Mobile Security 14-829 Fall 2011 Patrick Tague Class #17 Location Security and Privacy
Announcements: HW #3 is due today. Exam is in-class on Nov 9.
Agenda Location security Location privacy
Location, Location, Location Incorporation of location information into various protocols and services has changed the landscape in networked systems across domains. Geo-spatial resource provisioning Location-based applications & services Distributed tracking & monitoring Geographic network services (e.g., routing) Navigation & mapping Social networking
Location Security What does it mean to secure location? Location privacy Location secrecy Selective location disclosure Malicious location estimation service Estimation precision Spoofing Untraceability Misleading, lying, etc.
Secure Localization Is it possible to secure the location estimation process? Process of localization is based on reference data Is the source trustworthy? Can the data be verified? Is the data reliable? Location estimation services can be attacked Vulnerabilities? How to mitigate them? Reference data may be noisy or imprecise How to incorporate redundancy for reliable location estimation? System or devices may be tightly constrained How efficient is the estimation algorithm? What are the trade-offs?
Location in Different Domains Secure location estimation: GPS MANET and WSN WLAN Smartphones
GPS Localization GPS satellites serve as mobile reference points for Earth-based receivers. All satellites have high-precision, tightly synchronized clocks and precisely known locations. Receivers use timing information to measure distance from multiple satellites (3 is enough if the receiver's own clock is accurate; a fourth satellite also resolves the receiver clock bias, and more improve the fit). Location is estimated using 3-D multilateration. (Figure: receiver at distances d_1, d_2, d_3 from satellites at (x_1, y_1, z_1), (x_2, y_2, z_2), (x_3, y_3, z_3).)
GPS Location Security The GPS satellite network is well guarded. Physical security: so you want to tamper with a satellite...? Reliability: clocks are closely monitored. GPS Spoofing: rogue GPS transmitters can look like satellites, interfere with the time-sync process, or overpower the genuine signal with a spoofing signal. The civilian GPS signal carries no authentication, so a receiver cannot distinguish a counterfeit from the real signal by the signal content alone.
Localization Many different types of localization using infrastructure-based or distributed approaches. Many techniques mimic GPS in one way or another: trusted devices serve as reference points, and physical characteristics of the signal provide distance estimates or bounds from those reference points. Resource constraints are the limiting factor: algorithms must be fast and efficient, and GPS is not cost-effective for continual use in battery-powered devices.
Relative Localization Each localizing device collects geometric relationships relative to several reference points (x_i, y_i): Local presence / connectivity: "I can hear you, so I must be near (x, y)". Received signal strength: RSS = R gives distance d. Time of flight: time t gives distance d. Time-difference of arrival: t_2 - t_1 gives a distance difference. Angle of arrival: angles θ_1, θ_2 from two reference points.
Securing Relative Measurements Measurements taken with respect to reference points should be: Authentic Measurements from authorized reference points only Verifiable Integrity of measurement should be guaranteed If possible, physical measurement should be unforgeable Highly available Location information should be ready when needed Protected from various forms of attack
Example: SeRLoc [Lazos & Poovendran, 2004] SeRLoc = Secure Range-independent Localization. (Figure: locators L_1 to L_4 with directional sector coverage; each grid cell is labelled with the number of locators whose sectors cover it, and a sensor estimates its position as the centre of gravity of the region covered by every locator it hears.) Locator L_i broadcasts the beacon { (X_i, Y_i), (θ_{i,1}, θ_{i,2}), H^{n-j}(PW_i), j, ID_{L_i} }_{K_0}: its coordinates, the two angles bounding the sector, the j-th element of a hash chain built on its password PW_i (so old beacons cannot be replayed), and its ID, all encrypted under the global symmetric key K_0.
Example: Verifiable Multilateration [Čapkun & Hubaux, 2005] Basic idea of VM: using distance bounding (a challenge-response time-of-flight measurement between N_1 and N_2: time t gives distance d), an attacker can only increase the measured distance, never shorten it, because the response cannot be sent before the challenge arrives. VM uses at least three verifiers forming a triangle around the node. (Figure: verifiers N_1, N_2 exchanging time-of-flight challenges with the node.) VM benefit: increasing distance measurements will either have negligible effect on the estimated location or be large enough to detect misbehavior, because the estimate falls outside the verifier triangle or the enlarged bounds are mutually inconsistent.
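Worked example (added to these notes; it is not code from a GPS receiver, from SeRLoc, or from Čapkun & Hubaux): a pure-Python least-squares multilateration solver of the kind the GPS slide describes for the distances d_i, reused in two dimensions for the verifiable-multilateration check on this slide. Satellite and verifier coordinates, the node positions and the tolerance delta are constructed values, and the solver assumes the timing has already been corrected (no receiver clock-bias term).

```python
"""Multilateration from distance measurements, plus a verifiable-multilateration
(VM) check.  Added example for these notes: a textbook damped Gauss-Newton
least-squares fit, not a GPS receiver's or the VM authors' code.  All reference
positions and distances used here are constructed."""
import math


def solve_linear(a, b):
    """Solve the small square system a x = b by Gaussian elimination with
    partial pivoting (pure Python, so no numpy dependency)."""
    n = len(b)
    m = [list(row) + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[piv] = m[piv], m[col]
        for r in range(col + 1, n):
            f = m[r][col] / m[col][col]
            for c in range(col, n + 1):
                m[r][c] -= f * m[col][c]
    x = [0.0] * n
    for r in range(n - 1, -1, -1):
        x[r] = (m[r][n] - sum(m[r][c] * x[c] for c in range(r + 1, n))) / m[r][r]
    return x


def dist(p, q):
    return math.sqrt(sum((pi - qi) ** 2 for pi, qi in zip(p, q)))


def multilaterate(refs, dists, init=None, iters=100):
    """Least-squares position from reference points `refs` (2-D or 3-D) and
    measured distances `dists`.  Three references fix a 2-D point; in 3-D
    three suffice only when timing is already corrected (this solver has no
    clock-bias unknown), and extra references average out noise."""
    dim = len(refs[0])
    x = list(init) if init else [sum(r[k] for r in refs) / len(refs) for k in range(dim)]

    def cost(p):
        return sum((d - dist(p, r)) ** 2 for r, d in zip(refs, dists))

    for _ in range(iters):
        jac, res = [], []
        for r, d in zip(refs, dists):
            cur = dist(x, r) or 1e-12
            jac.append([(x[k] - r[k]) / cur for k in range(dim)])  # d|x-r|/dx
            res.append(d - cur)
        jtj = [[sum(j[i] * j[k] for j in jac) for k in range(dim)] for i in range(dim)]
        jtr = [sum(j[i] * ri for j, ri in zip(jac, res)) for i in range(dim)]
        dx = solve_linear(jtj, jtr)                # normal equations (J^T J) dx = J^T res
        base, step = cost(x), 1.0
        while True:                                # backtrack if the full step overshoots
            cand = [xi + step * di for xi, di in zip(x, dx)]
            if cost(cand) <= base or step < 1e-6:
                break
            step /= 2
        x = cand
        if max(abs(step * di) for di in dx) < 1e-10:
            break
    return x


def inside_triangle(p, a, b, c):
    """True if 2-D point p lies inside (or on) triangle abc (same-side test)."""
    def side(p1, p2, p3):
        return (p1[0] - p3[0]) * (p2[1] - p3[1]) - (p2[0] - p3[0]) * (p1[1] - p3[1])
    s = [side(p, a, b), side(p, b, c), side(p, c, a)]
    return not (any(v < 0 for v in s) and any(v > 0 for v in s))


def verifiable_multilateration(verifiers, bounds, delta):
    """VM with three verifiers.  Distance bounding lets a dishonest node only
    enlarge its measured distances, so the position fitted to the bounds must
    (1) lie inside the verifier triangle and (2) agree with every bound to
    within the expected measurement error `delta`.  Returns (accepted, estimate)."""
    est = multilaterate(verifiers, bounds)
    ok_tri = inside_triangle(est, *verifiers)
    ok_delta = all(abs(b - dist(est, v)) <= delta for v, b in zip(verifiers, bounds))
    return ok_tri and ok_delta, est
```

A node at (5, 3) inside verifiers at (0, 0), (10, 0), (5, 10) passes with exact bounds; if it enlarges just one bound (say the third to 9.0) the fitted point stays inside the triangle but the residuals exceed any realistic delta, and if it enlarges all three the fit lands outside the triangle. Either way the claim is rejected, which is the VM property the slide states.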
Mobility Helps Localization (Figure: a mobile node M_i collects distance measurements to a reference from several positions M_1, M_2, M_3, M_4 along its path, using a compass to relate the measurements; the new position is estimated as the centroid of the intersection of the resulting constraints.)
WLAN Localization WiFi localization is typically based on received signal strength mappings within buildings This is currently deployed in Bldg 23 With additional assistance from Bluetooth beacons Requires building surveys for training data
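Added example of the fingerprinting approach just described (not the Building 23 system's code): a small survey table recorded at six indoor points, one of which also hears a Bluetooth beacon, and a live scan matched against it by weighted k-nearest-neighbours in RSS space. The survey values, the live scan, the AP identifiers and the MISSING_DBM floor are all constructed.

```python
"""RSS-fingerprint (weighted k-NN) WLAN localization.  Added example, not the
Building 23 deployment's code.  The survey table and the scans are constructed."""
import math

MISSING_DBM = -100.0   # assumed floor for an AP/beacon that is not heard at a point

# Constructed training data from a building survey:
# survey point (x, y in metres) -> {AP or beacon id: RSS in dBm}.
SURVEY = {
    (0.0, 0.0):  {"ap1": -40, "ap2": -70, "ap3": -80},
    (5.0, 0.0):  {"ap1": -55, "ap2": -55, "ap3": -75},
    (10.0, 0.0): {"ap1": -70, "ap2": -42, "ap3": -68},
    (0.0, 5.0):  {"ap1": -50, "ap2": -75, "ap3": -60, "ble1": -65},
    (5.0, 5.0):  {"ap1": -60, "ap2": -60, "ap3": -58, "ble1": -55},
    (10.0, 5.0): {"ap1": -75, "ap2": -50, "ap3": -55, "ble1": -70},
}


def rss_distance(scan, fingerprint, aps):
    """Euclidean distance in signal space over the id set `aps`.  An id absent
    from one side is treated as MISSING_DBM, so *not* hearing a beacon is
    itself evidence about where the device is."""
    return math.sqrt(sum((scan.get(a, MISSING_DBM) - fingerprint.get(a, MISSING_DBM)) ** 2
                         for a in aps))


def locate(scan, survey=SURVEY, k=3):
    """Weighted k-NN: take the k survey points closest in signal space and
    average their coordinates with weight 1/(signal distance + eps), so an
    exact fingerprint match dominates and partial matches are interpolated."""
    aps = set(scan)
    for fp in survey.values():
        aps |= set(fp)
    ranked = sorted(((rss_distance(scan, fp, aps), pos) for pos, fp in survey.items()),
                    key=lambda t: t[0])
    nearest = ranked[:k]
    weights = [1.0 / (d + 1e-3) for d, _ in nearest]
    wsum = sum(weights)
    x = sum(w * pos[0] for w, (_, pos) in zip(weights, nearest)) / wsum
    y = sum(w * pos[1] for w, (_, pos) in zip(weights, nearest)) / wsum
    return (x, y)
```

A scan of {"ap1": -68, "ap2": -45, "ap3": -66} lands within about a metre of the (10, 0) survey point. The accuracy is bounded by the survey grid spacing, which is why the slide notes that building surveys are required; the same table, in the hands of an eavesdropper who can observe a device's transmissions, localizes that device just as well, which is the privacy side discussed later.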
Smartphone Localization Hybrid devices can use hybrid localization A-GPS + WiFi localization + cell triangulation A-GPS (assisted GPS) allows a receiver to get additional information from an assistance server to lock on to satellites more quickly to solve time-to-first-fix problems Mobile mesh nodes will be able to use any combination of selective (A-)GPS, mobility information, and relative location
Location Privacy What about location privacy? Why do we care? How to prevent location disclosure? How to prevent location inference?
Location Disclosure Benefits of disclosing one's location: e-911 service (gov't-mandated location tracking), navigation & mapping, location-sensitive ads, local traffic / weather, finder apps, social networking, remote monitoring (e.g., tracking children), safety (e.g., in VANET). Risks of location disclosure: tracking / linking, surveillance, inferring context (lifestyle, medical condition, political views, preferences), targeted malice (e.g., stalking), location-sensitive ad spam.
Cellular Location Service providers are required by law to track cell phone locations using GPS or tower-based triangulation For emergency use, law enforcement use, etc. Disclosure of location information is tightly regulated Mostly opt-in disclosure only Mobile apps and services using location are not part of this protection
Location Privacy in Apps Third-party apps are subject to different laws and policies regarding location. Apps can (and do!) take advantage of unnecessary privileges to record users' location, movement, etc. Location privacy is really in the hands of the mobile developers, not the users or providers. A significant number of popular Android apps were recently shown to mishandle sensitive info: TaintDroid's dynamic taint tracking found that half of the 30 apps it studied reported the user's location to remote advertising servers [Enck et al., TaintDroid, USENIX OSDI 2010].
WLAN Location Challenges to location privacy in WLAN: Network operators are untrusted. High density of APs; many may be malicious. Precise (~1 m) localization. Broadcast IDs (MAC addresses): very easy to eavesdrop on devices' MAC addresses, even if security features are enabled, because 802.11 frame headers are sent in the clear regardless of WEP/WPA encryption of the payload. Static MACs allow for easy tracking of devices/users. MAC pseudonyms can be used to prevent tracking, as long as previous/current MAC addresses are unlinkable [Gruteser & Grunwald, WMASH 2003].
Mitigating Traceability Preventing packet correlation for tracking, in WiFi, RFID, Bluetooth, etc. Synchronization, a shared secret, and a PRNG are enough to use pseudonyms effectively (as in WiFi systems): both ends derive the next pseudonym from the shared secret and the current epoch, so an observer without the secret cannot link one pseudonym to the next. Without sync + PRNGs (e.g. passive RFID tags), a trusted authority (the RFID database) can instead store an ID-to-pseudonym look-up table [Alomair et al., DSN 2010]. Even with ID pseudonymity, attackers can observe and correlate traffic to trace users: location privacy isn't just about the location or the user ID.
Traffic Anonymization In multi-hop networks (MANET/WSN), packet linking via traffic analysis can expose source and relay locations Analysis of inter-packet timing reveals correlation Possible approach to source anonymity is to inject dummy traffic and randomize packet timing to reduce correlation [Alomair et al., Globecom 2010]
Leveraging Silence Communication is typically bursty Short-lived sessions of activity, followed by sessions of inactivity, or silence Silent periods can be used instead of synchronization Sender and receiver know to refresh pseudonyms whenever a burst session begins Vehicular networks (VANET) [Sampigethaya et al., ESCAR 2005]
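Added example (not the code of Gruteser & Grunwald, Alomair et al., or Sampigethaya et al.) covering the pseudonym mechanisms on the preceding WLAN and traceability slides together with the silent-period refresh on this slide: a shared-secret plus epoch-counter derivation of a locally-administered pseudonym MAC, a burst/silence detector that both ends run without clock synchronization, and an authority-side look-up table for tags that cannot derive pseudonyms themselves. The keys, device IDs, timestamps and the 30 s silence threshold are constructed.

```python
"""MAC-address pseudonyms from a shared secret and an epoch counter.
Added example for these notes, not the cited papers' code.  Keys, device IDs,
timestamps and the silence threshold are constructed."""
import hashlib
import hmac

SILENCE_S = 30.0   # assumed: a gap longer than this ends a burst session


def pseudonym_mac(key: bytes, epoch: int) -> str:
    """HMAC-SHA256(key, epoch) truncated to 48 bits, with the locally-
    administered bit set and the multicast bit cleared so the result is a
    valid unicast address.  Both ends of a session hold `key` and agree on
    `epoch`; without `key`, successive pseudonyms are unlinkable (PRF output)."""
    tag = hmac.new(key, epoch.to_bytes(8, "big"), hashlib.sha256).digest()
    octets = bytearray(tag[:6])
    octets[0] = (octets[0] | 0x02) & 0xFE
    return ":".join(f"{b:02x}" for b in octets)


def epochs_from_silence(timestamps, silence=SILENCE_S):
    """Silent-period scheme (as in VANET): no clock sync is needed, because
    sender and receiver both advance the epoch whenever a new burst starts
    after a silence gap.  Returns the epoch index to use for each packet."""
    epochs, epoch, last = [], 0, None
    for t in timestamps:
        if last is not None and t - last > silence:
            epoch += 1
        epochs.append(epoch)
        last = t
    return epochs


class PseudonymResolver:
    """Trusted-authority look-up (RFID-style).  The authority precomputes
    pseudonym -> (device_id, epoch) for every enrolled device over a window
    of epochs, so a device with no clock or PRNG sync is still recognised,
    while an eavesdropper without the per-device keys sees only random MACs."""

    def __init__(self, device_keys, epoch_window):
        self.table = {}
        for dev, key in device_keys.items():
            for e in range(epoch_window):
                self.table[pseudonym_mac(key, e)] = (dev, e)

    def resolve(self, mac):
        return self.table.get(mac)   # None for an unknown or unenrolled pseudonym


def pseudonyms_for_trace(key, timestamps):
    """Convenience: the pseudonym MAC each packet in a trace would carry when
    epochs are driven by silent periods rather than a synchronized clock."""
    return [pseudonym_mac(key, e) for e in epochs_from_silence(timestamps)]
```

The epoch can be a synchronized time slot (the WiFi case on the previous slide) or the burst counter from epochs_from_silence (this slide); the derivation is the same either way. The resolver's table grows as devices times epochs, which is the cost of dispensing with synchronization on the tag side.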
Location Privacy Challenges 1. Understanding the privacy goals: What needs to be protected? What are the rules to be enforced? 2. Understanding the threat: What are the attackers' goals, capabilities, and methods? How practical are the attacker assumptions? 3. Metrics: How to measure privacy protection and enforcement? How to evaluate and incorporate risk?
Concerns for Developers What can developers do to protect location? Protect explicit location information Secure storage of location data Don't store it at all Protect against location leakage - implicit info Include an anonymization mechanism to protect against tracking, traffic analysis, etc. Develop according to a well-defined attacker model Disclose location usage to users
Concerns with Developers Unfortunately: Malicious developers can scrape location information very easily Users are responsible for checking permissions to see what apps are allowed to do Users are responsible for reading license agreements and disclosure statements to see what developers claim they are doing with user data
What's Next? 11/2: SURVEY on mobile location privacy 11/7: Guest speaker Didier Serra, Inside Secure 11/9: Exam