Hacking cybersecurity in order to anticipate attacks

One of the papers that achieved the reproducibility label involved smartphone jamming. In mobile security, jamming means blocking communication. The researchers in this study showed that with a combination of tools, they could remotely gain access to a cellphone’s computer chip and and modify the Wi-Fi chipset code to transmit radio jamming signals. The signals can block other targeted devices or applications from sending or receiving data.

Researchers carried out this project as a way of anticipating a potential cyberattack.

“You want to understand what is possible so you can defend against these kinds of things” Noubir said. “You have to also ask yourself, ‘what could someone do?’”

Self-authentication still a major cybersecurity challenge
In his keynote speech at the conference, John Manferdelli, director of the Northeastern University Cybersecurity and Privacy Institute, recalled the early 2000s when he worked at some of the country’s largest technology companies. He remembers telling leaders at many companies that there were serious security flaws in many of the systems the companies were building. But many of those leaders weren’t worried. They acknowledged there might be risks, but said it didn’t matter because nobody knew about them.

“I was incensed,” said Manferdelli. And for good reason. Not long after his warning, various cyberattacks made it clear that people were not only finding the vulnerabilities, but exploiting them. After that, companies changed their tune. They decided to fix some security flaws—but only those they knew had been exploited.

Of course, that wasn’t enough. New attacks sprang up, often getting more creative and advanced. Eventually, tech companies started to realize they had to anticipate exploitation and protect against attacks before they occurred.

Fast-forward to 2017, and massive cyberattacks have already plagued the first half of the year. They range from the hacked emails of political leaders, to ransomware targeting utility companies, to stolen CIA documents. “I don’t have to argue quite as much anymore that cybersecurity is important,” Manferdelli said.

One of the biggest pitfalls of internet security is that people authenticate themselves online with passwords. “Everybody knows that’s a disaster,” Manferdelli said. “Once I know your password, I can masquerade for you anywhere.”

Even though websites have required passwords to be increasingly long and complex, most of them are still relatively easy for a hacker to guess. And once a single employee’s account has been compromised, the entire company they work for could be at risk.

Manferdelli said another major challenge is that unlike the physical world, a virtual security breach is rarely immediately obvious.

“You have a really good sense that your apartment is safe and hasn’t been broken into. I’d like that same thing to happen on computers,” Manferdelli said.

But hackers are tricky. When they can’t break into a person’s device or information directly, they exploit side channels. For example, electromagnetic radiation emanating from a device can reveal a person’s location, even if no one has actually hacked the person’s phone.

With more than 4.8 billion mobile subscribers and 275,000 different apps available, there are plenty of opportunities for security and privacy breaches. And in the wireless world, they are typically not isolated to one feature of the phone, tablet, or computer. A cyber-assault can infect the entire machine.

“It’s not like a car where the broken door affects just the door,” Manferdelli says. “The broken door affects your steering.”