There are two types of hackers out there; one that attacks systems and companies to cause damage, espionage or criminal profit, and the other that is an ethical hacker who finds vulnerabilities and tries to get them fixed before there is a big problem.
“I’m fortunate that the world now recognizes ethical hacking,” said Yeongjin Jang, assistant professor of computer science at Oregon State University. “I can use my skills to find and fix weaknesses in software.”
Jang’s fascination with identifying weaknesses in devices and systems began when, as a child growing up in South Korea, he figured out how to pick locks. He moved on to taking apart more complicated mechanical devices, like bicycles and cars, before finally tackling computers. He was especially intrigued by hidden operations and realized he had a knack for unearthing secret doors into software.
As a graduate student at the Georgia Institute of Technology, he participated in Capture the Flag hacking competitions, and he is on a team that has won repeatedly at DEF CON, one of the world’s biggest hacking competitions — first place in 2015 and 2018, and third place in 2016.
“I do the competitions for fun, but more importantly I’ve gained intuition and knowledge of attack and defense that I can utilize in my research,” Jang said.
His research is winning honors too. Just a few days after winning at DEF CON this year, Jang and his co-authors received a distinguished paper award at the USENIX Security Symposium, a top security conference. The award was for research on developing a tool that automatically finds weaknesses that hackers can exploit to gain access to any device or system that uses software, including phones, computers, autonomous vehicles, and the electric grid.
“Right now, the world relies on human effort to detect vulnerabilities in software, and human effort is not scalable to the vast amount of software we use,” Jang said. “I’m working on how to automate detection and embed artificial intelligence into that job.”
Jang extended his work on vulnerabilities to include autonomous vehicles. Since university research funds cannot be used to purchase a car, he bought an $800 kit to convert his Toyota RAV4 into an autonomous vehicle. There will be many restrictions on where and how it can be driven, he said. And that is not the only factor making the research more complicated.
“Previously we were targeting vulnerabilities of a single program, but in this case we are targeting a car that has several programs and computers that are connected to each other. So, we will take a similar approach but apply it to a whole system to figure out the conditions in which an autonomous vehicle could fail, and fix that before they become popular worldwide,” Jang said.
Beyond research, Jang’s presence at Oregon State is a boon to students specializing in cybersecurity. In addition to mentoring graduate students, he teaches a course on cyberattacks and defense, and advises the OSU Security Club. Under his guidance, the club has already won one regional hacking competition. With more practice, he hopes the team will be competing at the international level.
“I want to create a pipeline for students that starts with competitions, then leads to applying their knowledge to research that will ultimately help the world become a safer place,” he said.