April 11, 2011

Thwarting info security threats

Greg Vorsanger bets that RFID technology can stymie malicious flash drive users. Photo: Will Kirk/Homewoodphoto.jhu.edu

Name: Greg Vorsanger

Age: 21

Hometown: Yardley, Pa.

Major: computer engineering, Whiting School of Engineering

Faculty sponsor: Gerald Masson, professor of computer science and founding director of the Johns Hopkins Information Security Institute, Whiting School of Engineering

Project title: “RFID-Protected USB Flash Drive Hub”

Pocket-size USB flash drives have become a simple and popular way to move information from one computer to another. They have also become so inexpensive that “thumb drives” imprinted with logos are commonly handed out as promotional gifts. But these seemingly harmless devices can pose a serious information security threat. Identity thieves and military or industrial spies can use the drives to grab confidential data from unattended computers, or even to insert a computer virus. When Whiting School undergraduate Greg Vorsanger, now a junior, learned that researchers at the Johns Hopkins Information Security Institute had proposed the use of radio-frequency identification, or RFID, to block the malicious use of flash drives, he applied for a PURA grant to help him design and build a prototype system based on this idea. The Johns Hopkins technology transfer staff recently filed for a provisional patent covering the invention.

Questions for Greg Vorsanger:

Why do we have to worry about flash drives stealing information from our computers or planting a virus in them? Won’t our anti-virus software prevent this? If not, why not?  Flash drives have reached the point where they can hold a lot of data. People can load whole operating systems onto that flash drive and then make your computer run that operating system instead of the one safely installed on the hard drive, bypassing a lot of your security measures. Viruses aren’t the main concern with this, but once there is a security breach, flash drives can make it easier to steal data from your computer, including system passwords, financial records and other important files.

How can RFID technology create an invisible “lock and key” to protect against evil flash drives? RFID stands for radio-frequency identification, a technique to get basic data from an object at a distance. A good example is the Johns Hopkins J-Card that is used to access buildings on campus. If you wave the card instead of swiping—to enter a dorm, for example—you’re using RFID. Basically, there is a radio module called a reader, and an identification tag. The reader sends out a signal looking for any tags within the region, and the tag, embedded in the J-Card in this instance, responds with a specific identification number. You can think of it as kind of a wireless barcode system. Using this technology, you can identify authorized users based on those identification numbers. By combining this system with some other computer electronics, an RFID device can block people who aren’t authorized and protect against people with malicious intentions.

Who came up with the idea for using RFID to protect against malicious flash drive users, and what was your role in producing the prototype?  Johns Hopkins professors Jorge Vasconcelos and Gerald Masson came up with an idea to use RFID with USB flash drives in some degree to protect both flash drives and computers from data theft. I took this concept and focused it on just protecting the computer, then expanded it to produce a prototype based on these ideas. I designed and built the electronic system, wrote the code and tested it.

Describe how this system works. The device is connected to your computer, and a program runs on the computer as well. The device first disables the use of USB flash drives and the physical USB ports where these drives are plugged in. It waits for a user with appropriate access rights by checking the area for an RFID tag, which gives an ID number. The ID number is checked against a database of valid users, and if the number is on the list, the device turns on the USB ports. Then, it checks the flash drive in the USB port to make sure that flash drive is registered to the ID number. If it is, it lets the user use it. This process lets the computer filter out flash drives based on each user.

You and your co-inventors have filed for a provisional patent as a first step toward getting this system out into the market. Who would your future customers include? Computer manufacturers? The general public? The Pentagon? Industrial security experts?  I think this device would do best if manufacturers could integrate it into computers at the production level, so that would be the ideal place to see it develop. If that doesn’t happen, the device could appeal to businesses, the government or any place where you have sensitive data and a lot of people. Picture a busy office building, where it would not be too hard to carry away a lot of private data on a small flash drive. I don’t think our device would necessarily be needed inside most homes. If someone in your home is trying to steal data from your computer, you probably have bigger issues, anyway.

What was the most important thing you learned while working on this project? I learned a lot about technology, but I also learned a lot about the whole development process and myself. It’s really tough when your tests don’t work, and it’s really tough when you can’t seem to solve a really crucial problem. But it’s worth it because it’s really rewarding to see it work at the end of the day. The toughest part had to be realizing when I had hit a dead end with one of my ideas, I had to basically backtrack and scrap about three weeks of hard work, and that was really demoralizing. Making it through that was great, though, because ultimately, I knew I made the right choice.

On TV and in the movies, spies are always using tiny flash drives to steal information from their target’s computer. Isn’t your invention going to spoil a lot of scripts?  I’m sure Mr. Bond will find his way around it; he’s a pretty clever guy. The other guys, well, who knows? Maybe they’ll just handle it like in the movie Zoolander, where the characters discover the files are in the computer, so they haul away and destroy the entire desktop machine.

If this device someday shows up on the shelves at Best Buy, what would the product be called? The Cybernetic Sentry? The Flash Drive Defense System? The Hub of Horrors?  I’d go for something short and sweet. I’m sure anything will be catchier than the current name, which is kind of a mouthful.

Sponsor Gerald Masson says:

What Greg and the group have done is to insightfully combine some interesting information technologies, and the whole has become more than the sum of the parts. I think the “RFID-Protected USB Flash Drive Hub” project has some practical and interesting applications.

Jorge Vasconcelos, assistant research scientist in Computer Science, says:

Greg has played a key role in the development of this project. With his willingness to tackle the most diverse challenges, from learning the intricacies of several technologies to working with complex electronics and programming, he has taken a theoretical idea and made it into a viable prototype.