Preserving Location Privacy in Wireless LANs Presented by Alvin Yonggang Yun April 9, 2008 CSCI 388 - Wireless and Mobile Security

Preserving Location Privacy in Wireless LANs

Presented byPresented byAlvin Yonggang YunAlvin Yonggang Yun

April 9, 2008April 9, 2008

CSCI 388 - Wireless and Mobile Security

AuthorsAuthors

►Tao Jiang University of Maryland

►Helen J. Wang Microsoft Research►Yih-Chun Hu University of Illinois

Presented MobiSys’07, Presented MobiSys’07,

June 11–13, 2007, June 11–13, 2007,

San Juan, Puerto Rico, USASan Juan, Puerto Rico, USA

Do you care someone know where you Do you care someone know where you are?are?

Someone does care location Someone does care location privacyprivacy

220,000 Cell Towers Can Find You220,000 Cell Towers Can Find You

Location-based ServicesLocation-based ServicesLocation-based Networking(Always connected + Continuous services)

Location-based Fitness Assistant and Shopping Assistant

Location and Location Privacy► Location Information can be obtained through Location Information can be obtained through

direct communicationdirect communication with the respective entity or with the respective entity or through through indirect meansindirect means such as observation and such as observation and inference.inference.

► The claim/right of individuals, groups and The claim/right of individuals, groups and institutions to determine for themselves, when, institutions to determine for themselves, when, how and to what extent location information about how and to what extent location information about them is communicated to others.them is communicated to others.

►Location privacy is the ability to prevent Location privacy is the ability to prevent other parties from learning one’s other parties from learning one’s currentcurrent or or pastpast location location

ProblemProblem

►Broadcast nature of wireless networks Broadcast nature of wireless networks and widespread deployment of Wi-Fi and widespread deployment of Wi-Fi hotspots makes it easy to remotely hotspots makes it easy to remotely locate a user by observing wireless locate a user by observing wireless signals.signals.

►Location information can be used by Location information can be used by malicious individuals for blackmail, malicious individuals for blackmail, stalking, and other privacy violations.stalking, and other privacy violations.

What’s NEW?

Adjustable Privacy EntropyMore detail below

BalanceBalance

Location Privacy

Location-based

Services

Privacy

Paper OverviewPaper Overview

So, how to improve location privacy?So, how to improve location privacy?

ObfuscateObfuscate 3 types of privacy- 3 types of privacy-compromising information:compromising information:

►Sender identitySender identity►Time of transmissionTime of transmission►Signal strengthSignal strength

Paper OverviewPaper Overview

Why? Because of 5 types of leakage of Why? Because of 5 types of leakage of location information in the course of location information in the course of wireless communications:wireless communications:

►Sender node identitySender node identity►TimeTime►LocationLocation►Receiver node identity Receiver node identity -- resolved: MIX-net or -- resolved: MIX-net or

CrowdCrowd

►ContentContent -- resolved: encryption-- resolved: encryption

FOCUSFOCUS

►Anonymize the user or node identity Anonymize the user or node identity with frequently with frequently changing pseudonymschanging pseudonyms: : MACMAC address in this paper address in this paper

►Unlink different pseudonyms of the Unlink different pseudonyms of the same user with same user with silent periodssilent periods: : optimaloptimal modelmodel

►Reduce the transmission range Reduce the transmission range through transmit through transmit power controlpower control

Design OverviewDesign Overview

►Driven by real-system implementation Driven by real-system implementation and field experiments along with and field experiments along with analysis and simulationsanalysis and simulations

►Privacy level available to choose, for Privacy level available to choose, for both privacy-sensitive users and non- both privacy-sensitive users and non- privacy-sensitive users.privacy-sensitive users.

►Evaluate system based on real-life Evaluate system based on real-life mobility data and wireless LAN mobility data and wireless LAN coveragecoverage

Research BackgroundResearch Background

► Y.-C. Hu and H. J. Wang. Location privacy in wireless networks. In Proceedings of the ACM SIGCOMM Asia Workshop, Beijing, 2005. – extension and improvement

► M. Gruteser and D. Grunwald. Enhancing location privacy in wireless LAN through disposable interface identifiers: a quantitative analysis. In WMASH ’03

► L. Huang, K. Matsuura, H. Yamane, and K. Sezaki. Enhancing wireless location privacy using silent period.

