44 research outputs found
Continuous Authentication for Voice Assistants
Voice has become an increasingly popular User Interaction (UI) channel,
mainly contributing to the ongoing trend of wearables, smart vehicles, and home
automation systems. Voice assistants such as Siri, Google Now and Cortana, have
become our everyday fixtures, especially in scenarios where touch interfaces
are inconvenient or even dangerous to use, such as driving or exercising.
Nevertheless, the open nature of the voice channel makes voice assistants
difficult to secure and exposed to various attacks as demonstrated by security
researchers. In this paper, we present VAuth, the first system that provides
continuous and usable authentication for voice assistants. We design VAuth to
fit in various widely-adopted wearable devices, such as eyeglasses,
earphones/buds and necklaces, where it collects the body-surface vibrations of
the user and matches it with the speech signal received by the voice
assistant's microphone. VAuth guarantees that the voice assistant executes only
the commands that originate from the voice of the owner. We have evaluated
VAuth with 18 users and 30 voice commands and find it to achieve an almost
perfect matching accuracy with less than 0.1% false positive rate, regardless
of VAuth's position on the body and the user's language, accent or mobility.
VAuth successfully thwarts different practical attacks, such as replayed
attacks, mangled voice attacks, or impersonation attacks. It also has low
energy and latency overheads and is compatible with most existing voice
assistants
Location Privacy Protection in the Mobile Era and Beyond
As interconnected devices become embedded in every aspect of our lives, they accompany
many privacy risks. Location privacy is one notable case, consistently recording an individual’s
location might lead to his/her tracking, fingerprinting and profiling. An individual’s
location privacy can be compromised when tracked by smartphone apps, in indoor spaces,
and/or through Internet of Things (IoT) devices. Recent surveys have indicated that users
genuinely value their location privacy and would like to exercise control over who collects
and processes their location data. They, however, lack the effective and practical tools to
protect their location privacy. An effective location privacy protection mechanism requires
real understanding of the underlying threats, and a practical one requires as little changes to
the existing ecosystems as possible while ensuring psychological acceptability to the users.
This thesis addresses this problem by proposing a suite of effective and practical privacy
preserving mechanisms that address different aspects of real-world location privacy threats.
First, we present LP-Guardian, a comprehensive framework for location privacy protection
for Android smartphone users. LP-Guardian overcomes the shortcomings of existing
approaches by addressing the tracking, profiling, and fingerprinting threats posed by
different mobile apps while maintaining their functionality. LP-Guardian requires modifying
the underlying platform of the mobile operating system, but no changes in either the apps
or service provider. We then propose LP-Doctor, a light-weight user-level tool which allows
Android users to effectively utilize the OS’s location access controls. As opposed to
LP-Guardian, LP-Doctor requires no platform changes. It builds on a two year data collection
campaign in which we analyzed the location privacy threats posed by 1160 apps for
100 users. For the case of indoor location tracking, we present PR-LBS (Privacy vs. Reward
for Location-Based Service), a system that balances the users’ privacy concerns and
the benefits of sharing location data in indoor location tracking environments. PR-LBS
fits within the existing indoor localization ecosystem whether it is infrastructure-based
or device-based. Finally, we target the privacy threats originating from the IoT devices
that employ the emerging Bluetooth Low Energy (BLE) protocol through BLE-Guardian.
BLE-Guardian is a device agnostic system that prevents user tracking and profiling while
securing access to his/her BLE-powered devices. We evaluate BLE-Guardian in real-world
scenarios and demonstrate its effectiveness in protecting the user along with its low overhead
on the user’s devices.PHDComputer Science & EngineeringUniversity of Michigan, Horace H. Rackham School of Graduate Studieshttps://deepblue.lib.umich.edu/bitstream/2027.42/138563/1/kmfawaz_1.pd
Fairness Properties of Face Recognition and Obfuscation Systems
The proliferation of automated face recognition in the commercial and
government sectors has caused significant privacy concerns for individuals. One
approach to address these privacy concerns is to employ evasion attacks against
the metric embedding networks powering face recognition systems: Face
obfuscation systems generate imperceptibly perturbed images that cause face
recognition systems to misidentify the user. Perturbed faces are generated on
metric embedding networks, which are known to be unfair in the context of face
recognition. A question of demographic fairness naturally follows: are there
demographic disparities in face obfuscation system performance? We answer this
question with an analytical and empirical exploration of recent face
obfuscation systems. Metric embedding networks are found to be demographically
aware: face embeddings are clustered by demographic. We show how this
clustering behavior leads to reduced face obfuscation utility for faces in
minority groups. An intuitive analytical model yields insight into these
phenomena
DEMO: Venom: a Visual and Experimental Bluetooth Low Energy Tracking System
International audienceThe Bluetooth Low Energy (BLE) protocol is being included in mobile devices such as smartphones, headphones and smartwatches. As part of the BLE service discovery mechanism, devices announce their presences by broadcasting radio signals called advertisement packets that can be collected with off-the-shelf hardware and software. To avoid the risk of tracking based on those messages, BLE features an address randomization mechanism substituting the device MAC address with random temporary pseudonyms. However, the payload of advertisement packets still contains fields that can negate the randomization mechanism by exposing static identifiers. In this paper, we present Venom (Visual and ExperimeNtal BluetOoth Low Energy tracking systeM), an experimental tracking platform aiming to raise public awareness about physical tracking technologies and experiment privacy-preserving mechanisms. Venom tracks users by collecting advertisement packets broadcasted by their BLE-enabled devices, and displays related information