UW’s Tadayoshi Kohno on Computer Security and How to Think Like the Bad Guy

Tadayoshi Kohno spends his career looking at life through the eyes of a criminal, and he’s teaching University of Washington students to do the same. The UW computer science and engineering assistant professor studies computer security and privacy, which to Kohno means anticipating the bad guy’s moves before he does. I chatted with him recently to find out more about the “security mindset,” how you teach it, and what this mysterious bad guy could do using ingenious technology hacks.

“We’re seeing computers in all aspects of our lives, in medical devices, exercise equipment, cars, airplanes, utility systems, power lines, everywhere,” Kohno said. “One of my main concerns is that while we’ve thought a lot about security for our desktop computers, computing is much broader than that, and we need to address security for all of it.”

Kohno’s interest in security goes back to his teenage years, when as a 10th grader he won the Colorado History Day competition with an essay about the history of cryptography. During his doctoral work, Kohno revealed security flaws in the software of electronic voting machines. The machines, which were rising in popularity following the 2000 presidential election, could easily be hacked to manipulate votes or reveal people’s voting choices, Kohno said.

Since then, he and his graduate students at the UW have pointed out security holes in technologies such as implantable cardiac defibrillators, pacemakers, radio frequency identification tags (which are used, among other places, on many credit cards and Washington state’s new enhanced driver licenses), and the Nike + iPod sport kit (the workout tracker that fits inside running shoes). His group has also recently developed software that causes messages or data to self-destruct after a set period of time. The program, Vanish, is one step towards a security answer to the problem of putting all your information into the “cloud” of sites such as Facebook or Google, Kohno said, where it might be backed up and never fully deleted.

I found his group’s revelations about implantable medical devices especially chilling. Right now, devices such as cardiac defibrillators signal wirelessly only over short distances, to allow doctors to adjust them without surgery. But in the future, Kohno said, he can see technology advancing to the point where those wireless signals have a longer range, and that’s where the real danger to the patient comes in. Beyond just gleaning a patient’s medical and other personal information, a defibrillator hacker could send signals to shut off the device or send electric shocks to the patient’s heart. In 2008, Kohno’s group managed to perform these potentially fatal hacks on a real defibrillator (not in a person).

“This is a wake-up call for the industry and the FDA that these are serious issues, or could become serious in the future,” Kohno said. “I believe that providing the first concrete evidence is the first step toward having a broader impact.”

To figure out which piece of technology he’s going to hack into next, Kohno asks what the next big thing in technology is going to be over the next five to 10 years that people might not have examined for security gaps. Then he tries to think of every damaging thing a devious person could do with that technology if they hacked into it. “I think I have always liked to play the game of looking for holes in the system,” Kohno said, when I asked him how he first got interested in security.

Kohno, who is kicking off the Technology Alliance’s Science and Technology Discovery Series with a lecture this morning, also teaches undergraduate and graduate classes on computer security at UW, and is planning a security lecture or event for middle school and high school students sometime in the next year. Even though most of his students won’t go on to become security professionals, Kohno sees his courses on the “security mindset,” or how to think one step ahead of the hackers, as valuable for the computer industry, so that those working on new technologies will know when to call in the experts. “I want students to have the habit of saying ‘what if’ when they see a new system,” he said. “The gritty details are much less important than having the mentality of asking, ‘What if something bad happens?’”