WearSys papers, MobiSys posters

THaW researchers are showing off some cool research at this week’s MobiSys conference in Niagara Falls, with three papers at MobiSys workshops and a poster in the poster session.

  • Aarathi Prasad and David Kotz. ENACT: Encounter-based Architecture for Contact Tracing. In ACM Workshop on Physical Analytics (WPA), pages 37-42, June 2017. ACM Press. DOI 10.1145/3092305.3092310.
  • Rui Liu, Reza Rawassizadeh, and David Kotz. Toward Accurate and Efficient Feature Selection for Speaker Recognition on Wearables. InProceedings of the ACM Workshop on Wearable Systems and Applications (WearSys), pages 41-46, 2017. ACM Press. DOI 10.1145/3089351.3089352.
  • Rui Liu, Cory Cornelius, Reza Rawassizadeh, Ron Peterson, and David Kotz. Poster: Vocal Resonance as a Passive Biometric. In Proceedings of the ACM International Conference on Mobile Systems, Applications, and Services (MobiSys), pages 160, 2017. ACM Press. DOI 10.1145/3081333.3089304.
  • Xiaohui Liang and David Kotz. AuthoRing: Wearable User-presence Authentication. In Proceedings of the ACM Workshop on Wearable Systems and Applications (WearSys), pages 5-10, 2017. ACM Press. DOI 10.1145/3089351.3089357.

THaW Project LightTouch Selected For INFOCOM

THaW Researchers Xiaohui Liang, Tianlong Yun, Ronald Peterson, and David Kotz have been researching new methods for connecting wearables to external screens. Their paper, LightTouch: Securely Connecting Wearables to Ambient Displays with User Intent, has been accepted to INFOCOM 2017. In it, they explore a security system that uses a screen’s brightness level to ensure secure connection between screen and device. Moreover, they also address additional screen-based counter measures that can be taken to further secure the protocol. For more information and to read the paper, click the link below.


New York Times Features THaW Research Into Acoustic Device Hacking


THaW researcher Kevin Fu’s work on acoustic device hacking has recently been featured in the New York Times. The article discusses the team’s work on using acoustic signals to fool sensors in mobile device, and create the potential for security violations. For more information beyond the article, click here for a quick video, or read the complete paper below.

WALNUT: Waging Doubt on the Integrity of MEMS Accelerometers with Acoustic Injection Attacks

CENTURION Explores New Methods In Crowd-Sourced Data Collection

THaW researchers Haiming Jin and Klara Nahrstedt of UIUIC, in collaboration with Lu Su of SUNY Buffalo, recently had a paper accepted to IEEE INFOCOM 2017. Entitled CENTURION, the research explores the incentivization of participants in crowd sourced data collection. Notably, CENTURION rethinks the existing model of crowd sourced data collection (one consumer, one set of incentives), and instead takes the novel approach of applying a double auction model with multiple consumers and multiple incentives. The result is a system that can guarantee non-negative social welfare impact, among other benefits. To explore CENTURION further, click below.


Wanda: Securely Introducing Mobile Devices (Magically)

Wanda concept in actionTHaW PhD student, Tim Pierson, along with the Wanda team have built a ‘magic wand’ that simplifies the integration of new medical devices into existing wireless networks. A detailed description of their work is found below in the abstract to their recently accepted IEEE INFOCOM paper.

Abstract: Nearly every setting is increasingly populated with wireless and mobile devices – whether appliances in a home, medical devices in a health clinic, sensors in an industrial setting, or devices in an office or school. There are three fundamental operations when bringing a new device into any of these settings: (1) to configure the device to join the wireless local-area network, (2) to partner the device with other nearby devices so they can work together, and (3) to configure the device so it connects to the relevant individual or organizational account in the cloud. The challenge is to accomplish all three goals simply, securely, and consistent with user intent. We present a novel approach we call Wanda – a `magic wand’ that accomplishes all three of the above goals – and evaluate a prototype implementation.

A prepublication version is available here.

mAuditor: A mobile Auditing Framework for mHealth Applications

Enormous numbers of mobile health applications (mHealth apps) developed recently on mobile devices (e.g. smart-phones, tablets, etc.) have enabled health status (e.g. sleep quality, heart rate, etc.) monitoring that is readily accessible to average mobile device users. Typically, such mHealth apps involve active usage of mobile device resources, such as on-board sensors, network bandwidth, etc. The rapid increase of these applications prompted the US FDA agency to put in place regulations on mHealth app risk assessment. But these existing and upcoming regulations have not yet been accompanied by a mobile auditing framework, which provides real-time monitoring of mHealth apps’ resource usage and triggers alerts to users if abnormal resource usage patterns are detected.

