Wireless Network Security 14-814 Spring 2014 Patrick Tague Class #16 Network Privacy & Anonymity 2014 Patrick Tague 1
Network Privacy Issues
- Network layer interactions in wireless networks often expose information about identity, context, content, relationships, etc.
- In certain cases, cryptographic protections can help, but not always
- In certain cases, pseudonyms help, but not always

ID Matching
- Network IDs/addresses can facilitate tracking, profiling, inference, etc.
- Ex: a network service provider sees device A connect to a network in Pgh, then to another network in DC, then to another network in SF -> the service provider can create a profile of the device owner
- Ex: an eavesdropper sees device A show up and connect to a network at the same time every day -> the eavesdropper can temporally profile the user to learn when they will be away from home

Traffic Analysis
- A curious or malicious party can observe network traffic and analyze flow patterns to infer relationships
- Plaintext IDs can make this pretty easy
- Something like conservation of flow can allow traffic flow decoupling
- Inference capability depends on several factors:
  - Network visibility: global or local view?
  - Traffic density: dense or sparse traffic distributions?
  - ...

Timing Analysis
- Since network operations are typically at least somewhat delay sensitive, there are end-to-end correlations between transmission events
- Ex: node A transmits 10 packets, then neighboring node B transmits 10 packets of similar size -> maybe B is relaying A's traffic
- Depending on visibility and density, very little other information is needed (e.g., strong hop-by-hop packet re-encryption doesn't prevent timing analysis)

Understanding the Risks
- What type of network? Services? Etc.?
  - WLAN, cellular, VANET, WSN, ...
- What is the attacker's goal / purpose?
  - Real-time tracking, recovering past traces, ...
  - Robbery, personal safety, blackmail, mal-marketing, surveillance, ...
- What granularity is needed for attack success?
  - Relational, location-specific, region-specific, ...

Privacy Challenges
1. Understanding the privacy goals
  - What needs to be protected?
  - What are the rules to be enforced?
2. Understanding the threat
  - What are the attacker's goals, capabilities, methods, ...?
  - Practicality of attacker assumptions?
3. Metrics
  - How to measure privacy protection and enforcement?
  - How to evaluate and incorporate risk?

Different Privacy Concerns
- Profiling and tracking WiFi users
- Event/object inference in WSN
- Unauthorized user/car tracking in VANET

WLAN Location
- Challenges to location privacy in WLAN:
  - Network operators are untrusted
  - High density of APs; many may be malicious
  - Precise (~1m) localization
  - Broadcast IDs (MAC addresses)
- Very easy to eavesdrop on devices' MAC addresses, even if security features are enabled

WiFi Tracking
- WiFi devices provide various pieces of information that can enable tracking
- Static MAC address -> rogue AP or eavesdropper can record MAC-location pairs
  - Location can be computed coarsely by AP/SSID or finely using coordination among APs
- WiFi probe messages -> SSID lists and MAC address pairs suggest favorite locations
- This not only allows you to track the device, but also to learn something about the user

Ex: WiFi Probe Messages

Potential Solutions
- What if we don't allow the AP to determine the location of a client?
  - Policy is easily bypassed by a malicious AP
- What if we don't give the AP enough information to identify clients (i.e., anonymize)?
  - What other services does this interfere with?

MAC Randomization
- MAC addresses are 48 bits with some addresses reserved, so there's a good amount of entropy
- The client can randomize its MAC address every time without affecting end-to-end performance
- As long as other ID information is hidden from the AP, the AP cannot identify clients in its network
- Trade-offs:
  - Privacy can be achieved, monitoring and IDS are lost
  - MAC collisions

Collisions

Implementation Issues
- Seq# in headers must be removed, otherwise subsequent messages are correlated
- Connection reestablishment often
- Signal analysis can still expose correlation
- All other uses of MAC addresses lost (e.g., whitelist, blacklist, IDS)
- Key management needed if MACs need to be matched by another user
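Added example (not from the slides): how a client draws a locally-administered random MAC, and what the 46 usable bits mean for the collision trade-off via the birthday bound. The U/L and I/G flag handling is standard IEEE 802 addressing; the sequence-number reset mentioned under Implementation Issues is not modelled here.

```python
import math
import secrets

# In a 48-bit MAC the two low bits of the first octet are flags: bit 0 is the
# multicast (I/G) bit, bit 1 the locally-administered (U/L) bit.  A randomized
# unicast MAC clears I/G and sets U/L, which leaves 46 bits of real entropy.
RANDOM_MAC_BITS = 46

def random_local_mac(randbits=secrets.randbits):
    """Draw a fresh unicast, locally-administered MAC (colon-hex string)."""
    raw = randbits(48)
    first = ((raw >> 40) | 0x02) & 0xFE          # set U/L, clear I/G
    raw = (first << 40) | (raw & ((1 << 40) - 1))
    return ":".join(f"{(raw >> (8 * i)) & 0xFF:02x}" for i in reversed(range(6)))

def is_random_local_mac(mac):
    """True if the first octet carries the U/L flag and not the I/G flag."""
    first = int(mac.split(":")[0], 16)
    return (first & 0x03) == 0x02

def collision_probability(n_clients, bits=RANDOM_MAC_BITS):
    """Birthday bound: P(at least two of n independently drawn MACs coincide),
    using the standard approximation 1 - exp(-n(n-1) / 2N), N = 2**bits."""
    space = 2 ** bits
    return 1.0 - math.exp(-n_clients * (n_clients - 1) / (2 * space))

def clients_for_collision_probability(p, bits=RANDOM_MAC_BITS):
    """Roughly how many simultaneously active randomized clients it takes
    before some pair collides with probability p (inverse of the bound above)."""
    return math.sqrt(2 * 2 ** bits * math.log(1.0 / (1.0 - p)))

if __name__ == "__main__":
    print("example MAC:", random_local_mac())
    for n in (1_000, 100_000, 10_000_000):
        print(f"{n:>10} clients -> P(collision) = {collision_probability(n):.2e}")
    print("clients for a 50% collision chance:",
          round(clients_for_collision_probability(0.5)))
```

Collisions only matter among clients that share a broadcast domain at the same time, so for realistic AP populations the entropy is more than enough; the real costs are the lost whitelists, blacklists and IDS context from the slide.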
What about location privacy issues in multi-hop wireless networks?

Traffic Anonymization
- In multi-hop networks (MANET/WSN), transmission linking can expose what path is used for a session
- Traffic analysis: analyzing the flow of packets through a network (with global knowledge) allows decomposition into individual flows
- Local traffic analysis: without global knowledge, timing information can expose flow decomposition in a neighborhood

WSN Location Privacy
- In sensor networks, we're usually not concerned with protecting sensor locations, but what they're sensing may be more sensitive
- (Figure: sensor reports "Truck at (x1, y1) @ 1:34pm", "Truck at (x2, y2) @ 1:37pm", "Truck at (x3, y3) @ 1:35pm")

Source Location Privacy
- One of the common goals in WSN is to hide the location of the sensed event from an observer
- But, the traffic generated will immediately expose any singular event
- Commonly called the Panda Hunter Problem
  - Sensors in a wildlife area are used to track/study pandas
  - Whenever a panda walks by a sensor, it generates traffic
  - A hunter can track the traffic to find the panda

Panda Hunter Problem
- Objective of the WSN / defender:
  - Properly / quickly collect panda mobility info
  - Hide the location information from the panda hunters that can eavesdrop on WSN traffic but not decrypt
- Objective of the panda hunters:
  - Learn the location of the data source (and thus the panda) by analyzing traffic flow statistics

Panda Hunter Strategies
- Two approaches:
  - Choose one location in the network to monitor traffic
    - Wait for the panda to walk somewhere that creates traffic flows through the chosen location, then find the panda
    - Probably takes a long time depending on the area, and no better than naïve hunting
  - Find the base station and monitor all network traffic
    - More work to find the base station, more traffic to analyze all at once, but any panda-related traffic goes here

Anti-Analysis Methods
- In the Panda Hunter context, there are two ways to mitigate the attack:
  - Prevent the hunter from finding the base station (i.e., destination location privacy)
  - Prevent the hunter from finding the panda (i.e., source location privacy)
- These problems are sort of duals of each other, so we look only at the second one
- (Image from [Deng et al., PMC 2006])

Flooding
- One common approach is to hide the actual event data in dummy ("chaff") traffic
- Flooding the network with dummy traffic prevents the attacker from figuring out what is real
  - If it looks like the panda is everywhere, where is it?
- Of course, flooding dummy traffic is a lot of work for very little reward

Probabilistic Flooding
- Trade-offs can be made between the overhead of flooding and the resulting location privacy by instructing each node to forward dummy traffic only with probability p
  - Less dummy traffic slightly degrades privacy
  - Less dummy traffic means lower overhead
- Nodes need to be able to distinguish dummy from real traffic, or also drop real traffic w.p. (1-p)

Random Routing
- Another technique to mitigate traffic analysis is random routing
  - Next hop <- rand({neighbors})
- Non-deterministic packet flow makes the analysis harder, but increases delay
- Can combine random routing with probabilistic flooding -> Phantom Routing

Two-Way Random Walk
- Two-way Greedy Random Walk (GROW)
- Short path from base station created to serve as receptors, who listen for packets and unicast them
- Makes the random walk faster, since the path just needs to get close to the base station
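Added example (not the slides' or any paper's code) for the Flooding, Probabilistic Flooding and Random Routing slides above: a small grid-WSN simulation of probabilistic flooding with forwarding probability p, plain random routing, and a simplified phantom routing (an unbiased random walk followed by a probabilistic flood), reporting delivery ratio and transmissions per event, i.e. the overhead side of the trade-off. The 10x10 grid, source/sink positions and trial counts are constructed; the number of transmitting nodes stands in for how widely the event is smeared across the network.

```python
import random
from collections import deque

def grid_neighbors(node, n):
    # 4-connected n x n sensor grid; a node hears only its four neighbors.
    x, y = node
    for dx, dy in ((1, 0), (-1, 0), (0, 1), (0, -1)):
        if 0 <= x + dx < n and 0 <= y + dy < n:
            yield (x + dx, y + dy)

def probabilistic_flood(n, source, sink, p, rng):
    # The source always transmits; every other node rebroadcasts the first copy
    # it hears with probability p.  Returns (sink_reached, transmitting_nodes).
    heard, queue, transmitters = {source}, deque([source]), 0
    while queue:
        node = queue.popleft()
        if node != source and rng.random() > p:
            continue                      # silent with probability 1-p
        transmitters += 1
        for nb in grid_neighbors(node, n):
            if nb not in heard:
                heard.add(nb)
                queue.append(nb)
    return sink in heard, transmitters

def random_walk(n, source, hops, rng):
    # Random routing: next hop <- rand({neighbors}); returns the final node.
    node = source
    for _ in range(hops):
        node = rng.choice(list(grid_neighbors(node, n)))
    return node

def phantom_route(n, source, sink, walk_hops, p, rng):
    # Simplified phantom routing: an unbiased random walk moves the apparent
    # source away from the real one, then probabilistic flooding takes over.
    phantom = random_walk(n, source, walk_hops, rng)
    reached, tx = probabilistic_flood(n, phantom, sink, p, rng)
    return reached, tx + walk_hops, phantom

def average(n, source, sink, p, walk_hops=0, trials=200, seed=1):
    # Mean delivery ratio and mean transmissions per event over `trials` runs,
    # i.e. the overhead side of the privacy/overhead trade-off for a given p.
    rng = random.Random(seed)
    delivered = tx_total = 0
    for _ in range(trials):
        reached, tx, _ = phantom_route(n, source, sink, walk_hops, p, rng)
        delivered += reached
        tx_total += tx
    return delivered / trials, tx_total / trials
```

Sweeping p with average(10, (5, 5), (0, 0), p) shows the knee of the trade-off: on a 4-neighbor grid, delivery and the number of transmitting nodes both collapse once p drops below roughly 0.6, which is why the slide says lower p "slightly degrades privacy" only while p stays above that region.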
Transmission Correlation
- To make things harder, attackers can analyze timing at a node to further decompose flows at a point
- Sequence of transmissions by two neighboring nodes can indicate re-transmissions of data on the same path
- Q: how to make re-transmissions statistically uncorrelated with original transmissions? (e.g., [Alomair et al., Globecom 2010])

Simple Approach

Better Approach

More Issues
- Perfectly fitting the dummy distribution introduces delay in the data
  - In certain scenarios, delay kills the application, especially if time synchronization is done by the BS
- Instead of waiting, inject data after some amount of time that fits the distribution
  - Leads to a short-long problem: short interval times followed by longer interval times tend to contain real data packets

Beating Correlation Tests
- Instead of creating dummy messages according to a schedule, create dummy intervals
- Allows the node to find a better fit when real data shows up, allowing the system to defeat correlation tests that expose real traffic
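Added example (not from the slides and not the scheme of Alomair et al.) for the Transmission Correlation and More Issues slides: a simplified simulation in which relay B either forwards A's real packets as soon as they arrive (simple approach) or holds them for its next scheduled dummy slot (better approach), scored by an eavesdropper's "does B transmit right after A?" statistic together with the delay the better approach costs. All numbers (uniform 0.5-1.5 s dummy gaps, 10% real traffic, 20 ms processing time, 50 ms window) are constructed.

```python
import random

def dummy_schedule(rng, lo, hi, horizon):
    # Dummy transmission times with iid uniform(lo, hi) gaps (bounded, not memoryless).
    times, t = [], rng.uniform(lo, hi)
    while t < horizon:
        times.append(t)
        t += rng.uniform(lo, hi)
    return times

def relay_immediately(a_real, b_schedule, proc=0.02):
    # Simple approach: B forwards each real packet `proc` seconds after
    # hearing it, on top of its own dummy schedule.
    return sorted(b_schedule + [t + proc for t in a_real])

def relay_in_next_slot(a_real, b_schedule, proc=0.02):
    # Better approach: B holds the real packet and sends it in its next unused
    # scheduled slot instead of a dummy, so B's timing is exactly its schedule.
    # Returns (transmission_times, per_packet_delays); assumes the schedule outlasts a_real.
    i, delays = 0, []
    for t in sorted(a_real):
        while b_schedule[i] < t + proc:
            i += 1
        delays.append(b_schedule[i] - t)
        i += 1
    return list(b_schedule), delays

def followed_fraction(a_times, b_times, window):
    # Eavesdropper's correlation statistic: the fraction of A's transmissions
    # that some B transmission follows within `window` seconds.
    hits, j, b = 0, 0, sorted(b_times)
    for t in sorted(a_times):
        while j < len(b) and b[j] <= t:
            j += 1
        hits += j < len(b) and b[j] - t <= window
    return hits / len(a_times)

def experiment(seed=3, horizon=20000.0, real_fraction=0.1, window=0.05):
    # A transmits on its own uniform schedule; a constructed 10% of those slots
    # carry real data that B must relay.  Compare both relaying strategies.
    rng = random.Random(seed)
    a_sched = dummy_schedule(rng, 0.5, 1.5, horizon - 100)
    a_real = [t for t in a_sched if rng.random() < real_fraction]
    b_sched = dummy_schedule(rng, 0.5, 1.5, horizon)
    immediate = followed_fraction(a_sched, relay_immediately(a_real, b_sched), window)
    slot_times, delays = relay_in_next_slot(a_real, b_sched)
    return {"immediate": immediate,
            "next_slot": followed_fraction(a_sched, slot_times, window),
            "next_slot_delay": sum(delays) / len(delays)}
```

With next-slot relaying the statistic sits at its chance level (B's rate times the window, about 0.05 here) while immediate relaying lifts it by roughly the real-traffic fraction; the price is about half a dummy gap of queueing delay per real packet, which is the delay problem the More Issues slide raises.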
What about location privacy issues in mobile networks (e.g., VANETs)?

LBS in VANET

How to prevent the untrusted LBS from tracking vehicles?

AMOEBA
- Pseudonyms + group identity -> location privacy among vehicles on the highway
- Groups increase anonymity and reduce linkability
- Pseudonym updates and silence at opportune times further reduce linkability
- Power control allows group communication without infrastructure eavesdropping

V2I -> G2I
- Protect anonymity by grouping network traffic
- Allow vehicles to form ad hoc groups
- Group leader communicates to RSU
- Rotate group leader randomly

Leveraging Silence
- Road structure -> pseudonyms not enough
- Random silent period with pseudonym update reduces linkability, but causes safety problems
- Rely on silent periods during times of high driver attentiveness, e.g., while changing lanes or merging

Privacy and LBS

Some Issues
- Trusted group leader?
  - Compromised group leader -> no privacy
  - Rotation helps, but doesn't solve
- Trusted group?
  - Malicious group members can expose info to LBS, spoof LBS requests, etc.
- Lack of end-to-end control in V2I/LBS
  - Pay services?
  - No control over vehicles in data flow
  - Malicious leader could interfere

Summary
- We saw some unique location privacy issues in very different wireless systems
- Additional location privacy issues exist in other domains / contexts, but no time to cover them all
- As systems continue to emerge / evolve, new privacy issues will arise

Happy Spring Break!
- March 18: OMNET++ Tutorial III
- March 20: Trust & Reputation