Sophos Cloud Optix
You probably don’t need reminding that emanations from your computer can provide hints about what’s going on.
When you’re logging on, you tend to type two short, fluent bursts of characters, because you know the key sequences really well.
That’s followed by a decisive-sounding whack on the [Return] key.
Then comes a brief but perfect typing silence while you wait for logon scripts to run, windows to open, and so on.
So you probably weren’t surprised, at the end of 2013, when we wrote up an academic paper that suggested that even CPU instructions at modern gigahertz speeds might leave an audio fingerprint that a mobile phone microphone was sensitive enough to record.
And if you hear your laptop fan suddenly fire up when you’re doing little more than some casual browsing, you know you probably left some Flash-heavy video-rending tab open somewhere.
So you probably weren’t surprised to read of research from Germany in which researchers claimed that by keeping their eye on your smart electricity meter, they could not only tell that you were watching TV, but also (or they said) take a stab at guessing what you were watching.
Power usage data considered harmful
Here’s another one.
Computer scientists from Stanford, realising that Android devices make it easy to grab regular readings of your battery’s voltage and current, wondered what that might tell them.
As you will be acutely aware from your own mobile phone, one of the biggest “invisible” power drains is the phone component itself.
Indeed, you may even have noticed, or at least convinced yourself, that when you are moving around, in and out of different network cells, your phone tends to eat the battery more quickly.
It seems reasonable: as you move, the device needs to keep chatting to the network so that each end can keep track of the other.
Messrs Michalevsky, Boneh, Schulman and Nakibly went one step further: they decided to see whether changes in power consumption as you moved through the mobile network could tell them something, anything, about your location.
They might not know that you just left the cell at the corner of Fifteenth and King George Street and wandered into range of the one at Seventeenth and Sir Samuel Adams Avenue.
But they might be able to guess something about where you might be, at least if they had some idea of your general location to start with, and a map of how the cells were arranged around those parts.
And that would be bad.
After all, if you’ve turned off location services in your device, or limited which apps can access your location, you’d like to think that even malware (or some slightly-less-than-kosher adware) would struggle to find out where you were and call home with that information.
What happened?
To cut a long story short (13 fairly dense pages of analytical story, in fact), our researchers sort-of succeeded.
To summarise their main result in greatly abbreviated form: they correctly guessed which of four known routes were driven, from power usage alone, 93% of the time.
To be honest, that’s not a spectacular outcome, especially when they admit than driving from A to B is considered an entirely distinct route from driving form B to A over the same path.
(They were rather coy in the paper about where they’d been driving, having carefully blurred the map, but you tell me they didn’t leave the Stanford campus and take US 101 along the southern end of San Francisco Bay, past Google’s private jet parking lot, to Santa Clara.)
The results may have ended up a bit half-hearted, but they are nevertheless a big reminder that computers give away information in many ways, and not only via the programming interfaces you might expect.
Most importantly, in this paper, the power data was not sampled rapidly.
The results were derived from just 43 measurements over 19 kilometers, or roughly once every quarter-mile in US parlance.
The fact that the researchers could work out anything at all from data at that granularity is important, just as our friends at MIT found out recently when drawing inferences from extremely vague credit card records.
Never, ever, forget that when you are auditing or assessing the security of a new technology or product!
So is there any way to really plug all the leaks? Data like power usage could be valuable to many legitimate applications for legitimate purposes. So how do we build a platform that doesn’t stifle legitimate purposes, but does prevent abuse? Or have we reached the point where we have to use the legislative and judicial systems to simply go after abusers with teeth?
Maybe adding permission controls to the power data might be a start…it seems to be considered “not of too much security significance” at the moment.
Twenty years ago, two things got me interested in computer security: The Cuckoo’s Egg, and one day, while reading a file online using a telnet connection, my hard drive, which was noisy when is did read/writes, started clicking away, odd I thought and looked at my dial up modem to see the Tx light flashing. I shutdown and went and bought an antivirus program, which found a virus that was sending everything from my computer to someplace, at 2400 baud, so not much damage was done.