7 research outputs found
A Cloud-based Healthcare Framework for Security and Patients’ Data Privacy Using Wireless Body Area Networks
Abstract: The recent developments in remote healthcare systems have witnessed significant interest from the IT industry (Microsoft, Google, VMware, etc.) that provide ubiquitous and easily deployable healthcare systems. These systems provide a platform to share medical information, applications, and infrastructure in a ubiquitous and fully automated manner. Communication security and patients’ data privacy are the aspects that would increase the confidence of users in such remote healthcare systems. This paper presents a secure cloud-based mobile healthcare framework using wireless body area networks (WBANs). The research work presented here is twofold: first, it attempts to secure the inter-sensor communication by a multi-biometric based key generation scheme in WBANs; and secondly, the electronic medical records (EMRs) are securely stored in the hospital community cloud and privacy of the patients’ data is preserved. The evaluation and analysis show that the proposed multi-biometric based mechanism provides significant security measures due to its highly efficient key generation mechanism.
The candidate key protocol for generating secret shared keys from similar sensor data streams
Abstract. Secure communication over wireless channels necessitates authentication of communication partners to prevent man-in-the-middle attacks. For spontaneous interaction between independent, mobile devices, no a priori information is available for authentication purposes. However, traditional approaches based on manual password input or verification of key fingerprints do not scale to tens to hundreds of interactions a day, as envisioned by future ubiquitous computing environments. One possibility to solve this problem is authentication based on similar sensor data: when two (or multiple) devices are in the same situation, and thus experience the same sensor readings, this constitutes shared, (weakly) secret information. This paper introduces the Candidate Key Protocol (CKP) to interactively generate secret shared keys from similar sensor data streams. It is suitable for two-party and multi-party authentication, and supports opportunistic authentication.
Usable Security for Wireless Body-Area Networks
We expect wireless body-area networks of pervasive wearable devices will enable in situ health monitoring, personal assistance, entertainment personalization, and home automation. As these devices become ubiquitous, we also expect them to interoperate. That is, instead of closed, end-to-end body-worn sensing systems, we envision standardized sensors that wirelessly communicate their data to a device many people already carry today, the smart phone. However, this ubiquity of wireless sensors combined with the characteristics they sense present many security and privacy problems. In this thesis we describe solutions to two of these problems. First, we evaluate the use of bioimpedance for recognizing who is wearing these wireless sensors and show that bioimpedance is a feasible biometric. Second, we investigate the use of accelerometers for verifying whether two of these wireless sensors are on the same person and show that our method is successful at distinguishing between sensors on the same body and on different bodies. We stress that any solution to these problems must be usable, meaning the user should not have to do anything but attach the sensor to their body and have them just work. These methods solve interesting problems in their own right, but it is the combination of these methods that shows their true power. Combined together they allow a network of wireless sensors to cooperate and determine whom they are sensing even though only one of the wireless sensors might be able to determine this fact. If all the wireless sensors know they are on the same body as each other and one of them knows which person it is on, then they can each exploit the transitive relationship to know that they must all be on that person’s body. We show how these methods can work together in a prototype system.
This ability to operate unobtrusively, collecting in situ data and labeling it properly without interrupting the wearer’s activities of daily life, will be vital to the success of these wireless sensors.
On the security of mobile sensors
PhD Thesis. The age of sensor technology is upon us. Sensor-rich mobile devices
are ubiquitous. Smart-phones, tablets, and wearables are increasingly
equipped with sensors such as GPS, accelerometer, Near Field Communication
(NFC), and ambient sensors. Data provided by such sensors, combined
with the fast-growing computational capabilities on mobile platforms,
offer richer and more personalised apps. However, these sensors
introduce new security challenges to the users, and make sensor management
more complicated.
In this PhD thesis, we contribute to the field of mobile sensor security by
investigating a wide spectrum of open problems in this field covering attacks
and defences, standardisation and industrial approaches, and human
dimensions. We study the problems in detail and propose solutions.
