Tag Archives: security and privacy

New THaW Patent: Proximity Detection with Single-Antenna Device

Posted on by
Reply

The THaW team is proud to announce the issuing of a patent for new methods for single-antenna devices to determine proximity between themselves and another device. Previous work in this field provides a method for secure short-range information exchange between a multi-antenna device and a target device. However, a single-antenna device cannot use a multi-antenna-based method and, therefore, has no way to verify its proximity to the target device.

In this patented work, a single-antenna devices uses the phase and/or amplitude of a preamble received from a transmitting device, particularly a repeating portion of the preamble, to determine whether the receiving device is in close proximity to the transmitting device. If the transmitting device is close to the single-antenna device, the repeating portions of the preamble will differ in phase and amplitude, while a large distance between the two will cause the repeating portions to have a substantially consistent phase and amplitude. This can be helpful in preventing a distant adversary from tricking the single-antenna-device into believing that a malformed preamble is a legitimate signal from a nearby device.

Interested in learning more? Check out the patent here!

PIERSON, Timothy J., Ronald Peterson, and David F. KOTZ. System and method for proximity detection with single-antenna device. US 11,871,233 B2, issued January 9, 2024. https://patents.google.com/patent/US11871233B2/en.

New THaW Patent: Pairing Wireless Devices

Posted on by
Reply

The THaW team is proud to announce the issuing of a patent for new methods to pair wireless devices resulting from the THaW project.

Current Internet of Things (IoT) device authentication protocols are functional, but not scalable, which is increasingly pertinent as more and more homes and health-focused establishments have multiple ‘smart’ devices. For example, a manufacturer of an Internet-connected blood oxygen monitor will not know the name or Wi-Fi password of an end-user’s wireless network and cannot program the device to immediately pair with the user’s access point (AP). As a result, end-users may have to set up the monitor on their own… along with dozens of other home devices. Traditional pairing protocols also rely on a one-way authentication scheme, which does not prevent the user from pairing a new device with a spoofed AP.

This recently patented pairing process involves two devices sending signals between each other and leverages the movement of objects near both of these devices, which similarly impacts both devices’ signal strength. The devices can confirm trust in each other if the signal-strength-pattern they receive substantially matches the signal-strength-pattern the other device receives.

Interested in learning more? Check out the patent here or below!

Pierson, Timothy J., and Jonathan F. Alter. Methods and software for pairing wireless devices using dynamic multipath signal matching, and wireless devices implementing the same. US11856408B2, issued December 26, 2023. https://patents.google.com/patent/US11856408B2/en.

New THaW Paper on Recurring Device Verification

Posted on by
Reply

An IoT device user with a blood-pressure monitoring device should have the assurance that the device operates how a blood-pressure monitor should operate. If the monitor is connected to a measurement app that collects, stores, and reports data, but interacts in a way that is inconsistent with typical interactions for this type of device, there may be cause for concern. The reality of ubiquitous connectivity and frequent mobility gives rise to a myriad of opportunities for devices to be compromised. Thus, we argue that one-time, single-factor, device-to-device authentication (i.e., an initial pairing) is not enough, and that there must exist some mechanism to frequently (re-)verify the authenticity of devices and their connections.

In this paper we propose a device-to-device recurring authentication scheme – Verification of Interaction Authenticity (VIA) – that is based on evaluating characteristics of the communications (interactions) between devices. We adapt techniques from wireless traffic analysis and intrusion detection systems to develop behavioral models that capture typical, authentic device interactions (behavior); these models enable recurring verification of device behavior. 

To read more, check out the paper here.

Travis Peters, Timothy J. Pierson, Sougata Sen, José Camacho, and David Kotz. Recurring Verification of Interaction Authenticity Within Bluetooth Networks. Proceedings of the ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec 2021), pages 192–203. ACM, June 2021. doi:10.1145/3448300.3468287. ©

LightTouch – Connecting Wearables to Ambient Displays

Posted on by
Reply

Connectivity reached new extremes, when wearable technologies enabled smart device communications to appear where analogue watches, rings, and vision-enhancing glasses used to sit. Risks of sensitive data being wrongly transmitted, as a result of malicious or non-malicious intent, grow alongside these new technologies. To ensure that this continued interconnectivity of smart devices and wearables is safe and secure, the THaW team devised, published, and patented LightTouch. This technology, conceptually compatible with existing smart bracelet and display designs, uses optical sensors on the smart device and digital radio links to create a shared secret key that enables the secure and private connection between devices.

