tv   The Communicators Black Hat Conference  CSPAN  August 31, 2019 6:30pm-7:01pm EDT

6:30 pm
public policy events from washington dc and around the country, so you can make up your own mind. created by cable in 1979, c-span is brought to you by your cable or satellite provider. c-span, your unfiltered view of government. ♪ this week on "the communicators," we want to introduce you to george mason university professor duminda wijesekera. professor wijesekera, what do you do at george mason university? prof. wijesekera: i do research mostly related to cybersecurity and its consequences on the transportation systems. i have a large group of students who work on radio breakers,atic connected breakers, some on
6:31 pm
uav's, meaning unmanned aerial vehicles. everything that is related to industrial automation. >> what is that word you are using? wakers? prof. wijesekera: yes, like in buses and trains and so on. wakers. >> do you teach any classes as well? prof. wijesekera: yes, i usually teach cybersecurity classes. this fall, i am going to teach a class on connected and automatic vehicles. we have a pretty good selection of graduate students and faculty that lift us update by day. so we are encouraged to do whatever we can to reach out and cybersecurity vulnerabilities and look at the
6:32 pm
new areas that are emerging and participate to the best extent we can. peter: you also have worked at the national institute of standards and technology. what is that, and what are you doing? prof. wijesekera: the national institute of standards and technology has a division for , it is a laboratory for cybersecurity. i work there as a visiting researcher, and most of my work there has been forensics. i have worked with a couple of research scientists there, and i also have students from the university that sometimes participate in that research. and it has been going on for a long time. i really enjoy working with the government. peter: professor wijesekera, we
6:33 pm
invited you here because you are a presenter at black hat this year. first of all, what is black hat? how would you describe black hat? prof. wijesekera: that is essentially people who work on the creation side. they are not really hacker hackers, but they are people who like to expose certain vulnerabilities that exist in different systems, and try to bring into society people who should know about that, and make them aware so that the vulnerabilities would be closed, and people would find the loopholes and encourage people to look at similar loopholes in related systems, and work with manufacturers or the people who created those systems to close
6:34 pm
the vulnerabilities. peter: it is held in las vegas, and thousands of people attend this event, don't they? prof. wijesekera: that's correct. peter: when you go into black hat, because of the expertise of some of the people there, do you leave your cell phone in your hotel room, or your atm card? prof. wijesekera: i have heard that before, but i don't think that's true anymore, though some people have said that has happened to them. i do not have an experience like my students, who spend more time there than me. peter: black hat has become pretty mainstream, hasn't it? prof. wijesekera: absolutely true. this time, i think there were about a thousand people there, and there were lots of scientists, companies, even government labs, and universities like ours.
6:35 pm
peter: what was your presentation about? it was called "attacking electric motors for fun and profit." prof. wijesekera: what it was is we realized that, looking at the way electric motors are designed and constructed, it might be possible for somebody to attack them in the sense that it makes them do things the original user did not intend to do. like, when the motor gives more horsepower, we would like to reduce it. what it says, turn clockwise, we would like to turn it counterclockwise. so those would create unsafe
6:36 pm
electrics, the way motors are used. some are quite benign. if you turn them backwards, they can be such a big problem. but if you use them in a different way with electric motors, you would have a bad consequence. like, it can go back instead of forward or turn left instead of right. so we thought we would experiment with different kinds of electric motors, and we found there was more than one way to attack them. and our presentation was based on about a year and a half worth of research that students did under my direction. and there was a clever young man who was able to reproduce all the attacks we thought we could reproduce.
6:37 pm
and the meantime, we did a lot more tests, we did a whole graveyard of things that did not go well. but we were able to produce a lot of attacks that we thought we could produce. peter: so professor, what is in an electric motor that would make it susceptible to an attack? prof. wijesekera: an electric motor has the control system, the power system, and the use of electromagnetism in one way or another. that is how it actually generates the momentum in the moment, by essentially moving an electric wire across a magnetic field. so any and all of these components are subject to some kind of interruption, disruption, a moment that is not expected to be there.
6:38 pm
so we do a seven-step method of using electricity, using the pins, disturbing the electromagnetic field, going system, beingol disruptive in the middle of the operation, and the motor control itself. and change them unknowingly, so the controller itself would ignore that something has changed. or on the other hand, do some physical disruption with the magnetic fields and so on that would alter the movement of the electric motor. peter: so not necessarily an attack on software. prof. wijesekera: that's correct. not necessarily an attack on software. it could be physical as well as cyber. peter: were you successful? prof. wijesekera: yes.
