Suraj Kothari's talk of smartphone security quickly took a turn toward sabotage and worst-case scenarios. What happens, he asked, if a soldier's smartphone is hacked for its GPS data? What happens if an attacker drains the battery in a general's phone and essential communication is cut off? Or, what happens if a hacked phone provides false information during a military mission?
Those attacks on a phone's confidentiality, availability and integrity can all be done in ways that elude the security measures that we use on our own phones, said Kothari, Iowa State University's Richardson Professor in Electrical and Computer Engineering and the founder of EnSoft Corp., an Ames- based company that develops tools to manage the complexity of software. So what can be done to assure the security of U.S. Department of Defense smartphones?
A research team led by Kothari is finding answers in the software behind the apps and the operating system on Android-based smartphones. The project to use computational modeling to detect software sabotage is supported by $4.9 million in grants from the Defense Advanced Research Projects Agency (DARPA).
Kothari said securing software is a big and growing challenge. America's F-35 fighter jet, for example, runs with the help of 24 million lines of software code. That has "60 Minutes," the CBS news show, recently calling the plane a "flying computer," reporting on delays caused by the jet's complexity and asking, "Can the U.S. military's new jet fighter be hacked?"
"Cyber warfare is no longer somebody hacking computers and swiping files," Kothari said. "Now software attacks can give people control of missiles, defense systems, nuclear power plants and even smart cars."
Kothari knows what he's talking about. He's been working since the mid-1990s to find better ways to work with software complexity. He started by developing tools that helped researchers move climate modeling software from one supercomputing system to another.
"It's very difficult for humans to go through millions of lines of code," he said. "Humans make mistakes. So I had the idea to develop a tool to transform code." That software tool transformed a job that took people three years to do by hand into one that took two weeks. "We were building software like the Egyptians built the pyramids," he said. "We were building software by the sheer force of human labor. There was no technology to analyze the software. It was just test, test and test."
By 2002, Kothari had established EnSoft in the Iowa State University Research Park to develop solutions for complex software problems. The company, for example, developed tools that helped insurance companies update their software, helped Rockwell Collins of Cedar Rapids certify the codes behind flight control systems and helped companies keep track of changes to the diagrams used to design software systems. EnSoft reports more than 200 companies in 18 countries now use its tools, including major automotive, aerospace and defense companies. So, when Raj Aggarwal, the Iowa State College of Engineering's director of Industrial Research Initiatives and managing director of Advanced Research and Technology, told him the Defense Department was looking for software tools to secure smartphones, Kothari was ready.
"This defense project didn't happen overnight," said Kothari, who directed the development of Iowa State's software engineering program. "We've been doing this for years — even when it wasn't a hot research area. It takes time to develop software and experiment with it. And we have a background of working with real-world software."
Two years into his 3½-year defense project, Kothari said his group is making good progress: Among the teams awarded smartphone security projects by the defense research agency, the Iowa State team has earned top rankings based on the speed and accuracy of detecting malware in the challenges posed by the research agency.
"At the end, we'll have a tool that the Defense Department and other government agencies can use," Kothari said. "And eventually we'll be able to make a phone security tool commercially available." All of that, he said, will help secure the Defense Department's smartphones from dangerous attacks and saboteurs.