ISU professor takes on threat of espionage via hacked smartphones

By Hannah Furfaro
Staff Writer
Ames Tribune

In his office on the Iowa State University campus Thursday, professor Suraj “Suresh” Kothari didn’t hesitate to talk about the realities of cyber warfare.

It’s not exactly dinner-table conversation, but cyber insecurity is bearing down on everyone from company CEOs to generals at U.S. military bases overseas.

Recent incidents, particularly the hacking of government websites by the group Anonymous and the theft of confidential data from online retailers like Zappos, have raised questions about Internet safety. Congress’ recent introduction of the Stop Online Piracy Act exposed how complex the issue has become.

In an age where most American businesses are reliant on computers to help run their day-to-day operations, and citizens habitually keep their tablets or smart phones within reach, the task of locking out cyber threats has become increasingly difficult.

Kothari, a professor of electrical and computer engineering, is researching how to ward off cyber infiltration. His newest endeavor, a $4.1 million project to develop security software for Android-powered smart phones, could potentially affect every American with a hand-held mobile device.

“We hear about cyber security,” Kothari said, “For example, a computer can be attacked, and you will see things on your disk are wiped out so you know something bad has happened. Now, there are new types of attacks that are going to happen or maybe are happening now. Your cell phone has been compromised, but you don’t even know it has been compromised.”

In conjunction with Iowa-based EnSoft Corp., a software management company, Kothari is developing a tool to analyze potentially malicious software on Android phones.

His research, funded through the Defense Advanced Research Projects Agency (DARPA), will focus on software applications commonly used by members of the U.S. military who carry smart phones.

• • •

Since the incident in 2005 when Paris Hilton’s cell phone was hacked and explicit photos were leaked onto the Internet, the ease of hacking into personal devices has become ordinary for some and frightening for others.

In the case of military phones, keeping sensitive information out of the wrong hands could be key to American national security.

“Let’s say a general is talking to somebody else and that conversation is being leaked through the phone because the phone is interacting with the outside world … but somebody has now sneaked in software which is taking sensitive information and leaking it out to other sources,” Kothari said. “And the person who is using the phone doesn’t even know that’s what’s happening. That would be a very serious problem.”

Jeremías Sauceda, a co-principal researcher, said there haven’t been any major hacking incidents on military phones. But, he said, funding research in this area will hopefully help prevent dangerous episodes in the future.

“It’s not that some incident has happened and they are responding,” Sauceda said. “They are being proactive. Now they want to equip their personnel with smart phones. In the process of adopting that technology, they need to make sure it’s secure.”

Sauceda is a researcher for EnSoft Corp., a company located at ISU’s Research Park. Using Kothari’s innovations, Sauceda will develop a product that can be installed on military phones by the end of the 3 1/2-year project.

The idea isn’t simple, but it also isn’t new.

The project, which officially kicks off Feb. 22, will use techniques Kothari has been developing over a 15-year professional career in software analysis.

“Forty or 50 years ago, if somebody went to a doctor, the doctor would say, ‘OK, what are your symptoms?’ … The doctor is observing what’s going on in your body from the outside,” he said. “Testing is like that.”

Kothari’s analysis, however, looks at the software from the inside out, making his technique more like a modern doctor’s MRI machine.

“This is a very different way of analyzing and understanding software,” Kothari said, “and one application of it is to improve reliability.”

Downloadable mobile apps, which are often updated by their developer to improve usability, pose a tricky problem for software analysts who only rely on testing-based methods. Kothari said his goal is to develop a tool capable of probing a downloaded app and understanding its content, even after multiple updates or changes are made to the program.

Raj Aggarwal, managing director of advanced research and technology in ISU’s College of Engineering, has overseen many cyber security research projects at ISU over the past two years. A former executive at aerospace and defense company Rockwell Collins, Aggarwal also worked with Kothari in the early 2000s on safety-critical software used in airplane flight control systems.

He said Kothari’s research would probably translate to a number of other research projects ISU faculty are currently working on. ISU has 20 faculty members who are “involved in various aspects of cyber security” research, Aggarwal said.

“Cyber security has become a major concern across actually most of not only the Department of Defense, but many many other applications,” Aggarwal said. “ISU is very involved in the education and the industry collaboration in many other aspects of cyber security.”

• • •

Tom Deering, a first-year graduate student in electrical and computer engineering, describes himself as “the newb” on the research team.

Over the next few months, Deering will spend his time coming up with a wish list of the various components the team will use to detect malware.

Deering said the significance of the research “lies in the direction software deployment is heading.”

He said many Americans have smart phones, buy all their apps from a centralized online store, and never think twice about the safety of downloading the app. The research from Kothari’s project, Deering said, could lead to the development of security nets for the average consumer smart phone.

• • •

“There needs to be some analyst who says yes, this is a good piece of software, or no, it isn’t,” Deering said. “Everything is moving in that direction, I think, (and) putting tools and techniques that help those analysts makes them very useful for the future.”

During his undergraduate years at ISU, Deering took two courses with Kothari.

“(Kothari) places the highest priority on asking the right questions,” Deering said. “Before working on any problem, he likes to ask whether that problem is in ‘God’s book.’ In other words, is it a fundamental problem whose solution is going to move the world forward?

“We believe that software comprehension is one of these problems that really matters. And, is only going to matter more in the future.”

Hannah Furfaro can be reached at (515) 663-6918 or hfurfaro@amestrib.com.

Commenting automatically closes after 30 days to prevent spamming.