Muslum Ozgur Ozmen, Habiba Farrukh, Z. Berkay Celik
{"title":"Physical Side-Channel Attacks against Intermittent Devices","authors":"Muslum Ozgur Ozmen, Habiba Farrukh, Z. Berkay Celik","doi":"10.56553/popets-2024-0088","DOIUrl":"https://doi.org/10.56553/popets-2024-0088","url":null,"abstract":"Intermittent (batteryless) devices operate solely using energy harvested from their environment. These devices turn on when they have energy and turn off during energy scarcity. Intermittent devices have recently become increasingly popular in smart buildings, manufacturing plants, and medical implantables as they eliminate the need for battery replacement and enable green computing. Despite their growing adoption in critical applications, the privacy implications of intermittent devices remain largely unexplored. In this paper, we introduce a novel remote side-channel attack. Our observation is that the network packet frequency of an intermittent device can be exploited to learn its turn-on/off patterns. From these patterns, we can infer the energy availability of a device, which reveals privacy-sensitive information about its operating environment, e.g., the presence or absence of individuals. To realize our attack, we develop a three-stage hierarchical inference framework that leverages the timestamped network packet sequence of intermittent devices. Our framework automatically extracts a set of temporal features from inter-packet-arrival timings. It then employs a series of models to uncover (1) whether a target intermittent device is present in the environment, (2) its energy harvester type (e.g., vibration or water flow), and (3) its energy availability conditions (e.g., high-vibration or no-vibration). To validate our attack effectiveness, we conduct experiments in two environments: a smart home and a miniature manufacturing plant equipped with three intermittent devices powered by solar energy, vibration, and temperature. By analyzing their energy availability patterns, we are able to infer user activities and presence in the smart home and the robot’s movement patterns in the manufacturing plant with an average accuracy of 85%. This sensitive information enables an adversary to launch domain-specific attacks, such as burglarizing a smart home when the user is asleep or timely tampering with plant sensors to cause maximum damage.","PeriodicalId":519525,"journal":{"name":"Proceedings on Privacy Enhancing Technologies","volume":"21 1","pages":""},"PeriodicalIF":0.0,"publicationDate":"2024-07-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"141706163","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Nathan Reitinger, Bruce Wen, Michelle L. Mazurek, Blase Ur
{"title":"What Does It Mean to Be Creepy? Responses to Visualizations of Personal Browsing Activity, Online Tracking, and Targeted Ads","authors":"Nathan Reitinger, Bruce Wen, Michelle L. Mazurek, Blase Ur","doi":"10.56553/popets-2024-0101","DOIUrl":"https://doi.org/10.56553/popets-2024-0101","url":null,"abstract":"Internet companies routinely follow users around the web, building profiles for ad targeting based on inferred attributes. Prior work has shown that these practices, generally, are creepy—but what does that mean? To help answer this question, we substantially revised an open-source browser extension built to observe a user's browsing behavior and present them with a tracker's perspective of that behavior. Our updated extension models possible interest inferences far more accurately, integrates data scraped from the user's Google ad dashboard, and summarizes ads the user was shown. Most critically, it introduces ten novel visualizations that show implications of the collected data, both the mundane (e.g., total number of ads you've been served) and the provocative (e.g., your interest in reproductive health, a potentially sensitive topic). We use our extension as a design probe in a week-long field study with 200 participants. We find that users do perceive online tracking as creepy—but that the meaning of creepiness is far from universal. Participants felt differently about creepiness even when their data presented similar visualizations, and even when responding to the most potentially provocative visualizations—in no case did more than 66% of participants agree that any one visualization was creepy.","PeriodicalId":519525,"journal":{"name":"Proceedings on Privacy Enhancing Technologies","volume":"226 1","pages":""},"PeriodicalIF":0.0,"publicationDate":"2024-07-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"141712542","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"PLASMA: Private, Lightweight Aggregated Statistics against Malicious Adversaries","authors":"Dimitris Mouris, Pratik Sarkar, N. G. Tsoutsos","doi":"10.56553/popets-2024-0064","DOIUrl":"https://doi.org/10.56553/popets-2024-0064","url":null,"abstract":"Private heavy-hitters is a data-collection task where multiple clients possess private bit strings, and data-collection servers aim to identify the most popular strings without learning anything about the clients' inputs. In this work, we introduce PLASMA: a private analytics framework in the three-server setting that protects the privacy of honest clients and the correctness of the protocol against a coalition of malicious clients and a malicious server. Our core primitives are a verifiable incremental distributed point function (VIDPF) and a batched consistency check, which are of independent interest. Our VIDPF introduces new methods to validate client inputs based on hashing. Meanwhile, our batched consistency check uses Merkle trees to validate multiple client sessions together in a batch. This drastically reduces server communication across multiple client sessions, resulting in significantly less communication compared to related works. Finally, we compare PLASMA with the recent works of Asharov et al. (CCS'22) and Poplar (S&P'21) and compare in terms of monetary cost for different input sizes.","PeriodicalId":519525,"journal":{"name":"Proceedings on Privacy Enhancing Technologies","volume":"66 12","pages":""},"PeriodicalIF":0.0,"publicationDate":"2024-07-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"141714669","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Elijah Bouma-Sims, Sanjnah Ananda Kumar, L. Cranor
{"title":"Exploring the Privacy Experiences of Closeted Users of Online Dating Services in the US","authors":"Elijah Bouma-Sims, Sanjnah Ananda Kumar, L. Cranor","doi":"10.56553/popets-2024-0046","DOIUrl":"https://doi.org/10.56553/popets-2024-0046","url":null,"abstract":"Online dating services present significant privacy risks, especially for LGBTQ+ people who are \"in the closet\" and have not shared their LGBTQ+ identity with others. We conducted a survey (n = 114) and nine follow-up interviews with US-based, closeted users of online dating services focused on their privacy experience. We found that participants in the study were strongly concerned about the risk of being seen by social relations and institutional data sharing practices like targeted advertising. Participants experienced a range of privacy and safety harms, including inadvertent outing, unauthorized saving and sharing of photos, extortion, and harassment. To protect their privacy, participants typically limited the amount of information and the photos they included in their profile. In order to improve their privacy experience, participants requested better profile visibility controls, limits on the ability of others to download or screenshot their photos, better user verification, and making premium privacy features available for free.","PeriodicalId":519525,"journal":{"name":"Proceedings on Privacy Enhancing Technologies","volume":"166 3","pages":""},"PeriodicalIF":0.0,"publicationDate":"2024-04-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"140797645","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}