7,134 research outputs found
Understanding and Countermeasures against IoT Physical Side Channel Leakage
With the proliferation of cheap bulk SSD storage and better batteries in the last few years, we are experiencing an explosion in the number of Internet of Things (IoT) devices flooding the market: smartphone-connected point-of-sale devices (e.g. Square), home monitoring devices (e.g. NEST), fitness monitoring devices (e.g. Fitbit), and smart-watches. With new IoT devices come new security threats that have yet to be adequately evaluated. We propose uLeech, a new embedded trusted platform module for next-generation power scavenging devices. Such power scavenging devices are already widely deployed. For instance, the Square point-of-sale reader uses the microphone/speaker interface of a smartphone for communications and as a power supply. Such devices are being used as trusted devices in security-critical applications, without having been adequately evaluated. uLeech can securely store keys and provide cryptographic services to any connected smartphone. Our design also facilitates physical side-channel security analysis by providing interfaces to facilitate the acquisition of power traces and clock manipulation attacks. Thus uLeech empowers security researchers to analyze leakage in next-generation embedded and IoT devices and to evaluate countermeasures before deployment. Even the most secure systems reveal their secrets through secret-dependent computation. Secret-dependent computation is detectable by monitoring a system’s time, power, or outputs. Common defenses to side-channel emanations include adding noise to the channel or making algorithmic changes to mitigate specific side-channels. Unfortunately, existing solutions are not automatic, not comprehensive, or not practical. We propose an isolation-based approach for eliminating power and timing side-channels that is automatic, comprehensive, and practical. Our approach eliminates side-channels by leveraging integrated decoupling capacitors to electrically isolate trusted computation from the adversary.
Software has the ability to request a fixed-power/time quantum of isolated computation. By discretizing power and time, our approach controls the granularity of side-channel leakage; the only burden on programmers is to ensure that all secret-dependent execution differences converge within a power/time quantum. We design and implement three approaches to power/time-based quantization and isolation: a wholly-digital version, a hybrid version that uses capacitors for time tracking, and a full-custom version. We evaluate the overheads of our proposed controllers with respect to software implementations of AES and RSA running on an ARM-based microcontroller and hardware implementations of AES and RSA using a 22nm process technology. We also validate the effectiveness and real-world efficiency of our approach by building a prototype consisting of an ARM microcontroller, an FPGA, and discrete circuit components. Lastly, we examine the root cause of Electromagnetic (EM) side-channel attacks on Integrated Circuits (ICs) to augment the Quantized Computing design to mitigate EM leakage. By leveraging the isolation nature of our Quantized Computing design, we can effectively reduce the length and power of the unintended EM antennas created by the wire layers in an IC.
Mobile Privacy and Business-to-Platform Dependencies: An Analysis of SEC Disclosures
This Article systematically examines the dependence of mobile apps on mobile platforms for the collection and use of personal information through an analysis of Securities and Exchange Commission (SEC) filings of mobile app companies. The Article uses these disclosures to find systematic evidence of how app business models are shaped by the governance of user data by mobile platforms, in order to reflect on the role of platforms in privacy regulation more generally. The analysis of SEC filings documented in the Article produces new and unique insights into the data practices and data-related aspects of the business models of popular mobile apps and shows the value of SEC filings for privacy law and policy research more generally. The discussion of SEC filings and privacy builds on regulatory developments in SEC disclosures and cybersecurity of the last decade. The Article also connects to recent regulatory developments in the U.S. and Europe, including the General Data Protection Regulation, the proposals for a new ePrivacy Regulation and a Regulation of fairness in business-to-platform relations
Point-of-Sale Marketing in Recreational Marijuana Dispensaries Around California Schools.
Purpose: After marijuana commercialization, the presence of recreational marijuana dispensaries (RMDs) was rapidly increasing. The point-of-sale marketing poses concerns about children's exposure. This study examined advertising and promotions that potentially appeal to children and access restrictions in RMDs around California schools. Methods: This was a cross-sectional and observational study conducted from June to September 2018. Trained fieldworkers audited retail environments in 163 RMDs in closest proximity to 333 randomly sampled public schools in California. Results: About 44% of schools had RMDs located within 3 miles. Regarding interior marketing, 74% of RMDs had at least one instance of child-appealing products, packages, paraphernalia, or advertisements. RMDs closer to a school had a higher proportion with interior child-appealing marketing. More than three fourths of RMDs had generic promotional activities; particularly, 28% violated the free-sample ban. Regarding exterior marketing, only 2% of RMDs had those appealing to children. More than 60% of RMDs had exterior signs indicative of marijuana. Approximately one-third had generic advertisements, and 13% had advertisements bigger than 1,600 square inches. Regarding access restrictions, almost all RMDs complied with age verification, but 84% had no age limit signs, and only 40% had security personnel. Conclusions: Despite minimal point-of-sale marketing practices appealing to children on the exterior of RMDs around California schools, such practices were abundant on the interior. Marketing practices not specifically appealing to children were also common on both the interior and exterior of RMDs. Dispensaries' violation of age verification law, lack of security personnel, and presence of child-appealing marketing should be continuously monitored and prevented.
Feasibility of expanding traffic monitoring systems with floating car data technology
Trajectory information reported by certain vehicles (Floating Car Data or FCD) can be applied to monitor the road network. Policy makers face difficulties when deciding to invest in the expansion of their infrastructure based on inductive loops and cameras, or to invest in an FCD system. This paper targets this decision. The provided FCD functionality is investigated, minimum requirements are determined and reliability issues are researched. The communication cost is derived and combined with other elements to assess the total costs for different scenarios. The outcome is to target a penetration rate of 1%, a sample interval of 10 seconds and a transmission interval of 30 seconds. Such a deployment can accurately determine the locations of incidents and traffic jams. It can also estimate travel times accurately for highways; for urban roads this is limited to a binary categorization into normal or congested traffic. No reliability issues are expected. The most cost-efficient scenario when deploying a new FCD system is to launch a smartphone application. For Belgium, this costs 13 million EUR for 10 years. However, it is estimated that purchasing data from companies already acquiring FCD data through their own product could reduce costs by a factor of 10.