Surprisingly, while there’s been interest in the security implications of wearable devices, the focus within the research community has been on how these devices might be attacked rather than on how these devices challenge existing social assumptions.
— Alex Migicovsky on Freedom to Tinker
I don’t think this is surprising at all. Researchers are rewarded for working on attacks, and, in comparison, penalized for working on defenses.
This attack bias is damaging for security research; we need more defenses, not more attacks. Since some people, at least, don’t realize that there is such a bias, let’s look at the evidence.
Security research is one of those disciplines that actually gets reported on outside of academia, in more mainstream media. I took a look at all academic papers mentioned in security articles at Ars Technica so far in 2013:
- Grammar badness makes cracking harder the long password
- “Lucky Thirteen” attack snarfs cookies protected by SSL encryption
- Puzzle box: The quest to crack the world’s most mysterious malware warhead
- How Spamhaus’ attackers turned DNS into a weapon of mass destruction
- Quantum encryption keys obtained from a moving plane
- Amid a barrage of password breaches, “honeywords” to the rescue
- It’s official: Password strength meters aren’t security theater
- After burglaries, mystery car unlocking device has police stumped
- New attack cracks iPhone autogenerated hotspot passwords in seconds
- High court bans publication of car-hacking paper
- Tampering with a car’s brakes and speed by hacking its computers: A new how-to
- Professor fools $80M superyacht’s GPS receiver on the high seas
- “Bloodsucking leech” puts 100,000 servers at risk of potent attacks
- Seemingly benign “Jekyll” app passes Apple review, then becomes “evil”
- iOS and Android weaknesses allow stealthy pilfering of website credentials
- Snoops can identify Tor users given enough time, experts say
- The NSA’s work to make crypto worse and better
- New York Times provides new details about NSA backdoor in crypto spec
- Gov’t standards agency “strongly” discourages use of NSA-influenced algorithm
- Fatal crypto flaw in some government-certified smartcards makes forgery a snap
- Researchers can slip an undetectable trojan into Intel’s Ivy Bridge CPUs
- Top sites (and maybe the NSA) track users with “device fingerprinting”
- Stealthy technique fingerprints smartphones by measuring users’ movements
- The best way to take control of Bitcoin? Rally other greedy “selfish miners”
- It’s official: Computer scientists pick stronger passwords
- Scientist-developed malware prototype covertly jumps air gaps using inaudible sound
- In airport security scanning, ultra-rare items are harder to catch
That’s 27 articles. Out of those 27 I count 3 primarily defensive papers, 1 paper that is evenly balanced between attack and defense, and 2 papers that I would not classify as either attack or defense. The remaining 21 papers I would classify as attack focused. You can see the attack focus of the reporting just by looking at the article headlines.
It’s not surprising that mainstream media outlets would focus on sensationalist stories. Within the academic community itself, things are a bit better. In some fields—cryptography—I don’t think there is an attack bias at all. The attack bias gets stronger as the field gets more applied, culminating in the kind of presentations you see at BlackHat.
In any case, I’m sure most academic security researchers know that the way to get publicity is to work on attacks. The research that Migicovsky mentions in his post is itself a perfect example: it shows how to use smart watches to cheat. That’s attack research, not defense research.