6:39 pm
peter: does that worry you? prof. wijesekera: to a large extent, yes. because if you look at the consumption of electric motors, about 40% to 45% of electricity used are used by electric motors. you may not realize that you are using electric motors, but they are always there. when you get onto any train or bus or car, there are so many electric motors in them, they do consume electricity, and there is a whole division in the department of energy that devotes their entire time into making them efficient, making them better, making them not waste too much electricity or produce kinetic energy that is unnecessary for the application. but what we are showing is that it is possible to interfere
6:40 pm
all of those [indiscernible] if you intended to make some harm. peter: what about software attacks? did you experiment with those? prof. wijesekera: yes. we did experiment with software attacks. peter: when did you find? prof. wijesekera: it is not that difficult to install a controller and replace the controller that can do the opposite of the specific performance of the motor. peter: a couple years ago, a jeep was hacked on purpose by "wired" magazine, and it was controlled remotely. is that a countrywide danger that this could happen? prof. wijesekera: i think --
6:41 pm
let me answer that question directly. if we believe in human ingenuity and something was created by one human being, others should be able to find ways to find loopholes to either misuse it, abuse it, or use it in a way that it was not intended to be used. i myself was an engineer in the workforce, for honeywell. and i know that, despite our best efforts, we could make mistakes. there are so many software systems, tools that will show you what you should not do and prevent you from doing certain things. despite all of that, we are humans, so at some point someone
6:42 pm
will realize, if i am paid to, or if i am sufficiently motivated for whatever reason, i will devote my time to making it not work the way it is supposed to work. peter: one of the things you write about and talk about are cyber physical systems. what are those? prof. wijesekera: those are physical equipment that, based on some phenomenon of physics, chemistry for that matter, such as batteries, electric bands, automobiles, train engines, anything that moves or rotates or provides a physical service that is usually controlled by some form of software, it could be through an application, that could still be
6:43 pm
interfered with, and can degrade the performance because of this interference. an example is that if you have a car with a speedometer, it can show you that you drive at 30 miles per hour when you are actually driving at 50 miles per hour. this could be a problem because when you apply the brakes, you don't want to apply that much, but then you realize it is not slowing down. it is not necessarily a problem with the braking system, but if somebody interfered with that -- i know the manufacturer goes through great extents to make this impossible. i am not saying this as a real example. i just made up one to show you what this system would do. peter: how do they interact with so-called intelligent transportation systems? prof. wijesekera: if you look at intelligent transportation systems, most of the transportation systems today are
6:44 pm
migrating to be controlled by software. our traffic lights are controlled by software. most of our vehicles have intelligence built-in. they have radar, sonar detectors. there are cameras that show you different things, such as they make you keep your lane, so that if you deviate from the lane, it will make a sound or somehow make you come back. so it is becoming very much computerized, if i may say, and using different kinds of computer systems to make sure that we as human beings don't make intentional mistakes, and if we do, try to correct our mistakes. a great example is abs systems,
6:45 pm
automatic braking systems, that are a very high-frequency, like 400 times per second, so that it balances the friction of the four wheels, that is even beyond novel human capability. this came about in the 1970's, through very, very detailed by the automobile manufacturers and other manufacturers like bosch and so on. that has been a great task now. most cars come with it. at the beginning, it was limited to expensive luxury cars. but today, a normal passenger vehicle has abs. now tractor-trailers and so on have that facility built in, to make the drive more comfortable, more safe, and also the vehicles around you, so that you don't just jump out of your lane and
6:46 pm
hit somebody unintentionally because one of the tires went over a patch of ice. so these things are great inventions. peter: so is a system like abs hackable, or can it be attacked remotely? prof. wijesekera: remotely is a much more difficult thing, because you have to get into the vehicle and into the system that connect the brakes and the abs itself. peter: well, we are moving into an age of autonomous vehicles. so does that increase the danger of remote attack? prof. wijesekera: if you look at it as a purely software system, you bring in more software, you bring in more vulnerabilities. one would think that yes, it does, but if you look at the engineering that goes into the autonomous vehicles, they are supposed to come tomorrow.
6:47 pm
a lot of effort that is being paid to make sure that there are no vulnerabilities, there are no mistakes. they look at all the cases where we unintentionally did not address a particular issue and bring the engineering and human factor stuff to ensure that accidents do not happen that did not go unnoticed. and there are great testing efforts devoted to making sure properly, andve even if there is an accident that is quite unintentional, that it protects the passengers in the vehicle and the
6:48 pm
passengers around the vehicle. peter: recently in russia there has been a tesla crash, a couple of those around the country, some loss-of-life. what is your take on that? and they have been in the drivers assist mode at the time. what is your take? prof. wijesekera: that is correct, yes. it could happen to any software system, but i think most of the manufacturers go through great efforts. nissan has a document that they put out in 2017 and 2018. the government takes a great effort as a third party to show advise happening, and both the consumers and producers of the vehicles, such as the automobile industry and all the equipment manufacturers, and the research community that is like a third party, looking at it to ensure that every case
6:49 pm
addressed, but also, even if we did not address them, it is still in testing loops trying to make everything better. hopefully we close those loops one by one. peter: professor wijesekera, the 737 max, does this fit into the category of malfunctioning software or software taking over for human function? prof. wijesekera: eventually some of the software should take over some of our functions, such as abs, because it is not humanly possible to control at that frequency. so once the control systems would have these types of issues, but i think the engineering disciplines are such that we find ourselves responsible if we find something, and usually we would
6:50 pm
try to address those issues in the next revelation while we are trying to find an immediate remedy. i am optimistic that, just like when people find that some of the mistakes or accidents happen, that we would go back and ensure it never happens again. but there was no guarantee that we have gone through all the potential possibilities and all the environments in which this equipment operates, and to give a license of absolute guarantee of total safety. in fact, we have to look at every operation and make equipment that can withstand most of the initial cases.
