Mobile Computing
Security and Privacy
Dan Siewiorek, June 2012
© 2010-2011-2012 Daniel P. Siewiorek


Page 2:
Outline

Overview, Privacy, Access/Security, Trust

Page 3:
Security and Privacy

Privacy/Location
» Pseudonyms [Beresford]
» Spatial/Temporal Cloaking [Gruteser]
» Rule Based [Myles]

Access/Security
» Transient Authentication [Corner]
» RFID [Kriplean]
» Photographic [Pering]
» Monitoring [Bahl]
» Keypad [Geambasu]

Trust
» Public Kiosks [Garriss]
» Trust-Sniffer [Surie]

Page 4:
Outline

Overview, Privacy, Access/Security, Trust

Page 5:

Blueroof Model Smart Cottage

Page 6:
Cottage Sensor Network

[Figure: numbered sensor locations 1 to 18]

Discrete
» Stove & oven on/off
» Washer and dryer on/off
» Refrigerator & freezer door
» Kitchen cabinets & drawers
» Shower, faucet running
» Commode filling
» Toothbrush on/off
» Sofa, chair occupied
» Bed occupied
» TV on/off
» Phone in use
» Interior motion
» Front door, back door
» Closet doors

Other
» IP cameras
» Medication drawer

Page 7:
Smart Homes and Communities

McKeesport Independence Zone (McKIZ)
Move the paradigm of an aware and assistive home to an aware and assistive community

Blueroof Independence Module (BIM)

Page 8:
Privacy Attitudes: National Web Survey

Scott R. Beach, Kate Seelman, Richard Schulz, Bruce Barron, Julie S. Downs, Laurel P. Mecca, Judith T. Matthews

Page 9:
Overview

National web-based survey
» Online survey panel maintained by Survey Sampling International (SSI, Inc.)
» Non-probability sample, but demographically and geographically diverse
» Targeted middle aged and older adults with and without disability – potential users of QoLT (N=1610)

Reference: Beach et al. (2009). Disability, Age, and Informational Privacy Attitudes in Quality of Life Technology Applications: Results from a National Web Survey. Transactions on Accessible Computing (TACCESS), Special Issue on Aging and Information Technologies.

Page 10:
Background

Privacy concerns may affect public acceptance of monitoring technology, depending on

Type of behavior
» Vital signs, moving about the home, taking medication, cognitive ability, driving, toileting

Recipient of the data
» You, family, doctor, researchers, insurance company, government

Method of data collection/recording and sharing
» Video with sound, video without sound, sensor

Page 11:
Privacy Results: Type by Recipient

Insurance companies and government least acceptable as recipient
Driving information sensitive outside family contexts

[Chart: acceptability rating (scale 1 to 10) by recipient (You, Family, Doctor, Research, Insurance, Govt), one series per behavior type (Vital, Move about, Meds, Cog Ab, Drive, Toilet)]

Page 12:
Privacy Results: Method by Recipient

Video and video with sound less acceptable than sensors
Some types of information (e.g., toileting) may be totally out of bounds for visual access

[Chart: acceptability rating (scale 1 to 10) by method (Video with sound, Video without sound, Sensor), one series per behavior type (Vital, Move about, Meds, Cog Ab, Drive, Toilet)]

Page 13:
Acceptability of Sharing/Recording Health Information by Disability Level and Age

Controlling for gender, education, race, general technology attitudes, and assistive device use

[Chart: acceptability (axis ticks 4 to 8) by disability level (Non-disabled, IADL only, ADL + IADL), series Age 45-64 and Age 65+]

Page 14:
Acceptability of Sharing/Recording Health Information by Disability Level and Internet Use: Web Survey Replication

[Chart: acceptability (axis ticks 4 to 8) by disability level (Non-disabled, Disabled), series Internet user and No internet use]

Page 15:
Summary / Conclusions

Disabled individuals are more accepting of sharing / recording health information than non-disabled (replicated with computer users vs. not)
Dose response effect: ADL > IADL > Non-disabled
Found among both boomers (45-64) and older adults (65+)
Suggests trade-offs of privacy for enhanced function

Page 16:
Background

Explored trade-offs between:
» Reduced Privacy vs. Independence
» Reduced Privacy vs. Functional Benefits
» System Demands vs. Functional Benefits
» Loss of Social Interaction vs. Functional Benefits

Page 17:
Overview

Mail survey of local gerontology research registry members
Includes primarily older adults with and without disability – potential users of QoLT (N=350)
40% response rate (350/882)
» 64% female
» 95% age 60 or older
» 23% high school or less; 42% college grads
» 64% internet users; 36% non-users
» 40% report activity limitations

Page 18:
Acceptance of Differing Levels of Home Monitoring and Target Recipients to PREVENT GOING TO A NURSING HOME

Page 19:
Acceptance of Varying LEVELS OF HOME MONITORING with Technology Providing Varying Types of Assistance

Page 20:
Acceptance of REDUCED EFFICIENCY RELATIVE TO HUMAN with Technology Providing Varying Levels of Assistance

Page 21:
Acceptance of Varying TRAINING REQUIREMENTS with Technology Providing Varying Levels of Assistance

Page 22:
Acceptance of Varying DAILY MAINTENANCE REQUIREMENTS with Technology Providing Varying Levels of Assistance

Page 23:

Summary / Conclusions

Respondents less accepting of video monitoring – especially when done in the bedroom and bathroom – than sensors; and of sharing information with insurance companies, even if they would prevent loss of independence

Respondents generally rejected technology that limited social interaction and required intense training to learn how to use, regardless of the type of assistance provided by the technology

Page 24:
Summary / Conclusions

Tipping point for acceptance of time to perform task: twice as long as human attendant (30% drop in acceptability)

Tipping point for acceptance of time for daily maintenance: 1 hour (40% drop in acceptability)

Results provide initial evidence for the implicit trade-offs that users make when deciding whether to adopt QoLT, which have important implications for design

Page 25:
Privacy

Centralized Service
» Policy Based Contracts
» Spatial/Temporal Cloaking - resolution of location information in space/time (k-anonymous)
» Pseudonyms - mixing zone

Distributed Service
» Abstractions

Page 26:

Location Service Architecture Alternatives

Page 27:
“Sometimes Less is More”: Multi-Perspective Exploration of Disclosure Abstractions in Location-Aware Social Apps

Karen P. Tang

Page 28:
Privacy Risks = Adoption Barrier

location is now easier to sense, share & access
privacy risks lead to adoption barrier [hong, ’03]

Spectrum from day-to-day risks to extreme risks:
» within your social network: over-protection, over-monitoring; embarrassment, reputation loss
» government: civil liberties
» stalkers: well-being, safety
» businesses: spam, data mining

Page 29:

Problem: Privacy vs. Utility Tradeoff

Page 30:
Problem: Privacy vs. Utility Tradeoff

share nothing & no social benefits
share precise location (GPS) & max social benefits

Page 31:
Solution: Privacy vs. Utility Scaffolding

share nothing & no social benefits
share precise location (GPS) & max social benefits
use location abstractions to scaffold privacy concerns

Page 32:
Types of Location Abstractions

location information | abstraction type
(40.444507, -79.948530) | (specific) geographic
417 S. Craig St, Pittsburgh, PA 15213 | (specific) geographic
Starbucks | (specific) semantic
My favorite coffee shop | (specific) semantic
Coffee shop | (general) semantic
Oakland, Pittsburgh, PA | (general) geographic
Pittsburgh, PA | (general) geographic
Pennsylvania | (general) geographic
USA | (general) geographic
[no information] |

(axis label: specificity)

Page 33:
Why Use Location Abstractions?

Useful properties of abstractions
» supports plausible deniability [lederer, ’03; hong, ’04]
» provides degrees of privacy [hong, ’05; solove, ’08]
» mimics conversational dialogue [weilenmann, ’03]

Page 34:
Spectrum of Location Sharing Applications

push-based sharing: user or event driven (“I’m here now”)
pull-based sharing: request-driven (“where is Alice now?”)
synchronous / asynchronous
sharing current location / sharing past locations

Page 35:
Past Research Examples of LSAs

Timeline (1992 to 2009):
» active badge [want ’92]
» connexus [tang ’01]
» activecampus [griswold ’03]
» lemming [hong ’04]
» watchme [marmasse ’04]
» esm study [consolvo ’05]
» reno [smith ’05]
» contextcontacts [raento ’05]
» whereabouts [brown ’07]
» connecto [barkhuus ’08]
» locaccino [sadeh ’09]

Page 36:
Past Research Examples of LSAs

[Timeline of the same LSAs, 1992 to 2009]

“Groups of people who regularly wanted to hold meetings could find each other easily with very little notice.”

Page 37:
Past Research Examples of LSAs

[Timeline of the same LSAs, 1992 to 2009]

Given mobile users’ fragmented attention, the time it takes to make a phone call must remain extremely short…These [context] cues [which include location] should facilitate decisions about whether to call, and if so, which communication channel to use.

Page 38:
Past Research Examples of LSAs

[Timeline of the same LSAs, 1992 to 2009]

Phoebe wonders what she and her husband, Ross, will do for the evening, so she sends a location query to Ross. While he is waiting at the bus stop near his office, Ross sends a location update to Phoebe. Phoebe receives the message at home, eagerly anticipating Ross’ arrival home. When Ross gets off the bus, a location update is sent to Phoebe and she knows that he’s only 10 minutes away. She sets out dinner just in time for her husband’s arrival.

Page 39:
Common Themes for Location Sharing

often driven by functional purposes
» coordination
» collaboration
» interruptibility
» event planning

Page 40:

Industry Trends for Information Sharing

Online social networks (OSNs)

» diverse networks, lots of weak links [wellman ‘01]

» very large networks [donath ‘04]

Sharing is often not because one needs to share, but because one wants to share

Driven by a social reason for sharing

Page 41:
Commercial Examples of LSAs

Mostly aimed at social-driven sharing

[Timeline of commercial LSAs, 2005 to 2010]

Page 42:
Commercial Examples of LSAs

Mostly aimed at social-driven sharing

[Timeline of commercial LSAs, 2005 to 2010]

“I'm just down the street!” Never miss another chance to connect when you happen to be at the same place at the same time. [facebook places]

Find out who’s around, what to do, and where to go. Introducing…the new Loopt so you can always stay connected… [loopt]

Share your location and stay connected with your friends. [plazes]

Page 43:

Framework for Location Sharing

Page 44:
Pseudonyms [Beresford]

Register for a location specific call back but the application is untrusted
» Anonymity Set – set of all possible subjects who might cause an action
» Application Zone – where user has registered for a call back
» Mix Zone – spatial region where none of the users has registered any application call back

User changes pseudonym in mixing zone
» Application seeing user emerge from mixing zone cannot distinguish from other users in mixing zone

Page 45:
Spatial and Temporal Cloaking [Gruteser]

Anonymous use of location based services
Adjusts resolution of location information in space/time to anonymity constraints of location service users within an area
K-anonymous – indistinguishable from at least k-1 others

Adaptive Interval Cloaking
» Sub-divide area around subject until number of subjects in area falls below Kmin
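The subdivision rule above, as an added example that is not part of the original slides or of Gruteser's implementation: the area is split into quadrants around the subject until the next split would hold fewer than k_min subjects, and the last quadrant that still met k_min is reported instead of the exact position. It covers the spatial case only; `Box`, `cloak`, `max_depth` and the sample coordinates are assumptions made for the illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Box:
    """Axis-aligned area, half-open on its upper edges: [x0, x1) x [y0, y1)."""
    x0: float
    y0: float
    x1: float
    y1: float

    def contains(self, p):
        x, y = p
        return self.x0 <= x < self.x1 and self.y0 <= y < self.y1

    def quadrant_of(self, p):
        """Return the one of the four equal quadrants that contains point p."""
        x, y = p
        mx, my = (self.x0 + self.x1) / 2, (self.y0 + self.y1) / 2
        return Box(self.x0 if x < mx else mx, self.y0 if y < my else my,
                   mx if x < mx else self.x1, my if y < my else self.y1)


def cloak(subject, others, area, k_min, max_depth=16):
    """Smallest quadrant around `subject` holding at least k_min subjects.

    The subject counts toward k_min, so the result is shared with at least
    k_min - 1 others. Returns None when even the whole area cannot satisfy
    k_min: the location must then be withheld rather than released.
    """
    population = [subject, *others]

    def count(box):
        return sum(box.contains(p) for p in population)

    if not area.contains(subject) or count(area) < k_min:
        return None
    current = area
    for _ in range(max_depth):          # max_depth bounds the finest resolution
        child = current.quadrant_of(subject)
        if count(child) < k_min:        # stopping rule: next split breaks k_min
            break
        current = child
    return current


# Constructed sample data: one subject and six other users on a 1024 x 1024 grid.
AREA = Box(0, 0, 1024, 1024)
SUBJECT = (100, 100)
OTHERS = [(120, 90), (200, 220), (300, 50), (130, 400), (600, 600), (900, 100)]

if __name__ == "__main__":
    for k in (2, 3, 5, 8):
        print(k, cloak(SUBJECT, OTHERS, AREA, k))
```

Raising k_min widens the reported area (64 units wide for k_min=2, 512 for k_min=5 on this sample), which is the privacy versus resolution trade-off the slide describes.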

Page 46:
Location-Based Applications [Myles]

Machine readable privacy policies and user preferences to automate privacy management

Rule Based
» Organization
» Service
» Time
» Location
» Request Type
» Context

Page 47:
Policy rule base for a general-purpose validator describing Sally’s preferences [Myles]

[Figure: rule table; surviving labels: employer, employer, restaur, fun time, taxi, fun time, find friend]

Page 48:
Outline

Overview, Privacy, Access/Security, Trust

Page 49:
Security and Privacy

Privacy/Location
» Pseudonyms [Beresford]
» Spatial/Temporal Cloaking [Gruteser]
» Rule Based [Myles]

Access/Security
» Transient Authentication [Corner]
» RFID [Kriplean]
» Photographic [Pering]
» Monitoring [Bahl]
» Keypad [Geambasu]

Trust
» Public Kiosks [Garriss]
» Trust-Sniffer [Surie]

Page 50:
Security Attacks

Attack Type | Description | Defense
Eavesdropping | Passively Listen | Encryption
Replay | Capture and Rebroadcast | Detection, Isolation
Denial of Service | Overload service with repeated requests | Detection, Isolation
Phishing | Lure unsuspecting clients to reveal personal information | Education
Malicious Software | Keystroke logger, rogue virtual machine | Detection, Isolation
Rogue Wireless Access Point | Plug unauthorized access point into network | Detection, Isolation

Page 51:
Dense Arrays of Inexpensive Radios [Bahl]

Add wireless to desktop machines
Look for Rogue Access Points bridging to wired network
Detect variations of Denial of Service Attacks
» Disassociation/Deauthentication messages
» Messages with large duration values in header
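The two Denial of Service indicators listed above, as detection logic run over frame summaries. This is an added example, not code from the slides or from Bahl's system: the record layout, `detect`, the window and thresholds, and the sample frames are all assumptions made for the illustration.

```python
from collections import defaultdict, deque

# 802.11 frame type / management subtype numbers.
MGMT, DATA = 0, 2
DISASSOC, DEAUTH = 10, 12

# Assumed thresholds; tune them against a baseline of the monitored network.
WINDOW_S = 1.0          # sliding window for counting teardown frames
MAX_TEARDOWNS = 5       # more than this per (BSSID, client) per window is a flood
MAX_DURATION_US = 2000  # duration/NAV values above this are treated as suspicious


def detect(frames):
    """Return alerts for teardown floods and for oversized duration fields."""
    alerts = []
    recent = defaultdict(deque)   # (bssid, dst) -> timestamps inside the window
    flagged = set()               # pairs already reported, to avoid repeat alerts
    for f in sorted(frames, key=lambda fr: fr["ts"]):
        if f["type"] == MGMT and f["subtype"] in (DISASSOC, DEAUTH):
            # Forged teardown frames claim the AP's address, so count per
            # (BSSID, target client) pair rather than trusting the source field.
            key = (f["bssid"], f["dst"])
            window = recent[key]
            window.append(f["ts"])
            while f["ts"] - window[0] > WINDOW_S:
                window.popleft()
            if len(window) > MAX_TEARDOWNS and key not in flagged:
                flagged.add(key)
                alerts.append(("teardown-flood", f["bssid"], f["dst"], f["ts"]))
        if f["duration_us"] > MAX_DURATION_US:
            # A large duration makes other stations defer from the channel.
            alerts.append(("large-duration", f["src"], f["duration_us"], f["ts"]))
    return alerts


# Constructed sample capture (locally administered MAC addresses).
AP = "02:00:00:00:00:01"
CLIENT_A = "02:00:00:00:00:0a"
CLIENT_B = "02:00:00:00:00:0b"


def frame(ts, ftype, subtype, src, dst, duration_us, bssid=AP):
    return {"ts": ts, "type": ftype, "subtype": subtype, "src": src,
            "dst": dst, "bssid": bssid, "duration_us": duration_us}


SAMPLE_FRAMES = (
    [frame(0.00, DATA, 0, CLIENT_A, AP, 44),
     frame(0.50, MGMT, DEAUTH, AP, CLIENT_B, 314)]       # single, ordinary deauth
    + [frame(2.00 + 0.05 * i, MGMT, DEAUTH, AP, CLIENT_A, 314)
       for i in range(8)]                                # burst aimed at CLIENT_A
    + [frame(3.00, DATA, 0, CLIENT_B, AP, 32767),        # oversized duration field
       frame(3.10, DATA, 0, CLIENT_A, AP, 44)]
)

if __name__ == "__main__":
    for alert in detect(SAMPLE_FRAMES):
        print(alert)
```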

Page 52:
Dense Arrays of Inexpensive Radios [Bahl]

Passive – listen for beacons
Active – probe, wait for responses

Tests
» Association – AirMonitor associates, pings, wired network
» Source/Destination address – check if suspect address on corporate network
» Replay frames from suspect, look for duplication
» DHCP Signature format of known models on network

Page 53:
Transient Authentication [Corner]

Continuously authenticate user’s presence over short range wireless
» When user departs, user processes suspended and in-memory pages encrypted
» When user returns – pages decrypted and process restarted

RSA Encryption
» Public and private keys. Data encrypted with public key. Only private key can decrypt
» Private key can be used to sign messages – anyone can verify using public key

Page 54:

RFID [Kriplean]

RFID Ecosystem collects data and stores on centralized server

Physical Access Control (PAC) protects privacy by constraining the data a user can obtain to those events that occurred when and where they were physically present

Page 55:
Photographic Authentication [Pering]

Authentication through untrusted public internet to withstand replay attacks
User identifies their own photos
» Works with home server that has user’s photographs, account information

Page 56:
Keypad: Auditing File System [Geambasu]

Encryption plus remote key storage
Audit server involved with protected file access
Alert audit server after theft to refuse to return a particular file’s key
Audit server logs, so it knows which files someone attempted to access

Page 57:
Outline

Overview, Privacy, Access/Security, Trust

Page 58:
Security and Privacy

Privacy/Location
» Pseudonyms [Beresford]
» Spatial/Temporal Cloaking [Gruteser]
» Rule Based [Myles]

Access/Security
» Transient Authentication [Corner]
» RFID [Kriplean]
» Photographic [Pering]
» Monitoring [Bahl]
» Keypad [Geambasu]

Trust
» Public Kiosks [Garriss]
» Trust-Sniffer [Surie]

Page 59:

Public Kiosks [Garriss]

Personal device to establish trust in a public computing Kiosk

Determines identity and integrity of all software on the Kiosk

Page 60:
Rapid Trust Establishment [Surie]

Use with ISR
Fetches execution environment from a trusted server over an encrypted channel
Only have to verify integrity of small core of local ISR and Linux software
Trust initiator device - examines local disk to verify safe for a normal boot
Trust extender – kernel module
Trust alerter – user space notifier application