A Cyber-Physical Security Salami Sandwich
Abstract: Cyber-physical systems are computing devices which interact with the physical world. Examples of such devices include wireless sensor networks, augmented reality glasses, mobile phones and even nuclear power plants. The differing security assumptions and expectations between the physical and the logical domains make securing these systems a unique and interesting challenge.
The bottom slice of the talk will discuss our experience in securing radio-frequency identification (RFID) tags. These tags are minuscule transponders which are produced by the billions and attached to physical items, forming the backbone of the “Internet of Things”. Despite the incredibly constrained power, area and price budgets of these tags, we have shown that public-key cryptography makes it is possible to make the RFID ecosystem both secure and respectful of its users’ privacy.
The “meat” of the talk will discuss security issues related to one of world’s most common cyber-physical systems: the television. A new specification was recently introduced to allow broadcast television channels to include embedded HTML content. We show that the broadband and broadcast domains are combined insecurely, enabling a large-scale exploitation technique which requires a minimal budget and infrastructure and is remarkably difficult to detect. A unique aspect of this attack is that, in contrast to most cyber-physical threat scenarios, our attack uses the physical broadcast network to attack the data network and not vice-versa.