9 research outputs found
SoniControl - A Mobile Ultrasonic Firewall
The exchange of data between mobile devices in the near-ultrasonic frequency
band is a new promising technology for near field communication (NFC) but also
raises a number of privacy concerns. We present the first ultrasonic firewall
that reliably detects ultrasonic communication and provides the user with
effective means to prevent hidden data exchange. This demonstration showcases a
new media-based communication technology ("data over audio") together with its
related privacy concerns. It enables users to (i) interactively test out and
experience ultrasonic information exchange and (ii) shows how to protect
oneself against unwanted tracking.Comment: To appear in proceedings of 2018 ACM Multimedia Conference October
22--26, 2018, Seoul, Republic of Kore
POWER-SUPPLaY: Leaking Data from Air-Gapped Systems by Turning the Power-Supplies Into Speakers
It is known that attackers can exfiltrate data from air-gapped computers
through their speakers via sonic and ultrasonic waves. To eliminate the threat
of such acoustic covert channels in sensitive systems, audio hardware can be
disabled and the use of loudspeakers can be strictly forbidden. Such audio-less
systems are considered to be \textit{audio-gapped}, and hence immune to
acoustic covert channels.
In this paper, we introduce a technique that enable attackers leak data
acoustically from air-gapped and audio-gapped systems. Our developed malware
can exploit the computer power supply unit (PSU) to play sounds and use it as
an out-of-band, secondary speaker with limited capabilities. The malicious code
manipulates the internal \textit{switching frequency} of the power supply and
hence controls the sound waveforms generated from its capacitors and
transformers. Our technique enables producing audio tones in a frequency band
of 0-24khz and playing audio streams (e.g., WAV) from a computer power supply
without the need for audio hardware or speakers. Binary data (files,
keylogging, encryption keys, etc.) can be modulated over the acoustic signals
and sent to a nearby receiver (e.g., smartphone). We show that our technique
works with various types of systems: PC workstations and servers, as well as
embedded systems and IoT devices that have no audio hardware at all. We provide
technical background and discuss implementation details such as signal
generation and data modulation. We show that the POWER-SUPPLaY code can operate
from an ordinary user-mode process and doesn't need any hardware access or
special privileges. Our evaluation shows that using POWER-SUPPLaY, sensitive
data can be exfiltrated from air-gapped and audio-gapped systems from a
distance of five meters away at a maximal bit rates of 50 bit/sec
Camouflage covert communication in air by imitating cricketâs sound
When the radio communication of an armed squad fighting in a jungle is interfered with by enemyâs radio jamming equipment and their command and intelligence cannot be transmitted and exchanged, are there any other communication methods that can be used to solve such an emergency and covert communication problem? Focusing on this problem, a camouflage covert communication method (CCCM) in air is proposed by imitating cricketâs sound. As well-known, there exist all kinds of animalsâ sounds in the jungle; however, hearing these animalsâ sounds, people generally considers them as background noise and ignores them. Based on this fact, the proposed CCCM uses the cricketâs sound as the carrier wave, imitates the features of the cricketâs call sequence to construct the camouflage communication sequence, and utilizes the time interval (TI) between two adjacent pulses to encode information. Meanwhile, other animalsâ sound is superimposed to the camouflage communication sequence to improve the camouflage ability of the generated communication sequence. Experimental results are provided to demonstrate the performance of the proposed CCCM
Survey and Systematization of Secure Device Pairing
Secure Device Pairing (SDP) schemes have been developed to facilitate secure
communications among smart devices, both personal mobile devices and Internet
of Things (IoT) devices. Comparison and assessment of SDP schemes is
troublesome, because each scheme makes different assumptions about out-of-band
channels and adversary models, and are driven by their particular use-cases. A
conceptual model that facilitates meaningful comparison among SDP schemes is
missing. We provide such a model. In this article, we survey and analyze a wide
range of SDP schemes that are described in the literature, including a number
that have been adopted as standards. A system model and consistent terminology
for SDP schemes are built on the foundation of this survey, which are then used
to classify existing SDP schemes into a taxonomy that, for the first time,
enables their meaningful comparison and analysis.The existing SDP schemes are
analyzed using this model, revealing common systemic security weaknesses among
the surveyed SDP schemes that should become priority areas for future SDP
research, such as improving the integration of privacy requirements into the
design of SDP schemes. Our results allow SDP scheme designers to create schemes
that are more easily comparable with one another, and to assist the prevention
of persisting the weaknesses common to the current generation of SDP schemes.Comment: 34 pages, 5 figures, 3 tables, accepted at IEEE Communications
Surveys & Tutorials 2017 (Volume: PP, Issue: 99
Applications of Context-Aware Systems in Enterprise Environments
In bring-your-own-device (BYOD) and corporate-owned, personally enabled (COPE) scenarios, employeesâ devices store both enterprise and personal data, and have the ability to remotely access a secure enterprise network. While mobile devices enable users to access such resources in a pervasive manner, it also increases the risk of breaches for sensitive enterprise data as users may access the resources under insecure circumstances. That is, access authorizations may depend on the context in which the resources are accessed. In both scenarios, it is vital that the security of accessible enterprise content is preserved. In this work, we explore the use of contextual information to influence access control decisions within context-aware systems to ensure the security of sensitive enterprise data. We propose several context-aware systems that rely on a system of sensors in order to automatically adapt access to resources based on the security of usersâ contexts. We investigate various types of mobile devices with varying embedded sensors, and leverage these technologies to extract contextual information from the environment. As a direct consequence, the technologies utilized determine the types of contextual access control policies that the context-aware systems are able to support and enforce. Specifically, the work proposes the use of devices pervaded in enterprise environments such as smartphones or WiFi access points to authenticate user positional information within indoor environments as well as user identities