SMART DEVICES: DO THEY RESPECT YOUR PRIVACY?
INDIAN INSTITUTE OF TECHNOLOGY
KHARAGPUR
Presenter:
Sandip Chakraborty
Systems and Mobile Research Lab, Department of Computer Science and Engineering
CONTEXT OF THIS TALK
Indian Institute of Technology Kharagpur
• Do we sacrifice privacy by using various network services (Internet, online social networks, mobile phones, wearables)?
• How does the structure/topology of a network affect its privacy properties?
• Techniques for enhancing privacy?
• Privacy is hard!
• A few slides of this talk have been taken from https://www.cs.duke.edu/courses/spring11/cps096/notes/privacy.pptx (thanks to the author!)
WHAT DO WE MEAN BY PRIVACY?
• Louis Brandeis (1890)
– “right to be left alone”
– protection from institutional threat: government, press
• Alan Westin (1967)
– “right to control, edit, manage, and delete information about themselves and decide when, how, and to what extent information is communicated to others”
PRIVACY VS SECURITY
• Security helps enforce privacy policies
• Can be at odds with each other
– e.g., invasive screening to make us more “secure” against terrorism
Privacy: what information goes where?
Security: protection against unauthorized access
TRACKING ON THE WEB
• IP address
– Number identifying your device on the Internet
– Visible to the application you are visiting
– Not always permanent
• Cookies
– Text stored on your device by the application
– Sent back to the application server by the app on your device
– Used to save preferences, shopping cart, etc.
– Can track you even if your IP changes
APPLICATION PRIVACY: APPS OVER WEARABLES
SOCIAL APPS OVER WEARABLES ARE MORE VULNERABLE
• Apps are optimized to run on low-resource devices, which compromises security
• Data is transmitted through multiple interfaces
– Wearables are connected to smartphones; e.g., the Twitter app on the smartphone triggers a notification in the Twitter app on the wearable
• Multi-modal data processing: Device – Cloud – Device
FACEBOOK WANTS YOU TO BE LESS PRIVATE !!!!
ATTACK ON THE ZOMBIE PHOTOS
OSN MISHANDLES DATA…
THREAT: COLLUSION AMONG SERVICES
OSN APPS ARE SOURCES FOR SINGLE-POINT ATTACK
Centralized structure
• Pros
– Simplifies data analysis
– High availability
• Cons
– Single point of attack
– No longer control access to own data
ALTERNATIVES?
Personal data
• Anonymization
– Do not use real names
• Encryption
– NOYB, flyByNight
• Decentralization
– Tighter control over data
ANONYMIZATION
• Hide identity, remove identifying info
• Proxy server: connect through a third party to hide IP
• Health data released for research purposes: remove name, address, etc.
THREAT: DEANONYMIZATION
• Netflix Prize dataset, released 2006
• 100,000,000 (private) ratings from 500,000 users
• Competition to improve recommendations
– i.e., if user X likes movies A, B, C, will they also like D?
• Anonymized: user name replaced by a number
THREAT: DEANONYMIZATION
• Problem: can combine “private” ratings from Netflix with public reviews from IMDB to identify users in the dataset
• May expose embarrassing info about members…
THREAT: DEANONYMIZATION
Netflix dataset (anonymized):
User   Movie             Rating
1234   Rocky II          3/5
1234   The Wizard        4/5
1234   The Dark Knight   5/5
…
1234   Girls Gone Wild   5/5
IMDB reviews (public):
User      Movie             Rating
dukefan   The Wizard        8/10
dukefan   The Dark Knight   10/10
dukefan   Rocky II          6/10
…
User 1234 is dukefan!
THREAT: DEANONYMIZATION
• Lesson: cannot always anonymize data simply by removing identifiers
• Vulnerable to aggregating data from multiple sources/networks
• Humans are predictable
– E.g., try rock-paper-scissors vs. an AI
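The linkage shown in the Netflix/IMDB table above, turned into the release-time check a data publisher should run before shipping "anonymized" ratings. This is an added example, not part of the talk or of the Netflix Prize study; the ratings, handles, threshold and function names are all constructed.

```python
"""Re-identification check for an "anonymized" ratings release (added example, constructed data).
Before release: which numbered users link uniquely to a handle in a public auxiliary source?"""
from collections import defaultdict

RELEASED = [  # constructed release: (anonymized user id, movie, rating out of 5)
    (1234, "Rocky II", 3), (1234, "The Wizard", 4), (1234, "The Dark Knight", 5),
    (1234, "Girls Gone Wild", 5),
    (5678, "Rocky II", 5), (5678, "The Wizard", 2), (5678, "Heat", 4),
    (9012, "Rocky II", 3), (9012, "The Wizard", 4),        # overlaps user 1234 on two titles
]
PUBLIC = [  # constructed public reviews: (handle, movie, rating out of 10)
    ("dukefan", "The Wizard", 8), ("dukefan", "The Dark Knight", 10), ("dukefan", "Rocky II", 6),
    ("moviebuff", "Rocky II", 10), ("moviebuff", "Heat", 8),
]

def profiles(rows, scale):
    """Group rows per user as {movie: rating normalized to 0..1}, so 3/5 and 6/10 compare equal."""
    out = defaultdict(dict)
    for user, movie, rating in rows:
        out[user][movie] = rating / scale
    return out

def overlap(anon, pub, tolerance=0.1):
    """Count movies both rated where the normalized ratings agree within the tolerance."""
    return sum(1 for movie, r in pub.items() if movie in anon and abs(anon[movie] - r) <= tolerance)

def linkable_users(released, public, min_overlap=3):
    """Map each anonymized id to the one handle it links to; ids matching zero or several are skipped."""
    anon, pub = profiles(released, 5), profiles(public, 10)
    links = {}
    for uid, ratings in anon.items():
        candidates = [handle for handle, p in pub.items() if overlap(ratings, p) >= min_overlap]
        if len(candidates) == 1:          # a unique match is a re-identification
            links[uid] = candidates[0]
    return links

def release_risk(released, public, min_overlap=3):
    """Fraction of anonymized users that are uniquely linkable: the number to look at before release."""
    return len(linkable_users(released, public, min_overlap)) / len(profiles(released, 5))
```

With min_overlap=2 the constructed user 9012 also links to dukefan on two shared titles, a false match; the threshold trades missed links against wrong ones, and any unique link at a sensible threshold means the release is not anonymous.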
LOCATION PRIVACY
• Mobile phones / wearables:
– Always in your pocket or on your hands
– Always connected
– Always know where they are: GPS
• Location-based services
• Location-based ads
• What are we giving up?
WHY, WHEN AND WHAT TO DISCLOSE?
• It is not a simple question!
• Trade-off with functionality
• Also important: whom to disclose it to?
– Relatives
– Co-workers
– Friends
• There have been studies about this
– Not easy to classify
• People want to disclose only what is useful
HOW IS YOUR DATA USED BY APPS?
• Many “free” apps are supported by ads
• Analytics: profiling users
• Our research: found it common for popular free apps to send location and device ID to advertising and analytics servers
• What can we do?
– More visibility into what an app does with data once it reads it
APPSCOPE
• Monitors app behavior to determine when privacy-sensitive information leaves the phone
APPLICATION STUDY
• Develop a learning algorithm to identify “Personally Identifiable Information” (PII)
– Find keywords corresponding to PIIs
– Location
– Name
– Phone number
– Gender
– …
• 30 popular Android applications that access the Internet, camera, location or microphone
• Of 105 flagged connections, only 37 were legitimate
FINDINGS - LOCATION
• 15 of the 30 applications shared physical location with an ad server
• Most of this information was sent in the clear
• In no case was the sharing obvious to the user
– Or written in the EULA
• In some cases it occurred without app use!
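An audit of captured outbound requests in the spirit of the study above, added here as an example and not AppScope's own code: it checks each request against the test device's known PII and reports what left the phone, whether the destination looks like an ad or analytics host, and whether it went in the clear. The device values, host-name heuristics and the request capture are all constructed.

```python
"""Audit captured outbound app requests for the test device's PII (added example, constructed data)."""
from urllib.parse import parse_qs, urlsplit

# Constructed PII of the test device, keyed by the categories the study looked for
DEVICE_PII = {"imei": "356938035643809", "phone": "+15555550123",
              "lat": "37.4220", "lon": "-122.0841"}
AD_ANALYTICS_HINTS = ("ads.", "analytics", "track", "stats.")   # constructed host-name heuristic
CAPTURED = [  # constructed capture: (app, url, form-encoded body)
    ("weatherapp", "http://ads.example-adnet.invalid/t?lat=37.4220&lon=-122.0841&u=42", ""),
    ("weatherapp", "https://api.example-weather.invalid/forecast?lat=37.42&lon=-122.08", ""),
    ("gameapp", "https://stats.example-analytics.invalid/v1/event", "imei=356938035643809&ev=start"),
    ("chatapp", "https://chat.example-chat.invalid/login", "phone=%2B15555550123"),
    ("newsapp", "https://cdn.example-news.invalid/feed.json", ""),
]

def fields_of(text):
    """Form-encoded text -> {lowercase key: first value}; parse_qs also URL-decodes (%2B -> +)."""
    return {k.lower(): v[0] for k, v in parse_qs(text).items()}

def same_place(lat, lon):
    """Two-decimal match (~1 km): a truncated coordinate still identifies the device location."""
    try:
        return (round(float(lat), 2), round(float(lon), 2)) == \
               (round(float(DEVICE_PII["lat"]), 2), round(float(DEVICE_PII["lon"]), 2))
    except ValueError:
        return False

def leaked_pii(url, body):
    """Return the set of PII categories carried by one request (query string or body)."""
    fields = {**fields_of(urlsplit(url).query), **fields_of(body)}
    found = set()
    if fields.get("imei") == DEVICE_PII["imei"] or DEVICE_PII["imei"] in url:
        found.add("imei")
    if fields.get("phone") == DEVICE_PII["phone"]:
        found.add("phone")
    if "lat" in fields and "lon" in fields and same_place(fields["lat"], fields["lon"]):
        found.add("location")
    return found

def audit(captured):
    """One finding per request carrying PII: what leaked, to which host, and whether in the clear."""
    findings = []
    for app, url, body in captured:
        pii, parts = leaked_pii(url, body), urlsplit(url)
        if pii:
            findings.append({"app": app, "host": parts.hostname, "pii": sorted(pii),
                             "cleartext": parts.scheme == "http",
                             "ad_or_analytics": any(h in parts.hostname for h in AD_ANALYTICS_HINTS)})
    return findings
```

The first-party weather request also carries the location, so the audit separates "which data left the phone" from "was that destination and transport acceptable", which is the judgement the study made when it called only 37 of 105 flagged connections legitimate.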
FINDINGS – PHONE IDENTIFIERS
• 7 applications sent device unique identifiers (IMEI) and 2 apps sent phone info (e.g., phone number) to a remote location without warning
– One app’s EULA indicated the IMEI was sent
• Appeared to be sent to app developers
“There have been cases in the past on other mobile platforms where well-intentioned developers are simply over-zealous in their data gathering, without having malicious intent.” -- Lookout
TAKEAWAYS
• Decentralized network structure can enhance privacy
• Difficult to achieve true anonymity
• Fine-grained control over data can help
– Tension with usability
APPSCOPE WORKS IN USER SPACE – AN APP CAN HIDE ITS PERMISSION FROM APPSCOPE
TRUSTED EXECUTION ENVIRONMENT
• Secure area of the main processor in a smartphone or any connected device
• Ensures sensitive data is stored, processed and protected in an isolated and trusted environment
• GlobalPlatform standardizes the TEE and generates specifications, compliance programs and certification schemes.
TEE ARCHITECTURE
“TEE allows Applications to execute, process, protect and store sensitive data in an isolated, trusted environment”
TEE USE CASE
• Platform integrity
• Secure storage
• Isolated execution
• Device identification
• Device authentication
• User authentication
• Transaction validation
TEE IN INDUSTRY
• Architectures with a single TEE
– ARM TrustZone
– TI M-Shield
– Smart card
– Crypto co-processor
– TPM
• Architectures with multiple TEEs
– Intel SGX
– TPM
– Hypervisor
ARM TRUSTZONE
• TrustZone is a set of security extensions added to ARMv6 processors and later, such as ARM11, Cortex-A8, Cortex-A9 and Cortex-A15.
• TrustZone enables the development of separate environments
– Rich Operating System: Normal domain
– Trusted Execution: Secure domain
• Both domains have the same capabilities
– Operate in separate memory spaces
• Enables a single physical processor core to execute from both the Normal world and the Secure world
– Normal world components cannot access Secure world resources
HOW DOES TRUSTZONE WORK?
• User-space applications operate in the "normal" world
• The kernel runs in "system" mode. The trusted kernel operates in "monitor" mode in the secure world
• Because of this architecture, even a "rooted" application cannot access protected regions within the trusted kernel.
• Uses a “33rd bit”, signaling whether the core is in secure mode
• This bit is also propagated outside the system on chip (SoC)
• Peripherals and memory are configured during startup as to which side (normal/secure) they belong to
TRUSTZONE WORKING
• TrustZone Non-Secure bit
– The memory is split into Secure and Non-secure regions
– The Non-secure (NS) bit determines whether program execution is in the Secure or Non-secure world
• Transition management
– Switch between the normal and secure domain
– Monitor: gatekeeper that controls migration between the Normal and Secure world
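A simplified model of the NS bit and the monitor described in the two slides above, added as an example (it is not ARM's or any TEE's code): regions are assigned to a world at boot, every access is checked against the NS bit, and an SMC through the monitor is the only way to change world. Addresses, sizes and class names are constructed.

```python
"""Simplified model of the TrustZone NS bit and the monitor (added example, not ARM's code).
Regions are assigned to a world at boot, every access carries the NS bit, the monitor is the only door."""
from dataclasses import dataclass
SECURE, NORMAL = 0, 1              # value of the NS bit while executing in each world

@dataclass(frozen=True)
class Region:                      # a memory or peripheral window owned by one world (constructed)
    name: str
    base: int
    size: int
    secure: bool
    def contains(self, addr):
        return self.base <= addr < self.base + self.size

class Soc:
    def __init__(self, regions):
        self.regions = regions     # partition fixed by boot firmware; the rich OS cannot change it
        self.ns = NORMAL           # the rich OS and its apps run with NS=1
        self.mem = {}

    def _check(self, addr):
        """Bus-side check: the NS bit rides with every transaction, so a secure region is
        reachable only with NS == 0, whatever the privilege level inside the normal world."""
        region = next((r for r in self.regions if r.contains(addr)), None)
        if region is None:
            raise ValueError(f"unmapped address {addr:#x}")
        if region.secure and self.ns == NORMAL:
            raise PermissionError(f"normal world denied access to {region.name}")

    def read(self, addr):
        self._check(addr)
        return self.mem.get(addr, 0)

    def write(self, addr, value):
        self._check(addr)
        self.mem[addr] = value

    def smc(self, trusted_service, *args):
        """Secure Monitor Call: the only transition into the secure world. The monitor sets
        NS=0, runs the trusted service, and restores the caller's world even on error."""
        caller_ns = self.ns
        self.ns = SECURE
        try:
            return trusted_service(self, *args)
        finally:
            self.ns = caller_ns

def build_soc():
    """Constructed partition: one normal-world DRAM window and one secure-world TEE RAM window."""
    return Soc([Region("dram", 0x8000_0000, 0x1000, secure=False),
                Region("tee_ram", 0x9000_0000, 0x1000, secure=True)])
```

A "rooted" normal-world kernel is still just a caller with NS=1 in this model, which is why it cannot read tee_ram directly; the real hardware enforces the same thing in the bus fabric rather than in software.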
ARM TRUSTZONE ARCHITECTURE
Source: https://www.arm.com/products/processors/technologies/trustzone/tee-smc.php
ARM TRUSTZONE ARCHITECTURE
Source: https://www.cs.helsinki.fi/group/secures/CCS-tutorial/
TRUSTZONE SOFTWARE
• TrustZone software provides a minimal secure kernel which can be run in parallel with a more fully featured high-level OS, such as Linux, Android, or BSD, on the same core.
• It also provides drivers for the normal, rich OS ("normal world") to communicate with the secure OS ("secure world")
TRUSTZONE API & GLOBALPLATFORM TEE API
• The TrustZone API was targeted at applications running in the normal OS and masked the secure OS implementation from the normal OS
• It was the initial endeavor by ARM to standardize software development for the TrustZone hardware security extensions
• ARM has partnered with GlobalPlatform to define a new Trusted Execution Environment (TEE) API that covers all three aspects:
– TEE Client API Specification
– TEE Internal API Specification
– TEE System Architecture
RESEARCH WITH TRUSTZONE
• Reliable and Trustworthy Memory Acquisition on Smartphones (IEEE Transactions on Information Forensics and Security, vol. 10, no. 12, December 2015)
• Using ARM TrustZone to Build a Trusted Language Runtime for Mobile Applications (ASPLOS '14: Proceedings of the 19th International Conference on Architectural Support for Programming Languages and Operating Systems)
• TrustOTP: Transforming Smartphones into Secure One-Time Password Tokens (CCS '15: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security)
Systems and Mobile Research Lab,
Department of Computer Science and Engineering, IIT Kharagpur, INDIA 721302
http://cse.iitkgp.ac.in/~sandipc/