©2011 Patrick Tague Mobile Security 14-829 Fall 2011 Patrick Tague Class #17 Location Security and Privacy

Mobile Security - Carnegie Mellon University, mews.sv.cmu.edu/teaching/14829/f11/files/tague_14829f11...

Aug 07, 2020

Mobile Security 14-829 – Fall 2011
Patrick Tague
Class #17 – Location Security and Privacy

Announcements
• HW #3 is due today
• Exam is in-class on Nov 9

Agenda
• Location security
• Location privacy

Location, Location, Location
Incorporation of location information into various protocols and services has changed the landscape in networked systems across domains.
• Geo-spatial resource provisioning
• Location-based applications & services
• Distributed tracking & monitoring
• Geographic network services (e.g., routing)
• Navigation & mapping
• Social networking

Location Security
What does it mean to secure location?
• Location privacy
• Location secrecy
• Selective location disclosure
• Untraceability
• Malicious location estimation service
• Estimation precision
• Spoofing
• Misleading, lying, etc.

Secure Localization
Is it possible to secure the location estimation process?
• Process of localization is based on reference data
  – Is the source trustworthy?
  – Can the data be verified?
  – Is the data reliable?
• Reference data may be noisy or imprecise
  – How to incorporate redundancy for reliable location estimation?
• Location estimation services can be attacked
  – Vulnerabilities?
  – How to mitigate them?
• System or devices may be tightly constrained
  – How efficient is the estimation algorithm?
  – What are the trade-offs?

Location in Different Domains
• Secure location estimation:
  – GPS
  – MANET and WSN
  – WLAN
  – Smartphones

GPS Localization
• GPS satellites serve as mobile reference points for Earth-based receivers
  – All satellites have high-precision, tightly synchronized clocks and precisely known locations
  – Receivers use timing information to measure distance from multiple satellites (3 is enough, more is better)
  – Location is estimated using 3-D multi-lateration
[Figure: Dist d1 from (x1,y1,z1); Dist d2 from (x2,y2,z2); Dist d3 from (x3,y3,z3)]

GPS Location Security
• GPS satellite network is well guarded
  – Physical security: so you want to tamper with a satellite...?
  – Reliability: clocks are closely monitored
• GPS Spoofing
  – “Rogue” GPS devices can look like satellites
  – Interfere with time-sync process
[Figure label: Spoofing signal]

Localization
• Many different types of localization using infrastructure-based or distributed approaches
  – Many techniques mimic GPS in one way or another
  – Trusted devices can serve as reference points
  – Physical characteristics provide distance estimates or bounds from reference points
• Resource constraints are a limiting factor
  – Algorithms must be fast and efficient
  – GPS is not cost-effective for continual use in battery-powered devices

Relative Localization
Each localizing device collects geometric relationships relative to several reference points (x_i, y_i)
• Local presence: “I can hear you, so I must be near (x,y)”
• Connectivity
• Rx signal strength: RSS = R → distance d
• Time of flight: Time t → distance d
• Time-difference: Time t2-t1 → distance d
• Angle of arrival: θ1, θ2

Securing Relative Measurements
• Measurements taken with respect to reference points should be:
  – Authentic
    • Measurements from authorized reference points only
  – Verifiable
    • Integrity of measurement should be guaranteed
    • If possible, physical measurement should be unforgeable
  – Highly available
    • Location information should be ready when needed
  – Protected from various forms of attack

Example: SeRLoc [Lazos & Poovendran, 2004]
• SeRLoc = Secure Range-independent Localization
[Figure: locators L1, L2, L3, L4 and a grid of per-point scores]
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
1 1 1 2 3 3 3 3 4 4 4 3 3 3 3 3 3
1 1 2 2 2 3 4 4 4 4 4 4 4 3 3 2 2
1 1 2 2 4 4 4 4 4 4 4 4 4 4 3 3 2
2 2 2 2 3 4 4 4 4 4 4 4 4 3 2 2 2
2 2 3 3 3 3 4 4 4 4 4 4 3 3 2 2 2
2 2 2 3 3 3 3 4 4 4 4 3 3 2 2 2 2
1 2 2 2 3 3 3 3 4 4 3 2 2 2 3 4 3
2 2 2 3 3 3 3 3 2 2 2 2 1 1 1 1 1
0 0 0 0 1 1 1 1 0 0 0 0 0 0 0 0 0
Beacon sent by locator $L_i$: $\{\, (X_i, Y_i) \,\|\, (\theta_{i,1}, \theta_{i,2}) \,\|\, (H^{n-j}(PW_i)),\ j,\ ID_{L_i} \,\}_{K_0}$
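
A sketch of how a receiving node could use the beacon fields above, added here as an illustration and not taken from the slides or from the SeRLoc authors' code: the hash-chain value is checked against a preloaded H^n(PW_i), then each grid point is scored by how many verified sectors cover it and the centroid of the top-scoring points is returned. Assumptions: SHA-256 stands in for H, the K0 encryption layer is omitted, and all names, coordinates and the communication range are constructed.

```python
import hashlib
import math

N = 100  # hash-chain length n (constructed value)

def H(data, times=1):
    """Apply SHA-256 `times` times (SHA-256 is an assumed stand-in for H)."""
    for _ in range(times):
        data = hashlib.sha256(data).digest()
    return data

def beacon_ok(b, anchors):
    """Accept beacon j only if H^j(H^{n-j}(PW_i)) equals the stored H^n(PW_i)."""
    anchor = anchors.get(b["id"])
    return anchor is not None and 0 < b["j"] < N and H(b["chain"], b["j"]) == anchor

def in_sector(pt, b, rng):
    """True if pt is within range of the locator and inside its sector
    (bounds in degrees; the sample sectors do not wrap through 0)."""
    dx, dy = pt[0] - b["pos"][0], pt[1] - b["pos"][1]
    if math.hypot(dx, dy) > rng:
        return False
    lo, hi = b["theta"]
    return lo <= math.degrees(math.atan2(dy, dx)) % 360 <= hi

def locate(beacons, anchors, rng=8.0, size=10):
    """Score every grid point by the number of verified sectors covering it;
    return (centroid of the top-scoring points, number of beacons used)."""
    good = [b for b in beacons if beacon_ok(b, anchors)]
    if not good:
        return None, 0  # nothing trustworthy heard: no estimate
    score = {(x, y): sum(in_sector((x, y), b, rng) for b in good)
             for x in range(size + 1) for y in range(size + 1)}
    top = max(score.values())
    best = [p for p, s in score.items() if s == top]
    centroid = (sum(p[0] for p in best) / len(best), sum(p[1] for p in best) / len(best))
    return centroid, len(good)

# Constructed sample: four locators at the corners of a 10x10 area.
LOCATORS = {"L1": ((0, 0), (0, 90)), "L2": ((10, 0), (90, 180)),
            "L3": ((10, 10), (180, 270)), "L4": ((0, 10), (270, 360))}
PW = {i: ("pw-" + i).encode() for i in LOCATORS}   # per-locator secret PW_i
ANCHORS = {i: H(PW[i], N) for i in LOCATORS}       # H^n(PW_i) preloaded on the node
BEACONS = [{"id": i, "pos": p, "theta": t, "j": 3, "chain": H(PW[i], N - 3)}
           for i, (p, t) in LOCATORS.items()]
# Forged beacon claiming to be L2: it cannot supply H^{n-j}(PW_2), so it is dropped.
FORGED = {"id": "L2", "pos": (5, 5), "theta": (0, 90), "j": 3, "chain": b"\x00" * 32}

if __name__ == "__main__":
    print(locate(BEACONS + [FORGED], ANCHORS))
```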

Example: Verifiable Multilateration [Čapkun & Hubaux, 2005]
• Basic idea of VM:
  – Using distance bounding, an attacker can only increase the measured distance
[Figure: Time of flight; N1; N1*N2; Time t → distance d]
• VM benefit:
  – Increasing distance measurements will either have negligible effect on location or be large enough to detect misbehavior
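
The VM benefit above can be checked numerically. The following is an added example, not code from the slides or from the paper's authors: three verifiers compute a position from distance bounds, then accept it only if every bound agrees with that position within a tolerance and the position lies inside the verifiers' triangle (the two acceptance checks of verifiable multilateration as usually described). Verifier coordinates, the tolerance `delta` and all function names are constructed.

```python
import math

def multilaterate(verifiers, d):
    """Position from three ranges: subtract circle 1 from circles 2 and 3,
    then solve the resulting 2x2 linear system with Cramer's rule."""
    (x1, y1), (x2, y2), (x3, y3) = verifiers
    a11, a12 = 2 * (x1 - x2), 2 * (y1 - y2)
    a21, a22 = 2 * (x1 - x3), 2 * (y1 - y3)
    k1 = x1 * x1 + y1 * y1
    b1 = d[1] ** 2 - d[0] ** 2 - (x2 * x2 + y2 * y2) + k1
    b2 = d[2] ** 2 - d[0] ** 2 - (x3 * x3 + y3 * y3) + k1
    det = a11 * a22 - a12 * a21
    if det == 0:
        raise ValueError("verifiers are collinear")
    return ((b1 * a22 - a12 * b2) / det, (a11 * b2 - a21 * b1) / det)

def inside_triangle(p, verifiers):
    """True if p lies inside (or on an edge of) the verifiers' triangle."""
    a, b, c = verifiers
    def cross(o, u, v):
        return (u[0] - o[0]) * (v[1] - o[1]) - (u[1] - o[1]) * (v[0] - o[0])
    s = [cross(a, b, p), cross(b, c, p), cross(c, a, p)]
    return all(v >= 0 for v in s) or all(v <= 0 for v in s)

def verify_position(verifiers, bounds, delta=0.2):
    """Accept only if (1) every distance bound matches the computed position
    within delta and (2) the position is inside the verification triangle."""
    p = multilaterate(verifiers, bounds)
    for (vx, vy), db in zip(verifiers, bounds):
        if abs(math.hypot(p[0] - vx, p[1] - vy) - db) > delta:
            return False, "delta test failed", p
    if not inside_triangle(p, verifiers):
        return False, "outside verification triangle", p
    return True, "accepted", p

# Constructed sample data.
VERIFIERS = [(0.0, 0.0), (10.0, 0.0), (5.0, 10.0)]

def ranges(pos):
    return [math.hypot(pos[0] - x, pos[1] - y) for x, y in VERIFIERS]

HONEST = ranges((5.0, 4.0))                             # true position of the node
ENLARGED_ONE = [HONEST[0] + 3.0, HONEST[1], HONEST[2]]  # one bound inflated
CLAIM_OUTSIDE = ranges((5.0, -4.0))  # consistent claim, every bound >= the honest one

if __name__ == "__main__":
    for name, b in [("honest", HONEST), ("enlarged", ENLARGED_ONE), ("outside", CLAIM_OUTSIDE)]:
        print(name, verify_position(VERIFIERS, b))
```

The third case shows why the triangle check matters: a set of bounds that only grow can still be mutually consistent, but only for a point outside the triangle.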

Mobility Helps Localization
[Figure: nodes 1, 2, 3, 4 and M; legend: M = Mobile Node, i = Reference, Compass, Distance; annotations: “Estimated position is centroid of intersection”, “New estimated position”]

WLAN Localization
• WiFi localization is typically based on received signal strength mappings within buildings
  – This is currently deployed in Bldg 23
    • With additional assistance from Bluetooth beacons
  – Requires building surveys for training data

Smartphone Localization
• Hybrid devices can use hybrid localization
  – A-GPS + WiFi localization + cell triangulation
    • A-GPS (assisted GPS) allows a receiver to get additional information from an assistance server to lock on to satellites more quickly to solve time-to-first-fix problems
  – Mobile mesh nodes will be able to use any combination of selective (A-)GPS, mobility information, and relative location

Location Privacy
• What about location privacy?
• Why do we care?
  – How to prevent location disclosure?
  – How to prevent location inference?

Location Disclosure
• Benefits of disclosing one's location
  – e-911 service (gov't-mandated location tracking)
  – Navigation & mapping
  – Location-sensitive ads
  – Local traffic / weather
  – Finder apps
  – Social networking
  – Remote monitoring (e.g., tracking children)
  – Safety (e.g., in VANET)
  – …
• Risks of location disclosure
  – Tracking / linking
    • Surveillance
    • Inferring context: lifestyle, medical condition, political views, preferences
    • → Targeted malice (e.g., stalking)
  – Location-sensitive ad spam
  – …

Cellular Location
• Service providers are required by law to track cell phone locations using GPS or tower-based triangulation
  – For emergency use, law enforcement use, etc.
  – Disclosure of location information is tightly regulated
    • Mostly “opt-in” disclosure only
• Mobile apps and services using location are not part of this protection

Location Privacy in Apps
• Third-party apps are subject to different laws and policies regarding location
  – Apps can (and do!) take advantage of unnecessary privileges to record users' location, movement, etc.
  – Location privacy is really in the hands of the mobile developers, not the users or providers
  – Significant number of selected Android apps recently shown to incorrectly manage sensitive info [Enck et al., “TaintDroid”, USENIX OSDI 2010]

WLAN Location
• Challenges to location privacy in WLAN
  – Network operators are untrusted
  – High density of APs; many may be malicious
  – Precise (~1m) localization
  – Broadcast IDs (MAC addresses)
    • Very easy to eavesdrop on devices' MAC addresses, even if security features are enabled
    • Static MACs allow for easy tracking of devices/users
  – MAC pseudonyms can be used to prevent tracking
    • As long as previous/current MAC addresses are unlinkable [Gruteser & Grunwald, WMASH 2003]

Mitigating Traceability
• Preventing packet correlation for tracking
  – In WiFi, RFID, Bluetooth, etc.
    • Synchronization, shared secrets, and PRNG are enough to use pseudonyms effectively (as in WiFi systems)
    • Without sync + PRNGs (such as RFID tags), a trusted authority (RFID database) can store ID-to-pseudonym look-up table [Alomair et al., DSN 2010]
  – Even with ID pseudonymity, attackers can observe and correlate traffic to trace users
    • → Location privacy isn't just about the location or the user ID

Traffic Anonymization
• In multi-hop networks (MANET/WSN), packet linking via traffic analysis can expose source and relay locations
  – Analysis of inter-packet timing reveals correlation
  – Possible approach to source anonymity is to inject dummy traffic and randomize packet timing to reduce correlation [Alomair et al., Globecom 2010]

Leveraging Silence
• Communication is typically bursty
  – Short-lived sessions of activity, followed by sessions of inactivity, or “silence”
  – Silent periods can be used instead of synchronization
    • Sender and receiver know to refresh pseudonyms whenever a burst session begins
  – Vehicular networks (VANET) [Sampigethaya et al., ESCAR 2005]
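
An added sketch covering both the "Mitigating Traceability" point (shared secret plus PRNG gives usable pseudonyms) and the silent-period refresh above; it is not code from the slides or from the cited papers. Assumptions: HMAC-SHA256 keyed with the shared secret stands in for the PRNG, the burst index is the only synchronization state, and the secret, timestamps, silence threshold and all names are constructed.

```python
import hashlib
import hmac

def pseudonym(secret: bytes, counter: int) -> str:
    """Derive the MAC pseudonym for one burst from the shared secret."""
    digest = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    octets = bytearray(digest[:6])
    octets[0] = (octets[0] | 0x02) & 0xFE  # locally administered, unicast address
    return ":".join(f"{o:02x}" for o in octets)

def bursts(timestamps, silence=5.0):
    """Map packet times to burst indices: a gap longer than `silence`
    starts a new burst, and therefore a new pseudonym."""
    idx, out, last = 0, [], None
    for t in timestamps:
        if last is not None and t - last > silence:
            idx += 1
        out.append(idx)
        last = t
    return out

def observed(secret, timestamps):
    """Source addresses an eavesdropper would see for these packets."""
    return [pseudonym(secret, i) for i in bursts(timestamps)]

class Receiver:
    """Peer holding the shared secret; tolerates a few missed bursts."""
    def __init__(self, secret, window=3):
        self.secret, self.counter, self.window = secret, 0, window

    def recognise(self, mac):
        """Return the burst index if mac is a current or upcoming pseudonym."""
        for c in range(self.counter, self.counter + self.window + 1):
            if hmac.compare_digest(pseudonym(self.secret, c), mac):
                self.counter = c  # resynchronise; earlier pseudonyms are no longer accepted
                return c
        return None

# Constructed sample: three bursts separated by silent periods.
SECRET = b"constructed-shared-secret"
TIMES = [0.0, 0.4, 0.9, 12.0, 12.3, 40.0]

if __name__ == "__main__":
    rx = Receiver(SECRET)
    for t, mac in zip(TIMES, observed(SECRET, TIMES)):
        print(t, mac, rx.recognise(mac))
```

As the slide on traceability notes, this only removes the identifier as a linking handle; packet timing and other traffic features remain observable.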

Location Privacy Challenges
1. Understanding the privacy goals
  – What needs to be protected?
  – What are the rules to be enforced?
2. Understanding the threat
  – What are attackers' goals, capabilities, methods, …?
  – Practicality of attacker assumptions?
3. Metrics
  – How to measure privacy protection and enforcement?
  – How to evaluate and incorporate risk?

Concerns for Developers
• What can developers do to protect location?
  – Protect explicit location information
    • Secure storage of location data
    • Don't store it at all
  – Protect against location “leakage” - implicit info
    • Include an anonymization mechanism to protect against tracking, traffic analysis, etc.
  – Develop according to a well-defined attacker model
  – Disclose location usage to users

Concerns with Developers
• Unfortunately:
  – Malicious developers can scrape location information very easily
  – Users are responsible for checking permissions to see what apps are allowed to do
  – Users are responsible for reading license agreements and disclosure statements to see what developers claim they are doing with user data

What's Next?
• 11/2: SURVEY on mobile location privacy
• 11/7: Guest speaker – Didier Serra, Inside Secure
• 11/9: Exam