“When I am on Wi-Fi, I am Fearless:”
Privacy Concerns & Practices in Everyday Wi-Fi Use
Predrag Klasnja, Sunny Consolvo, Jaeyeon Jung, Benjamin M. Greenstein,
Louis LeGrand, Pauline Powledge, & David Wetherall
Information School & DUB Group, Intel Research Seattle
Presented by PierreElie Fauché
KAIST, CS540 May 14, 2009

Outline
Introduction
Exploratory study
Results
Discussion

Introduction

Use of Internet today
Hundreds of millions of people
Work, look for information, shopping, communicate with friends & family, romance
Standalone applications have their online counterparts
Social networks

Access to the Internet today
Proliferation of 802.11 wireless networks
- offices, cafés, hotels, airports, homes, streets
- Wigle.net: about 17 million hot-spots
Proliferation of Wi-Fi capable devices
- notebooks, netbooks, UMPCs, smartphones, game consoles...

Wi-Fi has a cost: privacy
Many services transmit personal data without encryption
Broadcast nature of Wi-Fi technology: information is visible to everyone
Solutions to secure Wi-Fi (WEP, WPA) are not widely used and not 100% reliable
Hot-spot spoofing
Tracking user, information aggregation, identity theft

Purpose of the study
Understand...
- how aware people are of possible risks
- measures they take to protect themselves

Exploratory study

Procedures
Three components:
- initial in-person session
- 4 weeks of Wi-Fi use
- final in-person session

Initial in-person session
Background questionnaire about basic Internet uses
- where? when? what activities? wireless at home?
Diagrams: how well they understand Wi-Fi
- 2 diagrams to point out differences between two common internet tasks: Google search and bank account checking
- 1 diagram about Wi-Fi network boundaries
Installation of study software
- Requires personal information

4 weeks of Wi-Fi use
Participants use their laptops as they were used to
While on the Internet, they fill in experience sampling questionnaires
- where are you? what are you doing? is it important?
Study software...
- logged details about used applications, online activities and wireless networks used
- inspect whether any personal data is transmitted in the clear

Final in-person session
Last interview covered topics avoided in the initial session
- risks associated to Wi-Fi use (network snooping, malicious APs...)
- concerns about using Wi-Fi
- how they chose which network to connect to
Confrontation with security leaks
- personal data sent unencrypted; on which sites, how frequently
- were participants aware of such possible leaks? How do they feel?
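
Added example (not the study's software and not part of the original slides): a sketch of the check described above, flagging personal data sent over plain HTTP and counting it per site and per item. The function names, personal-data items and request log are assumptions constructed for illustration.

```python
from collections import Counter
from urllib.parse import urlsplit, unquote_plus

# Constructed personal-data items (what a participant would register at install).
PERSONAL_DATA = {"email": "alice@example.org", "full_name": "Alice Example",
                 "phone": "555-0100"}

# Constructed request log of (URL, request body); not data from the study.
SAMPLE_REQUESTS = [
    ("http://mail.example.com/inbox?user=alice%40example.org", ""),
    ("http://mail.example.com/compose", "from=alice%40example.org&name=Alice+Example"),
    ("https://bank.example.net/login", "email=alice%40example.org&phone=555-0100"),
    ("http://forum.example.org/profile", "name=Alice+Example&phone=555-0100"),
    ("http://news.example.com/story?id=42", ""),
]


def cleartext_exposures(requests, personal_data):
    """Count, per (site, item), how often a personal item was sent in the clear.

    Only plain-HTTP requests count: on an unencrypted Wi-Fi network their URL
    and body are readable by anyone in range; HTTPS encrypts both.
    """
    exposures = Counter()
    for url, body in requests:
        parts = urlsplit(url)
        if parts.scheme.lower() != "http":
            continue
        # Decode URL/form encoding so "alice%40example.org" matches the item.
        text = unquote_plus(f"{parts.path}?{parts.query}&{body}").lower()
        for label, value in personal_data.items():
            if value.lower() in text:
                exposures[(parts.hostname, label)] += 1
    return exposures


def report(exposures):
    """One line per (site, item), most frequent first."""
    return [f"{host}: {label} sent unencrypted {n} time(s)"
            for (host, label), n in exposures.most_common()]


if __name__ == "__main__":
    for line in report(cleartext_exposures(SAMPLE_REQUESTS, PERSONAL_DATA)):
        print(line)
```

The HTTPS banking request carries the same e-mail address and phone number but is not counted, which is the distinction diagrams 1 and 2 ask participants to make.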

Participants
11 frequent Wi-Fi users, from 19 to 63 years old
Must not have special technology knowledge
Represented various professions, with various levels of education
All used Wi-Fi at home and most used it at work

Analysis
This study focuses on interviews and diagrams to analyse:
- participants’ privacy and security concerns
- understanding of privacy and security risks associated with Wi-Fi
- strategies employed to protect themselves
Logging data was analyzed for first order statistics

Results

Overview of Wi-Fi use
Participants engaged in various online activities using a wide range of online applications
Connected to multiple, often unencrypted networks
All participants went to their most frequently visited web sites from nearly all networks

Application Types

Encryption of networks

Open Wi-Fi networks
Participants connected to networks that were sometimes already used by many other users

Understanding of Wi-Fi
Participants’ understanding of Wi-Fi analyzed with interviews and diagrams
Good understanding of how to use Wi-Fi,
But very limited comprehension of how it works and its inherent threats

How to use?
Participants are frequent Wi-Fi users, therefore they have a quite good practical knowledge
They are aware of factors affecting Wi-Fi such as network’s range, signal strength and signal propagation

How to use?
Network’s range
Participants drew the boundary of the café’s network on diagram 3
All participants drew a network that extended beyond the café itself
They understand that Wi-Fi networks often extend beyond the physical boundary of the location that is providing it

How to use?
Signal strength and propagation
With diagram 3, participants were asked about the ability to access the café’s network from other places, inside and outside the shopping center
Responses showed a good understanding of elements perturbing the signal
- distance
- obstacles

How to use?
Network selection
Signal strength is the main criterion to choose which network to connect to
Majority preferred free networks
Some were willing to pay for “a good signal”

How it works?
Participants had little Wi-Fi and networking knowledge
- 3 knew that WEP and WPA are encryption types
- 5 knew partly what an IP address is
- almost every participant knew what a router is
Diagrams 1 and 2: search on http://www.google.com and account checking on https://bankofamerica.com
Participants are asked to highlight any people/computer/device they thought may be able to see their search terms or account balance

How it works?
Diagram 1 from 2 participants

How it works?
Results:
Broadcast nature of Wi-Fi is only understood by a few participants
The role of SSL encryption is poorly understood

Threat models
The poor understanding of how Wi-Fi works seen previously has consequences for the threats perceived by the participants
Main threat: hackers breaking into their computers
- Considered as the main risk by 10 participants
- But the probability of such an attack was seen as very low, as it was supposed to require very high computing skills
Privacy threat: someone looking over the shoulder
- shared by 9 participants

Privacy & security concerns
Financial and personally identifiable information
- Most prevalent concern about using Wi-Fi - often the only concern
- Fear of identity theft or financial damage was everyone’s main source of preoccupation

Privacy & security concerns
Impression management
- Maintaining an image for others and not being misunderstood also dictate Wi-Fi behavior
- Participants did not connect to networks with strange SSIDs, fearing not the network itself but the impression it would give
- Applications used when on Wi-Fi are restricted so as not to be too personal

Privacy & security concerns
Consideration for others
- Participants showed concern about not offending others or putting them at risk by exposure: courtesy
- They restricted the applications they used in order not to expose confidential information about their relatives
- Concerns linked to physical intrusions, not from the network itself

Privacy & security concerns
Practices to handle these concerns
No online purchases or banking from public places
Trust in the web sites
- Some participants think of these web sites as being 100% secure
- Look for indications on webpages, rely upon the “secured questions”
Hiding the screen from others
- by either tilting the screen or taking a seat against the wall
Security software
- Firewalls and antivirus alleviate their primary concerns
False sense of safety

Risks
Participants were not aware of major risks implied by using Wi-Fi because of their limited understanding of how it works
Two major sources of concern:
- malicious access points
- visibility of unencrypted information

Malicious access points
Such possible access points never came to mind for most participants
They trust that the names accurately reflect the network provider
Only one participant was aware that malicious APs could exist after having doubts about one
Majority of participants connect to the network with the best signal strength

Unencrypted information
Only 4 participants knew that information transmitted over Wi-Fi could be potentially visible to others (diagrams)
After knowing which data was transmitted in the clear:
- 4 participants were not surprised
- the other 7 had no idea that their web pages could have been seen
- They “just don’t think about that”
Understanding of this risk generally does not translate into sharp awareness

In-the-moment awareness
Practices giving a sense of security + lack of understanding
majority of participants absolutely don’t think about privacy and security when using Wi-Fi
When using Wi-Fi:
- security and privacy risks are not found acceptable;
- they are simply not considered

Personal exposure
For some pieces of information, the number of times the information was transmitted during the study was quite high (over 1000 times)
Confronted with this list, new concerns emerged
Information aggregation
information considered as harmless was seen differently
participants thought about usual activities becoming sources of information leaks
Exposing other people’s information
participants realized that beyond exposing themselves, they were exposing others’ information by simply reading an email
that concern became more problematic than personal exposure

Discussion
Threats implied by using Wi-Fi are important
Consequences range from minor distress to serious problems
Users generally don’t think about these issues
they adopt practices for threats they are aware of and feel safe
Once threats are explained to users, they are willing to be more careful and to change their habits
Technology has a role to play in two ways:
help users improve their awareness
develop infrastructural solutions that improve Wi-Fi protocols

Future work
End-User awareness tool
Show users how their own data is being broadcast using Wi-Fi
Effective strategy for motivating privacy and security conscious behavior
Important design challenge:
- make risk visible
- without creating paranoia or inundating user with information

Future work
Infrastructural solutions
Improve security of 802.11 protocols
Some work intends to eliminate all unencrypted communication
- such a system needs to be incorporated into wireless standards and to be widely deployed
- could take years before becoming common
Meanwhile, solutions like the previously mentioned one can help users deal with security and privacy threats.

Thanks