Auto-Immune: "Symbiotes" Could Be Deployed to Thwart Cyber Attacks

Charles Q. Choi

Anti-hacker defenses have long focused mainly on protecting personal computers and servers in homes and offices. However, as microchips grow smaller and more powerful, new targets for hackers are becoming widespread—embedded computers such as the electronics handling car engines, brakes and door locks; the routers that form the Internet's backbone; the machines running power plants, rail lines and prison cell doors; and even implantable medical devices such as defibrillators and insulin pumps. Many of these embedded devices can now link with other computers, putting them equally at risk to intruders. Indeed, in October, Secretary of Defense Leon Panetta warned that the U.S. faced the threat of a "cyber Pearl Harbor" if it failed to adequately protect these systems, echoing a warning CIA Director John Deutsch gave to Congress in 1996 about an electronic Pearl Harbor (pdf).

Now computer scientists are devising guardians they call symbiotes that could run on embedded computers regardless of the underlying operating systems. In doing so, they may not only help protect the critical infrastructure of nations and corporations but reveal that warfare against these devices may have been going on unseen for years, researchers say.

The problem is worse than you might think. Already research has shown that a vast number of machines lie completely open to attack. For instance, in 2011, after scanning large sections of the Internet, computer scientists Ang Cui and Sal Stolfo at Columbia University identified more than 1.4 million publicly accessible embedded computers in 144 countries that still had factory default passwords that would give anyone with online access total control over the machines. These devices, which make up about one in five of the embedded computers they found (pdf), included routers, video-conferencing units, cable TV boxes and firewalls used to defend computer networks.

These vulnerabilities pose a host of dangers. In 2011 Cui and Stolfo revealed they could hack into printers (pdf) made by Hewlett–Packard with infected documents or by connecting to them online, allowing them to spy on everything printed with those machines and to break into every computer linked to the printers. (HP has since fixed this vulnerability.) Cui also explains it could be easy to develop malicious software or malware that would allow hackers to shut down infected routers just by pinging them an innocuous data packet.

Attacks against embedded system aren't the kind "where criminals are trying to get credit card data," Cui says. "They're more stealthy. More sophisticated. This is corporate espionage–level stuff. Cyber war–level stuff. The people looking to target these systems aren't out to make a big splash, but might aim to take down a country's critical infrastructure."

One problem researchers face in designing safeguards for these vulnerabilities is the incredible diversity found in the programs running embedded computers. For instance, Cui notes that routers made only by Cisco possess about 300,000 different firmware images—the operating systems of embedded computers and their accompanying programs. 

Now Cui and his colleagues have developed anti-malware systems they say can work on swathes of embedded computers regardless of what systems they run.

"Ang has identified a serious problem that hasn't been thought about seriously and has provided concrete solutions to try to solve this problem," says security researcher Charlie Miller at Twitter, a former analyst for the National Security Agency well known for publicly revealing vulnerabilities in Apple products such as the iPhone and MacBook Air.

Instead of running within an embedded computer's firmware image, these defenses run outside it, directly on the computer's central processing unit (CPU). A symbiote (pdf)—continuing the biological analogy suggested by computer viruses—continuously scans a large number of random chunks of the firmware image's code to check for anomalies that might suggest an intrusion has occurred. "It took a lot of engineering to make sure the symbiote doesn't crash the CPU by taking too much of its processing power," Cui says.

The fact that a symbiote runs independently of the programs it protects means a symbiote designed for one type of CPU—say, ARM, found in many smart phones, or MIPS, found in many routers—can work on any operating system that might run on those CPUs. "It doesn't need to know how the programs it monitors work, only whether they have been modified," Cui says. They plan to deliver a prototype for U.S. government testing by the end of 2012 and to commercialize their work with a company they founded, Red Balloon Security.

Whereas Stolfo and Cui's approach is "very promising," says Scott Borg, director of the nonprofit U.S. Cyber Consequences Unit, he cautions it remains difficult to tell how readily intruders might circumvent these defenses. For instance, there might be ways to prevent the symbiotes from recognizing destructive programs as malware. "Too many destructive acts can be made to look like normal acts from the vantage point of a computer," Borg says. "A cyber-security measure needs to be kicked around for awhile, conceptually and physically, before it is possible to say with any confidence how effective it will be."

Marc Dacier, a senior director at Symantec Research Labs, called the symbiote "a very beautiful piece of work," but notes a major obstacle it faces is getting companies to actually upgrade all their devices with it. The Pentagon is now pushing for legislation that would require baseline cyber-security standards for critical private sector infrastructure, such as power plants, water treatment centers and gas pipelines. Without such legislation, said Panetta in his October speech, "we are and we will be vulnerable."

These symbiotes may not only serve as immune systems for their devices, but also help reveal the potentially huge ecosystem of malware in embedded computers that no one had any way of noticing until now. "We'd be surprised if these vulnerabilities weren't already exploited in the wild for years and years," Cui says. "We could shed light on an untold chapter of the history of Internet warfare."

Follow Scientific American on Twitter @SciAm and @SciamBlogs.
Visit for the latest in science, health and technology news.

© 2013 All rights reserved.