On the security of mobile sensors

PhD ThesisThe age of sensor technology is upon us. Sensor-rich mobile devices are ubiquitous. Smart-phones, tablets, and wearables are increasingly equipped with sensors such as GPS, accelerometer, Near Field Communication (NFC), and ambient sensors. Data provided by such sensors, combined with the fast-growing computational capabilities on mobile platforms, offer richer and more personalised apps. However, these sensors introduce new security challenges to the users, and make sensor management more complicated. In this PhD thesis, we contribute to the field of mobile sensor security by investigating a wide spectrum of open problems in this field covering attacks and defences, standardisation and industrial approaches, and human dimensions. We study the problems in detail and propose solutions. First, we propose “Tap-Tap and Pay” (TTP), a sensor-based protocol to prevent the Mafia attack in NFC payment. The Mafia attack is a special type of Man-In-The-Middle attack which charges the user for something more expensive than what she intends to pay by relaying transactions to a remote payment terminal. In TTP, a user initiates the payment by physically tapping her mobile phone against the reader. We observe that this tapping causes transient vibrations at both devices which are measurable by the embedded accelerometers. Our observations indicate that these sensor measurements are closely correlated within the same tapping, and different if obtained from different tapping events. By comparing the similarity between the two measurements, the bank can distinguish the Mafia fraud apart from a legitimate NFC transaction. The experimental results and the user feedback suggest the practical feasibility of TTP. As compared with previous sensor-based solutions, ours is the only one that works even when the attacker and the user are in nearby locations or share similar ambient environments. Second, we demonstrate an in-app attack based on a real world problem in contactless payment known as the card collision or card clash. A card collision happens when more than one card (or NFC-enabled device) are presented to the payment terminal’s field, and the terminal does not know which card to choose. By performing experiments, we observe that the implementation of contactless terminals in practice matches neither EMV nor ISO standards (the two primary standards for smart card payment) on card collision. Based on this inconsistency, we propose “NFC Payment Spy”, a malicious app that tracks the user’s contactless payment transactions. This app, running on a smart phone, simulates a card which requests the payment information (amount, time, etc.) from the terminal. When the phone and the card are both presented to a contactless terminal (given that many people use mobile case wallets to travel light and keep wallet essentials close to hand), our app can effectively win the race condition over the card. This attack is the first privacy attack on contactless payments based on the problem of card collision. By showing the feasibility of this attack, we raise awareness of privacy and security issues in contactless payment protocols and implementation, specifically in the presence of new technologies for payment such as mobile platforms. Third, we show that, apart from attacking mobile devices by having access to the sensors through native apps, we can also perform sensor-based attacks via mobile browsers. We examine multiple browsers on Android and iOS platforms and study their policies in granting permissions to JavaScript code with respect to access to motion and orientation sensor data. Based on our observations, we identify multiple vulnerabilities, and propose “TouchSignatures” and “PINLogger.js”, two novel attacks in which malicious JavaScript code listens to such sensor data measurements. We demonstrate that, despite the much lower sampling rate (comparing to a native app), a remote attacker is able to learn sensitive user information such as physical activities, phone call timing, touch actions (tap, scroll, hold, zoom), and PINs based on these sensor data. This is the first report of such a JavaScript-based attack. We disclosed the above vulnerability to the community and major mobile browser vendors classified the problem as high-risk and fixed it accordingly. Finally, we investigate human dimensions in the problem of sensor management. Although different types of attacks via sensors have been known for many years, the problem of data leakage caused by sensors has remained unsolved. While working with W3C and browser vendors to fix the identified problem, we came to appreciate the complexity of this problem in practice and the challenge of balancing security, usability, and functionality. We believe a major reason for this is that users are not fully aware of these sensors and the associated risks to their privacy and security. Therefore, we study user understanding of mobile sensors, specifically their risk perceptions. This is the only research to date that studies risk perceptions for a comprehensive list of mobile sensors (25 in total). We interview multiple participants from a range of backgrounds by providing them with multiple self-declared questionnaires. The results indicate that people in general do not have a good understanding of the complexities of these sensors; hence making security judgements about these sensors is not easy for them. We discuss how this observation, along with other factors, renders many academic and industry solutions ineffective. This makes the security and privacy issues of mobile sensors and other sensorenabled technologies an important topic to be investigated further

