Wireless Privacy Problems - PowerPoint PPT Presentation

About This Presentation
Description:

Ten minutes late for that meeting! (The line at Starbucks was pretty long) ... of lingerie. Das Kapital (paid with Amex card 345882299) Pack of cigarettes ... – PowerPoint PPT presentation

Slides: 56
Provided by: sit9

Transcript and Presenter's Notes

Title: Wireless Privacy Problems


1
Wireless Privacy Problems
2
How to monitor criminals
3
How to monitor citizens
Glasses bought by fiancée
Cigarettes (third pack in a week)
Tie worn when working
Phone billed to you
Fancy shoes bought with your credit card
Ten minutes late for that meeting! (The line at
Starbucks was pretty long)
4
How to monitor customers
Who is there?
What is he/she like?
and what should I try to sell him/her?
5
How to monitor peers
Who is in her address book?
Digital camera photos transferred to storage
in backpack, via a Bluetooth phone
What are those photos?
Who is with her?
What is she wearing?
What is her friend saying?
How much money is she carrying?
6
How to monitor competitors
their
What's our best seller?
they
What are we running out of?
their
Who are our customers?
7
How could things go this wrong?
  • New technology can act as a double-edged sword
  • Bluetooth is vulnerable to location tracking,
    eavesdropping and impersonation.
  • Radio Frequency ID (RFID) tags can be targets of
    location tracking, activity snooping, and other
    privacy intrusions.
  • Smartphones may be vulnerable to eavesdropping
    and data leakage by viruses and rogue homepages.
  • Multi-hop protocols can be abused for location
    tracking.

8
Note: Location Services vs. Location Attacks
not necessarily the same, and we can have
one without the other
9
Who would know where you are?
At the very least: you! In many implementations:
a (trusted) service provider.
Bad case: all peers in your neighborhood. Worse
case: anybody.
10
How can location privacy be violated?
Recognizing/correlating short-term
pseudonyms (Bluetooth hopping sequence, session
identifiers)
Recognizing constellations of short
identifiers (Radio Frequency ID tags)
11
Let's start with Bluetooth!
Secret key is K
"Aha! John Smith just passed!"
12
Bluetooth Basics
  • Where?
      • Phones, headsets, cameras, MP3 players,
        gadgets.
  • What's good?
      • Convenient short-distance cable substitute
        allowing cell phones to interact with printers,
        cameras, CD and MP3 players, advertisers, etc.
  • What's bad?
      • No authentication. Encryption weaknesses. Gaping
        holes in key establishment protocol. Privacy
        vulnerabilities (location, activities, company).
        See JW01 for some of these problems.

13
Bluetooth Primer
  • Addressing by means of the unique Bluetooth
    device address, device access code (DAC), channel
    access code (CAC)
  • Various device modes (discoverable, connectable)
  • Various keys (unit key, link key, encryption key)

14
Bluetooth location attack
  • Devices in discoverable mode
      • response to inquiries reveals device identity
  • Otherwise
      • CAC is a deterministic function of device
        identity
      • CAC tags allow indexing of victim devices

This allows an attacker not only to figure out
who is there, but also with whom!
15
Bluetooth impersonation attack
  • Lack of authentication (in the cryptographic
    sense) makes it possible to impersonate one
    device to another.
  • If impersonated device has read/write access then
    this allows access to victim device.
  • Note: encryption does not help if the adversary
    starts the attack at the key pairing stage
    (referred to as authentication in the specs)
    and obtains the keys.

16
Establishment of Initialization Key
[Diagram: Device A and Device B. Inputs on each side: PIN, RND, BD_ADDR_A. Exchanged: RND. Output on each side: Kinit.]
17
Verification of Initialization Key
[Diagram: Device A and Device B, in the roles of Claimant and Verifier. Inputs on each side: BD_ADDR_B, Kinit, RND. Exchanged: RND, SRES. Check: SRES = SRES?]
18
Offline PIN Crunching
  • Eavesdropping on key establishment process
  • attacker guesses a PIN
  • correctness is checked by performing the
    verification step
  • Stealing participation
  • attacker guesses a PIN
  • initiates the verification
  • obtained challenge-response transcript used to
    check the guesses
  • attacker benefits from back-off method

19
Now, let's consider RFID!
20
RFID Basics
  • Where?
      • price tags, recycle tags, tires, ExpressPay™,
        pets, bank notes
  • What's good?
      • Extremely inexpensive wireless replacement to
        barcodes.
  • What's bad?
      • Virtually no computational ability, therefore no
        crypto, therefore no security. Can be
        eavesdropped on at surprising distances.

21
RFID Primer
  • At 900 MHz forward channel can be monitored at
    1km distance, backward at 100m.
  • Most tags can be read by anybody. Many can also
    be written by anybody.

22
  • No battery: power by induction from reader
  • (Almost) no memory
      • Static 64-to-96-bit identifier in current
        few-cent generation
      • Hundreds of bits soon
  • Little computational power
      • A few thousand gates
      • No cryptographic functions available
      • Static keys for read/write permission

23
Attacks on location privacy.
24
RFID location attack
  • Read tags to find particular items. Identify
    constellations to establish unique identifier,
    allowing the attacker to track the user.
  • Not necessary for the attacker to read tags to
    locate them: the attacker can simply listen to the
    forward channel to determine who is being polled.
    This allows an eavesdropper to determine
    inventories, etc.
  • See RSA RFID page for more details.

25
Where is RFID used, and why?
  • Smoother inventory tracking
  • Military supply logistics
  • Gulf War I: Double orders to ensure arrival
  • Gulf War II: RFID makes supply chain reliable
  • Procter & Gamble: Elimination of dock
    bottleneck, fast loading of pallets onto trucks
  • Parenting logistics
  • Water park uses RFID bracelets to track children
  • Inventory control (i.e., theft-prevention)
  • Air Canada tracking of food carts
  • Gillette Mach3 razor blades

26
Where is RFID used, and why?
  • Refining retail experience
  • Prada in Soho, NYC
  • Payment technologies
  • ExxonMobil Speedpass
  • Maintaining shelf stocks in retail environments
  • Tagging pets
  • Proximity badges for building access
  • Clothing anti-forgery, customer returns

27
Some applications tomorrow
  • Smart appliances
  • Refrigerators that automatically create shopping
    lists
  • Ovens that know how to cook pre-packaged food
  • Smart products
  • Clothing, appliances, CDs tagged for store
    returns
  • Smart paper
  • Airline tickets that indicate your location in
    the airport
  • Library books
  • Business cards
  • Recycling
  • Plastics that sort themselves

28
Simple approaches to consumer privacy
Method 1: Place RFID-tags in protective mesh or
foil
Problem: makes locomotion difficult;
perhaps useful for wallets
29
Simple approaches to consumer privacy
Method 2: Kill RFID tags
Problem: RFID tags are much too useful
30
Approach 1: External re-encryption (Juels &
Pappu 2003)
  • Problem: avoid tracking of Euro notes (RFID
    rumor)
  • Change ID using re-encryption (same plaintext,
    new ciphertext)
  • RFID cannot re-encrypt: done by external privacy
    agent
  • How to ensure that re-encryption done when
    wanted?
  • Require optical scan for changes to banknotes
  • Writing can be restricted (reading is still
    easy)
  • How to ensure that privacy machine did its job
    properly?
  • Cryptographic tricks: special formatting of
    ciphertexts

31
Approach 2: Universal Re-encryption (Golle et
al., 04)
  • Problem: re-encryption situation with multiple
    public keys
  • Must re-encrypt ciphertexts without knowing the
    public key!
  • New technique allows one ciphertext to be
    transformed into another so that they cannot be
    linked
  • Where the transformation requires no knowledge of
    the public keys!

32
Universal Re-encryption for RFID tags
Broadcast a barcode
Is this a privacy risk?
How about if we encrypt it?
We want to re-encrypt!
Problem: no computational ability!
Let helpers re-encrypt!
Many public keys!
33
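Review: El Gamal encryption
  • Prime $p$, secret key $x$, generator $g$, public key
    $y = g^x \bmod p$
  • Message $m$
  • Encryption: $E_y(m) = (a,b) = (y^{\alpha} m,\ g^{\alpha})$
  • Decryption: $D_x(a,b) = m = a / b^x$
  • Re-encryption: $R_y(a,b) = (a',b') = (a,b)(y^{\beta}, g^{\beta}) = (y^{\alpha} m\, y^{\beta},\ g^{\alpha} g^{\beta})$
  • Blinding: $B(a,b) = (a',b') = (a^{\gamma}, b^{\gamma}) = (y^{\alpha\gamma} m^{\gamma},\ g^{\alpha\gamma})$
  • Note: $D_x(B(E_y(1))) = 1$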

34
Universal re-encryption using EG
  • Encryption: $UE_y(m) = (m,u) = (E_y(m), E_y(1))$
  • Decryption: $UD_x(m,u) = D_x(m)$ if $D_x(u) = 1$
  • Re-encryption: $UR(m,u) = (m\,B(u),\ u\,B(u))$
  • $(m\,B(u),\ u\,B(u)) = (m\,u^{\delta_1},\ u^{\delta_2})$

35
A look at the details
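  • Encryption: $UE_y(m) = (m,u) = (E_y(m), E_y(1))$
  • $= ((y^{\alpha} m, g^{\alpha}),\ (y^{\beta}, g^{\beta}))$
  • Decryption: $UD_x(m,u) = D_x(m)$ if $D_x(u) = 1$
  • Re-encryption: $UR(m,u) = (m\,B(u),\ u\,B(u))$
  • $= ((y^{\alpha} m, g^{\alpha})(y^{\delta_1}, g^{\delta_1}),\ (y^{\beta}, g^{\beta})(y^{\delta_2}, g^{\delta_2}))$
  • $= ((y^{\alpha+\delta_1} m, g^{\alpha+\delta_1}),\ (y^{\beta+\delta_2}, g^{\beta+\delta_2}))$
  • $= ((y^{\alpha'} m, g^{\alpha'}),\ (y^{\beta'}, g^{\beta'}))$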

36
RFID application
  • 1. Each device contains a UE of its data, using
    the public key of the appropriate authority.
  • 2. Helpers perform UR on ciphertexts.
  • 3. Everybody can read, but only the appropriate
    authorities can decrypt!
  • Notice: Tracking not possible!
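
Added example (not part of the original slides): a Python sketch of slides 33 to 36, using the re-encryption form (m·u^δ1, u^δ2) from slide 34, where the helper needs no key. The group parameters P, Q, G, the function names and the tag ID 1234 are assumptions chosen for illustration; an 11-bit prime is far too small for real use.

```python
import secrets

# Toy group, constructed for illustration only: P = 2*Q + 1, G has prime order Q.
P, Q, G = 2039, 1019, 4

def rand_exp():
    return secrets.randbelow(Q - 1) + 1            # uniform in [1, Q-1]

def keygen():
    x = rand_exp()
    return x, pow(G, x, P)                         # secret x, public y = g^x mod p

def eg_encrypt(y, m):
    alpha = rand_exp()
    return (pow(y, alpha, P) * m % P, pow(G, alpha, P))   # (y^alpha * m, g^alpha)

def eg_decrypt(x, ct):
    a, b = ct
    return a * pow(b, -x, P) % P                   # a / b^x (needs Python 3.8+)

def ct_mul(c1, c2):                                # component-wise product
    return (c1[0] * c2[0] % P, c1[1] * c2[1] % P)

def ct_pow(c, d):                                  # component-wise power (blinding)
    return (pow(c[0], d, P), pow(c[1], d, P))

def ue_encrypt(y, m):
    return (eg_encrypt(y, m), eg_encrypt(y, 1))    # (E_y(m), E_y(1))

def ue_reencrypt(uct):
    """Helper side: uses no key at all. (m, u) -> (m * u^d1, u^d2)."""
    m, u = uct
    return (ct_mul(m, ct_pow(u, rand_exp())), ct_pow(u, rand_exp()))

def ue_decrypt(x, uct):
    m, u = uct
    if eg_decrypt(x, u) != 1:                      # D_x(u) != 1: not under this key
        return None
    return eg_decrypt(x, m)

if __name__ == "__main__":
    x, y = keygen()
    tag = ue_encrypt(y, 1234)                      # 1234: constructed tag ID, 1 <= ID < P
    for _ in range(3):                             # every pass changes what the tag emits
        tag = ue_reencrypt(tag)
        print(tag, "->", ue_decrypt(x, tag))
```

Every pass changes the values the tag would broadcast, yet the holder of x still recovers 1234, and a holder of a different key gets None.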

37
Approach 3: The Blocker Tag (Juels, Rivest &
Szydlo)
Blocker simulates all (billions of) possible tag
serial numbers!!
38
Tree-walking protocol for identifying RFID tags
[Diagram: binary tree of tag-ID prefixes: 0, 1; 00, 01, 10, 11; 000, 001, 010, 011, 100, 101, 110, 111.]
39
Blocker tags in a nutshell
  • Tree-walking protocol for identifying tags
    recursively asks questions
  • Is there a tag whose next bit is a 1?
  • Is there a tag whose next bit is a 0?
  • Blocker tag always says yes to both questions
  • Makes it seem like all tags are present
  • Thus reader cannot figure out which tags are
    actually present
  • Number of possible tags is huge (at least a
    billion billion), so reader stalls

40
Consumer privacy and commercial security
  • Blocker tag can be selective
  • Privacy zones: Only block certain ranges of
    RFID-tag serial numbers
  • Zone mobility: Allow shops to move items into
    privacy zone upon purchase
  • Example
  • Blocker blocks all identifiers with leading 1
    bit
  • Items in supermarket carry leading 0 bit
  • On checkout, leading bit is flipped from 0 to
    1

41
Blocking with privacy zones
[Diagram: binary tree of tag-ID prefixes: 0, 1; 00, 01, 10, 11; 000, 001, 010, 011, 100, 101, 110, 111.]
Transfer to privacy zone on purchase of item
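
Added example (not part of the original slides): a Python simulation of the tree-walking reader from slides 38 to 41 against a selective blocker that covers the leading-1 privacy zone. The 16-bit IDs, the 500-query reader budget, the prefix-query model and all names are assumptions made for the illustration.

```python
def checkout(tag_id):
    """Zone mobility: flip the leading bit 0 -> 1 on purchase."""
    return "1" + tag_id[1:]

def tree_walk(tags, blocker_zone=None, bits=16, budget=500):
    """Reader-side tree walk over `bits`-bit IDs given as '0'/'1' strings.
    blocker_zone: prefix for which a selective blocker answers every query 'yes'.
    Returns (ids_reported, queries_used, stalled)."""
    reported, queries, stack = [], 0, [""]
    while stack:
        if queries >= budget:                  # reader gives up: the walk stalled
            return reported, queries, True
        prefix = stack.pop()
        queries += 1                           # "is any tag under this prefix?"
        real = any(t.startswith(prefix) for t in tags)
        blocked = blocker_zone is not None and (
            prefix.startswith(blocker_zone) or blocker_zone.startswith(prefix))
        if not (real or blocked):
            continue
        if len(prefix) == bits:
            reported.append(prefix)            # leaf: a full ID (real or simulated)
        else:
            stack += [prefix + "1", prefix + "0"]   # the "0" branch is walked first
    return reported, queries, False

# Constructed sample IDs: two items still on the shelf, one just purchased.
SHELF = {"0000000000101010", "0011110000001111"}
BOUGHT = checkout("0101010101010101")

def demo():
    tags = SHELF | {BOUGHT}
    open_walk = tree_walk(tags)                        # no blocker present
    blocked_walk = tree_walk(tags, blocker_zone="1")   # blocker covers zone "1"
    return open_walk, blocked_walk

if __name__ == "__main__":
    (ids, q, stalled), (bids, bq, bstalled) = demo()
    print("no blocker:", sorted(ids), q, "queries, stalled =", stalled)
    print("blocker:", len(bids), "IDs reported,", bq, "queries, stalled =", bstalled)
    print("purchased item singled out:", BOUGHT in bids)
```

Without the blocker the reader lists all three IDs; with it, the shelf items in zone 0 are still read, while the walk of zone 1 reports only simulated IDs until the budget runs out.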
42
And now to smartphones
43
Smartphone Basics
  • Where?
      • In everybody's pockets ... if Microsoft gets
        its way.
  • What's good?
      • Update the functionality of your phone without
        replacing the phone: just download new software!
  • What's bad?
      • Vulnerable to viruses and other malicious
        updates, and to unfriendly web pages.

44
Smartphone Primer
  • The phone that is a computer. The computer that
    is a phone.
  • Inherits computer vulnerabilities, such as
    viruses, spyware, etc.
  • Inherits phone vulnerabilities, such as being the
    target of location tracking.

45
Smartphone Typical Application
read voice data
find local devices
read/write data
46
Abusive Smartphone Application
always eavesdrop
monitor neighborhood
steal data
47
Smartphone corruption
  • Infiltrate a phone using a virus or other
    malicious program.
  • Turn on voice export to eavesdrop on voice
    data.
  • Read data on phone, and export to attacker.
  • Relay long-distance call made by the local
    attacker (victim pays the bill.)
  • Initiate m-commerce transactions.
  • Report GPS location to attacker.
  • Even if this did not happen, a user could claim
    it did!

48
And on to multi-hop protocols!
49
Multi-hop Basics
  • Where?
      • Devices with small batteries that should last
        very long.
  • What's good?
      • Reduce power consumption by collaboration.
  • What's bad?
      • Routing information gives location information.
        Possible to perform stealth attacks to partition
        the network, or to hijack traffic for purposes of
        traffic analysis. See JWY03 for details.

50
Multi-hop Primer
  • Send message to a recipient using peers as
    routers to lower power requirements and
    interference.
  • Hybrid (with backbone) or true ad-hoc network.
  • All nodes need some routing information

Steve Wozniak, co-founder of Apple
51
Multi-hop location attack
  • Inspect routing tables for fix points and
    victims, or send Route Requests to find victims.
  • Allows the adversary to find locations and
    associations.
  • Note: If the apparent victim is a dog, the real
    victim may be its owner.

52
Let's take a big step back (and a large breath)
53
What can be done?
  • Improved Bluetooth versions using changing
    pseudonyms, better key establishment protocols.
  • Kill and sleep functionality for RFID
    devices, RFID blockers, and collaborative
    re-encryption.
  • Privacy preserving routing algorithms.
  • Policies for when to respond to an inquiry, and
    how.
  • Secure OS for phones and palm pilots.
  • Legislation, voluntary agreements, consumer
    rejection.
  • More research relating to problems and solutions.

54
Things to remember
  • Different types of applications pose different
    privacy threats, and to different entities.
  • Cryptographic techniques are useful to mitigate
    some of these threats, but simple encryption is
    not always enough for privacy!
  • Legislation will not be a sufficient measure due
    to the P2P setting, but can be useful to avoid
    abuse by corporations.
  • Things will get worse before they get any better.

55
Location privacy: some considerations.
  • Privacy can become a competitive feature.
  • Privacy is not only for individuals, but
    corporations, too.
  • Privacy does not necessarily make the application
    less reliable or efficient. (At least when
    designed well.)
  • Too much privacy may hurt society: consider
    risks too.
  • It is hard to fix protocols when privacy is an
    afterthought (but sometimes it is necessary.)
  • Cryptographers seldom understand wireless issues,
    and are not likely to help a whole lot.