Researchers use power anomalies to detect malware in IoT devices (proof of concept)

Researchers from North Carolina State University and the University of Texas at Austin have released a proof-of-concept using power fluctuations as the basis for a malware detection mechanism for embedded devices.

According to co-author Aydin Aysu, micro-architectural attacks – using malware designed to exploit a system’s architectural design – can effectively hijack an embedded system in a way that gives attackers control of the system and access to its data.

“Embedded systems are basically any computer that doesn’t have a physical keyboard — from smartphones to Internet of Things devices,” says Aysu. “Embedded systems are used in everything from the voice-activated virtual assistants in our homes to industrial control systems like those used in power plants. And malware that targets those systems can be used to seize control of these systems or to steal information.”

Micro-architectural attacks are difficult to detect, but the paper authors believe they have found a way to detect them with a fair degree of precision – by looking at anomalies in power consumption. Aysu explains:

“We have a good idea of what power consumption looks like when embedded systems are operating normally. By looking for anomalies in power consumption, we can tell that there is malware in a system — even if we can’t identify the malware directly.”

Currently only a proof-of-concept, the ‘solution’ has its limitations. First off, it requires incorporating the technology into ‘smart batteries’ for use with new embedded systems and technologies. In other words, it requires a new industry standard, which typically takes years to implement. Second, the new detection technique relies on an embedded system’s power reporting, which requires a lab setting in most instances. Third, the authors are the first to admit that “the power monitoring detection tool could be fooled if the malware modifies its activity to mimic ‘normal’ power usage patterns.”

“We found that the effort required to mimic normal power consumption and evade detection forced malware to slow down its data transfer rate by between 86 and 97 percent. In short, our approach can still reduce the effects of malware, even in those few instances where the malware is not detected,” Aysu says.

The research certainly proposes an interesting new approach for addressing security challenges in embedded systems, but its caveats seem to eclipse the practicality of such a solution. For the time being, the best solutions for securing embedded, internet-connected systems remain those dedicated to that mission – and with a proven track record at that.