► C. Shannon. A mathematical theory of communication. Bell Systems Technical Journal, 27:379–423, 623–656 – Entropy ( metric of privacy level )

Related WorkRelated Work

►Location technologies – RF-basedLocation technologies – RF-based►Application-Level Location PrivacyApplication-Level Location Privacy►Network-Level Location PrivacyNetwork-Level Location Privacy►RF FingerprintinRF Fingerprintingg


Location technologiesLocation technologies►Only consider Only consider RF-basedRF-based localization systems localization systems►Location accuracy achievement:Location accuracy achievement:

IndoorIndoor ------ < 1 meter in 50% time< 1 meter in 50% time

Outdoor ---Outdoor --- 15-30 meters as median15-30 meters as median►Two phases:Two phases:

Training phase Training phase – – “war-driving” to collect a large “war-driving” to collect a large amount of signal dataamount of signal data

Positioning phase Positioning phase – – compare to the radio mapcompare to the radio map


Application-Level Location Application-Level Location PrivacyPrivacy

► Anonymous usage of location-based Anonymous usage of location-based services through spatial and temporalservices through spatial and temporal

► Design protocols and APIs that consider the Design protocols and APIs that consider the privacy issues in the transfer of location privacy issues in the transfer of location information to external servicesinformation to external services

► Target location information provided by Target location information provided by applicationsapplications

► This paper: Privacy of location information This paper: Privacy of location information that can be inferred from the that can be inferred from the wireless wireless transmissions transmissions of network usersof network users


Network-Level Location Network-Level Location PrivacyPrivacy

►Frequently changing user Frequently changing user pseudonyms: blind signatures for pseudonyms: blind signatures for anonymous communicationanonymous communication

►Silent periodsSilent periods

►Pseudo-randomly chosen channel – Pseudo-randomly chosen channel – assume AP operator is trustedassume AP operator is trusted



►Frequently changing user Frequently changing user pseudonyms: blind signatures for pseudonyms: blind signatures for anonymous communication – vs – anonymous communication – vs – Sender identity Sender identity with MAC changingwith MAC changing

►Silent periods – vs – Silent periods – vs – Opportunistic Opportunistic Silent periodsSilent periods

►Pseudo-randomly chosen channel – vs Pseudo-randomly chosen channel – vs – – Reduce transmission power: less APs Reduce transmission power: less APs in range in range -- even AP cannot be trusted-- even AP cannot be trusted

Anonymous CommunicationAnonymous Communication

► Bob and the Server want to prevent outsiders from Bob and the Server want to prevent outsiders from knowing the fact that they are communicating - knowing the fact that they are communicating - UnlinkablilityUnlinkablility

► Bob wants to prevent the server from knowing its Bob wants to prevent the server from knowing its identity - identity - Sender (Source) anonymitySender (Source) anonymity



DefinitionDefinition►Silent periodSilent period: The time when : The time when

privacy-sensitive users intentionally privacy-sensitive users intentionally do do not transmitnot transmit, in order to reduce the , in order to reduce the effectiveness of correlation based on effectiveness of correlation based on mobility pattern of usersmobility pattern of users

►OpportunisticOpportunistic silent period silent period: : OptimalOptimal silent period calculation methodologysilent period calculation methodology



Again…Again…

ObfuscateObfuscate 3 types of privacy- 3 types of privacy-compromising information:compromising information:

►Sender identitySender identity►Time of transmissionTime of transmission►Signal strengthSignal strength


RF FingerprintingRF Fingerprinting►Requires high speed and high Requires high speed and high

resolution Analog-to-Digital Converter resolution Analog-to-Digital Converter – Expensive to deploy– Expensive to deploy

►Prevented by intentionally adding Prevented by intentionally adding strong noisestrong noise

►The paper can’t resolve this, important The paper can’t resolve this, important future work…future work…

Attacker ModelAttacker Model

►Silent attackers: sniffer, do not emit any Silent attackers: sniffer, do not emit any signals, only listen and localize mobile signals, only listen and localize mobile usersusers

►Exposed attackers: network providers, Exposed attackers: network providers, trustworthy? How about accidentally leaktrustworthy? How about accidentally leak Active attackers: adjust base station Active attackers: adjust base station

transmission powertransmission power Passive attackers: no change on base stationPassive attackers: no change on base station

Measure of PrivacyMeasure of Privacy

How good we can preserve location How good we can preserve location privacy?privacy?

We need to We need to quantifyquantify……

Privacy EntropyPrivacy Entropy

Given an attacker and the set of all mobile users U, let be the bservation of the attacker about the user at some location L. Given observation , the attacker computes a probability distribution P over users Entropy is the number of bits of additional information the attacker needs to definitively identify the user.

