If There’s Malware In Your Toaster, the US Military Wants to Find It

The Defense Advanced Research Projects Agency is funding research that may allow future users to wirelessly monitor internet of things devices for malicious software.

The technique measures devices’ thermal outputs. The logic is that semiconductors, capacitors and other components of owned devices—those that have malware installed or have been hacked—emit different electromagnetic signals than devices in normal operation.

The Computational Activity Monitoring by Externally Leveraging Involuntary Analog Signals, or CAMELIA, project team, composed of members from the Georgia Institute of Technology and Northrop Grumman, believe those “unintended side-channel emissions” can be remotely measured and used to tell whether IoT devices are infected.

This type of research could be important given most IoT devices don’t have the capacity to run malware protection and the fact that they may tally some 38 billion by 2020.

“We will be looking at how the program is changing its behavior,” said Alenka Zajic, the project’s principal investigator and an assistant professor in the School of Electrical and Computer Engineering at the Georgia Institute of Technology, in a blog post. “If an internet of things device is attacked, the insertion of malware will affect the program that is running, and we can detect that remotely.”  

DARPA awarded CAMELIA a $9.4 million grant as part of a broader DARPA program called Leveraging the Analog Domain for Security,which includes five other initiatives that address security in the internet of things.

As Zajic explained, the system outlined in the CAMELIA project will compile a before and after recording of each combination of IoT device and software – things like automated heating and cooling sensors – to create a database. To avoid an overwhelming amount of data, they’ll take “periodic samples” of data from different stages of program loops.

"If somebody inserts something into the program loop, the peaks in the spectrum will shift and we can detect that," Zajic said. "This is something that we can monitor in real time using advanced pattern-matching technology that uses machine learning to improve its performance."

This data is collected through a technique called “zero-overhead profiling,” which does not affect the observed system.

Yet, profiling is the simpler aspect of what the CAMELIA team hopes to accomplish, said professor Milos Prvulovic. The technique can, with 95 percent accuracy already, pinpoint exactly where an IoT program code is executing based on the remote observation of its emissions. 

Detecting malware “is a much more difficult problem,” Prvulovic said.

“Profiling is about identifying which part of the program is the best match for the signal, whereas malware detection is about detecting, with sufficient confidence, that the signal does not match any part of the original program, even when the malware is designed to resemble the original code of the application,” Prvulovic said.

Researchers believe CAMELIA may result in systems that monitor multiple IoT devices, according to the blog post, though it will require some processing breakthroughs and new antennas to pick up signals from farther away.