Continuous Authentication for Voice Assistants

Voice has become an increasingly popular User Interaction (UI) channel, mainly contributing to the ongoing trend of wearables, smart vehicles, and home automation systems. Voice assistants such as Siri, Google Now and Cortana, have become our everyday fixtures, especially in scenarios where touch interfaces are inconvenient or even dangerous to use, such as driving or exercising. Nevertheless, the open nature of the voice channel makes voice assistants difficult to secure and exposed to various attacks as demonstrated by security researchers. In this paper, we present VAuth, the first system that provides continuous and usable authentication for voice assistants. We design VAuth to fit in various widely-adopted wearable devices, such as eyeglasses, earphones/buds and necklaces, where it collects the body-surface vibrations of the user and matches it with the speech signal received by the voice assistant's microphone. VAuth guarantees that the voice assistant executes only the commands that originate from the voice of the owner. We have evaluated VAuth with 18 users and 30 voice commands and find it to achieve an almost perfect matching accuracy with less than 0.1% false positive rate, regardless of VAuth's position on the body and the user's language, accent or mobility. VAuth successfully thwarts different practical attacks, such as replayed attacks, mangled voice attacks, or impersonation attacks. It also has low energy and latency overheads and is compatible with most existing voice assistants

Usability, Efficiency and Security of Personal Computing Technologies

New personal computing technologies such as smartphones and personal fitness trackers are widely integrated into user lifestyles. Users possess a wide range of skills, attributes and backgrounds. It is important to understand user technology practices to ensure that new designs are usable and productive. Conversely, it is important to leverage our understanding of user characteristics to optimize new technology efficiency and effectiveness. Our work initially focused on studying older users, and personal fitness tracker users. We applied the insights from these investigations to develop new techniques improving user security protections, computational efficiency, and also enhancing the user experience. We offer that by increasing the usability, efficiency and security of personal computing technology, users will enjoy greater privacy protections along with experiencing greater enjoyment of their personal computing devices. Our first project resulted in an improved authentication system for older users based on familiar facial images. Our investigation revealed that older users are often challenged by traditional text passwords, resulting in decreased technology use or less than optimal password practices. Our graphical password-based system relies on memorable images from the user\u27s personal past history. Our usability study demonstrated that this system was easy to use, enjoyable, and fast. We show that this technique is extendable to smartphones. Personal fitness trackers are very popular devices, often worn by users all day. Our personal fitness tracker investigation provides the first quantitative baseline of usage patterns with this device. By exploring public data, real-world user motivations, reliability concerns, activity levels, and fitness-related socialization patterns were discerned. This knowledge lends insight to active user practices. Personal user movement data is captured by sensors, then analyzed to provide benefits to the user. The dynamic time warping technique enables comparison of unequal data sequences, and sequences containing events at offset times. Existing techniques target short data sequences. Our Phase-aware Dynamic Time Warping algorithm focuses on a class of sinusoidal user movement patterns, resulting in improved efficiency over existing methods. Lastly, we address user data privacy concerns in an environment where user data is increasingly flowing to manufacturer remote cloud servers for analysis. Our secure computation technique protects the user\u27s privacy while data is in transit and while resident on cloud computing resources. Our technique also protects important data on cloud servers from exposure to individual users

Lógica de swipe em smartphones no consumo de conteúdos por parte dos jovens

Numa sociedade de rápido desenvolvimento tecnológico, associado ao crescente uso do smartphone, surgem novos hábitos específicos de interação e consumo de conteúdos, nomeadamente, através de gestos baseados no toque. Um destes novos hábitos de interação é o swipe - movimento rápido efetuado com o polegar. Este gesto permite aos seus utilizadores tomar decisões de forma rápida, espontânea e decisiva, o que pode não remeter a lógica de swipe somente para uma vertente técnica de interação, mas também associar a mesma a possíveis mudanças comportamentais na interação com os conteúdos. Este estudo tem como propósito perceber se esta lógica de interação está implícita nos jovens, se fazem uso dela regularmente, e se terá implicações no consumo de conteúdos por parte dos mesmos. De forma a atingir este objetivo, foi solicitado a 34 estudantes do Departamento de Comunicação e Arte da Universidade de Aveiro que efetuassem um teste, com recurso a eye tracker, onde tiveram que completar as tarefas propostas, sendo que as mesmas podiam ser efetuadas com, ou sem recurso à lógica de swipe. Os resultados obtidos levam a concluir que os participantes com sistema operativo android não estão familiarizados com a lógica de swipe. Por outro lado, os participantes com sistema operativo iOS estão familiarizados e utilizaram esta lógica para completar as tarefas que lhes foram propostas. Por fim, os resultados também mostram que os participantes conseguiram efetuar as tarefas de forma mais eficiente recorrendo a esta lógica de interação.In a society of quick technological development, coupled with the growing use of smartphones, new habits of interaction and consumption of contents arise, namely, through gestures based on touch. One of these new habits of interaction is the swipe - quick movement done with the thumb. This gesture allows users to make decisions quickly, spontaneously and decisively, which may not only refer to the swipe logic as a technical aspect of interaction, but also to associate it with possible behavioral changes in the interaction with contents. The aim of this study was to understand if this interaction logic is implicit in the young, if they use it regularly, and if it has implications in the way they interact with them. In order to reach this goal, 34 students from the Department of Communication and Art of the University of Aveiro were asked to take a test using the eye tracker, where they had to complete the proposed tasks, which could be solved with or without the swipe logic. The results obtained lead to the conclusion that participants with android operating system are not familiar with the swipe logic. On the other hand, the participants with the iOS operating system showed to be familiar with this logic and have used it to complete the tasks that have been proposed. Finally, the results also showed that participants were able to perform tasks more efficiently using this interaction logic.Mestrado em Comunicação Multimédi