Probability (%) = 1 enough information to identify the user

Ways to go…Ways to go…

►PseudonymPseudonym for sender identity for sender identity►Opportunistic Silent Period Opportunistic Silent Period for for

transmission timetransmission time►Transmit power control Transmit power control for signal for signal

strengthstrength

PseudonymPseudonym

►Anonymity is a prerequisite for Anonymity is a prerequisite for location privacylocation privacy

►User must use frequently chahging User must use frequently chahging pseudonyms for communicationspseudonyms for communications

►Pseudonyms: MAC address, IP addressPseudonyms: MAC address, IP address

How to choose pseudonym?How to choose pseudonym?

Important! Important! Avoid address collisionsAvoid address collisions

Let AP assign Let AP assign MACMAC addresses to addresses to users/clientsusers/clients

oJoin Address(well known address) is used to avoid MAC conflictsoMAC Address is got from the MAC address pooloNonce – Cryptographic nonce, a 128-bit string used only once for multiple simultaneous requests

How to choose pseudonym?How to choose pseudonym?

Why not choose IP address?Why not choose IP address?►MAC is enough, we do not need to MAC is enough, we do not need to

extract and obfuscate application layer extract and obfuscate application layer user identitiesuser identities

►Sources cannot easily communicate Sources cannot easily communicate with AP during IP changes ( trusted with AP during IP changes ( trusted anonymous bulletin boards with anonymous bulletin boards with cryptographic mechanisms is used )cryptographic mechanisms is used )

When to change pseudonym?When to change pseudonym?

Opportunistic Silent PeriodOpportunistic Silent Period

ONLY allows address changes just ONLY allows address changes just before the start of a new association before the start of a new association ( between client and AP )( between client and AP )

H = (N) H = (N) Attacker can attempt to correlate different Attacker can attempt to correlate different

pseudonyms with the same user. Silent period can pseudonyms with the same user. Silent period can reduce such correlations.reduce such correlations.


►During silent period, a user does not send During silent period, a user does not send any wireless transmissionsany wireless transmissions

►The effectiveness of silent periods depends The effectiveness of silent periods depends heavily on user density. ( higher heavily on user density. ( higher better ) better )

►Forced silent periods can disrupt Forced silent periods can disrupt communications. Opportunistic silent communications. Opportunistic silent period period minimizes disruptionminimizes disruption, which takes , which takes place during idle time between place during idle time between communicationscommunications


Data shows opportunistic silent periods Data shows opportunistic silent periods are quite suitable for WLAN:are quite suitable for WLAN:

CDF of session duration from Dartmouth campus-wide WLAN traceCDF of Duration between Sessions from Dartmouth campus-wide WLAN trace

Methodology for choosing a Silent Methodology for choosing a Silent PeriodPeriod

►Efficacy of silent period depends on Efficacy of silent period depends on user densityuser density

►Mobility pattern data consists: < time, Mobility pattern data consists: < time, pseudonym, location >pseudonym, location >

Probability that user Probability that user ii is linked to the new pseudonym is linked to the new pseudonym among the Candidate:among the Candidate:

PPii is the probability distribution used for privacy entropy is the probability distribution used for privacy entropy

Maximize privacy entropyMaximize privacy entropy

►Previous work shows the silent periods Previous work shows the silent periods must be must be randomizedrandomized ( no detail in this paper… )( no detail in this paper… )

►Random silent period = Random silent period = TTdd + + TTrr

TTd : d : deterministic silent periods ( previous work )deterministic silent periods ( previous work )

TTr : r : between 0 and between 0 and

So, larger So, larger offers better possible privacy? offers better possible privacy?

Not necessary…Not necessary…

Case StudyCase StudyMobility data of Seattle bus systemMobility data of Seattle bus system

5-days training set and 8-hour test set5-days training set and 8-hour test set

Case StudyCase StudyMobility data of Seattle bus systemMobility data of Seattle bus system

5-days training set and 8-hour test set5-days training set and 8-hour test set

Maximize privacy entropyMaximize privacy entropy

Choose Choose

close to but not greater than close to but not greater than 12 minutes12 minutes

Optimal silent period: upper bound on the necessary silent period

BalanceBalance

Location Privacy

ServiceQuality

Privacy

Control Signal StrengthControl Signal Strength

►Reduce Location Precision: number of APs Reduce Location Precision: number of APs within the user’s communication rangewithin the user’s communication range

►Transmit power control(TPC): minimize Transmit power control(TPC): minimize the number of APs in the range while the number of APs in the range while ensuring at least one AP for connectivity ensuring at least one AP for connectivity ( assume APs do not adjust transmit power )( assume APs do not adjust transmit power )