Analysing and Improving the Security of Contactless Payment Cards

Europay, MasterCard, and Visa (EMV) is the most used payment protocol around the world with 85.9% of the payment cards in the EU and the UK being EMV based cards in 2019. The EMV payment protocol has made contactless transactions faster and more convenient for cardholders as they only need to place the card next to the Point of Sale (POS) to make a payment. According to the latest report of the UK Finance, the total value of contactless card transactions in 2019 was higher than the cash ones for the first time ever. On the other hand, the introduction of the wireless interface in the EMV contactless transactions opens the door for several attacks to be launched on contactless cards such as skimming, eavesdropping, replay, and relay attacks. Since April 2020, the limit of contactless transactions has increased to £45 as a response to the Covid-19 crisis. This might create an extra motivation for launching more attackers on contactless cards. This thesis is primarily concerned with investigating and analysing the security of contactless card’s payments and uncovering the impact of key vulnerabilities in the EMV contactless card specifications. The two main vulnerable are the one-way authentication methods and the lack of cardholder verification in such transactions. The thesis also proposes the following four practical protocols to improve the security and the privacy of the EMV contactless cards. 1- A new tokenization protocol to replace the actual Primary Account Number (PAN) with a token to prevent the EMV contactless cards from revealing the actual PAN. 2- A mutual authentication protocol to address the vulnerabilities related to the EMV one-way card authentication methods in the EMV payment protocol. 3- A novel gyroscope sensor into EMV contactless cards to be used for activating the cards by perfuming a simple move by the cardholder. 4- A protocol to use cardholders’ NFC enabled smartphones to activate contactless cards. The two main aims of these four proposed protocols are to prevent such cards from being read by unauthorised NFC enabled readers/smartphones and to give cardholders more control of their contactless cards in order to prevent several attacks. Moreover, the thesis also describes a Java framework to mimic a genuine EMV contactless card and validate the four proposed solutions. The thesis argues that the first two proposed solutions require minimal changes to the existing EMV infrastructures and do not have any impact on the user’s experience while the last two proposed solutions require some changes the users’ experience when making contactless card transactions

Survey and Systematization of Secure Device Pairing

Secure Device Pairing (SDP) schemes have been developed to facilitate secure communications among smart devices, both personal mobile devices and Internet of Things (IoT) devices. Comparison and assessment of SDP schemes is troublesome, because each scheme makes different assumptions about out-of-band channels and adversary models, and are driven by their particular use-cases. A conceptual model that facilitates meaningful comparison among SDP schemes is missing. We provide such a model. In this article, we survey and analyze a wide range of SDP schemes that are described in the literature, including a number that have been adopted as standards. A system model and consistent terminology for SDP schemes are built on the foundation of this survey, which are then used to classify existing SDP schemes into a taxonomy that, for the first time, enables their meaningful comparison and analysis.The existing SDP schemes are analyzed using this model, revealing common systemic security weaknesses among the surveyed SDP schemes that should become priority areas for future SDP research, such as improving the integration of privacy requirements into the design of SDP schemes. Our results allow SDP scheme designers to create schemes that are more easily comparable with one another, and to assist the prevention of persisting the weaknesses common to the current generation of SDP schemes.Comment: 34 pages, 5 figures, 3 tables, accepted at IEEE Communications Surveys & Tutorials 2017 (Volume: PP, Issue: 99

User perceptions on security and usability of mobile “tap-and-pay”

Apple launched their first “tap-and-pay” mobile payment solution called “ApplePay” in October 2014 in the United States. Quickly catching up with the popularity of Apple Pay, Google launched their own mobile “tap-and-pay” paymentsolution called “Android Pay”. Both the companies claim that their tap-and-paysolutions are more convenient and more secure than swipe-and-pay with traditional debit or credit cards. In this work, we investigated security, privacy andusability aspects of why people use and do not use mobile tap-and-pay in stores.We used both qualitative and quantitative approaches for cross validation andmethodological triangulation.The results of our online survey with 860 participants (349 for Apple Pay and511 for Android Pay) suggest that the top reason for not using mobile tap-and-payis security. However, Apple Pay users did not feel insecure using it in stores. Acommon security misconception we found among the non-users was that they feltstoring card information on their phones is less secure than physically carryingcards inside their wallets. Our security knowledge questions revealed that suchparticipants lack knowledge about the security mechanisms being used to protectcard information. This suggests the possibility that technology adoption rates mayimprove with increased awareness of security protections, given that our studyresults show usability was the most important reason for using tap-and-pay overtraditional swipe-and-pay.We also found a positive correlation between the participants gender and adoption rate, suggesting that males are more likely to prefer and use tap-and-pay thanfemales.Keywords: tap-and-pay, mobile, perception, usability, securit

Tap-tap and pay (TTP) : preventing the Mafia attack in NFC payment

Mobile NFC payment is an emerging industry, estimated to reach $670 billion by 2015. The Mafia attack presents a realistic threat to payment systems including mobile NFC payment. In this attack, a user consciously initiates an NFC payment against a legitimate-looking NFC reader (controlled by the Mafia), not knowing that the reader actually relays the data to a remote legitimate NFC reader to pay for something more expensive. In this paper, we present “Tap-Tap and Pay” (TTP), to effectively prevent the Mafia attack in mobile NFC payment. In TTP, a user initiates an NFC payment by physically tapping her mobile phone against the reader twice in succession. The physical tapping causes transient vibrations at both devices, which can be measured by the embedded accelerometers. Our experiments indicate that the two measurements are closely correlated if they are from the same tapping, and are different if obtained from different tapping events. By comparing the similarity between the two measurements, we can effectively tell apart the Mafia fraud from a legitimate NFC transaction. To evaluate the practical feasibility of this solution, we present a prototype of the TTP system based on a pair of NFC-enabled mobile phones and also conduct a user study. The results suggest that our solution is reliable, fast, easy-to-use and has good potential for practical deployment