DARPA challenges hackers to weaponise benign devices
DARPA wants to learn how everyday objects could be weaponised
The US Defense Advanced Research Projects Agency (DARPA) has launched a competition to identify how relatively benign technologies and code could be turned into serious security threats.
Dubbed “Improv”, DARPA will bring together experts across multiple disciplines to “look at today's bustling tech marketplace with an inventor's eye and imagine how easily purchased, relatively benign technologies might be converted into serious security threats”.
Last year, DARPA invited proposals from the cyber-security community on how to build better defences against DDoS attacks.
Improv will be overseen by DARPA's program manager John Main. He said that it was being launched “in recognition that strategic surprise can also come from more familiar technologies, adapted and applied in novel ways”.
The competition will look at how to combine or convert commercially available products such as off-the-shelf electronics, IoT devices, components created through rapid prototyping and open-source code to cost-effectively create sophisticated military technologies and capabilities.
The US military research agency is inviting a diverse set of people including engineers, biologists, information technologists and even skilled hobbyists to show how hardware, software, processes and methods might be used to create products or systems that could pose a future threat.
It will assess candidate ideas and offer varying levels of support to develop and test selected proposals. It said the emphasis would be on speed and economy, with the goal of taking winning submissions from concept to simple working prototypes within about 90 days.
“DARPA often looks at the world from the point of view of our potential adversaries to predict what they might do with available technology,” said Main. “Historically we did this by pulling together a small group of technical experts, but the easy availability in today's world of an enormous range of powerful technologies means that any group of experts only covers a small slice of the available possibilities. In Improv we are reaching out to the full range of technical experts to involve them in a critical national security issue.”
The next stage will see DARPA funding selected Improv proposals through a short feasibility-study phase, during which performers will refine their ideas and compete for the opportunity to build prototypes. These would then be evaluated and the remaining prototypes would be subjected to further evaluation. DARPA may then “advance the relevant capabilities in separate follow-on efforts”.
Matthew Aldridge, solutions architect at Webroot, told SCMagazineUK.com that the competition is a good way of uncovering new threats which may not yet have been considered.
“An example combinatorial approach would be to make modifications to a drone so that it could track and home in on a targeted moving vehicle, and then use its proximity to the vehicle's systems to give it a unique opportunity to compromise and control the vehicle's systems, potentially causing an accident or diverting the vehicle from its path,” said Aldridge.
“The goal of this programme is to foster innovation in novel ways to repurpose otherwise benign systems into potential attack tools, and through doing so to aid the effort in anticipating future threats to national security.”
Carl Herberger, Radware vice president of security solutions, told SC that while the competition might drive some new level of awareness and perhaps discover some new and novel risks, it will accomplish nothing in actually identifying IoT as an inherently vulnerable technology as this is established fact already.
“IoT threats have been identified for years both in the private industry sector and through government research. For example, there has been recent demonstrations of such types of attacks on cars and healthcare devices at Blackhat, a computer security industry conference held every year in late July / August. Also, the FDA itself has issued advisories on medical device technical vulnerabilities to cyber-attacks,” he said.
Phani Pandrangi, CPO of IoT development plaform Kii, told SC via email that everything from internet-connected dolls, cameras, kettles, TVs, scales and even cars can be hacked.
“The hacks can be done with easily available tools, too. Just see this really fascinating video that illustrates many of the IoT hacks. The key point is that all these are preventable. So the hacks are possible not because of lack of technology, but simply because of lack of proper coding on the part of the solution maker and/or irresponsible (or uninformed) usage practices on the part of end users,” he said.
Paco Hope, principal security evangelist at Cigital, told SC that the competition highlights the risks faced by society as a whole as a result of increasing digitisation. “It's the risk to society of combining always-on networking with always-on-your-person or always-in-your-house or always-in-your-car electronics. This is ‘security' done at a societal level, not at an individual device or individual service level.”