Wireless Network Security Spring 2013

Transcription

1 Wireless Network Security Spring 2013 Patrick Tague Class #19 Location Privacy & Tracking

2 Agenda Location privacy and tracking Implications / risks of location information Location privacy and anonymity

3 What is location privacy? In my view, location privacy is: Half security/privacy policy Basically, preventing location disclosure Half information hiding Basically, preventing location inference

4 Location Disclosure Benefits of disclosing one's location e-911 service (gov'tmandated location tracking) Navigation & mapping Location-sensitive ads Local traffic / weather Finder apps Social networking Remote monitoring (e.g., tracking children) Safety (e.g., in VANET) Risks of location disclosure Tracking / linking Surveillance Inferring context: lifestyle, medical condition, political views, preferences Targeted malice (e.g., stalking) Location-sensitive ad spam

5 Cellular Location Service providers are required by law to track cell phone locations using GPS or tower-based triangulation For emergency use, law enforcement use, etc. Disclosure of location information is tightly regulated Mostly opt-in disclosure only Mobile apps and services using location are not part of this protection

6 Location Inference Even if locations aren't disclosed and/or pseudonyms are used... In WiFi, RFID, Bluetooth, etc. Synchronization, shared secrets, and PRNG are enough to use pseudonyms effectively (as in WiFi systems) Without sync + PRNGs (such as RFID tags), a trusted authority (RFID database) can store ID-to-pseudonym look-up table [Alomair et al., DSN 2010] Traffic correlation can be used for tracking Packet traffic implies events, ID correlation, etc.

7 Location Privacy Challenges 1. Understanding the privacy goals What needs to be protected? What are the rules to be enforced? 2. Understanding the threat What are attackers goals, capabilities, methods,? Practicality of attacker assumptions? 3. Metrics How to measure privacy protection and enforcement? How to evaluate and incorporate risk?

8 Understanding the Risks What is the context? WLAN, cellular, VANET, WSN, What is the attacker's goal? Real-time tracking, recovering past traces, What granularity is needed for attack success? Specific coordinates, places, regions, What is purpose? Robbery, personal safety, blackmail, mal-marketing, surveillance,

9 Privacy in Context Preventing location tracking in WLAN Preventing target tracking in WSN Preventing location tracking in VANET

10 WLAN Location Challenges to location privacy in WLAN Network operators are untrusted High density of APs; many may be malicious Precise (~1m) localization Broadcast IDs (MAC addresses) Very easy to eavesdrop on devices' MAC addresses, even if security features are enabled

11 WiFi Tracking WiFi devices provide various pieces of information that can enable tracking Static MAC address rogue AP or eavesdropper can record MAC-location pairs Location can be computed coarsely by AP/SSID or finely using coordination among Aps WiFi probe messages SSID lists and MAC address pairs suggest favorite locations This not only allows you to track the device, but also to learn something about the user

12 Potential Solutions What if we don't allow the AP to determine the location of a client? Policy is easily bypassed by a malicious AP What if we don't give the AP enough information to identify clients (i.e., anonymize)? What other services does this interfere with?

13 MAC Randomization MAC addresses are 48 bits with some addresses reserved, so there's a good amount of entropy The client can randomize its MAC address every time without affecting end-to-end performance As long as other ID information is hidden from the AP, the AP cannot identify clients in its network Trade-offs: Privacy can be achieved, monitoring and IDS are lost MAC collisions

14 Collisions

15 Implementation Issues Seq# in headers must be removed, otherwise subsequent messages are correlated Connection reestablishment often Signal analysis can still expose correlation All other uses of MAC addresses lost (e.g., whitelist, blacklist, IDS) Key management needed if MACs need to be matched by another user

16 What about location privacy issues in multi-hop wireless networks?

17 Traffic Anonymization In multi-hop networks (MANET/WSN), transmission linking can expose what path is used for a session Traffic analysis: Analyzing the flow of packets through a network (with global knowledge) allows decomposition into individual flows Local traffic analysis: Without global knowledge, timing information can expose flow decomposition in a neighborhood

18 WSN Location Privacy In sensor networks, we're usually not concerned with the locations of the sensors, but what they're sensing may be more interesting Truck passed (x 1,y 1 1:34pm Truck passed (x 2,y 2 1:37pm Truck passed (x 3,y 3 1:35pm

