Proceedings of the 11th ACM Conference on Security & Privacy in Wireless and Mobile Networks: Latest Papers

Efficient, Scalable, and Resilient Vehicle-Centric Certificate Revocation List Distribution in VANETs
M. Khodaei, Panos Papadimitratos
Abstract: In spite of progress in securing Vehicular Communication (VC) systems, there is no consensus on how to distribute Certificate Revocation Lists (CRLs). The main challenges lie exactly in (i) crafting an efficient and timely distribution of CRLs for numerous anonymous credentials, pseudonyms, (ii) maintaining strong privacy for vehicles prior to revocation events, even with honest-but-curious system entities, (iii) and catering to computation and communication constraints of on-board units with intermittent connectivity to the infrastructure. Relying on peers to distribute the CRLs is a double-edged sword: abusive peers could "pollute" the process, thus degrading the timely CRLs distribution. In this paper, we propose a vehicle-centric solution that addresses all these challenges and thus closes a gap in the literature. Our scheme radically reduces CRL distribution overhead: each vehicle receives CRLs corresponding only to its region of operation and its actual trip duration. Moreover, a "fingerprint" of CRL 'pieces' is attached to a subset of (verifiable) pseudonyms for fast CRL 'piece' validation (while mitigating resource depletion attacks abusing the CRL distribution). Our experimental evaluation shows that our scheme is efficient, scalable, dependable, and practical: with no more than 25 KB/s of traffic load, the latest CRL can be delivered to 95% of the vehicles in a region (50x50 KM) within 15s, i.e., more than 40 times faster than the state-of-the-art. Overall, our scheme is a comprehensive solution that complements standards and can catalyze the deployment of secure and privacy-protecting VC systems.
DOI: https://doi.org/10.1145/3212480.3212481
Published: 2018-06-18
Citations: 33
Detecting smartphone state changes through a Bluetooth based timing attack
Guillaume Celosia, M. Cunche
Abstract: Bluetooth is a popular wireless communication technology that is available on most mobile devices. Although Bluetooth includes security and privacy preserving mechanisms, we show that a Bluetooth harmless inherent request-response mechanism can taint users privacy. More specifically, we introduce a timing attack that can be triggered by a remote attacker in order to infer information about a Bluetooth device state. By observing the L2CAP layer ping mechanism timing variations, it is possible to detect device state changes, for instance when the device goes in or out of the locked state. Our experimental results show that change point detection analysis of the timing allows to detect device state changes with a high accuracy. Finally, we discuss applications and countermeasures.
DOI: https://doi.org/10.1145/3212480.3212494
Published: 2018-06-18
Citations: 6
Questioning the security and efficiency of the ESIoT approach
Aïda Diop, S. Gharout, M. Laurent-Maknavicius, J. Leneutre, Jacques Traoré
Abstract: ESIoT is a secure access control and authentication protocol introduced for Internet of Things (IoT) applications. The core primitive of ESIoT is an identity-based broadcast encryption scheme called Secure Identity-Based Broadcast Encryption (SIBBE). SIBBE is designed to provide secure key distribution among a group of devices in IoT networks, and enable devices in each group to perform mutual authentication. The scheme is also designed to hide the structure of the group from nodes outside of the group. We identify multiple efficiency and security issues in this primitive that prove SIBBE unsuitable for IoT applications. First, we show that contrary to what was claimed, the size of the ciphertexts generated by the encryption function is not constant but in fact linear in the number of devices in the group. Additionally, we demonstrate that the encryption and decryption costs are also linear in the number of nodes in the group, implying scalability issues thus inefficiency for IoT applications. In terms of security, we prove that SIBBE does not achieve the desired property of anonymity and allows an attacker to gain information on the structure of any given group. Finally, we demonstrate how SIBBE does not achieve the claimed chosen-ciphertext security. We however prove its security for a weaker security notion (namely selective-ID indistinguishability against chosen-plaintext attacks) under a variant of the GDDHE assumption.
DOI: https://doi.org/10.1145/3212480.3212491
Published: 2018-06-18
Citations: 0
Android Escalation Paths: Building Attack-Graphs from SEAndroid Policies
Grant Hernandez, Kevin R. B. Butler
Abstract: Smartphones are a critical device in modern society. With the amount of personal data present on many smartphones, protecting their integrity is crucial. The Android operating system employs multiple layers of security to ensure that the system is resistant to local and remote threats. To achieve this it uses a combination of discretionary and mandatory access control policies. Attackers when attempting to escalate to a higher privilege level must operate within these policies and potentially exploit their flaws. The flow an attacker (and conversely a defender) follows can be modeled as attack graph. In this paper, we explore how attack graphs could be automatically generated from SEAndroid policy files to aid defenders and attackers with auditing system security posture.
