23 research outputs found

    DoubleEcho: Mitigating Context-Manipulation Attacks in Copresence Verification

    Copresence verification based on context can improve usability and strengthen security of many authentication and access control systems. By sensing and comparing their surroundings, two or more devices can tell whether they are copresent and use this information to make access control decisions. To the best of our knowledge, all context-based copresence verification mechanisms to date are susceptible to context-manipulation attacks. In such attacks, a distributed adversary replicates the same context at the (different) locations of the victim devices, and induces them to believe that they are copresent. In this paper we propose DoubleEcho, a context-based copresence verification technique that leverages acoustic Room Impulse Response (RIR) to mitigate context-manipulation attacks. In DoubleEcho, one device emits a wide-band audible chirp and all participating devices record reflections of the chirp from the surrounding environment. Since RIR is, by its very nature, dependent on the physical surroundings, it constitutes a unique location signature that is hard for an adversary to replicate. We evaluate DoubleEcho by collecting RIR data with various mobile devices and in a range of different locations. We show that DoubleEcho mitigates context-manipulation attacks whereas all other approaches to date are entirely vulnerable to such attacks. DoubleEcho detects copresence (or lack thereof) in roughly 2 seconds and works on commodity devices.

    Impact of Positioning Technology on Human Navigation

    In navigation from one place to another, spatial knowledge helps us establish a destination and route while travelling. Therefore, sufficient spatial knowledge is a vital element in successful navigation. To build adequate spatial knowledge, various forms of spatial tools have been introduced to deliver spatial information without direct experience (maps, descriptions, pictures, etc.). An innovation developed in the 1970s and available on many handheld platforms from the early 2000s is the Global Positioning System (GPS) and related map and text-based navigation support systems. Contemporary technical achievements, such as GPS, have made navigation more effective, efficient, and comfortable in most outdoor environments. Because GPS delivers such accurate information, human navigation can be supported without specific spatial knowledge. Unfortunately, there is no universal and accurate navigation system for indoor environments. Since smartphones have become increasingly popular, we can more frequently and easily access various positioning services that appear to work both indoors and outdoors. The expansion of positioning services and related navigation technology has changed the nature of navigation. For example, routes to destinations are progressively determined by a “system,” not the individual. Unfortunately, we only have a partial and nascent notion of how such an intervention affects spatial behaviour. The practical purpose of this research is to develop a trustworthy positioning system that functions in indoor environments and identify those aspects that should be considered before deploying an Indoor Positioning System (IPS), all towards the goal of maintaining affordable positioning accuracy, quality, and consistency. In the same way that GPS provides worry-free directions and navigation support, an IPS would extend such opportunities to many of our built environments.
    Unfortunately, just as we know little about how GPS, or any real-time navigation system, affects human navigation, there is little evidence suggesting how such a system (indoors or outdoors) changes how we find our way. For this reason, in addition to specifying an indoor positioning system, this research examines the difference in humans' spatial behaviour based on the availability of a navigation system and evaluates the impact of varying the levels of availability of such tools (not available, partially available, or fully available). This research relies on outdoor GPS, but when such systems are available indoors and meet the accuracy and reliability of GPS, the results will be generalizable to such situations.

    Security of GPS/INS based On-road Location Tracking Systems

    Location information is critical to a wide variety of navigation and tracking applications. Today, GPS is the de facto outdoor localization system but has been shown to be vulnerable to signal spoofing attacks. Inertial Navigation Systems (INS) are emerging as a popular complementary system, especially in road transportation systems, as they enable improved navigation and tracking as well as offer resilience to wireless signal spoofing and jamming attacks. In this paper, we evaluate the security guarantees of INS-aided GPS tracking and navigation for road transportation systems. We consider an adversary required to travel from a source location to a destination, and monitored by an INS-aided GPS system. The goal of the adversary is to travel to alternate locations without being detected. We developed and evaluated algorithms that achieve such a goal, providing the adversary significant latitude. Our algorithms build a graph model for a given road network and enable us to derive potential destinations an attacker can reach without raising alarms even with the INS-aided GPS tracking and navigation system. The algorithms render the gyroscope and accelerometer sensors useless as they generate road trajectories indistinguishable from plausible paths (both in terms of turn angles and road curvature). We also designed, built, and demonstrated that the magnetometer can be actively spoofed using a combination of carefully controlled coils. We implemented and evaluated the impact of the attack using both real-world and simulated driving traces in more than 10 cities located around the world. Our evaluations show that it is possible for an attacker to reach destinations that are as far as 30 km away from the true destination without being detected. We also show that it is possible for the adversary to reach almost 60-80% of possible points within the target region in some cities.

    I know your MAC address: targeted tracking of individual using Wi-Fi

    This work is about wireless communications technologies embedded in portable devices, namely Wi-Fi, Bluetooth and GSM. Focusing on Wi-Fi, we study the privacy issues and potential misuses that can affect the owners of wireless-enabled portable devices. Wi-Fi-enabled devices periodically broadcast in plain text their unique identifier along with other sensitive information. As a consequence, their owners are vulnerable to a range of privacy breaches such as the tracking of their movement and inference of private information (Cunche et al. in Pervasive Mobile Comput, 2013; Greenstein in Proceedings of the 11th USENIX workshop on hot topics in operating systems, pp 10:1-10:6. USENIX Association, Berkeley, 2007). As serious as those information leakages can be, linking a device with an individual and its real-world identity is not a straightforward task. Focusing on this problem, we present a set of attacks that allow an attacker to link a Wi-Fi device to its owner's identity. We present two methods that, given an individual of interest, allow identifying the MAC address of its Wi-Fi-enabled portable device. Those methods do not require physical access to the device and can be performed remotely, reducing the risks of being noticed. Finally, we present scenarios in which the knowledge of an individual's MAC address could be used for mischief.

    Third party positioning services: novel challenges for location privacy in LBS

    A common assumption in the research community working on location privacy in location-based services (LBS) is that the location sources are trusted. In this paper we present a different perspective. We argue that, because of the deployment of wifi-based/hybrid positioning techniques and web-based LBSs, the user's location is increasingly computed by third-party location providers which may not be fully trusted. This change of perspective challenges the effectiveness of current location privacy-preserving techniques. To support this thesis we present an empirical investigation of the privacy issues raised by web-based LBSs. Moreover, following a holistic approach, we present the problem from three different and complementary angles, i.e., technical, user-based, and legal. The overall picture suggests a novel direction of research.

    Taming the Golden Goose: Private Companies, Consumer Geolocation Data, and the Need for a Class Action Regime for Privacy Protection

    With the implementation of new geolocation technologies, the boundaries between private versus commercial and secret versus easily ascertainable have vanished. Consumer information that was once very difficult and prohibitively expensive to ascertain, catalogue, and recall is available to companies at the click of a button. Not only that, but the collecting company can share consumer information with other companies even more easily than it can initially collect the information. Today, with the widespread use of smartphone and location-enabled tablet devices, it is possible for location services to determine and plot the location and travel of the device and thereby the travel and habits of the owner. Companies can use the collected customer information to sell products, and they can sell the information to third parties for a variety of both benign and malicious purposes. Meanwhile, skilled hackers can steal consumer information. After analyzing the current legal landscape of consumer privacy law as it relates to geolocation services, this Note argues that US and global consumers need the United States to act. In order to foster trust in corporations and the market, Congress should enact a framework that assures consumers of sufficient protection of those details that consumers hold intrinsically private, such as their personal locations. This Note concludes by examining the bills currently under consideration by Congress and their respective deficiencies.