19 Source Location Privacy One of the common goals in WSN is to hide the location of the sensed event from an observer But, the traffic generated will immediately expose any singular event Commonly called the Panda Hunter Problem Sensors in a wildlife area are used to track/study pandas Whenever a panda walks by a sensor, it generates traffic A poacher can track the traffic to find the panda

20 Panda Hunter Problem Objective of the WSN / defender: Properly / quickly collect panda mobility info Hide the location information from the panda hunters that can eavesdrop on WSN traffic but not decrypt Objective of the panda hunters: Learn the location of the data source (and thus the panda) by analyzing traffic flow statistics

21 Panda Hunter Strategies Two approaches: Choose one location in the network to monitor traffic Wait for the panda to walk somewhere that creates traffic flows through the chosen location, then find the panda] Probably takes a long time depending on the area Find the base station and monitor all network traffic More work to find the base station, more traffic to analyze all at once, but any panda-related traffic goes here

22 Anti-Analysis Methods In the Panda Hunter context, there are two ways to mitigate the attack: Prevent the hunter from finding the base station (i.e., destination location privacy) Prevent the hunter from finding the panda (i.e., source location privacy) These problems are very similar, so we look only at the second one

23 Flooding One common approach is to hide the actual event data in dummy ( chaff ) traffic Flooding the network with dummy traffic prevents the attacker from figuring out what is real If it looks like the panda is everywhere, where is it? Of course, flooding dummy traffic is a lot of work for very little reward

24 Probabilistic Flooding Trade-offs can be made between the overhead of flooding and the resulting location privacy by instructing each node to forward dummy traffic only with probability p Less dummy traffic slightly degrades privacy Less dummy traffic means lower overhead Nodes need to be able to distinguish dummy from real traffic, or also drop real traffic w.p. (1-p)

25 Random Routing Another technique to mitigate traffic analysis is random routing Next hop rand({neighbors}) Non-deterministic packet flow makes the analysis harder, but increases delay Can combine random routing with prob flooding Phantom Routing:

26 Two-Way Random Walk Two-way Greedy Random Walk (GROW) Short path from base station created to serve as receptors, who listen for packets and unicast them Makes the random walk faster, since the path just needs to get close to the base station

27 Transmission Correlation To make things harder, attackers can analyze timing at a node to further decompose flows at a point Sequence of transmissions by two neighboring nodes can indicate re-transmissions data on same path Q: how to make re-transmissions statistically uncorrelated with original transmissions? (e.g., [Alomair et al., Globecom 2010])

28 Simple Approach

29 Better Approach

30 More Issues Perfectly fitting the dummy distribution introduces delay in the data In certain scenarios, delay kills the application, especially if time synchronization is done by the BS Instead of waiting, inject data after some amount of time that fits the distribution Leads to a short-long problem: short interval times followed by longer interval times tend to contain real data packets

31 Beating Correlation Tests Instead of creating dummy messages according to a schedule, create dummy intervals Allows the node to find a better fit when real data shows up, allowing the system to defeat correlation tests that expose real traffic

32 What about location privacy issues in mobile networks (e.g., VANETs)?

33 LBS in VANET

34 How to prevent the untrusted LBS from tracking vehicles?

35 AMOEBA Pseudonyms + group identify location privacy among vehicles on the highway Groups increase anonymity and reduce linkability Pseudonym updates and silence at opportune times further reduce linkability Power control allows group communication without infrastructure eavesdropping

36 V2I G2I Protect anonymity by grouping network traffic Allow vehicles to form ad hoc groups Group leader communicates to RSU Rotate group leader randomly

37 Road structure Leveraging Silence pseudonyms not enough Random silent period with pseudonym update reduces linkability, but causes safety problems Rely on silent periods during times of high driver attentiveness, e.g., while changing lanes or merging

38 Privacy and LBS

39 Trusted group leader? Some Issues Compromised group leader no privacy Rotation helps, but doesn't solve Trusted group? Malicious group members can expose info to LBS, spoof LBS requests, etc. Lack of end-to-end control in V2I/LBS Pay services? No control over vehicles in data flow Malicious leader could interfere

40 Summary We saw some unique location privacy issues in very different wireless systems Additional location privacy issues exist in other domains / contexts, but no time to cover them all As systems continue to emerge / evolve, new privacy issues will arise

41 Next Time Discussion of remaining deliverables Exam on Apr 9 Final project presentations on Apr 30 May 2 Final project report due May 9 Individual system audit due May 9 Open Q&A about deliverables, expectations, etc.