The Source Port is Georgia Tech's monthly cybersecurity newsletter, featuring commentary from its researchers about topics in the news over the past month, what wasn't written between the lines, the big (and sometimes nagging) questions driving our research, and new projects underway.
Adversarial Attacks on a Self-Driving Car
The Keen Security Lab published a report detailing their findings from continued security research on Tesla vehicles. The report builds on their earlier work and details their ability to steer a Tesla Model S remotely. More interestingly, the report delves into Tesla's use of AI to control various vehicular processes, including rain detection for windshield wipers, and lane detection for self-driving features. Both of these systems rely on machine learning neural networks to interpret visual sensor data for decision making. The Keen team displayed adversarial images on a nearby screen to activate the windshield wipers in the absence of rain as a proof of concept. Additionally, they were able to use three small stickers on the road in an intersection to confuse a self-driving Model S into steering itself into the oncoming traffic lane. These findings have been reported to Tesla, who has since updated their systems to protect against these vulnerabilities.
IISP Analyst Adonis Bovell: This report is interesting because of the class of attacks it executes against this self-driving vehicle. Here, the Keen team shows that adversarial images and other almost imperceptible changes in the physical world have the power to cause intentional and potentially devastating effects.
Teslas rely on visual data to power self-driving systems, though these attacks may still be possible with LIDAR systems. This means the car "sees" what the driver sees (and more). What's fundamentally different is how these images are interpreted by humans versus the computer vision neural network. What appears as an almost random colorful image on a monitor to a driver may contain a targeted attack on the car's AI.
It is commendable that there was a swift response to address the concerns mentioned in the report to ensure that these attacks cannot occur in the wild. However, our increasing reliance on neural networks in cars, medicine, network security, and other critical systems means that these types of attacks have the potential to be devastating, and difficult to understand as they are occurring. This drums up interest in the security of AI in attackers and defenders alike as we move forward.
There has been an increased level of research in adversarial attacks and the robustness of AI from commercial vendors, research institutions and within the government. For example, the Defense Advanced Research Projects Agency (DARPA) recently launched the GARD program to create a new generation of defenses for ML algorithms.
The general takeaway is that as our reliance on ML grows, so too will the desire to attack it. These attacks are not limited to the targeted misclassifications discussed in this report, but also include other attacks such as model stealing (where adversaries steal their competitor's "secret sauce"), and attacks on users' privacy (where adversaries steal data used to train the system). Many threads of research have been started, but more still needs to be done to fully understand and defend this new attack surface.
ShadowHammer Malware Targets Specific ASUS Laptops
Taiwan-based computer maker ASUS has acknowledged that its ASUS Live Update system was used to send out malicious software to owners of ASUS laptop computers. The campaign, dubbed ShadowHammer, was active between June and November 2018. The ShadowHammer malware installs a backdoor on a victim's system that attempts to connect to a command-and-control server to download a second stage of the malware, allowing the attacker to run arbitrary software on the victim's computer. The malware only reaches out to the command-and-control system if the victim's MAC address matches a particular list of about 600 addresses, indicating that the campaign is precisely targeted. It is unclear whether or not there are variants of the malware that target different MAC addresses, or if all variants of the malware target the same set of MAC addresses. The end game of the malware is also unknown at this time because the command-and-control server, which pushes out the second stage of the malware, has been shut down since November and no versions of the second stage malware are publicly available.
IISP Analyst Joel Odom: Even though technical details on ShadowHammer are still thin, there is enough technical detail in the current reporting on the campaign to make some interesting technical observations about the campaign and to theorize on the attacker's motivations and capabilities from these technical observations.
One of the first things that stands out about this technical campaign is how the malware was not built from source code, but that an old version of an ASUS update utility was modified at the binary level to check a victim's unique MAC address and to reach out to a command-and-control server if the victim was one of those with a MAC address targeted for second-stage payload delivery. Since the update utility was digitally signed, the modification to it required the attacker to sign the malicious version of the utility after modification. The attacker signed the initial version of the malicious update utility with a valid ASUS private key, and after that key expired, the attacker released a new version of the utility that was signed with a new version of a valid ASUS private key. The fact that the attacker was able to compromise the ASUS signing infrastructure, combined with the fact that the attacker apparently had control of the ASUS Live Update infrastructure, hints that the attacker has deeply penetrated ASUS through technical means or via a human insider.
Since there are only about 600 known MAC addresses that trigger ShadowHammer's malicious payload, we can infer that this is a targeted attack. Perhaps the attacker knows one or a few particular MAC addresses of interest and the other MAC addresses are to obfuscate the identity of the intended victim, or perhaps the attacker has a database of MAC addresses used on a production run of laptops and knows that one or a few of the laptops of the victim fall within this pool of MAC addresses. Either way, the combination of a likely deep penetration of Taiwan-based ASUS and an obviously targeted piece of malware points toward a nation state actor.
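The MAC-address gating described above suggests a defensive triage step: compare an asset inventory against a list of targeted addresses. The following Python is an added example, not code from this newsletter or from the researchers who analyzed ShadowHammer; the list format, host names and MAC addresses are constructed for illustration.

```python
import re

_HEX12 = re.compile(r"^[0-9a-f]{12}$")

def normalize_mac(raw):
    """Return a MAC as 12 lowercase hex digits, or None if it is not a valid MAC-48."""
    digits = re.sub(r"[\s:.\-]", "", raw.strip().lower())
    return digits if _HEX12.match(digits) else None

def load_targets(lines):
    """Build the set of targeted MACs, skipping blank lines and '#' comments."""
    targets = set()
    for line in lines:
        entry = line.split("#", 1)[0].strip()
        mac = normalize_mac(entry) if entry else None
        if mac:
            targets.add(mac)
    return targets

def triage(inventory, targets):
    """Split (hostname, [mac, ...]) records into targeted hosts and unparseable entries."""
    targeted, unparsed = {}, []
    for host, macs in inventory:
        for raw in macs:
            mac = normalize_mac(raw)
            if mac is None:
                unparsed.append((host, raw))   # needs manual review, not a silent pass
            elif mac in targets:
                targeted.setdefault(host, []).append(mac)
    return targeted, unparsed

# Constructed sample data (not real ShadowHammer indicators).
SAMPLE_TARGETS = """\
# targeted MAC list, one per line (constructed)
00:11:22:33:44:55
66-77-88-99-AA-BB
ccdd.eeff.0011
""".splitlines()

SAMPLE_INVENTORY = [
    ("laptop-01", ["00-11-22-33-44-55", "02:00:00:00:00:01"]),  # one NIC is listed
    ("laptop-02", ["de:ad:be:ef:00:01"]),                        # not listed
    ("laptop-03", ["CCDD.EEFF.0011"]),                           # dotted notation
    ("laptop-04", ["n/a"]),                                      # bad inventory record
]

if __name__ == "__main__":
    hits, bad = triage(SAMPLE_INVENTORY, load_targets(SAMPLE_TARGETS))
    for host, macs in sorted(hits.items()):
        print(f"{host}: targeted MAC(s) {', '.join(macs)}")
    for host, raw in bad:
        print(f"{host}: could not parse MAC {raw!r}; check manually")
```

A host that does not match was, per the description above, simply not selected for the second stage; whether it received the modified updater is a separate question.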
Dr. Web May Be Operating in Your Gaming Console
Last month, the NSA publicly released their reverse engineering tool Ghidra, followed by releasing the source code to Ghidra this month. Ghidra has similar features to the commercial IDA Pro, which allows users to disassemble and decompile software. The NSA developed Ghidra internally for many years as a classified project. By open sourcing the project, the public at large gets access to the power of Ghidra, and the NSA can accept community contributions to improve Ghidra.
IISP Analyst Kennon Bittick: Prior to the release of Ghidra, the only mainstream offering in the reverse engineering space was IDA Pro, which is prohibitively expensive for most individuals. Although there are some cheaper commercial products (Binary Ninja, Hopper) and open source tools (Radare) available, none are competitive with IDA Pro in terms of features and supported processor architectures. Ghidra, however, is able to compete with IDA in most categories and even boasts some long-requested missing features of IDA (undo functionality and collaborative working).
Releasing Ghidra has the potential to change the nature of reverse engineering for individuals who cannot afford to purchase IDA. As an example, Ghidra will have a large impact on students. IDA does have a free version available, but it is limited, making it difficult to use even as a learning platform. Ghidra will likely become the tool of choice of students who are learning about reverse engineering, as it gives them a free state-of-the-art platform on which to hone their trade. From the NSA’s perspective, this is beneficial as well, as it allows schools and universities to train students in the reverse engineering skills that the NSA is looking for.
Ghidra was a classified tool for years, likely due to concern that releasing it publicly would improve adversaries’ reverse engineering capabilities. Most users of both tools think that Ghidra and IDA both have advantages over the other and that neither is clearly superior – thus, releasing Ghidra may increase capabilities of foreign countries or criminal actors, allowing them to more easily reverse engineer U.S. systems, find vulnerabilities, and exploit them.
On the other hand, by releasing it, Ghidra gets improved by the community. As of the writing of this article, there are 215 reported issues and 25 pull requests on Ghidra’s GitHub page, as well as numerous pull requests that have been merged in already. These features and bug fixes improve Ghidra for everyone, including the NSA, without them having to invest as much in developer time. The public release also gives Ghidra a much broader test base, which allows bugs to be detected more easily. In addition to pull requests to the main tool, releasing Ghidra also allows the community to develop plugins to extend Ghidra’s functionality. For example, researcher Rolf Rolles ported a deobfuscation plugin from IDA to Ghidra and released the source publicly.
Releasing Ghidra was clearly a calculated tradeoff by the NSA between advantages, like improving the tool and training the new generation of reverse engineers, and disadvantages, like supplying adversaries with a potentially useful tool. It will be interesting to see future decisions about open sourcing government tools and whether the decisions are informed by the success and impact of Ghidra’s release.