First, we propose “Tap-Tap and Pay” (TTP), a sensor-based protocol to
prevent the Mafia attack in NFC payment. The Mafia attack is a special
type of Man-In-The-Middle attack which charges the user for something
more expensive than what she intends to pay by relaying transactions
to a remote payment terminal. In TTP, a user initiates the payment by
physically tapping her mobile phone against the reader. We observe that
this tapping causes transient vibrations at both devices which are measurable
by the embedded accelerometers. Our observations indicate that
these sensor measurements are closely correlated within the same tapping,
and different if obtained from different tapping events. By comparing the
similarity between the two measurements, the bank can distinguish the
Mafia fraud apart from a legitimate NFC transaction. The experimental
results and the user feedback suggest the practical feasibility of TTP. As
compared with previous sensor-based solutions, ours is the only one that
works even when the attacker and the user are in nearby locations or share
similar ambient environments.
Second, we demonstrate an in-app attack based on a real world problem
in contactless payment known as the card collision or card clash. A card
collision happens when more than one card (or NFC-enabled device) are
presented to the payment terminal’s field, and the terminal does not know
which card to choose. By performing experiments, we observe that the
implementation of contactless terminals in practice matches neither EMV
nor ISO standards (the two primary standards for smart card payment)
on card collision. Based on this inconsistency, we propose “NFC Payment
Spy”, a malicious app that tracks the user’s contactless payment transactions.
This app, running on a smart phone, simulates a card which
requests the payment information (amount, time, etc.) from the terminal.
When the phone and the card are both presented to a contactless
terminal (given that many people use mobile case wallets to travel light
and keep wallet essentials close to hand), our app can effectively win the
race condition over the card. This attack is the first privacy attack on
contactless payments based on the problem of card collision. By showing
the feasibility of this attack, we raise awareness of privacy and security
issues in contactless payment protocols and implementation, specifically
in the presence of new technologies for payment such as mobile platforms.
Third, we show that, apart from attacking mobile devices by having access
to the sensors through native apps, we can also perform sensor-based
attacks via mobile browsers. We examine multiple browsers on Android
and iOS platforms and study their policies in granting permissions to
JavaScript code with respect to access to motion and orientation sensor
data. Based on our observations, we identify multiple vulnerabilities,
and propose “TouchSignatures” and “PINLogger.js”, two novel attacks in
which malicious JavaScript code listens to such sensor data measurements.
We demonstrate that, despite the much lower sampling rate (compared to
a native app), a remote attacker is able to learn sensitive user information
such as physical activities, phone call timing, touch actions (tap, scroll,
hold, zoom), and PINs based on these sensor data. This is the first report
of such a JavaScript-based attack. We disclosed the above vulnerability to
the community and major mobile browser vendors classified the problem
as high-risk and fixed it accordingly.
Finally, we investigate human dimensions in the problem of sensor management.
Although different types of attacks via sensors have been known for many years, the problem of data leakage caused by sensors has remained
unsolved. While working with W3C and browser vendors to fix
the identified problem, we came to appreciate the complexity of this problem
in practice and the challenge of balancing security, usability, and functionality.
We believe a major reason for this is that users are not fully
aware of these sensors and the associated risks to their privacy and security.
Therefore, we study user understanding of mobile sensors, specifically
their risk perceptions. This is the only research to date that studies risk
perceptions for a comprehensive list of mobile sensors (25 in total). We
interview multiple participants from a range of backgrounds by providing
them with multiple self-declared questionnaires. The results indicate that
people in general do not have a good understanding of the complexities
of these sensors; hence making security judgements about these sensors
is not easy for them. We discuss how this observation, along with other
factors, renders many academic and industry solutions ineffective. This
makes the security and privacy issues of mobile sensors and other sensor-enabled
technologies an important topic to be investigated further.