►TPC scheme: hold transmit power to the TPC scheme: hold transmit power to the lowest possible productive level to lowest possible productive level to minimize imposed interferenceminimize imposed interference

RSS-based Silent TPCRSS-based Silent TPC

►Mobile station must perform TPC Mobile station must perform TPC silentlysilently

►The only information available to The only information available to mobile station is the received signal mobile station is the received signal strength(RSS) from APs within rangestrength(RSS) from APs within range

►Challenging: due to reflection, Challenging: due to reflection, scattering, multipath fading and scattering, multipath fading and absorption of radio wavesabsorption of radio waves

Asymmetry and Variations of Asymmetry and Variations of ChannelsChannels

►Goal: determine the relationship Goal: determine the relationship between the two directions of a between the two directions of a channel and use the channel and use the path loss path loss in one in one direction to infer the loss in the other direction to infer the loss in the other directiondirection

►Two scenarios: Two scenarios:

corner of an officecorner of an office

open outdoor spaceopen outdoor space

Asymmetry of 802.11 Asymmetry of 802.11 channelschannels

RSSI reading for both directions are RSSI reading for both directions are strongly correlatedstrongly correlated

Path loss margin (PLM)Path loss margin (PLM)

Definition: PLM is the magnitude of the Definition: PLM is the magnitude of the maximum difference between path maximum difference between path losses in opposite directions that result losses in opposite directions that result from environmental influences and from environmental influences and wireless channel asymmetrywireless channel asymmetry

PLM calculationPLM calculation



From the experimental results on path From the experimental results on path asymmetry and variation above, we asymmetry and variation above, we choose PLM:choose PLM:

11.3dB for indoor11.3dB for indoor

10.5dB for outdoor10.5dB for outdoor

So, PLM = 10 dBSo, PLM = 10 dB

Silent TPC DesignSilent TPC Design

► Design Goal: adjust transmit power of Design Goal: adjust transmit power of mobile station(no AP), to reduce the mobile station(no AP), to reduce the numbers of Aps in range by only using the numbers of Aps in range by only using the path loss observed from the opposite path loss observed from the opposite direction of the path, from the in-range Aps direction of the path, from the in-range Aps to the mobile stationto the mobile station

► The minimum signal strength reaches AP The minimum signal strength reaches AP must be greater than RSmust be greater than RS

TPC vs RSSITPC vs RSSI

Transmission power is controlled by configuration parameters provided by Atheros drivers

Silent TPC SchemeSilent TPC Scheme

TPC scheme can work only when TPC scheme can work only when receive signal receive signal strength of two APs differs by at least 20 dBstrength of two APs differs by at least 20 dB

Effectiveness of Silent TPCEffectiveness of Silent TPC

► More than 73% of the sports(356) have RSS More than 73% of the sports(356) have RSS difference more than 20dB, and can use TPC to difference more than 20dB, and can use TPC to improve privacyimprove privacy

APs in range between TPCAPs in range between TPC

Operational ModelOperational Model

User Interface: Privacy Mode

Alert Message

Operational ModelOperational Model

ContributionsContributions

►Solution to preserve better location Solution to preserve better location privacyprivacy

►Solution can be applied to cellular Solution can be applied to cellular networksnetworks

►Frequently change pseudonyms (MAC)Frequently change pseudonyms (MAC)►Pause opportunistically for silent periodPause opportunistically for silent period►Perform silent TPC to reduce the Perform silent TPC to reduce the

location precisionlocation precision

Future workFuture work

►The system sacrifice service quality, The system sacrifice service quality, not good for real-time applicationnot good for real-time application

►Silent TPC scheme reduces the signal-Silent TPC scheme reduces the signal-to-noise ratio received at AP, and to-noise ratio received at AP, and reduces the transmission data ratereduces the transmission data rate

►Wireless card rate controlWireless card rate control

My thoughtsMy thoughts

►MAC address selection model is MAC address selection model is vulnerable to Man-in-the-middle attack vulnerable to Man-in-the-middle attack and DoS attackand DoS attack

►TTrr(max) should be different from various (max) should be different from various scenarios/conditions, hard to implement scenarios/conditions, hard to implement TPC in realityTPC in reality

►TPC scheme has 20dB limit, big concern TPC scheme has 20dB limit, big concern for better AP deploymentfor better AP deployment

►Not all wireless drivers support TPCNot all wireless drivers support TPC

Documents

Preserving Location Privacy in Wireless LANs Presented by Alvin Yonggang Yun April 9, 2008 CSCI 388 - Wireless and Mobile Security