LightTouch makes it easy for a person to securely connect their wearable device to a computerized device they encounter, for the purpose of viewing information from their device and possibly sharing that information with nearby acquaintances. To learn more, check out this recent Spotlight in IEEE Computer, or click the links below to read the journal article, the patent specifics, or the conference presentation.

Xiaohui Liang, Ronald Peterson, and David Kotz. Securely Connecting Wearables to Ambient Displays with User IntentIEEE Transactions on Dependable and Secure Computing 17(4), pages 676–690, July 2020. IEEE. DOI: 10.1109/TDSC.2018.2840979

Xiaohui Liang, Tianlong Yun, Ron Peterson, and David Kotz. Secure System For Coupling Wearable Devices To Computerized Devices with Displays, March 2020. USPTO; U.S. Patent 10,581,606; USPTO. Download from https://patents.google.com/patent/US20170279612A1/en — Priority date 2014-08-18, Grant date 2020-03-03.

Xiaohui Liang, Tianlong Yun, Ronald Peterson, and David Kotz. LightTouch: Securely Connecting Wearables to Ambient Displays with User Intent. In IEEE International Conference on Computer Communications (INFOCOM), May 2017. IEEE. DOI: 10.1109/INFOCOM.2017.8057210

#NSFStories

Two faces of Mobile Sensing

Posted on by
Reply

A PhD dissertation from a recent ThaW graduate.

The recent popularization of mobile devices equipped with high-performance sensors has given rise to the fast development of mobile sensing technology. Mobile sensing applications, such as gesture recognition, vital sign monitoring, localization, and identification analyze the signals generated by human activities and environment changes, and thus get a better understanding of the environment and human behaviors. While benefiting people’s lives, the growing capability of Mobile Sensing would also spawn new threats to security and privacy. On one hand, while the commercialization of new mobile devices enlarges the design space, it is challenging to design effective mobile sensing systems, which use fewer or cheaper sensors and achieve better performance or more functionalities. On the other hand, attackers can utilize the sensing strategies to track victims’ activities and cause privacy leakages. Mobile sensing attacks usually use side channels and target the information hidden in non-textual data. I present the Mobile Sensing Application-Attack (MSAA) framework, a general model showing the structures of mobile sensing applications and attacks, and how the two faces — the benefits and threats — are connected. MSAA reflects our principles of designing effective mobile sensing systems and exploring information leakages. Our experiment results show that our applications can achieve satisfactory performance, and also confirm the threats of privacy leakage if they are maliciously used, which reveals the two faces of mobile sensing.

Tuo Yu. Two faces of Mobile SensingPhD thesis, May 2020. University of Illinois at Urbana-Champaign. Download from http://hdl.handle.net/2142/107938

Mobile devices based eavesdropping of handwriting

Posted on by
Reply

Recent THaW paper:

When filling out privacy-related forms in public places such as hospitals or clinics, people usually are not aware that the sound of their handwriting can leak personal information. In this paper, we explore the possibility of eavesdropping on handwriting via nearby mobile devices based on audio signal processing and machine learning. By presenting a proof-of-concept system, WritingHacker, we show the usage of mobile devices to collect the sound of victims’ handwriting, and to extract handwriting-specific features for machine learning based analysis. An attacker can keep a mobile device, such as a common smartphone, touching the desk used by the victim to record the audio signals of handwriting. Then, the system can provide a word-level estimate for the content of the handwriting. Moreover, if the relative position between the device and the handwriting is known, a hand motion tracking method can be further applied to enhance the system’s performance. Our prototype system’s experimental results show that the accuracy of word recognition reaches around 70 – 80 percent under certain conditions, which reveals the danger of privacy leakage through the sound of handwriting.

July 2020: Tuo Yu, Haiming Jin, and Klara Nahrstedt. Mobile devices based eavesdropping of handwritingIEEE Transactions on Mobile Computing 19(7), pages 1649–1663, July 2020. IEEE. DOI: 10.1109/TMC.2019.2912747