Uncategorized

Post-Doctoral Research Fellow in Mobile Phone Forensics

The Information Security Group (ISG) at Royal Holloway, University of London, is seeking a highly motivated postdoctoral research fellow for the EU Horizon2020-funded EXFILES project. The successful candidates will join the Smart Card and IoT Security Centre (SCC), of the ISG, supporting the SCC research activities related to mobile phone forensics. The position is fixed term full-time.

Application closing date: 08 October 2020.

Full description: https://jobs.royalholloway.ac.uk/vacancy.aspx?ref=0720-153-R

Smart Card and IoT Security Centre Open Day 2019

Smart Card and IoT Security Centre Open Day 2019

The ISG Smart Card and IoT Security Centre Open-Day 2019 marks the 17th anniversary of the Smart Card Centre. It will be held in the Picture Gallery at Royal Holloway, and acts as a relaxed networking and exhibition event for its sponsors, supporters and industry representatives. There will also be VIP guests and students in attendance (some of whom will be looking for jobs).

This year’s event will be held in memory of Professor Mike Walker, who help to set up the Smart Card Centre in 2002. We really hope you can support us and we look forward to welcoming you in August.

The event is held biannually and comprises a mix of exhibits from our students and industry/organisations. There is also a distinguished guest lecture by Prof Steve Babbage, Vodafone Group. Our Open Days include practical demonstrations and lectures from recognised experts. A buffet lunch and refreshments will be provided.

To attend this event, please click here to get your free ticket.

Quote from Professor Konstantinos Markantonakis, Director of the Smart Card and IoT Security Centre:

The SCC Open Day was once again a great success attracting more than 100 visitors and 8 exhibiting companies. Our twenty-eight Undergraduate, Master and PhD student posters included topics from drone security, trusted execution environments, automotive security, Internet-of-Things (IoT), smart home and e-health, trusted supply chains, carbon labelling, as well as overall application/system security solutions. All our students demonstrated professionalism, commitment and expertise that was widely recognised by all visitors. Their hard work is leading into academic publications and commercialisation activities. This year’s event was held in memory of Professor Mike Walker, who help to set up the Smart Card Centre in 2002 and demonstrated that the SCC research and commercialization activities maintain their highly respected academic and real world significance.

Agenda:

09:00 ~ Registration/Coffee
10:00 ~ Introduction and Welcome to the Event
* Welcome to Royal Holloway: Prof. Paul Layzell (Principal)
* Welcome to the Open-Day: Prof. Konstantinos Markantonakis (Director of the SCC)
10:20 ~ Exhibition Morning Session Start
12:00 ~ Buffet Lunch Start
13:00 ~ Exhibition Afternoon Session Start
14:30 ~ Exhibition Awards Ceremony
15:00 ~ Guest Lecture (Main Lecture Theatre), in the memory of Prof. Mike Walker
* Introduction by Prof. Keith Mayes and TBC
* Guest Speaker: Prof. Steve Babbage (Vodafone Group) (see description below)
16:00 ~ Speaker thanks and closing remarks from Prof. Konstantinos Markantonakis

Guest Lecture, Steve Babbage (Vodafone Group): “The History of Mobile Network Security”

This lecture is a tribute to Professor Mike Walker (1947 – 2018).  Steve will talk about the history and motivation behind different generations of mobile network security, including the roles played by Mike and by Royal Holloway.

Exhibitors List:

[slideshow_deploy id=’3008′]

[slideshow_deploy id=’3016′]

Gallery:

[slideshow_deploy id=’3153′]

Student best poster awards

[slideshow_deploy id=’3183′]

ISG SCC Workshop 2018

On the 1st of November 2018, the ISG SCC Workshop 2018 showcased the excellent work carried out by its summer internship recipient students of the 2017-2018 academic year. The SCC provided the necessary funding and had the privilege of collaborating with eleven amazing undergraduate (UG) Computer Science students investigating a range of topics including data provenance, machine/deep learning, visualisation, blockchain, smart contracts, e-voting, syscall and database monitoring.

The ISG SCC undergraduate internship programme is designed to provide a first-hand experience of research and development at the highest level, by enabling undergraduate students to work with experienced researchers on real world problems related to cybersecurity and privacy.

The ISG SCC staff provides support and direction in selecting a real world research question, co-developing it, finding the core issues that need to be tackled and propose realistic solutions. The programme has a significant active research and programming (development) component, along with extensible emphasis towards exploring commercialisation opportunities.

During the workshop, each intern delivered a soundbite talk summarising their work, the skills they gained and the challenges they had to overcome during the 10 week programme.

