Devices That Tell On You: Privacy Trends in Consumer Ubiquitous Computing. Computer Immunology and Information Security. Instructor: Professor 박용수. 2008. 5. 19 이재준. Paper Information. Title : Devices That Tell On You: Privacy Trends in Consumer Ubiquitous Computing Authors :
Devices That Tell On You: Privacy Trends in Consumer Ubiquitous Computing
Computer Immunology and Information Security
Instructor: Professor 박용수
2008. 5. 19
이재준

Paper Information
Title: Devices That Tell On You: Privacy Trends in Consumer Ubiquitous Computing
Authors: T. Scott Saponas, Jonathan Lester, Carl Hartung, Sameer Agarwal, Tadayoshi Kohno
Published in: 16th USENIX Security Symposium

Table of Contents
Wireless multimedia environments
• Commercial product (Slingbox Pro)
• Information leakage
Devices that we have on our persons all the time
• Commercial product (Nike+iPod Sport Kit)
• Lack of location privacy
• Privacy-preserving mechanisms
Devices promoting social activity
• Commercial product (Microsoft Zune)
• Circumventing Zune’s blocking mechanism
Conclusion

Wireless multimedia environments • The Slingbox Pro
The Slingbox Pro is a networked video streaming device built by Sling Media, Inc.
It allows users to remotely view (sling) the contents of their TV over the Internet.
It stands for devices that permeate our environment and that stream or exchange information.
It is a vehicle to study the issues and challenges affecting next-generation wireless multimedia environments.

Wireless multimedia environments • Information leakage
[Diagram labels: re-encoding, encryption for data stream, private information, eavesdropper]
The Slingbox Pro re-encodes the video stream using a variable bitrate encoder.
It provides encryption for its data stream regardless of any transport encryption like WPA.
Private information could be potentially sensitive if the content is illegal, embarrassing, or is otherwise associated with some social stigma.

Wireless multimedia environments • Eavesdropping algorithms
[Diagram labels: Wireshark protocol analyzer, encryption for data stream, 100-millisecond throughput traces]
The Wireshark protocol analyzer is used to capture all of the Slingbox encrypted packets to a file.
We use these 100-millisecond throughput traces as the basis for our eavesdropping analysis.

Wireless multimedia environments • Eavesdropping algorithms
[Diagram labels: building database, matching]
1) Building a Database of Reference Traces. We construct a database of reference traces. Each movie is represented by exactly one reference trace.
2) Matching a Query Trace to the Database. The algorithm uses this database of reference traces to match against a previously unseen trace.

Wireless multimedia environments • Eavesdropping algorithms
1) Building a database of movie signatures
   1) The raw throughput traces corresponding to a movie are aligned and averaged to produce a single composite trace.
   2) A windowed Fourier transform is performed on the single composite trace.
   3) The database of movie signatures is constructed in this manner.

Wireless multimedia environments • Eavesdropping algorithms
2) Matching a Query Trace to the Database
   1) A query trace is transformed similarly into a signature.
   2) The minimum sliding window distance between the movie signatures and the query signature is calculated.
   3) The movie with the minimum distance is declared a match.

Wireless multimedia environments • Information leakage
The Slingbox results provide further evidence that encryption alone cannot fully conceal the contents of encrypted data.
The implication of the results is that an adversary in close proximity to a user’s home might be able to infer information about what videos the user is watching.

Devices that we have on our persons all the time • Nike+iPod Sport Kit
It is a wireless exercise accessory for the iPod Nano.
The kit consists of two components: a wireless sensor and a receiver.
It provides interactive audio feedback to the user about her workout.
It is the basis for assessing the issues and challenges with devices that we have on our persons all the time.

Devices that we have on our persons all the time • Lack of location privacy
[Diagram labels: range, transmitting, receiver]
1) When one begins to walk or run with the sensor in their shoe, the sensor begins transmitting.
2) While the sensor is awake and nearby, we observed that it transmits one packet every second (containing the UID).
3) Tests with seven sensors indicated the receiver still hears every sensor UID at least once in a ten second window.

Devices that we have on our persons all the time • Lack of location privacy
[Diagram labels: range, transmitting, receiver, location information]
The Nike+iPod sensor uses a globally unique persistent identifier.
For Nike+iPod sensors we observed approximately a 10 meter range indoors and a 10–20 meter range outdoors.
An adversary could exploit the Nike+iPod Sport Kit’s lack of location privacy protection.
An attacker might also establish patterns of presence.

Devices that we have on our persons all the time • Privacy preserving mechanism
1) Exploiting (Largely) Static Associations.
+ Cryptographic key: the cryptographic key could be written on the backs of the sensors, and a user could manually enter that key into their iPod before using that new sensor.
+ Special button: the sensor could have a special button on it that, when pressed, causes the sensor to actually broadcast a cryptographic key for some short duration of time.

Devices that we have on our persons all the time • Privacy preserving mechanism
2) Un-Sniffable Unique Identifiers.
[Diagram: sensor holds K (shared key), K′ (non-shared key) and X (pseudorandom value); receiver holds K (shared key)]
Assume now that both the sensor and the receiver are preprogrammed with the same shared 128-bit cryptographic key K.
The sensor generates X by using AES in CTR mode with a second, non-shared 128-bit AES key K′ during the one-second idle time between broadcasts.

Devices that we have on our persons all the time • Privacy preserving mechanism
2) Un-Sniffable Unique Identifiers.
[Diagram: sensor holds K (shared key), K′ (non-shared key), X (pseudorandom value) and S (keystream); receiver holds K (shared key)]
Also during this one-second idle time between broadcasts, the sensor could pre-generate a keystream S using AES in CTR mode, this time with the initial counter X and the shared key K.

Devices that we have on our persons all the time • Privacy preserving mechanism
2) Un-Sniffable Unique Identifiers.
[Diagram: sensor holds K (shared key), K′ (non-shared key), X (pseudorandom value), S (keystream) and M (message), and sends (X, M⊕S) = (X, Y); receiver holds K (shared key)]
When the sensor wishes to send a message M to the corresponding receiver, it sends the pair (X, M⊕S), where “⊕” denotes the exclusive-or operation.

Devices that we have on our persons all the time • Privacy preserving mechanism
2) Un-Sniffable Unique Identifiers.
[Diagram: sensor sends (X, M⊕S) = (X, Y); receiver holds K (shared key), receives (X, Y), regenerates S (keystream) and obtains M (recovered message)]
Upon receiving a message (X, Y), the receiver would re-generate S from X and the shared key K, recover M as Y ⊕ S, and then accept M as coming from the paired sensor if M contains the desired UID.

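The sensor/receiver exchange from the "Un-Sniffable Unique Identifiers" slides, as an added Go example (not code from the slides or from the paper). The keys, the broadcast counter n, the message layout UID || payload and all function names are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

// ctrXOR XORs data with the AES-128-CTR keystream for key, starting at counter block iv.
func ctrXOR(key, iv, data []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, len(data))
	cipher.NewCTR(block, iv).XORKeyStream(out, data)
	return out
}

// Broadcast is the sensor side. n counts broadcasts (assumed); X is block n of the
// K' keystream, and S is the CTR keystream under K with initial counter X.
func Broadcast(k, kPrime []byte, n uint64, m []byte) (x, y []byte) {
	ctr := make([]byte, aes.BlockSize)
	binary.BigEndian.PutUint64(ctr[8:], n)
	x = ctrXOR(kPrime, ctr, make([]byte, aes.BlockSize)) // pseudorandom X
	return x, ctrXOR(k, x, m)                            // Y = M xor S
}

// Receive regenerates S from X and K, recovers M = Y xor S, and accepts only if
// M begins with the paired UID (assumed layout: UID || payload).
func Receive(k, x, y, uid []byte) ([]byte, bool) {
	m := ctrXOR(k, x, y)
	return m, bytes.HasPrefix(m, uid)
}

func main() {
	// Constructed 128-bit keys and message, for illustration only.
	k, kPrime := []byte("constructed-K-16"), []byte("constructed-Kp16")
	for n := uint64(0); n < 2; n++ {
		x, y := Broadcast(k, kPrime, n, []byte("UID-0001step=042"))
		m, ok := Receive(k, x, y, []byte("UID-0001"))
		fmt.Printf("X=%x Y=%x M=%q accepted=%v\n", x, y, m, ok)
	}
}
```

Two broadcasts of the same M produce different (X, Y) pairs, so a sniffer sees no persistent identifier. The XOR construction by itself gives no integrity protection.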
Devices promoting social activity • Microsoft Zune
It is a portable digital media player with wireless capabilities.
The intended goal is to let users share pictures and songs with other nearby Zunes.
It is a foothold into understanding the issues and challenges with devices promoting social activity.

Devices promoting social activity • Circumventing Zune’s blocking mechanism
[Diagram: BobZune shares a song or picture (send) with AliceZune]
Consider a scenario consisting of two users, Alice and Bob, and assume that Alice and Bob respectively name their Zunes AliceZune and BobZune.
If Bob wishes to share a song or picture with his neighbors, he must first select the song or picture and then select the “send” option.

Devices promoting social activity • Circumventing Zune’s blocking mechanism
[Diagram: BobZune shares a song or picture (send) with AliceZune; Alice's options: Accept, Not accept, Block (after Accept)]
Alice has two choices: to accept the content or to not accept the content.
If Alice accepts the song and later decides that she would like to prevent Bob from ever sending her a song in the future, she can navigate to her Zune’s menu, select BobZune, and then select the “block” option.

Devices promoting social activity • Circumventing Zune’s blocking mechanism
1) Disappearing attack Zune
[Diagram: BobZune sends an inappropriate image to AliceZune]
The crux of the problem is that Alice will not be able to block Bob’s Zune if BobZune is no longer nearby or discoverable.
Alice may remember the name of Bob’s Zune, and thereby simply deny messages from BobZune in the future.

Devices promoting social activity • Circumventing Zune’s blocking mechanism
1) Disappearing attack Zune
[Diagram: Bob scans and finds CharlieZune; BobZune → CharlieZune sends an inappropriate image to AliceZune]
Bob can change the name of his Zune before trying to beam Alice additional content.
Bob could scan his nearby community, find a nearby Zune named CharlieZune and then name his Zune CharlieZune.

Devices promoting social activity • Circumventing Zune’s blocking mechanism
1) Disappearing attack Zune
[Diagram: Bob scans and finds CharlieZune; BobZune → CharlieZune sends an inappropriate image to AliceZune; Alice's blocking hits CharlieZune]
If Bob sends inappropriate content to Alice and then turns off his wireless, he might trick Alice into blocking the real CharlieZune.

Devices promoting social activity • Circumventing Zune’s blocking mechanism
2) Fake MAC addresses
The Zune neighbor discovery process and blocking mechanism are based on the Zunes’ MAC addresses.
Bob could therefore use a Linux laptop to fool Alice into thinking that she has blocked BobZune when in fact she has not.

Conclusion
We technically explore privacy and security properties of several commercial UbiComp products.
There is a need to provide strong levels of privacy protection.

Thank you Question and Answer