941 research outputs found

    Physical Fault Injection and Side-Channel Attacks on Mobile Devices: A Comprehensive Analysis

    Today's mobile devices contain densely packaged system-on-chips (SoCs) with multi-core, high-frequency CPUs and complex pipelines. In parallel, sophisticated SoC-assisted security mechanisms have become commonplace for protecting device data, such as trusted execution environments, full-disk and file-based encryption. Both advancements have dramatically complicated the use of conventional physical attacks, requiring the development of specialised attacks. In this survey, we consolidate recent developments in physical fault injections and side-channel attacks on modern mobile devices. In total, we comprehensively survey over 50 fault injection and side-channel attack papers published between 2009-2021. We evaluate the prevailing methods, compare existing attacks using a common set of criteria, identify several challenges and shortcomings, and suggest future directions of research

    Hardware security, vulnerabilities, and attacks: a comprehensive taxonomy

    Information Systems, increasingly present in a world that goes towards complete digitalization, can be seen as complex systems at the base of which is the hardware. When dealing with the security of these systems to stop possible intrusions and malicious uses, the analysis must necessarily include the possible vulnerabilities that can be found at the hardware level, since their exploitation can make all defenses implemented at web or software level ineffective. In this paper, we propose a meaningful and comprehensive taxonomy for the vulnerabilities affecting the hardware and the attacks that exploit them to compromise the system, also giving a definition of Hardware Security, in order to clarify a concept often confused with other domains, even in the literature

    Privacy safeguards and online anonymity

    In a world that is increasingly more connected, digital citizens, actively or passively accept to transmit information, part of which are “personal data”. This information is often collected and elaborated by third parties to infer further knowledge about users. The act of gathering the data is commonly called “tracking” and can be performed through several means. The act of analysing and processing those data and relate them to the individual is called “profiling”. The aim of this JRC Technical report is to be an instrument of support for the Digital Citizens to help them to protect and to manage their privacy during online activities. After a brief introduction in Chapter 1, the following chapter is dedicated to the description of two legitimate use-cases to track and profile users on-line, namely target advertising and personalisation of the user experience. Chapter 3 and 4 identify and analyse the set of techniques currently used by online digital providers to track citizens and profile them based on their online behaviour. Chapter 5 deals with some of the available tools cited in chapter 6 that could be helpful to protect the privacy while browsing online. Chapter 6 aims to raise awareness among users and provide some guidelines to address specific issues related to privacy through a multidisciplinary approach. The report concludes highlighting the importance of raising awareness among digital users and empower them through education, technical and legal tools, including the General Data Protection Regulation (GDPR) to overcome possible privacy issues. JRC.E.3-Cyber and Digital Citizens' Securit

    Revisiting Security Vulnerabilities in Commercial Password Managers

    In this work we analyse five popular commercial password managers for security vulnerabilities. Our analysis is twofold. First, we compile a list of previously disclosed vulnerabilities through a comprehensive review of the academic and non-academic sources and test each password manager against all the previously disclosed vulnerabilities. We find a mixed picture of fixed and persisting vulnerabilities. Then we carry out systematic functionality tests on the considered password managers and find four new vulnerabilities. Notably, one of the new vulnerabilities we identified allows a malicious app to impersonate a legitimate app to two out of five widely-used password managers we tested and as a result steal the user's password for the targeted service. We implement a proof-of-concept attack to show the feasibility of this vulnerability in a real-life scenario. Finally, we report and reflect on our experience of responsible disclosure of the newly discovered vulnerabilities to the corresponding password manager vendors

    SoK: Acoustic Side Channels

    We provide a state-of-the-art analysis of acoustic side channels, cover all the significant academic research in the area, discuss their security implications and countermeasures, and identify areas for future research. We also make an attempt to bridge side channels and inverse problems, two fields that appear to be completely isolated from each other but have deep connections. Comment: 16 page

    The future of Cybersecurity in Italy: Strategic focus area

    This volume has been created as a continuation of the previous one, with the aim of outlining a set of focus areas and actions that the Italian Nation research community considers essential. The book touches many aspects of cyber security, ranging from the definition of the infrastructure and controls needed to organize cyberdefence to the actions and technologies to be developed to be better protected, from the identification of the main technologies to be defended to the proposal of a set of horizontal actions for training, awareness raising, and risk management

    A Comparative Analysis of Common Threats, Vulnerabilities, Attacks and Countermeasures Within Smart Card and Wireless Sensor Network Node Technologies

    The objective of this work was to characterise the concentration of the service chain in the municipality of Campos do Jordão, in the formation of the tourism production chain. Identifying the type of concentration made it possible to position this production chain in its contribution to local growth and to economic and social development, in order to suggest the establishment of a sustainability development hub. The formation of the service chain was based on a literature review, through models of economic and social development. The methodological procedures adopted include qualitative and quantitative research and, with regard to its objectives, exploratory, descriptive and explanatory methodology was used. As for the means of investigation, documentary and bibliographic research was used. Data collection took place at the city's trade associations, the hotel network association and local public bodies. With the result obtained, after defining the institutional actors of the service chain concentration and identifying its type in the hotel service chain concentration as an integral part of the tourism production chain, a change is expected in the way of thinking about the local economy through the proposal of a “Sustainable Development Hub”, highlighting the importance of forming this agglomeration for local development