Photo: Assistant professor Yeongjin Jang won the “Capture the Flag” award from 2018’s DEF CON. Photo by Johanna Carson.
The word “hacker” often conjures up the stereotype of a nefarious genius typing away on a computer in a darkened room, stealing personal information — or worse. And 30 years ago, hacking was viewed as criminal activity. But the culture has changed. Now companies like Google, Facebook, and United Airlines offer rewards to people who discover and report vulnerabilities in their software.
“I’m fortunate that the world now recognizes ethical hacking,” said Yeongjin Jang, assistant professor of computer science at Oregon State University. “I can use my skills to find and fix weaknesses in software.”
Jang’s fascination with identifying weaknesses in devices and systems began when, as a child growing up in South Korea, he figured out how to pick locks. He moved on to taking apart more complicated mechanical devices, like bicycles and cars, before finally tackling computers. He was especially intrigued by hidden operations and realized he had a knack for unearthing secret doors into software.
Currently, Jang is among the best hackers in the world.
As a graduate student at the Georgia Institute of Technology, he participated in hacking competitions known as Capture the Flag, and he is on a team that has won repeatedly at DEF CON, one of the world’s biggest hacking competitions — first place in 2015 and 2018, and third place in 2016.
“I do the competitions for fun, but more importantly I’ve gained intuition and knowledge of attack and defense that I can utilize in my research,” Jang said.
His research is winning honors too. Just a few days after winning at DEF CON this year, Jang and his co-authors received a distinguished paper award at the USENIX Security Symposium, a top security conference. The award was for research on developing a tool that automatically finds weaknesses that hackers can exploit to gain access to any device or system that uses software, including phones, computers, autonomous vehicles, and the electric grid.
“Right now, the world relies on human effort to detect vulnerabilities in software, and human effort is not scalable to the vast amount of software we use,” Jang said. “I’m working on how to automate detection and embed artificial intelligence into that job.”
Jang has recently extended his work on vulnerabilities to include autonomous vehicles. Since university research funds cannot be used to purchase a car, he bought an $800 kit to convert his Toyota RAV4 into an autonomous vehicle. There will be many restrictions, he says, on where and how it can be driven. And that is not the only factor making the research more complicated.
“Previously we were targeting vulnerabilities of a single program, but in this case we are targeting a car that has several programs and computers that are connected to each other. So, we will take a similar approach but apply it to a whole system to figure out the conditions in which an autonomous vehicle could fail, and fix that before they become popular worldwide,” Jang said.
For future research, Jang is developing collaborations across the College of Engineering related to the security of drones and nuclear power plants. He also anticipates collaborations with the College of Agriculture, since agriculture has modernized to systems that can be susceptible to cyberattacks.
Beyond research, Jang’s presence at Oregon State is a boon to students specializing in cybersecurity. In addition to the graduate students he mentors, he teaches a course on cyberattacks and defense and advises the OSU Security Club. Under his guidance, the club has already won one regional hacking competition. With more practice he hopes the team will be competing at the international level.
“I want to create a pipeline for students that starts with competitions, then leads to applying their knowledge to research that will ultimately help the world become a safer place,” he said.