DOI: https://doi.org/10.1145/3212480.3226106
Published: 2018-06-18
Citations: 1
WADAC
Ragav Sridharan, R. Maiti, Nils Ole Tippenhauer
Abstract: In this work, we address the problem of detecting application-layer attacks on nearby wireless devices. In particular, we assume that the detection scheme is limited to link-layer traffic (either because schemes such as WPA2 are used, and the key is unknown, or to preserve user privacy). Such a setting allows us to detect attacks in nearby third party networks that we are not associated with, unlike related work that relies on wireline taps to observe traffic. We propose and implement a framework consisting of an anomaly detection module (unsupervised), and an attack classification module that identifies a known set of attacks (supervised). We evaluate our prototype with experiments including a range of attacks. For example, we demonstrate that the anomaly detector detects Mirai C&C traffic by an IoT device (without training with Mirai). In addition, we detect that the Mirai infected device is attacking other devices with 96.1% accuracy. We show that our prototype can be applied to different wireless standards (such as 802.11 (WiFi) and 802.15 (Zigbee)) and detect attacks with an accuracy of 96%-99%.
DOI: https://doi.org/10.1145/3212480.3212495
Published: 2018-06-18
Citations: 9
VPKIaaS
Hamid Noroozi, M. Khodaei, Panos Papadimitratos
Abstract: The central building block of secure and privacy-preserving Vehicular Communication (VC) systems is a Vehicular Public-Key Infrastructure (VPKI), which provides vehicles with multiple anonymized credentials, termed pseudonyms. These pseudonyms are used to ensure message authenticity and integrity while preserving vehicle (and thus passenger) privacy. In the light of emerging large-scale multi-domain VC environments, the efficiency of the VPKI and, more broadly, its scalability are paramount. In this extended abstract, we leverage the state-of-the-art VPKI system and enhance its functionality towards a highly-available and dynamically-scalable design; this ensures that the system remains operational in the presence of benign failures or any resource depletion attack, and that it dynamically scales out, or possibly scales in, according to the requests' arrival rate. Our full-blown implementation on the Google Cloud Platform shows that deploying a VPKI for a large-scale scenario can be cost-effective, while efficiently issuing pseudonyms for the requesters.
DOI: https://doi.org/10.1145/3212480.3226100
Published: 2018-06-18
Citations: 8
Towards Dynamically Monitoring Android Applications on Non-rooted Devices in the Wild
Xiaoxiao Tang, Yan Lin, Daoyuan Wu, Debin Gao
Abstract: Dynamic analysis is an important technique to reveal sensitive behavior of Android apps. Current works require access to the code-level and system-level events (e.g., API calls and system calls) triggered by the running apps and consequently they can only be conducted on in-lab running environments (e.g., emulators and modified OS). The strict requirement of running environment hinders their deployment in scale and makes them vulnerable to anti-analysis techniques. Furthermore, current dynamic analysis of Android apps exploits input generators to invoke app behavior, which, however, cannot provide sufficient code coverage. We propose to dynamically analyze app behavior on non-rooted devices used by the public so that it is possible to analyze dynamically in scale without input generators. By doing so, we also maximize the code coverage since the app behavior is invoked by real users of the apps. To achieve such a goal, we build UpDroid, a system for detecting sensitive behavior without modifying Android OS, rooting the device, or leveraging emulators. UpDroid detects sensitive events by monitoring the changing of public resources on the device, instead of accessing low-level events that require rooting or system modification. To identify the apps that trigger the detected events, UpDroid formulates the identification as a ranking problem and adopts learning to rank technique to solve it. Our experimental results demonstrate that UpDroid can successfully detect the use of 15 out of 26 permissions that are labeled dangerous in the official Android documentation. We also compare UpDroid with API hooking which can theoretically capture all sensitive behavior but requires root permission and system modifications. Results show that UpDroid can still achieve 70% coverage of API hooking even without root permission or any system modifications.
