The internet links billions of people around the world, facilitating connections that can be useful for commerce, mental health, and entertainment. Unfortunately, this network also means that malware on one user’s computer can have far-reaching security consequences. Even devices working as intended can raise unsettling questions about privacy—like when a webpage includes ads for things users have talked about near their phones, but never typed into a search bar.

Two of UT’s cybersecurity experts, assistant professors Scott Ruoti and Jian Liu, approach both familiar and emerging technologies from new angles to improve cybersecurity for individual users.

Ruoti and the False Silver Bullet

In a 2022 survey, 21% of Americans reported forgetting and resetting a password at least once per week. Many users try to avoid this annoyance by reusing passwords on multiple sites or replacing passwords with secondary authenticator factors (SAFs) like physical USB keys. Unfortunately, both tactics can increase user vulnerability to cyberattacks.

“A good chunk of data breaches and other cybersecurity issues start with somebody being tricked to share their password or having one of their authentication tokens stolen,” said Ruoti, who studies how people utilize passwords, authenticators, and other account security technologies.

Those security concerns are amplified by increases in the number of passwords needed to conduct business, such as the multiple educational, productivity, and data storage apps in use on UT’s campus. In response, many organizations have embraced two-factor authentication (2FA).

“A lot of people treat 2FA like a silver bullet that will solve all their security problems,” Ruoti said, “but that leads to poor decisions in terms of backing up that authentication.”

For example, UT students circumvent password entry every time they verify a login attempt via the Duo app on their phone or tablet. If one of those SAFs gets lost or stolen, an attacker can gain access to a student’s accounts for multiple university-approved applications.

After the initial breach, it is common for attackers to replace the 2FA tokens on a stolen account, tying the victim’s account to the attacker—and effectively making it impossible to recover.

“From the company’s perspective, the attacker with an authentication token looks more legitimate than the original, legitimate user,” Ruoti said.

Ruoti creates tools that reconcile account security with users’ ability to remember and access their own authenticators. Last year, his lab created an internet browser extension that streamlines the setup and maintenance of 2FA across many popular websites, including Facebook, Amazon, and Dropbox.

The new extension increased users’ success rate of correctly setting up SAFs—and, just as crucially, removing them—by 15 to 25 percent.

He is currently working on another extension, prototyped on the Firefox browser, that will improve the coordination between a user’s browser and SAF in a way that makes remote access by attackers impossible. If implemented by other vendors, the feature could rapidly improve the security of billions of users.

“Our results have been adopted into real tools, so they’re already impacting the tens of millions of people,” Ruoti said. “Our goal is that the lives of everyone who uses passwords—pretty much everybody on Earth—will be improved by our research.”

Liu Locates Leaks

In the last few decades, smartphones have revolutionized everyday life, making it easy to access information and conduct business anywhere. Voice-activated search assistants and virtual reality (VR) headsets are further blending the virtual and real environments. While audio and visual integration create more seamless user experiences, they also increase the potential impact of security breaches.

“Both VR and voice search technologies process vast amounts of highly personal and sensitive information,” said Liu. “Those data pose a significant privacy risk if exploited. Moreover, concerns over data security can deter users from trusting and embracing new technologies.”

Liu develops offensive security attacks to expose the security vulnerabilities in emerging user-assistive technologies. His research highlights flaws before cybercriminals can abuse them, raising industry awareness of potential leaks and promoting development of more robust data protections.

For example, VR headsets and controllers detect and respond to a user’s position, movements, and environment to facilitate immersion in the virtual world.
“This exposes a huge attack surface for adversaries, who could potentially reconstruct body movements, intercept gesture-based inputs, and even access information about the user’s surroundings,” Liu said.

Liu recently developed a malware program to steal virtual keystroke data from several VR interfaces, including Valve’s OpenVR, Meta’s Oculus, and Qualium Systems’ WebXR. He found that most of the interfaces allow access to onboard sensor data without any security authorization—letting his proof-of-concept program capture users’ passwords with up to 84.9% accuracy.

Given that VR is gaining popularity in a variety of situations, that vulnerability creates opportunities for attacks across the gaming, socialization, retail, productivity, and education industries.

“The more broadly these technologies are integrated into everyday life, the more attractive their data become to malicious users,” Liu said.

Phones and voice-responsive speakers like Amazon Alexa, Google Assistant, and Apple Siri are prone to similar security issues. The devices typically store user recordings locally, sending only aggregated gradient data to central processors to improve training of the assistive AIs.

However, Liu has found that many of those gradients can “leak,” allowing attackers to closely reconstruct individual users’ voice recordings. Given that voice data can be highly personal and often contains biometric identifiers, attackers could use the reconstructed speech patterns to spoof speaker authentication systems—or even impersonate individuals online.

“I hope my research advances cybersecurity by ensuring that emerging technologies are not only innovative but also built with a foundational emphasis on user privacy and data security,” Liu said. “Improving security standards is not just about protecting data; it’s about ensuring a safe, trustworthy, and sustainable technological environment that respects user privacy and promotes ethical standards.”

Contact

Izzie Gall (865-974-7203, egall4@utk.edu)