Mobile Security - Carnegie Mellon...
©2011 Patrick Tague
Mobile Security 14-829 – Fall 2011
Patrick Tague
Class #17 – Location Security and Privacy

Announcements
• HW #3 is due today
• Exam is in-class on Nov 9

Agenda
• Location security
• Location privacy

Location, Location, Location
Incorporation of location information into various protocols and services has changed the landscape in networked systems across domains.
[Figure: example domains]
• Geo-spatial resource provisioning
• Location-based applications & services
• Distributed tracking & monitoring
• Geographic network services (e.g., routing)
• Navigation & mapping
• Social networking

Location Security
What does it mean to secure location?
• Location privacy
– Location secrecy
– Selective location disclosure
– Untraceability
• Malicious location estimation service
– Estimation precision
– Spoofing
– Misleading, lying, etc.

Secure Localization
Is it possible to secure the location estimation process?
• Process of localization is based on reference data
– Is the source trustworthy?
– Can the data be verified?
– Is the data reliable?
• Reference data may be noisy or imprecise
– How to incorporate redundancy for reliable location estimation?
• Location estimation services can be attacked
– Vulnerabilities?
– How to mitigate them?
• System or devices may be tightly constrained
– How efficient is the estimation algorithm?
– What are the trade-offs?

Location in Different Domains
• Secure location estimation:
– GPS
– MANET and WSN
– WLAN
– Smartphones

GPS Localization
• GPS satellites serve as mobile reference points for Earth-based receivers
– All satellites have high-precision, tightly synchronized clocks and precisely known locations
– Receivers use timing information to measure distance from multiple satellites (3 is enough, more is better)
– Location is estimated using 3-D multi-lateration
[Figure: receiver at distance d1 from satellite (x1,y1,z1), d2 from (x2,y2,z2), and d3 from (x3,y3,z3)]

GPS Location Security
• GPS satellite network is well guarded
– Physical security: so you want to tamper with a satellite...?
– Reliability: clocks are closely monitored
• GPS Spoofing
– “Rogue” GPS devices can look like satellites
– Interfere with time-sync process
[Figure: spoofing signal]

Localization
• Many different types of localization using infrastructure-based or distributed approaches
– Many techniques mimic GPS in one way or another
– Trusted devices can serve as reference points
– Physical characteristics provide distance estimates or bounds from reference points
• Resource constraints are the limiting factor
– Algorithms must be fast and efficient
– GPS is not cost-effective for continual use in battery-powered devices

Relative Localization
Each localizing device collects geometric relationships relative to several reference points (xi, yi).
[Figure: measurement types]
• Local presence: “I can hear you, so I must be near (x,y)”
• Connectivity
• Rx signal strength: RSS = R → distance d
• Time of flight: time t → distance d
• Time-difference: time t2 − t1 → distance d
• Angle of arrival: θ1, θ2

Securing Relative Measurements
• Measurements taken with respect to reference points should be:
– Authentic
• Measurements from authorized reference points only
– Verifiable
• Integrity of measurement should be guaranteed
• If possible, physical measurement should be unforgeable
– Highly available
• Location information should be ready when needed
– Protected from various forms of attack

Example: SeRLoc [Lazos & Poovendran, 2004]
• SeRLoc = Secure Range-independent Localization
[Figure: four locators L1–L4 with directional sectors, and a grid over the sensor's area in which each cell is labelled with the number of sectors (0–4) covering it]
L_i : { (X_i, Y_i) || (θ_{i,1}, θ_{i,2}) || H^{n-j}(PW_i), j, ID_{L_i} }_{K_0}

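An added illustration (not the SeRLoc authors' code) of the two mechanisms behind the beacon format above, as I read it: the beacon carries the j-th element H^{n-j}(PW_i) of a one-way hash chain whose end point H^n(PW_i) each sensor is preloaded with, so beacons can be authenticated without per-locator keys, and the sensor scores grid cells by how many heard sectors (X_i, Y_i, θ_{i,1}, θ_{i,2}) cover them and takes the centroid of the highest-scoring cells, which is what the 0–4 labels in the figure show. The locator range, the use of SHA-256 as H, and the sample password are assumptions; encryption of the beacon under K_0 is omitted.

```python
import hashlib, hmac, math

# Added illustration of two SeRLoc ingredients, not the authors' code:
# (1) hash-chain authentication of beacons, (2) sector-overlap scoring.

def hash_chain(x: bytes, k: int) -> bytes:
    """Apply the one-way hash H (SHA-256 here, an assumption) k times: H^k(x)."""
    for _ in range(k):
        x = hashlib.sha256(x).digest()
    return x

def verify_beacon(commit: bytes, hval: bytes, j: int, last_j: int) -> bool:
    """Sensors are preloaded with commit = H^n(PW_i). Beacon j carries
    H^(n-j)(PW_i); hashing it j more times must reproduce the commitment,
    and j must exceed the last accepted index so replayed beacons fail."""
    if j <= last_j:
        return False
    return hmac.compare_digest(hash_chain(hval, j), commit)

def in_sector(px, py, loc) -> bool:
    """True if (px, py) is covered by locator loc = (x, y, th1, th2, rng):
    within range rng and at a bearing from the locator between th1 and th2
    (counter-clockwise, radians), i.e. inside its directional beam."""
    x, y, th1, th2, rng = loc
    dx, dy = px - x, py - y
    if math.hypot(dx, dy) > rng:
        return False
    two_pi = 2 * math.pi
    return (math.atan2(dy, dx) - th1) % two_pi <= (th2 - th1) % two_pi

def serloc_estimate(locators, size, step=1.0):
    """Score each cell of a size x size grid by how many heard sectors cover
    it and return the centroid of the highest-scoring cells (the region
    marked 4 in the slide's figure) together with that score."""
    best, cells = -1, []
    n = int(round(size / step)) + 1
    for i in range(n):
        for k in range(n):
            px, py = i * step, k * step
            score = sum(in_sector(px, py, loc) for loc in locators)
            if score > best:
                best, cells = score, [(px, py)]
            elif score == best:
                cells.append((px, py))
    cx = sum(c[0] for c in cells) / len(cells)
    cy = sum(c[1] for c in cells) / len(cells)
    return (cx, cy), best
```

With four locators at the corners of a 10 m square, each beaming a 90° sector inward, the cells covered by all four form a region symmetric about the centre, so the estimate is (5, 5).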
Example: Verifiable Multilateration [Čapkun & Hubaux, 2005]
• Basic idea of VM:
– Using distance bounding, an attacker can only increase the measured distance
[Figure: time-of-flight measurement between N1 and N2, with a node N1*; time t → distance d]
• VM benefit:
– Increasing distance measurements will either have negligible effect on location or be large enough to detect misbehavior

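An added example (not code from either paper) that serves both the multilateration step of the GPS slide, reduced here to two dimensions, and the VM consistency check: the position is solved by least squares from the distance bounds, and the result is accepted only if every bound agrees with it within a tolerance and it lies inside the verifiers' triangle, so an enlarged bound either barely moves the estimate or is caught. The verifier positions, the prover's position, the enlarged bound and the 0.25 m tolerance are constructed values.

```python
import math

def multilaterate(refs, dists):
    """Least-squares 2-D multilateration: solve (x, y) from reference points
    refs = [(xi, yi), ...] and measured distances dists. Each circle equation
    is linearized by subtracting the first one; the resulting 2x2 normal
    equations are solved in closed form, so no numpy is needed."""
    (x1, y1), d1 = refs[0], dists[0]
    rows = []
    for (xi, yi), di in zip(refs[1:], dists[1:]):
        a, b = 2.0 * (xi - x1), 2.0 * (yi - y1)
        c = xi**2 - x1**2 + yi**2 - y1**2 - di**2 + d1**2
        rows.append((a, b, c))
    saa = sum(a * a for a, _, _ in rows)
    sab = sum(a * b for a, b, _ in rows)
    sbb = sum(b * b for _, b, _ in rows)
    sac = sum(a * c for a, _, c in rows)
    sbc = sum(b * c for _, b, c in rows)
    det = saa * sbb - sab * sab
    if abs(det) < 1e-12:
        raise ValueError("reference points are collinear")
    return (sac * sbb - sab * sbc) / det, (saa * sbc - sab * sac) / det

def inside_triangle(p, tri):
    """True if p lies inside (or on an edge of) the triangle of verifiers."""
    def cross(o, a, b):
        return (a[0] - o[0]) * (b[1] - o[1]) - (a[1] - o[1]) * (b[0] - o[0])
    s = [cross(tri[i], tri[(i + 1) % 3], p) for i in range(3)]
    return all(v >= -1e-9 for v in s) or all(v <= 1e-9 for v in s)

def verify_position(verifiers, bounds, tol):
    """VM-style check. Distance bounding lets an attacker only enlarge a bound,
    so the estimate is accepted only if every bound agrees with it to within
    tol and it lies inside the verifier triangle. Returns (p, resid, ok)."""
    p = multilaterate(verifiers, bounds)
    resid = max(abs(math.dist(p, v) - d) for v, d in zip(verifiers, bounds))
    return p, resid, resid <= tol and inside_triangle(p, verifiers)

# Constructed scenario (not from the paper): prover at (3, 4), three
# verifiers, and an attacker who inflates the first bound from 5 m to 7 m.
VERIFIERS = [(0.0, 0.0), (10.0, 0.0), (0.0, 10.0)]
TRUE_POS = (3.0, 4.0)
HONEST_BOUNDS = [math.dist(TRUE_POS, v) for v in VERIFIERS]
ENLARGED_BOUNDS = [7.0] + HONEST_BOUNDS[1:]

if __name__ == "__main__":
    print(verify_position(VERIFIERS, HONEST_BOUNDS, 0.25))    # ok is True
    print(verify_position(VERIFIERS, ENLARGED_BOUNDS, 0.25))  # ok is False
```

With the enlarged bound the estimate moves to (4.2, 5.2), still inside the triangle, but the bounds now disagree with it by about 0.33 m, which exceeds the tolerance and flags the measurement.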
Mobility Helps Localization
[Figure: a mobile node M moves past reference nodes 1, 2, 3, 4, …, i, taking a distance measurement to each; the estimated position is the centroid of the intersection of the distance constraints, and a new estimated position is computed after M moves. Figure labels: Compass, Mobile Node, Reference, Distance.]

WLAN Localization
• WiFi localization is typically based on received signal strength mappings within buildings
– This is currently deployed in Bldg 23
• With additional assistance from Bluetooth beacons
– Requires building surveys for training data

Smartphone Localization
• Hybrid devices can use hybrid localization
– A-GPS + WiFi localization + cell triangulation
• A-GPS (assisted GPS) allows a receiver to get additional information from an assistance server to lock on to satellites more quickly to solve time-to-first-fix problems
– Mobile mesh nodes will be able to use any combination of selective (A-)GPS, mobility information, and relative location

Location Privacy
• What about location privacy?
• Why do we care?
– How to prevent location disclosure?
– How to prevent location inference?

Location Disclosure
• Benefits of disclosing one's location
– e-911 service (gov't-mandated location tracking)
– Navigation & mapping
– Location-sensitive ads
– Local traffic / weather
– Finder apps
– Social networking
– Remote monitoring (e.g., tracking children)
– Safety (e.g., in VANET)
– …
• Risks of location disclosure
– Tracking / linking
• Surveillance
• Inferring context: lifestyle, medical condition, political views, preferences
• → Targeted malice (e.g., stalking)
– Location-sensitive ad spam
– …

Cellular Location
• Service providers are required by law to track cell phone locations using GPS or tower-based triangulation
– For emergency use, law enforcement use, etc.
– Disclosure of location information is tightly regulated
• Mostly “opt-in” disclosure only
• Mobile apps and services using location are not part of this protection

Location Privacy in Apps
• Third-party apps are subject to different laws and policies regarding location
– Apps can (and do!) take advantage of unnecessary privileges to record users' location, movement, etc.
– Location privacy is really in the hands of the mobile developers, not the users or providers
– Significant number of selected Android apps recently shown to incorrectly manage sensitive info [Enck et al., “TaintDroid”, USENIX OSDI 2010]

WLAN Location
• Challenges to location privacy in WLAN
– Network operators are untrusted
– High density of APs; many may be malicious
– Precise (~1m) localization
– Broadcast IDs (MAC addresses)
• Very easy to eavesdrop on devices' MAC addresses, even if security features are enabled
• Static MACs allow for easy tracking of devices/users
– MAC pseudonyms can be used to prevent tracking
• As long as previous/current MAC addresses are unlinkable [Gruteser & Grunwald, WMASH 2003]

Mitigating Traceability
• Preventing packet correlation for tracking
– In WiFi, RFID, Bluetooth, etc.
• Synchronization, shared secrets, and PRNG are enough to use pseudonyms effectively (as in WiFi systems)
• Without sync + PRNGs (such as RFID tags), a trusted authority (RFID database) can store ID-to-pseudonym look-up table [Alomair et al., DSN 2010]
– Even with ID pseudonymity, attackers can observe and correlate traffic to trace users
• → Location privacy isn't just about the location or the user ID

Traffic Anonymization
• In multi-hop networks (MANET/WSN), packet linking via traffic analysis can expose source and relay locations
– Analysis of inter-packet timing reveals correlation
– Possible approach to source anonymity is to inject dummy traffic and randomize packet timing to reduce correlation [Alomair et al., Globecom 2010]

Leveraging Silence
• Communication is typically bursty
– Short-lived sessions of activity, followed by sessions of inactivity, or “silence”
– Silent periods can be used instead of synchronization
• Sender and receiver know to refresh pseudonyms whenever a burst session begins
– Vehicular networks (VANET) [Sampigethaya et al., ESCAR 2005]

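An added example (not code from any of the cited papers) of the pseudonym scheme described on the Mitigating Traceability slide and the burst-triggered refresh of this slide: each device derives its current MAC pseudonym from a shared secret and an epoch with a PRF, the trusted side keeps the ID-to-pseudonym look-up table for a window of epochs, and in the silent-period variant the epoch is a burst counter that both sides advance when a burst begins. Keys and device names are constructed; HMAC-SHA256 as the PRF and a ±1 epoch window are my assumptions.

```python
import hashlib
import hmac

# Added illustration, not code from the cited papers; keys and ids are constructed.

def pseudonym_mac(key: bytes, epoch: int) -> str:
    """Derive the MAC pseudonym for one epoch from the shared secret.
    HMAC-SHA256 is the PRF standing in for the PRNG; its first six bytes
    become the address, with the locally-administered bit set and the
    multicast bit cleared so the result is a valid unicast MAC."""
    tag = hmac.new(key, epoch.to_bytes(8, "big"), hashlib.sha256).digest()
    addr = bytearray(tag[:6])
    addr[0] = (addr[0] | 0x02) & 0xFE
    return ":".join(f"{b:02x}" for b in addr)

class PseudonymResolver:
    """Trusted side (access point, or the RFID back-end database): holds each
    device's secret and keeps the ID-to-pseudonym look-up table for a window
    of epochs around the current one, tolerating modest clock/counter drift."""
    def __init__(self, secrets, window=1):
        self.secrets, self.window, self.table = secrets, window, {}

    def advance(self, epoch):
        """Rebuild the table for epochs [epoch - window, epoch + window]."""
        lo, hi = epoch - self.window, epoch + self.window + 1
        self.table = {pseudonym_mac(key, e): dev
                      for dev, key in self.secrets.items() for e in range(lo, hi)}

    def resolve(self, mac):
        """Map an observed pseudonym back to a device id, or None if unknown."""
        return self.table.get(mac)

class Device:
    """Mobile side. The epoch is a synchronized time slot or, in the silent-
    period scheme, a burst counter that both sides advance when a new burst
    begins after silence; either way the over-the-air MAC changes per epoch."""
    def __init__(self, key: bytes):
        self.key, self.epoch = key, 0

    def begin_burst(self) -> str:
        self.epoch += 1
        return pseudonym_mac(self.key, self.epoch)
```

An eavesdropper who lacks the secret sees unrelated addresses in consecutive epochs, while the resolver, which does hold it, still maps each one to the right device.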
Location Privacy Challenges
1. Understanding the privacy goals
– What needs to be protected?
– What are the rules to be enforced?
2. Understanding the threat
– What are attackers' goals, capabilities, methods, …?
– Practicality of attacker assumptions?
3. Metrics
– How to measure privacy protection and enforcement?
– How to evaluate and incorporate risk?

Concerns for Developers
• What can developers do to protect location?
– Protect explicit location information
• Secure storage of location data
• Don't store it at all
– Protect against location “leakage” - implicit info
• Include an anonymization mechanism to protect against tracking, traffic analysis, etc.
– Develop according to a well-defined attacker model
– Disclose location usage to users

Concerns with Developers
• Unfortunately:
– Malicious developers can scrape location information very easily
– Users are responsible for checking permissions to see what apps are allowed to do
– Users are responsible for reading license agreements and disclosure statements to see what developers claim they are doing with user data

What's Next?
• 11/2: SURVEY on mobile location privacy
• 11/7: Guest speaker – Didier Serra, Inside Secure
• 11/9: Exam