Mobile Location Tracking in Metro Areas: Malnets and Others Nathaniel Husted, Steven Myers Indiana University Presented By: Adel Rajab

Jan 18, 2016


Esmond Farmer
Transcript

A Methodology for Empirical Analysis of Permission-Based Security Models and its Application to Android

Mobile Location Tracking in Metro Areas: Malnets and Others
Nathaniel Husted, Steven Myers
Indiana University
Presented By: Adel Rajab

Agenda
Malnets
Introduction
Scenario Overview
Methodology
Results
The UDelModels Simulator
Physical Realization Of A Tracking Network
Mitigating Privacy Attacks
Related Work
Conclusion

Malnets
What are Malnets?

Malnets are distributed network infrastructures within the Internet that are built, managed and maintained by attackers for the purpose of geolocating specific individuals.

Malnets
Adversary networks that control wireless routers or APs to target the physical geography.

Malnets exploit routers that are within the transmission range.
(1) Under the complete control of the adversary
(2) Triangulate your physical location

Malnets
Malnets are botnets created from routers, cellphones, and other non-traditional computational WiFi devices.
Botnets hijack users' PCs to pump out spam and malware.
Malnets use servers, such as the exploit servers.
Servers that are owned and operated by the criminals themselves.
Supplemented by other servers which they may have infected.
Compromised routers control the flow of traffic between clients and the Internet.
Therefore, malnets can also implement many of the attacks that are common to traditional botnets, such as denial-of-service attacks.

Introduction
Location privacy has become a topic of specific concern.
Due to the increase of GPS users.
Web location services.
Geolocation of network addresses.
Locating wireless devices for beneficial reasons has been looked at by computer scientists.
Such as an Amber Alert service to locate missing children by having electronic toys with embedded WiFi, such as Zunes.
A theft recovery network that searches for stolen goods with WiFi devices incorporated.

Introduction
Wireless routers provide an easy way to introduce small networks into homes, offices, and public areas.
They change the relationship between users and the Internet.
Always connected.
The dangers of such devices often lie in their simplicity.
Lack of training, knowledge, or motivation to properly secure those networks.
Also, the devices and the protocols they run are in many cases poorly designed and vulnerable.

Introduction
WiFi radios broadcast identification numbers that uniquely identify them.

With smartphones carrying embedded WiFi radios that are powered on comes the ability to track individuals' movements.

The work specifically quantifies the degree to which WiFi identifier leakage presents a potential threat due to malnets.

Introduction
Tracking of individuals in dense metropolitan areas is conceivable by a small and mobile sub-population working in collusion to monitor others' locations.

A small percentage of detectors can track the majority of users a significant fraction of the time.

Different variables can affect tracking, such as population density, detection rate and broadcast radius.

Small changes in the broadcast radius of wireless signals have a significant effect on the ability to track individuals.

Introduction
Most of the entire population now carries a smartphone.

Smartphones and routers have access to a number of sensors that traditional PCs do not, which permits the use of these sensors for new types of attacks with such malnets.

Scenario Overview

[Figure: scenario diagram showing Eve and Alice]

Scenario Overview
Eve can determine Alice's position from the behaviors of smartphones and their users.

The coverage of infected devices with respect to the route Alice is taking over time.
The broadcast diameter of Alice's wireless radios.
The frequency with which Alice's device broadcasts its identity.

Overview
Note that WiFi radios constantly send out probe frames even when not connected to a network.

The malnet devices work as triangulators.
When connected to an AP
Any WiFi-enabled device's position
By using online database reporting schemes
Such as Skyhook, which can geolocate a WiFi router using its BSSID address.
Detecting and knowing the location of a device
Simple algorithms can be sufficient to position the device to different degrees of confidence.
To know who will use the BSSID to confirm
Disguised as a point or a goal hotspot often connected AP

Overview
Determining a User's BSSID (MAC)
Ask any nearby detector nodes and do data filtering.
If a tracker controlled a diverse number of APs, they could attempt to trick a user into connecting to one.
Example: AP firmwares which can create multiple wireless interfaces.
Purchase BSSIDs that had been associated with individuals.
Ad networks can team up with hotspot providers such as T-Mobile and request the information of customers who connect to the hotspot.

Methodology
1. Simulate an appropriate number of traces.
2. Choose a set S of locators (S is infected individuals).
3. Choose a set T \ S of tracked individuals.
4. Simulate the traces over a given time period, with transition times of one second.
5. At each time period, for each x ∈ T record each y ∈ S that is within transmission diameter d.
6. For each maximal set {y} ⊆ S that observes x in a given time period, use trilateration to minimize the area within which x is expected to be.
7. Determine the frequency with which each tracked individual x ∈ T is observed and to what area of accuracy (in m²) his or her position is learnt.

Because H.264/AVC SVC factors interfere, there would be no way to know exactly where the signal was sent by the tracker.

Methodology
It is hard to determine the exact trace of phone wireless beacons, due to absorption, refraction, diffraction and reflection of radio waves.
The beacon range is approximated by a sphere of a given radius.
A number of radii from 15 m to 45 m are considered, to represent lower and upper bounds on 802.11g wireless transmissions.
To speed up the calculation of proximity detection, since the sphere is already an approximation, locations are detected within the tightest bounding cube of the corresponding sphere.
If multiple locators are able to locate a device, then use step 6.
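
The seven methodology steps and the bounding-cube shortcut above, as an added example that is not from the paper or the presentation: a 2D sketch on constructed random-walk traces (not UDelModels traces) that reports how often tracked individuals are observed, and to what area, for a given broadcast radius. Intersecting bounding squares stands in for trilateration; the population size, square side, walking pace and 10% locator fraction are assumptions.

```python
import random

def bounding_area(locators, radius):
    """Area (m^2) of the intersection of the bounding squares around every
    observing locator. Stands in for trilateration (assumption of this example)."""
    xs = [p[0] for p in locators]
    ys = [p[1] for p in locators]
    w = (min(xs) + radius) - (max(xs) - radius)
    h = (min(ys) + radius) - (max(ys) - radius)
    return max(w, 0.0) * max(h, 0.0)

def simulate(radius, n_people=300, frac_locators=0.10, side=300.0,
             steps=60, seed=7):
    """Run steps 1-7 on constructed traces; return (detection frequency,
    mean area in m^2). All default parameter values are assumptions."""
    rng = random.Random(seed)
    # Step 1: constructed traces, random start points in a side x side square.
    pos = [[rng.uniform(0, side), rng.uniform(0, side)] for _ in range(n_people)]
    ids = list(range(n_people))
    rng.shuffle(ids)
    n_loc = max(1, int(n_people * frac_locators))
    S, T = ids[:n_loc], ids[n_loc:]   # steps 2-3: locators S, tracked T disjoint from S
    observed, areas = 0, []
    for _ in range(steps):            # step 4: one-second transitions
        for p in pos:                 # walking pace, at most 1.4 m per axis per second
            p[0] = min(side, max(0.0, p[0] + rng.uniform(-1.4, 1.4)))
            p[1] = min(side, max(0.0, p[1] + rng.uniform(-1.4, 1.4)))
        for x in T:
            # Step 5 with the bounding-square shortcut instead of a circle test.
            seen = [pos[y] for y in S
                    if abs(pos[y][0] - pos[x][0]) <= radius
                    and abs(pos[y][1] - pos[x][1]) <= radius]
            if seen:
                observed += 1
                areas.append(bounding_area(seen, radius))   # step 6
    # Step 7: how often, and how precisely, tracked individuals are located.
    mean_area = sum(areas) / len(areas) if areas else float("nan")
    return observed / (len(T) * steps), mean_area

if __name__ == "__main__":
    for r in (15.0, 45.0):
        freq, area = simulate(r)
        print(f"radius {r:g} m: observed {freq:.1%} of person-seconds, "
              f"mean area {area:.0f} m^2")
```

Because the traces do not depend on the radius, the two runs differ only in broadcast range, which isolates the effect that the transmit-power mitigation relies on.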

Methodology
Population Density and Simulations.
Chicago, Dallas using LandScan
9 block with 9056
16 block with 2988
3D vs. 2D.
People going up
People going down
People working in offices
Mobile vs. stationary devices
Consider only mobile device detectors

find the number of 2D to compare

Mobile information that contain a high degree, but also in the simulated region, AP WiFi devices with relatively few fixed

Methodology
Metropolis vs. Other Environments
Detection requires a certain amount of density, as targets need to be in proximity to detectors.
The UDel simulator models and matches statistics only for metropolitan areas.
Pedestrians vs. Vehicles
Cannot find some of the vehicle parameters used inside the UDel simulator.
The Usage of Phones
How frequently are people actively using their devices, and thus how often is the WiFi radio sending out probes?

Results
Frequency of Detection
Comparison of Dallas to Chicago
Density of Populations
The Effect of Network Prevalence on Detection
The Effect of Broadcast Diameter

The UDelModels Simulator
The reason to use the UDelModels simulator is to produce reasonable simulations of people moving through several city blocks of downtown cities.

This simulator attempts to recreate accurate human mobility, both micro and macro, by producing traces that match a number of key observed statistics from a number of data sources.

Physical Realization Of A Tracking Network
A lot of BSSIDs with tracking software.
A control mechanism for smartphones to monitor BSSIDs.
A central system to accumulate data.
The malnet will monitor wireless traffic and look for probe request frames.

Physical Realization Of A Tracking Network
Received Signal Strength Indication (RSSI) measures the strength of the radio signal detected and has historically been used as a proxy for distance in wireless positioning.
Send the record to the central database and then triangulate the location.

Mitigating Privacy Attacks
How to defend
Ensure that the radios do not broadcast.
Jiang et al.:
BSSID pseudonym that changes every time a client connects to a mobile access point
An opportunistic silent period
Decreasing the transmit power of the wireless device dynamically
Greenstein et al.: SlyFi is an 802.11-like wireless link layer protocol that obfuscates all transmitted bits to increase privacy.
Opportunistic silent period: a period in which the client does not send any information, as long as the client asks the access point for a different fake BSSID.

Related Work
A number of other novel positioning schemes have been developed.
Delaunay-triangulation based complete coverage in wireless sensor networks
A sensor network is a special kind of ad-hoc network.
It watches over the environment and collects environment parameters.
This work deals with the area coverage problem for variable sensing radii in WSNs.
With variable sensing range, continuous space in the area coverage is harder than covering discrete points in the target coverage problem.

Related Work
Due to the boundary effect, which is caused by the fact that the coverage status in the bordering region is different from the center region, their proposed algorithms cannot always provide complete surveillance for the whole network.
They proposed new algorithms that provide complete coverage for all the cases.
For an adjustable-sensing-range WSN S = {s1, ..., sn}, they assume that each sensor si is able to smoothly adjust its sensing range under some upper cut-off range.

Related Work
Location in distributed ad-hoc wireless sensor networks
The problem:
Finding the position of networking nodes
Relative positioning vs. absolute positioning

Reference Positions, Map Database
Other Networking Nodes, Distance and Geometric Constellation

Related Work
This work deals with the triangulation problem of wireless networks.
The sensor nodes' communication range is limited to their immediate neighborhood.
The accuracy derived through triangulation depends heavily on:
The geometry of the position references,
The configuration of network nodes,
The accuracy of the range measurements.

They propose an algorithm called Triangulation via Extended Range and Redundant Association of Intermediate Nodes (TERRAIN).
It improves dilution of precision by incorporating redundancy into the triangulation solution and exploiting high connectivity.

It uses information from neighboring nodes in an ad-hoc network to triangulate the node positions.

Related Work
Triangulation via Extended Range and Redundant Association of Intermediate Nodes
ABC algorithm creates maps
Target node waits to be included in 3 maps
Extended ranges calculated from respective maps
Triangulation by target node based on extended ranges
Iterate network-wide triangulation
[Figure: nodes 1, 2, 3 with radio range, extended range and intermediate node labels]

Related Work
Geolocation in Ad Hoc Networks Using DS-CDMA and Generalized Successive Interference Cancellation

The goal of this paper is to present a comprehensive suite of algorithms that can address the entire radiolocation problem.

Channel estimation and distributed positioning algorithms are presented for geolocation in a wireless ad hoc network.

The network uses a direct-sequence code-division multiple-access-based handshaking protocol, in which nodes receive multiple acknowledgment packets in response to a request-to-send waveform.

Related Work
Round-trip travel time (RTT) and angle-of-arrival (AOA) measurements are obtained using the generalized successive interference cancellation/matching pursuits (GSIC/MP) algorithm.

The method is generalized for distributed estimation in sparsely connected networks:

At each node, the position estimates from the connected nodes are incorporated via a fusion algorithm and updated using locally processed RTT/AOA measurements.

As a result, GSIC/MP offers reliable channel estimation.

Also, using successive interference cancellation, GSIC/MP effectively combats the near-far effect, even when power control is not available.

Conclusion
Previous works have provided countermeasures to ensure privacy.

Quantify the potential for pervasive monitoring.

Different variables have significant effects on tracking capability, such as:
Changing the radius
Population density

Conclusion
All that is required is a way of gathering up mobile nodes in a sensor network via legitimate software or malware, and a system to process the sensor data.

The potential outcomes are disturbing; therefore, there is a need to strongly consider the current implementation and apply new methods to mitigate wireless detection.

THANK YOU
