Snooping based privacy attacks based on transmission timing and wireless fingerprinting
Master’s project presentation
Vijay Srinivasan
University of Virginia
Indoor Wireless Sensor Systems
• Indoor wireless sensor systems are becoming prevalent and will be more so in the future
  – Assisted living facilities: UVa, Harvard, Johns Hopkins
  – Home security/automation: 5 million X10 deployments
  – Industrial automation/monitoring: 20 million Zigbee devices by 2007
• People often assume Encryption = Privacy
FATS Attack
• FATS – Finger-print And Timing-based Snoop attack
• Observed Information
  – “T” – Radio message timing
  – “F” – Radio fingerprint
• Inferred Information
  – # bathroom visits
  – # kitchen visits
  – Sleep time
  – Out time
Related Work
• Conventional data privacy ensured through encryption – Culler 2001, Gligor 2002
  – Adversary infers desired private data in spite of data encryption (side-channel attack)
• Lots of work tries to infer activities based on sensors in the home – Tapia 2004
  – We assume the adversary does not know anything about the sensors: type, distribution, etc.
• Multi-hop traffic analysis attacks to infer sender-recipient matching or source location – Chaum 1981, Shi 2006, Deng 2005
  – Our traffic analysis uses a snoop device one hop away from the radio sources and is used to infer resident activity, not sender-recipient matching or source location
• Wireless fingerprinting demonstrated for 802.11 Wi-Fi devices and Mica motes
  – Detection accuracies as high as 93% – Hall 2004, Hall 2006, Capkun 2006
  – Primarily used to enhance privacy by providing hardware-based authentication
  – In this work, wireless fingerprinting is used to break privacy, not enhance it
Presentation Outline
• Inference Procedure
• Counter attacks
• Conclusions & Future Work
Inference Algorithm Evaluation
Experimental Setup to obtain algorithm input
• Wireless X-10 deployments in 4 homes with around 15 sensors and one base station receiver per home
  – Seven-day deployments in each home
Inference Procedure
Tier – I
• Assumption 1:
  – Sensors in the same room fire at similar times
• Assumption 2:
  – Sensors in different rooms fire at different times
  – This implies a single person in the building
Sensor Clustering
For each sensor i and j:
- $T_{ij}$ = vector of minimum time distances between i and j, for all firings of i
- $D_{ij} = \min(\mathrm{median}(T_{ij}), \mathrm{median}(T_{ji}))$
- $D'_{ij} = \text{Shortest-Path}(D_{ij})$
F = Multi-Dimensional-Scaling($D'$)
C = cluster(F)
Tier – I: Sensor and Temporal Clustering
Sensor Clustering – Performance
Temporal Clustering
• Separate sensor streams by room
• Use DBSCAN to identify temporal clusters for each room stream
  – Automatically removes outliers, unlike k-means
Tier – II
• Assumption 1:
  – Different houses have similar rooms
• Assumption 2:
  – Similar rooms have similar usage patterns
Tier – II Cluster to Room Mapping
• Constraints used:
  – Identify the entrance room as the cluster whose sensors fire after long silence periods during the day
  – Identify the bedroom cluster as the one that fires after long silence periods during the night or has maximal time length in the night
  – Identify the living room cluster as the one that fires maximally during the day
  – Both bathroom and kitchen clusters fire when the resident wakes up, with the bathroom clusters usually being smaller in width
• Classification results: All clusters assigned the correct room labels across the four homes in the best case
Tier – III
• Assumption 1:
  – Long silence periods imply sleep or that the person is not home
• Assumption 2:
  – Tier-II returns correct temporal clusters for the bathroom and kitchen
Tier-III Inferring Private Variables
• Four private variables inferred
• Number and timing of bathroom and kitchen visits
  – Inferred from Tier-II clusters
• Number and timing of sleep and away-from-home hours
  – Inferred from long silence periods during the day or night
Tier III Output – Evaluation Metrics
• Ground truth variables obtained by manual inspection
• We first compute a min-cost bipartite matching between ground truth clusters and computed clusters based on
  – cluster timing and
  – interval width
• Based on this mapping, we define 3 metrics
  – Number of false positives
  – Number of false negatives
  – Total Interval Error
Inference Algorithm – Performance across 4 homes
Presentation Outline
• Inference Procedure
• Counter attacks
• Conclusions & Future Work
Counter Attacks 1. Increasing Packet loss ratio
• Obvious solution – prevent the adversary from listening to packets by
  – Reducing transmission power
  – Introducing Faraday cages
• We evaluate how high the packet loss ratio must be to affect the evaluation metrics for the private variables shown previously
Counter Attacks 2. Periodic transmissions
• Assumes tolerable latency bound L
• Does not work with real-time or high bandwidth requirements
Complete privacy
Counter Attacks 2. Periodic transmissions
• Energy cost of periodic transmission is negligible for binary sensors with periods of a few seconds
• Telos mote
  – Wakes up and transmits every L seconds
  – 2*L bits of data over latency period L
• For L=8 seconds, 8.75% reduction in lifetime
Counter Attacks 3. Random delay
• Add a random delay to each transmission, bounded by the tolerable latency bound
• Leverage tolerable latency bound at lower energy cost
• Same real-time drawback as periodic transmissions
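The pairwise timing distance from the Sensor Clustering slide can be reused by a defender to measure how much room-level timing signal survives countermeasures 2 and 3. The following is an added example, not code from the presentation; the sensor names, the constructed visit trace, the delay bounds and the `leak_ratio` metric are assumptions made for illustration.

```python
import bisect
import math
import random
import statistics
# Assumed for illustration: sensors k1/k2 (kitchen) and bed, visit schedule, delay bounds.

def nearest_gaps(a, b):
    """T_ab: for every firing in a, the time distance to the nearest firing in b."""
    gaps = []
    for t in a:
        k = bisect.bisect_left(b, t)
        gaps.append(min(abs(t - x) for x in b[max(k - 1, 0):k + 1]))
    return gaps

def timing_distance(a, b):
    """D_ab = min(median(T_ab), median(T_ba)), the slide's pairwise sensor distance."""
    a, b = sorted(a), sorted(b)
    return min(statistics.median(nearest_gaps(a, b)),
               statistics.median(nearest_gaps(b, a)))

def leak_ratio(k1, k2, bed):
    """Different-room distance over same-room distance; near 1 means rooms blur."""
    return timing_distance(k1, bed) / timing_distance(k1, k2)

def random_delay(times, bound, rng):
    """Countermeasure 3: hold each message for a uniform delay in [0, bound]."""
    return sorted(t + rng.uniform(0, bound) for t in times)

def periodic(times, period, phase, horizon):
    """Countermeasure 2: send in every slot; return (air times, worst report latency)."""
    slots = [phase + n * period for n in range(math.ceil((horizon - phase) / period) + 1)]
    worst = max((slots[bisect.bisect_left(slots, t)] - t for t in times), default=0.0)
    return slots, worst

def constructed_home(rng, visits=40, gap=1800.0, stay=120.0):
    """Constructed trace: one resident alternating kitchen and bedroom visits."""
    k1, k2, bed = [], [], []
    for v in range(visits):
        for sensor in ((k1, k2) if v % 2 == 0 else (bed,)):
            sensor.extend(v * gap + rng.uniform(0, stay) for _ in range(3))
    return sorted(k1), sorted(k2), sorted(bed)

def evaluate(seed=7):
    """Leak ratio on the constructed trace: undefended, then with 60 s and 3600 s delay bounds."""
    rng = random.Random(seed)
    k1, k2, bed = constructed_home(rng)
    out = {"raw": leak_ratio(k1, k2, bed)}
    for bound in (60.0, 3600.0):
        out[bound] = leak_ratio(*(random_delay(s, bound, rng) for s in (k1, k2, bed)))
    return out
```

With periodic transmission the air times returned by `periodic` do not depend on the events at all, only on the period and phase, while the worst-case reporting latency stays within one period.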
Counter Attacks 4. Fingerprint masking
• Mask fingerprints in hardware by varying features for each transmission
• Drawbacks
  – Arms race scenario, unable to predict features used by an adversary
  – Not supportable by current hardware
  – Does not affect inference of sleep and home occupancy variables
Counter Attacks 5. Introducing fake data
• Introduce fake events to hide high-level information
  – E.g., introduce fake bathroom events if we need to hide the number of bathroom visits
• Arms race problem – Can the adversary filter fake events?
Presentation Outline
• Inference Procedure
• Counter attacks
• Conclusions & Future Work
Conclusions and Future work
• Demonstrated a novel side-channel privacy attack based on transmission timing and wireless fingerprinting
• Designed a tiered inference algorithm
• Proposed a suite of privacy solutions with different tradeoffs to address the FATS attack
• Current and Future work
  – Infer more detailed activity information
  – Implications of FATS attacks for large scale mobile systems composed of mobile phone users