incentivize enterprising students and practitioners to bash on the Deutsche Post’s E-Postbrief web application. They are offering some fairly significant prizes (up to 5,000 Euro per bug) to teams that identify vulnerabilities in their application, as well as providing up-front funding to qualified teams that enter the contest.

Deutsche Post Page
EPostal News

Yuchen Zhou will present a paper [PDF] on HTTP-only cookies and why it is so hard to deploy security technologies at Web 2.0 Security and Privacy (attached to the Oakland conference) on May 20.

HTTP-only cookies were introduced eight years ago as a simple way to prevent cookie-stealing through cross-site scripting attacks. Adopting HTTP-only cookies seems to be an easy task with no significant costs or drawbacks, but many major websites still do not use HTTP-only cookies. This paper reports on a survey of HTTP-only cookie use in popular websites, and considers reasons why HTTP-only cookies are not yet more widely deployed.

Nate Paul, who finished a PhD in our group a few years ago and is now a research scientist at Oak Ridge National Labs, is the focus of this CNN story: Scientists work to keep hackers out of implanted medical devices, CNN, 16 April 2010.

Nathanael Paul likes the convenience of the insulin pump that regulates his diabetes. It communicates with other gadgets wirelessly and adjusts his blood sugar levels automatically.

But, a few years ago, the computer scientist started to worry about the security of this setup.

What if someone hacked into that system and sent his blood sugar levels plummeting? Or skyrocketing? Those scenarios could be fatal.

“If your computer fails, no one dies,” he said in a phone interview. “If your insulin pump fails, you have problems.”

As sci-fi as it sounds, Paul’s fears are founded in reality.
…

The list of papers accepted to the 31st IEEE Symposium on Security and Privacy is now posted:
http://oakland10.cs.virginia.edu/papers.html.

The PC accepted 26 research papers (from 237 submissions) and 5 Systematization of Knowledge papers (from 30 submissions).

Hope to see everyone at the conference in Berkeley this May!