The Critical Infrastructure Resilience Institute (CIRI) received a $640,000 grant for research into prepositioned cyber-threats in mobile devices that originate in the supply chain.
CIRI, a Department of Homeland Security (DHS) Science and Technology Directorate (S&T) Center of Excellence (COE) led by the University of Illinois at Urbana-Champaign, will team with Kryptowire, LLC of Fairfax, Virginia for this research and development (R&D) project.
They will examine mobile devices and related supply-chain vectors for prepositioned cyber-threats, including malware or questionable behavior built into the devices by design. The project is being managed by the Homeland Security Advanced Research Projects Agency’s Cyber Security Division (CSD) in partnership with the Office of University Programs (OUP).
“Malicious actors — both foreign and domestic — constantly find new ways to pierce the security safeguarding the privacy of mobile device users, including compromising the supply chain to insert software that can extract Personally Identifiable Information,” said Vincent Sritapan, DHS S&T’s Mobile Security R&D Program Manager. “This project will develop a security framework to assess at scale the supply chain of mobile devices.”
This project will focus on creating a framework that enables analysts to automatically identify possible prepositioned threats in mobile device operating systems (e.g., Android and iOS), including the collection of Personally Identifiable Information, software Trojans, inconsistent validation checks, ineffective security checks, and production code with debug functionality. The work will initially analyze firmware updates and will culminate in extending the framework with a prototype that provides network trace analysis of firmware components, even for encrypted traffic.
“The research will provide a better understanding of the complex business of risk-management in the context of potential cyber-threats to infrastructure systems that rely upon mobile networks,” said DHS S&T OUP Deputy Director Matthew Coats. “This OUP-CSD partnership demonstrates how S&T structures its programs to move concepts from the lab to the marketplace.”
DHS S&T OUP manages the R&D portfolios of its Centers of Excellence to support the long-term needs of the Department’s operational Components. The CIRI COE is pursuing research in four thematic areas, one of which is improving the understanding of critical infrastructure dependency on key technologies such as information and communications technology. This and other projects at the CIRI COE are focused on understanding and providing solutions to secure critical infrastructure supply chains.
“When we think of smartphones we usually only consider what we do with them, not all the other things going on in the background. Understanding what the devices are capable of and how updates are made will facilitate security as a building block for device operations,” said Sritapan. “Identifying prepositioned cyber-threats will provide greater insight into the security posture of mobile devices.”
The CIRI-led R&D project will enable S&T to provide cutting-edge, secure technologies that will create a more secure mobile experience for the Department, other government agencies, and enterprise organizations.