DOI: https://doi.org/10.1145/3212480.3212504
Published: 2018-06-18
Citations: 11
Listening Watch: Wearable Two-Factor Authentication using Speech Signals Resilient to Near-Far Attacks
Prakash Shrestha, Nitesh Saxena
Abstract: Reducing the level of user effort involved in traditional two-factor authentication (TFA) constitutes an important research topic. A recent effort in this direction leverages ambient sounds to detect the proximity between the second factor device (phone) and the login terminal (browser), and eliminates the need for the user to transfer PIN codes. This approach is highly usable, but is completely vulnerable against far-near attackers, i.e., ones who are remotely located and can guess the victim's audio environment or make the phone create predictable sounds (e.g., ringers), and those who are in physical proximity of the user. In this paper, we propose Listening-Watch, a new TFA mechanism based on a wearable device (watch/bracelet) and active browser-generated random speech sounds. As the user attempts to login, the browser populates a short random code encoded into speech, and the login succeeds if the watch's audio recording contains this code (decoded using speech recognition), and is similar enough to the browser's audio recording. The remote attacker, who has guessed the user's environment or created predictable phone/watch sounds, will be defeated since authentication success relies upon the presence of the random code in watch's recordings. The proximity attacker will also be defeated unless it is extremely close to the watch, since the wearable microphones are usually designed to be only capable of picking up nearby sounds (e.g., voice commands). Furthermore, due to the use of a wearable second factor device, Listening-Watch naturally enables two-factor security even when logging in from a mobile phone. Our contributions are three-fold. First, we introduce the idea of strong and low-effort TFA based on wearable devices, active speech sounds and speech recognition, giving rise to the Listening-Watch system that is secure against both remote and proximity attackers. Second, we design and implement Listening-Watch for an Android smartwatch (and companion smartphone) and the Chrome browser, without the need for any browser plugins. Third, we evaluate Listening-Watch for authentication errors in both benign and adversarial settings. Our results show that Listening-Watch can result in minimal errors in both settings based on appropriate thresholdization and speaker volume levels.
DOI: https://doi.org/10.1145/3212480.3212501
Published: 2018-06-18
Citations: 22
On the Impact of Rogue Base Stations in 4G/LTE Self Organizing Networks
Altaf Shaik, Ravishankar Borgaonkar, Shinjo Park, Jean-Pierre Seifert
Abstract: Mobile network operators choose Self Organizing Network (SON) concept as a cost-effective method to deploy LTE/4G networks and meet user expectations for high quality of service and bandwidth. The main objective of SON is to introduce automation into network management activities and reduce human intervention. SON enabled LTE networks heavily rely on the information acquired from mobile phones to provide self-configuration, self-optimization, and self-healing features. However, mobile phones can be attacked over-the-air using rogue base stations. In this paper, we carefully study SON related LTE/4G security specifications and reveal several vulnerabilities. Our key idea is to introduce a rogue eNodeB that uses legitimate mobile devices as a covert channel to launch attacks against SON enabled LTE networks. We demonstrate low-cost, practical, silent and persistent Denial of Service attacks against the network and end-users by injecting fake measurement and configuration information into the SON system. An active attacker can shut down network services in 2 km² area of a city for a certain period of time and also block network services to a selective set of mobile phones in a targeted area of 200 m to 2 km in radius. With the help of low cost tools, we design an experimental setup and evaluate these attacks on commercial networks. We present strategies to mitigate our attacks and outline possible reasons that may explain why these vulnerabilities exist in the system.
DOI: https://doi.org/10.1145/3212480.3212497
Published: 2018-06-18
Citations: 32
Tracking Private Browsing Sessions using CPU-based Covert Channels
Nikolay Matyunin, N. Anagnostopoulos, Spyros Boukoros, Markus Heinrich, André Schaller, Maksim Kolinichenko, S. Katzenbeisser
Abstract: In this paper we examine the use of covert channels based on CPU load in order to achieve persistent user identification through browser sessions. In particular, we demonstrate that an HTML5 video, a GIF image, or CSS animations on a webpage can be used to force the CPU to produce a sequence of distinct load levels, even without JavaScript or any client-side code. These load levels can be then captured either by another browsing session, running on the same or a different browser in parallel to the browsing session we want to identify, or by a malicious app installed on the device. To get a good estimation of the CPU load caused by the target session, the receiver can observe system statistics about CPU activity (app), or constantly measure time it takes to execute a known code segment (app and browser). Furthermore, for mobile devices we propose a sensor-based approach to estimate the CPU load, based on exploiting disturbances of the magnetometer sensor data caused by the high CPU activity. Captured loads can be decoded and translated into an identifying bit string, which is transmitted back to the attacker. Due to the way loads are produced, these methods are applicable even in highly restrictive browsers, such as the Tor Browser, and run unnoticeably to the end user. Therefore, unlike existing ways of web tracking, our methods circumvent most of the existing countermeasures, as they store the identifying information outside the browsing session being targeted. Finally, we also thoroughly evaluate and assess each presented method of generating and receiving the signal, and provide an overview of potential countermeasures.
DOI: https://doi.org/10.1145/3212480.3212489
Published: 2018-06-18
Citations: 4