11/46/46

SPIES: Security and Privacy In Emerging computing and

networking Systems

Nitesh SaxenaPolytechnic Institute of NYU

nsaxena@poly.eduhttp://spies.poly.edu/~nsaxena

Research areas: computer and network security, applied cryptography

22/46/46

Research Overview

33/46/46

Secure Device Association

44/46/46

Secure Association of Wireless Devices

How to bootstrap secure communication between Alice’s and Bob’s devices when they have no prior context no common trusted CA or TTP

55/46/46

Secure Association of Wireless Devices

Common pairing examples:

Cell-phone headset (bluetooth) Laptop access point (WiFi) Cell-phone cell-phone (bluetooth)

66/46/46

Secure Association of Wireless Devices

Solution idea: use auxiliary or out-of-band (OOB) channel with minimal involvement from Alice and Bob

Audio, Visual, Tactile

77/46/46

Research Challenges OOB channels are low-bandwidth Devices may be constrained in terms of

interfaces User is constrained - Usability Multiple devices/users

Sensor network initialization Group formation

Ohh! I cannot even pair my socks!

Selected contributions: TIFS’11, TMC’11, CHI’10, CCS’10, Ubicomp’10, SCN’10, PMC’09, Percom’09, SOUPS’08, Oakland’06

88/46/46

RFID Security and Privacy

99/46/46

The Privacy Problem Good tags, Bad readers

500 Eurosin wallet

Serial numbers:597387,389473

…

Wigmodel #4456

(cheap polyester)

30 items of lingerie

Das Kapital and Communist-

party handbook

Viagramedical drug #459382

1010/46/46

The Authentication Problem Good readers, Bad tags

500 Eurosin wallet

Serial numbers:597387,389473

…

Wigmodel #4456

(cheap polyester)

30 items of lingerie

Das Kapital and Communist-

party handbook

Viagramedical drug #459382

Counterfeit!!

1111/46/46

Relay (Ghost-and-Leech) Attacks

query

query

quer

y

resp

onse

response

response

1212/46/46

Research Challenges Very limited resources

a $0.03 tag can’t do much computationally only and-or-xor operations might be feasible

has only ~2,000 gates for security operations

few bits to few bytes of memory No user interfaces Atypical usage model

Selected contributions: Percom’11, JCS’10, CCS’10, RFIDSec’10, RFIDSec’09, RFIDSec’09

1313/46/46

Other Projects Strong Password Authentication Password-Protected Secret Sharing and

Distributed Function Computation Privacy of Web and Location-based Search Security and Privacy of P2P Systems Inference of Private Attributes in Online Social

Networks Playful Security Security and Privacy of Medical Devices

Selected contributions: Percom’11, AsiaCCS’11, TIFS’10, TIFS’09, TPDS’09, P2P’10, PETS’10, FC’10, ACNS’06, ICNP’05, TCC’05, SASN’05, SASN’04

1414/46/46

On Pairing Constrained Wireless Devices Based on

Secrecy of Auxiliary Channels:The Case of Acoustic Eavesdropping

ACM Conference on Computer and Communications Security (CCS), October 2010

1515/46/46

Recall: The "Pairing" Problem

Solution idea use auxiliary = out-of-band (OOB) channels with minimal involvement from Alice and Bob

Audio; Visual; Tactile

1616/46/46

Examples: Manual Transfer (numbers – Uzun et al. [Usec’07]) Automated Transfer (barcode-camera – McCune et al.

[Oakland’05])

SASB

A

Pairing using Authenticated OOB (A-OOB)

B

SASB

SASA

SASA

PKA PKB

Short Authenticated Strings (SAS) Protocols Vaudenay [Crypto’05]; Nyberg-Laur [CANS’06] Pasini-Vaudenay [CT-RSA’08]; Jarecki-Saxena [SCN’10]

1717/46/46

Recall: Constrained Devices

Devices with constrained interfaces and resources

Headsets Access points RFID tags Medical implants (no physical access) …

Many common pairing scenarios involve one constrained device

1818/46/46

A-OOB Pairing: Constrained Devices

SASB

A B

SASB

SASA

SASA

PKA PKB

1919/46/46

A-OOB Pairing: Constrained Devices

Difficult and prone to fatal human errors (Kumar et al. [Percom’09])

b

A B

b = (SASB = = SASA)

SASA

SASA

PKA PKB

Saxena et al. [Oakland’05]

2020/46/46

A

Pairing using Authenticated and Secret OOB (AS-OOB)

B

K

Unidirectional OOBNo fatal human errorsSimple: no crypto

2121/46/46

A

Pairing using Authenticated and Secret OOB (AS-OOB)

B

PAKA

Password/PIN

Unidirectional OOBNo fatal human errors

2222/46/46

Focus of Our Work We examine three AS-OOB pairing

methods based on low-volume audio signals require device vibration and/or button clicks

generate acoustic emanations as by-product

Can an attacker recover the underlying OOB data (key or password) via acoustic eavesdropping?

2323/46/46

Related Work Keyboard acoustic emanations used to

detect key presses (Asonov-Agrawal [Oakland’04]) Follow-up work by Zhuang et al. [CCS’05]

and Berger et al. [CCS’06] Inference of CPU activities through

acoustic emanations (Shamir-Tromer)

2424/46/46

Our Contributions First paper to explore AS-OOB pairing security

based on acoustic emanations In general, observation attacks on pairing

Consider realistic settings: eavesdropping from 2-3 ft distance Allows an eavesdropper to place a microphone next to the

device(s) Farther eavesdropping using parabolic microphone

explored Off-the-shelf, inexpensive equipments and tools

2525/46/46

Pairing Methods Examined (1/3) IMD Pairing: Pairing an Implantable Medical Device

(IMD) and an authorized reader (Halperin et al. [Oakland’08]).

