It’s unlikely — but possible — that right now, someone, somewhere, is trying to hack the components in a pacemaker from hundreds of miles away.

Hacking a pacemaker is an extreme example, but Ning Zhang uses it to emphasize the very real threat posed by vulnerabilities in the interactions between the cyber and physical worlds. And Zhang says these vulnerabilities extend beyond medical equipment to objects such as delivery drones and much more.

Zhang is an assistant professor in the Department of Computer Science & Engineering in the McKelvey School of Engineering. He joined the faculty in 2018 after 11 years at Raytheon, a defense contractor, where he worked to protect critical network and cyber-physical infrastructures.

“Clearly, no one has the free time to exploit the vulnerabilities inside the pacemaker to kill you from hundreds of miles away,” he says. “However, it’s still not good knowing this is possible.”

Recognizing those vulnerabilities is Zhang’s first research goal: “We want to recognize the possibility and then, as a second goal, try to stop it before it manifests into a bigger threat.”

Although a super strong pacemaker disrupter may not show up anytime soon, Zhang says the idea of a cyberattack encroaching on the physical world in a direct and deadly way isn’t just a hypothetical.

“Ransomware is already doing just that at hospitals,” he says. In 2020, a patient died while being transported to another hospital after hackers shut down the computer systems at Düsseldorf University Hospital, where she was being treated.

Although he is a specialist in the technological side of things, Zhang says it’s often the hidden complexities of the physical world that we can use to our advantage. Take deepfake videos, a somewhat new technology that allows anyone to make a video that looks and sounds real, using real people’s images and voices. This technology is widely available, and some people think it has the potential to do enormous harm, including ruining a marriage with a fake rendezvous or starting a war by issuing fake videos of heads of state.

“It might be possible to leverage the properties of a physical phenomenon to prove that an image is not a deepfake,” Zhang says. “Fabricating physical properties is very difficult, as opposed to copying bits of 0s and 1s.”

In September 2020, Zhang and collaborators were awarded a $1.2 million grant from the National Science Foundation to strengthen the security and safety of cyber-physical systems across a variety of fields, from defense to the medical industry.

“Our project aims to develop technology,” he says, “and to push this technology to the limit to see where it breaks down, so the broader community can build on top of our results and make an informed decision.”

It’s this method of developing and testing technology that pitted Zhang against a cell-phone personal assistant. He exposed a vulnerability in the security that would allow a person to take control of a cell phone from a distance by using ultrasonic waves. And then, he proposed ways to use the physical world to protect against such an attack: the interlayer-based defense, which uses a soft, woven fabric to increase the “impedance mismatch.”

In other words, put the phone on a tablecloth. Or better yet, just keep it in your pocket.