Results

  • All projects achieved their identified objectives.
  • One proposal is already in the commercialisation stage (by RHUL).
  • Four papers accepted (published) in international conferences; another paper is under submission and a journal paper under development.

Responsible Disclosure: XiongMai uc-httpd 1.0.0 – Buffer Overflow

As part of his MSc Project, Andrew Watson discovered a previously unknown buffer overflow vulnerability in ‘XiongMai uc-httpd 1.0.0’ – a web server used in multiple IoT devices including routers, CCTV cameras and DVR’s. Following best practice and with the full support of RHUL ISG, he attempted responsible disclosure to assist XiongMai in fixing the vulnerability, but unfortunately the company did not respond to any of the multiple attempts to discuss the vulnerability with them. After 111days of no responses, he released the 0day exploit publicly, further details available here.

The vulnerability (CVE ID: CVE-2018-10088) has since been given a CVSS score of 10.0 – the highest any vulnerability can score.

Andrew’s Proof of Concept exploit (PoC) was accepted to the Offensive Security Exploit Database as EDB-ID: 44864 and is also included in Kali Linux via the SearchSploit tool.

Soon after the PoC exploit was publicly released, it was reported that the Satori Botnet integrated the PoC exploit into their botnet code. Quoting Security Affairs: “The code recently included in the Satori botnet exploits a buffer overflow vulnerability, tracked as CVE-2018-10088, in XionMai uc-httpd 1.0.0. The exploit could be used by remote attackers to execute arbitrary code by sending a malformed package via ports 80 or 8000.”

The vulnerability was also reported by Bleeping Computer: “The sudden surge in port 8000 activity turned the heads of multiple security experts specialized in botnet tracking, as it came out of nowhere and at an incredible scale”.

SCC Open Day 2017

Save the date!

openday 2015 fred2The next Smart Card Centre Open Day will be on August 30th 2017, in the Picture Gallery, Founders Building, Royal Holloway, University of London.

The Smart Card Centre Open Day is a free exhibition (50:50 mix of industry and student exhibits) for sponsors, supporters, lecturers, students and visitors as a friendly and informal networking event.

More details can be found at this page.

Best Paper Award at Digital Avionics Systems Conference (DASC)

shawn logoA paper written by Raja Naeem Akram, Konstantinos Markantonakis, Sharadha Kariyawasam, Shahid Ayub, Amar Seeam, and Robert Atkinson, “Challenges of Security and Trust in Avionics Wireless Networks” has won the best paper award in the security track at IEEE/AIAA 34th Digital Avionics Systems Conference (DASC), September 2016.

 

 

The abstract of the paper is:

“Avionics networks have a set of stringent reliability and safety requirements. In existing deployments, most of these networks are based on wired technology, which provide a high degree of reliability and safety. Furthermore, it simplifies the security management of the network as certain assumptions including an inability for an attacker to access the network can be safely made. The proposal for having an Avionics Wireless Network (AWN), as being developed by multiple aerospace working groups, promises reduction in complexity of electrical wiring harness design & fabrication, reduction in wiring weight, increased configurability, and potentially monitoring of otherwise inaccessible moving or rotating aircraft parts. While providing these benefits, the AWN must ensure that it provides at a minimum the equivalent levels of safety offered by the wired network. Substituting the wired network for a wireless network, even for a specific set of well defined and non critical tasks, brings a whole set of new challenges related to assurance, reliability, and security.  In this paper, we discuss the security and trust challenges an AWN deployment might face along with highlighting potential directions for solutions. Furthermore, as a case study we will elaborate on AWN deployment variants like Secure High-Availability Avionics Wireless Networks (SHAWN). Finally, the paper makes suggestions that set the agenda for security, reliability and trust work that could if successful provide an AWN system, meeting the required safety standards.”

ISG Open Day June 22nd 2016

Professor Markantonakis is the lead organiser of the first ISG Open Day on June 22nd 2016.

The Open Day is designed to showcase our world leading Information Security department featuring presentations from current research students, exhibitions and demos, talks from ISG staff and keynote lectures from exciting guest speakers. There will be opportunities to network and engage in discussions with current professionals who are based here at Royal Holloway.

The event is sponsored by:

Thales, GSK, KPMG, Qinetic and Royal Holloway Enterprise

Stuart Atwood Prize at SCC Open Day 2015

Multos prize

At the SCC Open Day 2015, a special prize in memory of Stuart Atwood was awarded by MULTOS to MSc student Shreya Singh for her work on Secure Authentication in Vehicular Ad Hoc Networks (VANET).

More details can be found on the MULTOS website.

  • 1
  • 2