RFID tag with piezo attached to IMD beeps and transmits key to reader

Reader microphone on the body surface records the key

2626/46/46

Pairing Methods Examined (2/3) PIN-Vibra: Used for pairing a personal RFID tag with a

mobile phone (Saxena et al. [SOUPS’08 Poster]) Phones vibrates encoding a PIN and touched to the tag Tag senses the vibrations using on-board accelerometer

PIN Accelerometer

2727/46/46

Pairing Methods Examined (3/3)

BEDA (Button Enabled Device Association): Soriente et al. [IWSSI’07, IJIS’09] First device encodes a short password into

blinking of an LED or vibration Second device has a button

Blink-Button

Vibrate-Button

2828/46/46

Eavesdropping Overview Eavesdropping implemented using off-the-

shelf equipment PC microphone Parabolic microphone for larger distance recording Windows sound recorder and Matlab software

Utilized signal processing methods and neural networks to decode the OOB data

2929/46/46

Research Challenges IMD binary bit signal characteristics unknown

Small differences in spectrum of “mark” and “space” bits

Short bits sometimes overlap each other Vibration and button clicks

Signal stretches over a wide range of frequencies Signal affected by background noise when

recorded from a distance

3030/46/46

Eavesdropping IMD Pairing

3131/46/46

IMD Pairing System described in IMD paper recreated

Included a piezo connected to an Intel’s WISP tag Inserted within a combination of meats

Emulated human chest Random 128-bit key encoded into the piezo

Plus 8 bit pre-amble start sequence Using 2-FSK modulation

Acoustic signal recorded and processed from different distances

3232/46/46

IMD Setup

Piezo attached to the WISP

Meat combination used to simulate human body

Implanted IMD*

*from Halperin et al.

3333/46/46

Our Attack Characteristic frequency components detected

for each of the 2-FSK signals encoded Utilized for detecting accurate signal beginning Small differences in frequencies used to distinguish

between bits and detect beginning sequence FFT and MFCC features created for each

consecutive bit in the signal Multiple Neural networks explored to classify

each bit Both supervised and unsupervised networks

3434/46/46

Results – from 3 ft away

3535/46/46

Results About 99% detection accuracy from up to

3 ft away MFCC features provided better results then

FFT features Both supervised and unsupervised neural

networks provide similar results Tests using parabolic microphone showed

about 80% accuracy utilizing only signal processing techniques 12 ft away recording

3636/46/46

Eavesdropping PIN-Vibra

3737/46/46

Method Description PIN encoded into vibrations (on-off encoding) 14 bits random key hardcoded into cell phone Three additional bits (“110”) beginning

sequence used to indicate key beginning (to a valid decoder)

'1' bit marked by vibration, '0' bit marked by “sleep” period

3838/46/46

Our Attack Similar to IMD eavesdropping:

Spectrum analysis used to detect key beginning sequence

Neural Network classifiers used to decode key

Attack resulted in 100% successful detection of key

3939/46/46

Results

4040/46/46

Eavesdropping BEDA

4141/46/46

Method Description

Password encoded on one device As function of distances (time interval) between events Each event generates blink or vibration

User presses button on other device when first device blinks or vibrates

Implemented with 21-bit random password Provides 8 total signals

4242/46/46

Our Attack For Blink-Button, we analyze button-pressing signals; for

Vibrate-Button, we analyze vibration (button-pressing is subsumed within)

Only used signal processing methods Detected each button press or vibration event

Since in this case, the binary bits are not continuous, no classification is needed It is sufficient to detect each signal beginning

Attack resulted in an accuracy of 98%

4343/46/46

Implications of Our Attacks IMD Pairing: directly learn the shared secret PIN-Vibra: directly learn the shared secret

no protection in the event of loss/theft of RFID still resistant to (remote) unauthorized reading

BEDA Need to launch a man-in-the-middle attack as

soon as the password is learned The three methods provide weaker security

than what was assumed or is desired

4444/46/46

Conclusions and Future Work The three AS-OOB pairing methods vulnerable

to acoustic eavesdropping attacks Neural networks useful in correctly decoding

bits from spectrum features Successful eavesdropping possible even from

farther using a parabolic microphone Broadly, secure and usable pairing of

constrained devices resistant to observation attacks is a research challenge

Open problem

4545/46/46

Other Projects Strong Password Authentication Password-Protected Secret Sharing Privacy of Web and Location-based Search Security and Privacy of P2P Systems Inference of Private Attributes in Online Social

Networks Playful Security Security and Privacy of Medical Devices

Selected contributions: Percom’11, AsiaCCS’11, TIFS’10, TIFS’09, TPDS’09, P2P’10, PETS’10, FC’10, ACNS’06, ICNP’05, TCC’05, SASN’05, SASN’04

4646/46/46

Acknowledgments Sponsors: NSF, NYU, NYU-Poly, Google,

Nokia, Intel, Research in Motion Students – the SPIES: Jon Voris, Tzipora

Halevi, Sai Teja Peddinti, Justin Lin, Borhan Uddin, Ambarish Karole, Arun Kumar, Ramnath Prasad, Alexander Gallego

Collaborators

Thanks!