Haiming mAuditor graphic

In this project, we develop a mobile auditing framework shown in the figure to the left (mAuditor Framework). The mAuditor runs as a separate process along with mHealth apps and other general purpose apps (e.g. Facebook, Gmail, etc.). The mAuditor consists of the profiler and the analyzer. The profiler collects the system trace and parse the trace if needed. The parsed trace is utilized by the analyzer, which analyzes the resource usage patterns and compare them with predefined configurations. mAuditor with its low-overhead and non-obtrusive design, monitors mHealth apps’ resource usage patterns in real-time and triggers alerts to users if abnormal resource usage patterns are detected.

This work is being spearheaded by Haiming Jin and supported by his colleagues at UIUC, Ting-yu Wang and Klara Nahrstedt.



Security for Mobile and Cloud Frontiers in Healthcare

In an article in the most recent issue of the Communications of the ACM, the authors (Kotz, Fu, Gunter and Rubin) state:

The benefits of healthcare IT will be elusive if its security challenges are not adequately addressed. Security remains one of the most important concerns in a recent survey of the health and mHealth sectors, and research has illustrated the risks incurred by cyber-attacks on medical devices such as pace-makers. More than two-thirds (69%) of respondents say their organization’s IT security does not meet expectations for FDA-approved medical devices.

Privacy protection is also critical for healthcare IT; although this column focuses on security, it should be noted that many security breaches lead to disclosure of personal information and thus an impact on patient privacy.

The authors identify three critical research challenges:

  • Usable authentication tools
  • Trustworthy control of medical devices
  • Trust through accountability

For more information on the challenges facing securing healthcare IT please see Communications of the ACM.

THaW Researchers Highlight Emerging Issues Related to Mobility and Security in Healthcare

Bring Your Own Device (BYOD) Practices in Healthcare– A.J. Burns and M. Eric Johnson, Vanderbilt University

Despite the many impressive technology-enabled advances in modern medicine over the past several decades, concerns over costs, reliability, and security have hindered the adoption of IT in the health sector. However, as in other industries, healthcare has seen dramatic increases in the use of personally-owned devices. In fact, 88.6 percent of those working in healthcare report using their smartphone for work. All the while, 54 percent of US organizations report that they’re unable to determine if off-site employees are using technology and informational resources in a way that addresses corporate and regulatory requirements. This lack of oversight is especially problematic for the health sector where research reveals that healthcare workers often fail to maintain basic security hygiene on their devices (e.g., 41 percent report having no password protection).

The trend toward mobile computing is radically transforming how individuals interact with IT. For example, in 2014, comScore reported that for the first time, more than half of all digital media in the US was consumed in a mobile app. In the health sector, enabled by low entry barriers and lax (often non-existent) regulation, the number of mobile health (mHealth) apps available to consumers now exceeds 100,000, with millions of total yearly downloads. Yet when it comes to these available apps, the industry provides little transparency about either the mHealth data’s security and privacy or the usage patterns among physicians and patients that have downloaded these apps. In a recent special issue on IT security in IEEE IT Professional, THaW researchers highlight emerging issues related to mobility and security in healthcare: BYOD and the mHealth application ecosystem.

Link to IEEE IT Professional publication (see pages 23-29).

What’s in Your Dongle and Bank Account? Mandatory and Discretionary Protection of Android External Resources

Soteris Demetriou, Xiaoyong Zhou, Muhammad Naveed, Yeonjoon Lee, Kan Yuan, XiaoFeng Wang, and Carl A Gunter

The pervasiveness of security-critical external re- sources (e.g accessories, online services) poses new challenges to Android security. In prior research we revealed that given the BLUETOOTH and BLUETOOTH_ADMIN permissions, a malicious app on an authorized phone gains unfettered access to any Bluetooth device (e.g., Blood Glucose meter, etc.). Here we further show that sensitive text messages from online banking services and social networks (account balance, password reset links, etc.) are completely exposed to any app with either the RECEIVE_SMS or the READ_SMS permission. Similar security risks are present in other channels (Internet, Audio and NFC) extensively used to connect the phone to assorted external devices or services. Fun- damentally, the current permission-based Discretionary Access Control (DAC) and SEAndroid-based Mandatory Access Control (MAC) are too coarse-grained to protect those resources: whoever gets the permission to use a channel is automatically allowed to access all resources attached to it.

To address this challenge, we present in this paper SEACAT, a new security system for fine-grained, flexible protection on external resources. SEACAT supports both MAC and DAC, and integrates their enforcement mechanisms across the Android middleware and the Linux kernel. It extends SEAndroid for specifying policies on external resources, and also hosts a DAC policy base. Both sets of policies are managed under the same policy engine and Access Vector Cache that support policy checks within the security hooks distributed across the framework and the Linux kernel layers, over different channels. This integrated security model was carefully designed to ensure that misconfig- ured DAC policies will not affect the enforcement of MAC policies, which manufacturers and system administrators can leverage to define their security rules. In the meantime, a policy management service is offered to the ordinary Android users for setting policies that protect the resources provided by the third party. This service translates simple user selections into SELinux-compatible policies in the background. Our implementation is capable of thwarting all known attacks on external resources at a negligible performance cost.

Link to NDSS paper