Keynote address: The Internet of Bad Things, Observed

Wednesday 30 September 10:50 - 11:30, All rooms

Ross Anderson (University of Cambridge)

We have traditionally thought of malware research as something that mattered only for Windows PCs. However, as CPUs and communications end up in everything we buy for more than a few bucks and that we don't immediately eat or drink, that will change.

In this presentation I will describe a number of research projects we've undertaken at the University of Cambridge. First, we have studied new side channels, finding that a malicious app can steal the PIN entered into a banking app on the same phone merely with access to the camera — the rocking of the device on PIN entry is enough to give the game away. Second, we found that the remote lock and remote wipe features offered by the ten leading AV products for mobile phones were defective, mostly because they rely on factory reset functions in Android that the majority of OEMs have not implemented particularly well. Third, we have discovered PIN entry devices for bank card transactions with malicious software that can carry out horrendous attacks (one client we helped was debited an extra €33,000 for a transaction of €33 and had to engage lawyers to get the money back). Faced with such threats, how can we scale up security research to cope? Our latest project in Cambridge is a new cybercrime centre that will collect lots of data for sharing with bona fide researchers. This will include not just traditional malware collection but also substantial quantities of spam, phish and DNS traffic, and surveillance of a large sample of mobile devices. We have a number of collaborators in this project, and are looking for many more.

Ross Anderson

Prof. Ross Anderson was educated at the High School of Glasgow. In 1978, he graduated with a Bachelor of Arts in mathematics and natural science from Trinity College, Cambridge, and subsequently received a qualification in computer engineering. Anderson worked in the avionics and banking industry before moving in 1992 back to the University of Cambridge, to work on his doctorate and start his career as an academic researcher. He received his Ph.D. in 1995, and became a lecturer in the same year.