Improving digital object handoff using the space above the table

Object handoff – that is, passing an object or tool to another person – is an extremely common activity in collaborative tabletop work. On digital tables, object handoff is typically accomplished by sliding the object on the table surface – but surface-only interactions can be slow and error-prone, particularly when there are multiple people carrying out multiple handoffs. An alternative approach is to use the space above the table for object handoff; this provides more room to move, but requires above-surface tracking. I developed two above-the-surface handoff techniques that use simple and inexpensive tracking: a force-field technique that uses a depth camera to determine hand proximity, and an electromagnetic-field technique called ElectroTouch that provides positive indication when people touch hands over the table. These new techniques were compared to three kinds of existing surface-only handoff (sliding, flicking, and surface-only Force-Fields). The study showed that the above-surface techniques significantly improved both speed and accuracy, and that ElectroTouch was the best technique overall. Also, as object interactions are moved above-the-surface of the table the representation of off-table objects becomes crucial. To address the issue of off-table digital object representation several object designs were created an evaluated. The result of the present research provides designers with practical new techniques for substantially increasing performance and interaction richness on digital tables

Usable Security for Wireless Body-Area Networks

We expect wireless body-area networks of pervasive wearable devices will enable in situ health monitoring, personal assistance, entertainment personalization, and home automation. As these devices become ubiquitous, we also expect them to interoperate. That is, instead of closed, end-to-end body-worn sensing systems, we envision standardized sensors that wirelessly communicate their data to a device many people already carry today, the smart phone. However, this ubiquity of wireless sensors combined with the characteristics they sense present many security and privacy problems. In this thesis we describe solutions to two of these problems. First, we evaluate the use of bioimpedance for recognizing who is wearing these wireless sensors and show that bioimpedance is a feasible biometric. Second, we investigate the use of accelerometers for verifying whether two of these wireless sensors are on the same person and show that our method is successful as distinguishing between sensors on the same body and on different bodies. We stress that any solution to these problems must be usable, meaning the user should not have to do anything but attach the sensor to their body and have them just work. These methods solve interesting problems in their own right, but it is the combination of these methods that shows their true power. Combined together they allow a network of wireless sensors to cooperate and determine whom they are sensing even though only one of the wireless sensors might be able to determine this fact. If all the wireless sensors know they are on the same body as each other and one of them knows which person it is on, then they can each exploit the transitive relationship to know that they must all be on that person’s body. We show how these methods can work together in a prototype system. This ability to operate unobtrusively, collecting in situ data and labeling it properly without interrupting the wearer’s activities of daily life, will be vital to the success of these wireless sensors

Regulating and Securing the Interfaces Across Mobile Apps, OS and Users

Over the past decade, we have seen a swift move towards a mobile-centered world. This thriving mobile ecosystem builds upon the interplay of three important parties: the mobile user, OS, and app. These parties interact via designated interfaces many of which are newly invented for, or introduced to the mobile platform. Nevertheless, as these new ways of interactions arise in the mobile ecosystem, what is enabled by these communication interfaces often violates the expectations of the communicating parties. This makes the foundation of the mobile ecosystem untrustworthy, causing significant security and privacy hazards. This dissertation aims to fill this gap by: 1) securing the conversations between trusted parties, 2) regulating the interactions between partially trusted parties, and 3) protecting the communications between untrusted parties. We first deal with the case of mobile OS and app, and analyze the Inter-Process Communication (IPC) protocol (Android Binder in particular) between these two untrusted parties. We found that the Android OS is frequently making unrealistic assumptions on the validity (sanity) of transactions from apps, thus creating significant security hazards. We analyzed the root cause of this emerging attack surface and protected this interface by developing an effective, precautionary testing framework and a runtime diagnostic tool. Then, we study the deficiency of how a mobile user interacts with an app that he can only partially trust. In the current mobile ecosystem, information about the same user in different apps can be easily shared and aggregated, which clearly violates the conditional trust mobile user has on each app. This issue is addressed by providing two complementary options: an OS-level extension that allows the user to track and control, during runtime, the potential flow of his information across apps; and a user-level solution that allows the users to maintain multiple isolated profiles for each app. Finally, we elaborate on how to secure the voice interaction channel between two trusted parties, mobile user and OS. The open nature of the voice channel makes applications that depend on voice interactions, such as voice assistants, difficult to secure and exposed to various attacks. We solve this problem by proposing the first system, called VAuth, that provides continuous and usable authentication for voice commands, designed as a wearable security token. It collects the body-surface vibrations of a user via an accelerometer and continuously matches them to the voice commands received by the voice assistant. This way, VAuth guarantees that the voice assistant executes only the commands that originate from the voice of the owner. Overall, this thesis examined the privacy and security issues across various interfaces in the mobile ecosystem, analyzed the trust relationship between different parties and proposed practical solutions. It also documented the experience learned from tackling these problems, and can serve as a reference in dealing with similar issues in other domains.PHDComputer Science & EngineeringUniversity of Michigan, Horace H. Rackham School of Graduate Studieshttps://deepblue.lib.umich.edu/bitstream/2027.42/137033/1/huanfeng_1.pd