Location Privacy - Why should we care?

Description:

In many implementations: a (trusted) service provider. Bad case: all peers in ... of lingerie. Das Kapital (paid with Amex card 345882299) Pack of cigarettes ...

Slides: 23
Provided by: burtka
Transcript and Presenter's Notes

1
Location Privacy - Why should we care?
  • Markus Jakobsson
  • Principal Research Scientist, RSA Labs
  • www.markus-jakobsson.com

2
Location Services vs. Location Attacks
Not necessarily the same, and we can have
one without the other.
3
Who would know where you are?
At the very least: you! In many implementations:
a (trusted) service provider.
Bad case: all peers in your neighborhood. Worse
case: anybody.
4
Why is this so bad?
5
How can location privacy be violated?
6
Attacks on location privacy. Example 1: Bluetooth
  • Ideal
      • Unique identifying information is used
      • Encryption of information is supported (complying
        with local jurisdiction)
      • User privacy is guaranteed
  • State-of-the-Art
      • Addressing by means of the unique Bluetooth
        device address, device access code (DAC), channel
        access code (CAC)
      • Various device modes (discoverable, connectable)
      • Various keys (unit key, link key, encryption key)

7
Attacks on location privacy. Example 1:
Bluetooth (Jakobsson & Wetzel 00)
  • Devices in discoverable mode
      • Response to inquiries reveals device identity
      • Received responses sent to application layer
  • Otherwise
      • CAC is a deterministic function of device
        identity, so becomes a pseudonym
      • CAC not reported to application layer in an
        unmodified device
      • Same goes for hopping sequence

8
Attacks on location privacy. Example 2: RFID
  • RFID tags: dumb computers, soon everywhere
  • No battery: power by induction from reader
  • (Almost) no memory
  • Static 64-to-96-bit identifier in current 5
    cent generation
  • Hundreds of bits soon
  • Little computational power
  • A few thousand gates
  • No cryptographic functions available
  • Static keys for read/write permission

9
Attacks on location privacy. Example 2: RFID
10
Where is RFID used, and why?
  • Smoother inventory tracking
  • Military supply logistics
  • Gulf War I: Double orders to ensure arrival
  • Gulf War II: RFID makes supply chain reliable
  • Procter & Gamble: Elimination of dock
    bottleneck, fast loading of pallets onto trucks
  • Parenting logistics
  • Water park uses RFID bracelets to track children
  • Inventory control (i.e., theft-prevention)
  • Air Canada tracking of food carts
  • Gillette Mach3 razor blades

11
Where is RFID used, and why?
  • Refining retail experience
  • Prada in Soho, NYC
  • Payment technologies
  • ExxonMobil Speedpass
  • Maintaining shelf stocks in retail environments
  • Tagging pets
  • Proximity badges for building access
  • Clothing anti-forgery, customer returns

12
Some applications tomorrow
  • Smart appliances
  • Refrigerators that automatically create shopping
    lists
  • Ovens that know how to cook pre-packaged food
  • Smart products
  • Clothing, appliances, CDs tagged for store
    returns
  • Smart paper
  • Airline tickets that indicate your location in
    the airport
  • Library books
  • Business cards
  • Recycling
  • Plastics that sort themselves

13
Simple approaches to consumer privacy
Method 1: Place RFID tags in protective mesh or
foil.
Problem: makes locomotion difficult;
perhaps useful for wallets.
14
Simple approaches to consumer privacy
Method 2: Kill RFID tags.
Problem: RFID tags are much too useful.
15
Approach 1: External re-encryption (Juels &
Pappu 2003)
  • Problem: avoid tracking of Euro notes.
  • Change ID using re-encryption (same plaintext,
    new ciphertext)
  • RFID cannot re-encrypt: done by external privacy
    agent
  • How to ensure that re-encryption is done when
    wanted?
  • Require optical scan for changes to banknotes
  • Writing can be restricted (reading is still
    easy)
  • How to ensure that privacy machine did its job
    properly?
  • Cryptographic tricks: Special formatting of
    ciphertexts

16
Approach 2: Universal Re-encryption (Golle et
al, 04)
  • Problem: re-encryption situation with multiple
    public keys
  • Must re-encrypt ciphertexts without knowing the
    public key!
  • New technique allows one ciphertext to be
    transformed into another so that they cannot be
    linked
  • Where the transformation requires no knowledge of
    the public keys!
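
An added example, not from the slides: the ElGamal-based universal re-encryption construction, where each ciphertext carries an encryption of 1 under the same key so that an agent holding no key can re-randomize it. The group parameters, tag IDs and function names are constructed for illustration, and the group is far too small for real use.

```python
import secrets

# Constructed toy group: safe prime P = 2Q + 1, G generates the order-Q subgroup.
# These sizes are for illustration only and give no real security.
P, Q, G = 2879, 1439, 4

def rand_exp():
    return secrets.randbelow(Q - 1) + 1          # uniform in [1, Q-1]

def keygen():
    x = rand_exp()
    return x, pow(G, x, P)                       # (private x, public y = G^x)

def encrypt(m, y):
    """ElGamal encryption of m plus an ElGamal encryption of 1 under the same key.
    m must lie in the order-Q subgroup (e.g. m = G^id)."""
    k0, k1 = rand_exp(), rand_exp()
    return ((m * pow(y, k0, P) % P, pow(G, k0, P)),
            (pow(y, k1, P), pow(G, k1, P)))

def reencrypt(ct):
    """Takes no key: blinds both halves with powers of the embedded encryption of 1."""
    (a0, b0), (a1, b1) = ct
    r0, r1 = rand_exp(), rand_exp()
    return ((a0 * pow(a1, r0, P) % P, b0 * pow(b1, r0, P) % P),
            (pow(a1, r1, P), pow(b1, r1, P)))

def decrypt(ct, x):
    """Returns the plaintext, or None if ct was not encrypted under key x."""
    (a0, b0), (a1, b1) = ct
    def strip(a, b):
        return a * pow(b, Q - x, P) % P          # a / b^x inside the subgroup
    if strip(a1, b1) != 1:
        return None
    return strip(a0, b0)

if __name__ == "__main__":
    # Two constructed tag IDs under two different owners' keys, one key-less agent.
    for tag_id in (1234, 77):
        x, y = keygen()
        ct = encrypt(pow(G, tag_id, P), y)
        ct2 = reencrypt(reencrypt(ct))
        print(tag_id, ct, "->", ct2, decrypt(ct2, x) == pow(G, tag_id, P))
```
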

17
Approach 3: The Blocker Tag (Juels, Rivest &
Szydlo)
Blocker simulates all (billions of) possible tag
serial numbers!!
18
Tree-walking protocol for identifying RFID tags
[Figure: binary tree of tag ID prefixes, with 0 and 1 below the root, then 00, 01, 10, 11, and the 3-bit leaves 000 through 111]
19
Blocker tags in a nutshell
  • Tree-walking protocol for identifying tags
    recursively asks questions
  • Is there a tag whose next bit is a 1?
  • Is there a tag whose next bit is a 0?
  • Blocker tag always says yes to both questions
  • Makes it seem like all tags are present
  • Thus reader cannot figure out which tags are
    actually present
  • Number of possible tags is huge (at least a
    billion billion), so reader stalls

20
Consumer privacy and commercial security
  • Blocker tag can be selective
  • Privacy zones: Only block certain ranges of
    RFID-tag serial numbers
  • Zone mobility: Allow shops to move items into
    privacy zone upon purchase
  • Example
      • Blocker blocks all identifiers with leading 1
        bit
      • Items in supermarket carry leading 0 bit
      • On checkout, leading bit is flipped from 0 to
        1

21
Blocking with privacy zones
[Figure: the same binary tree of tag ID prefixes, from 0 and 1 down to the 3-bit leaves 000 through 111, with the privacy zone marked]
Transfer to privacy zone on purchase of item
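
An added example, not from the slides: a reader-side simulation of the tree-walking protocol with an optional blocker tag, covering the full blocker (reader stalls) and the privacy-zone case with the leading-bit flip at checkout. The 8-bit and 64-bit IDs, the query budget and the function names are constructed for illustration.

```python
def tree_walk(tags, bits, zone=None, budget=10_000):
    """Reader-side depth-first tree walk over `bits`-bit tag IDs.

    tags:  set of bit strings for the tags really in the field.
    zone:  prefix a blocker tag protects ("" = every ID, None = no blocker).
    Returns (ids_reported, queries_used, stalled).
    """
    found, queries, stack = [], 0, [""]
    while stack:
        prefix = stack.pop()
        if len(prefix) == bits:
            found.append(prefix)                 # reached a leaf: one full ID
            continue
        for bit in "10":                         # "is there a tag whose next bit is ...?"
            if queries >= budget:
                return found, queries, True      # reader gives up: stalled
            queries += 1
            child = prefix + bit
            real = any(t.startswith(child) for t in tags)
            # The blocker simulates every ID in its zone, so it answers yes on
            # the path into the zone and on every branch beneath it.
            blocked = zone is not None and (
                child.startswith(zone) or zone.startswith(child))
            if real or blocked:
                stack.append(child)
    return found, queries, False

def checkout(tag_id):
    """Zone mobility from the slides: flip the leading bit from 0 to 1."""
    return "1" + tag_id[1:]

if __name__ == "__main__":
    shelf, bought = "00101100", checkout("00110001")   # constructed 8-bit IDs
    print(tree_walk({shelf, bought}, 8))               # both IDs, 30 queries
    ids, q, _ = tree_walk({shelf, bought}, 8, zone="1")
    print(len(ids), q)                                 # 129 IDs, 270 queries
    print(tree_walk({bought}, 64, zone="")[1:])        # (10000, True)
```

With the zone set to `"1"`, the shelf item is still read exactly, while the purchased item is hidden among all 128 IDs of the privacy zone.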
22
Location privacy: some considerations.
  • Privacy can become a competitive feature.
  • Privacy is not only for individuals, but
    corporations, too.
  • Privacy does not necessarily make the application
    less reliable or efficient. (At least when
    designed well.)
  • Too much privacy may hurt society: consider
    risks too.
  • It is hard to fix protocols when privacy is an
    afterthought (but sometimes it is necessary.)
  • Cryptographers seldom understand wireless issues,
    and are not likely to help a whole lot.
  • Slides available at www.markus-jakobsson.com