6:51 pm
actually, all the initial cases, but the problem is, if you go through such an engineering process, it will take a lifetime to produce equipment, and an incredible amount of effort and energy that will result in what's called over engineering. usually we try to be on the safe side and give ample warning, so when it should be operated, how it should be operated, and cases in which we cannot ensure that complete autonomous behavior can be guaranteed to provide absolute safety. we say in these cases we would ask the human being to interfere and take over and make some decisions that would take you through those cases and bring you back to a safe state, so
6:52 pm
that the control system can go for the rest of the journey. peter: so much of our communication today is wireless, so do you fear an electromagnetic attack more than you do a software attack? prof. wijesekera: yes. that is a very pertinent question. one of the things that will be affected are the electric motors and the radio frequencies. this naturally happens at the very low rate. for example, due to sunspots, some communications are disturbed. but it could happen to any wireless media. peter: including airplanes? prof. wijesekera: yes, it could. because it is the rays of the sun that we actually cannot control. sometimes they penetrate, due to all kinds of atmospheric conditions.
6:53 pm
there could be a sunburst that does bring it in. peter: but what about a malicious attack? prof. wijesekera: a malicious attack, you have to be able to produce an electromagnetic field, just like the radiation attacks at the time. this was risky then, and it could be risky now because a lot of things are possible, but at the enormous cost of producing the attack, especially when it involves physical equipment, it is very difficult to make them in absolute secrecy and bring them out just for the attack. peter: let's talk about something that you talk about in your black hat presentation attacking electric motors for fun and profit. you spend quite a bit of time on drones. those are out there in the world today.
6:54 pm
is there a -- help me here. prof. wijesekera: it is conceivable. so one of the attacks that we had there was attacking a drone, it is a four-rotor drone. so it is possible to attack the four rotors using different techniques. so if there is a solution to one, maybe the other one does not work. you can go through engineering that but the others interfering in the radio are taking it over and issuing commands that the actual driver never intended. peter: knowing what you know, how much time you spend worrying about these things?
6:55 pm
prof. wijesekera: i would say it concerns me, but it does not worry me. one of the things somebody asked me about three months ago, this was again related to newer equipment on cars, would you drive a car with all these new features? and my answer was, absolutely, yes. if i don't drive my own car, how would i find out whether they are good or bad? and i have things i have experimented with attached to my car, but it does it drive my car. i just think about, if i had the opportunity, how would i use it? peter: are we on the right path in this country when it comes to cybersecurity? prof. wijesekera: we are.
6:56 pm
i think we are better than anybody. that is my opinion, again, but i think people who are dedicated to the cause, both in industry and government, they give their life to it, and they have great appreciation for what they do. peter: because of what we have been discussing, is that one of the reasons that huawei phones are under suspicion? prof. wijesekera: i don't know too much about that phone, but it is always good -- when you find vulnerabilities, more than average people suspect it would be abused, but one wonders if they are intentional or not. but going back into intention is a much more difficult thing, because most of these systems, other that are used in safety
6:57 pm
critical systems, they are made out of commodity components. the honeywell, it was so-called supply chain security, how you ensure that every piece of equipment you use was tested for security and there is no way of introducing unintentional things? despite the occasional black sheep in every industry, people tried to go through this detail, but i think most of the issues like huawei -- i consider them to be sociopolitical issues. and there are people who also look at that. that is why we do some of the supply chain work. there are lots of great people in the u.s., like lockheed martin and so on that invented these concepts and spent a great
6:58 pm
amount of time on the open internet and darknet, trying to find out if there is something that is evolving but not publicly disclosed, and bring that into the development lifecycle so that we could take some precautionary actions that may prevent incidents that otherwise would happen. peter: duminda wijesekera, a professor at george mason university, thank you. changed in 40
6:59 pm
years, but today that big idea is more relevant than ever. on television and online, c-span is your unfiltered view of government, so you can make up their own mind. brought to you as a public service by your cable or satellite provider. day weekend on american history tv, tonight at 8:00 p.m. eastern on lecturers in history, a discussion about abraham lincoln and native americans. lunday at 4:00 p.m. on ree america, the 1950 army film, invasion of southern france. eastern,y at 8:00 p.m. the commemoration of the 400th anniversary of virginia's first assembly held at jamestown. american history tv, every weekend on c-span3. >> during a town hall with
7:00 pm
constituents, california congresswoman katie porter was asked about impeaching president trump. her district includes irvine and mission viejo and she was also asked about a number of other issues including immigration, climate change, and public transportation access. she worked under then california attorney general kamala harris and had elizabeth warren as a law school professor. the event was held at the islamic center of irvine. [applause] >> good afternoon and welcome.

