Tracking Mobile Web Users Through Motion Sensors: Attacks and Defenses
Anupam Das (UIUC), Nikita Borisov (UIUC), Matthew Caesar (UIUC)
February 23, 2016

Real World Digital Stalking
How are they tracking devices? Device Fingerprint ~ Set (unique device properties)
Why fingerprint devices? Targeted Advertisement (tracking usage pattern)

Mobile Ad Expenditure
Multiple companies, such as TapAd and AdTruth, use device fingerprinting to build cross-device user profiles.
Targeted ads can help increase the Return On Ad Spend.

Device Fingerprinting Techniques
How are device fingerprints generated?
Hardware idiosyncrasies:
• Difference in spectral property of Radio Signal Transmitters
• Difference in emitted radio frequency of NIC
• Unique and constant clock skews in network devices
Software Variations:
• Difference in Protocol Stack/Network Stack
• Difference in Firmware and Device Driver
• Difference in installed Software
• MAC Headers
Exploit small deviations in either the software or hardware characteristics of the device.

Example: Browser Fingerprinting
https://amiunique.org

Fingerprinting Smartphones
Can traditional approaches be applied to fingerprint smartphones?
Smartphones are somewhat less susceptible to software-based fingerprinting approaches due to a stable software base.

% of fingerprints sharing same value (https://amiunique.org):

| Browser Characteristic | Laptop (ThinkPad L540) | Smartphone (iPhone 5) |
|---|---|---|
| User agent | <0.1% | <0.1% |
| List of plugins | 0.28% | 17.05% |
| List of fonts | <0.1% | 23.72% |
| Screen resolution | 9.83% | 0.95% |
| Canvas | 0.34% | 0.11% |

How are Smartphones Different?
Smartphones are equipped with a wide range of sensors.
Applications:
• Motion detection
• Gesture detection
• Audio Genre detection
• Location detection
• Interaction with nearby devices
• Navigation
• etc.
We focus on exploiting onboard sensors to generate unique fingerprints.

Our Contribution
We'll look at addressing the following questions:
• Can smartphones be fingerprinted using motion sensors?
• Are there ways to mitigate such fingerprinting techniques?
• Are there any implications of such mitigation techniques?

Fingerprint Motion Sensors
Fingerprint smartphone using accelerometer and gyroscope.
Attack Scenario:
1. User browses a web page where the attacker runs some JavaScript
2. Attacker collects sensor data surreptitiously and generates a fingerprint of the device
[Figure: attack scenario diagram; label: Publisher]
Device Position:
• On Desk: Devices kept on top of a desk
• In Hand: Devices kept in the hand of the user while user is sitting in a chair
Requires No Explicit Permissions!!!

Source of Uniqueness
MEMS Accelerometer: Mechanical Energy → Capacitive Change → Voltage Change
[Figure: MEMS accelerometer structure; labels: Movable Electrode, Gap ~ 1.3µm, Sensitivity ~ 20pm]
Possible source of idiosyncrasies:
• Slightest gap difference between the structural electrodes
• Flexibility of the seismic mass

Data Collection Setup
Using JavaScript we collected sensor data through the web browser.

| OS | Browser | Sampling Freq. (Hz) | Sensors Accessible* |
|---|---|---|---|
| Android 4.4 | Chrome | 100 | A,G |
| Android 4.4 | Android | 20 | A |
| Android 4.4 | Opera | 40 | A,G |
| Android 4.4 | UC Browser | 20 | A,G |
| Android 4.4 | Standalone App | 200 | A,G |
| iOS 8.1.3 | Safari | 100 | A,G |
| iOS 8.1.3 | Chrome | 100 | A,G |
| iOS 8.1.3 | Standalone App | 100 | A,G |

*A=Accelerometer, G=Gyroscope
Chrome being the most popular mobile browser, we collect lab-data using the Chrome browser.

Experimental Setup
Devices:

| Maker | Model | # |
|---|---|---|
| Apple | iPhone 5 | 4 |
| Apple | iPhone 5s | 3 |
| Samsung | Nexus S | 14 |
| Samsung | Galaxy S3 | 4 |
| Samsung | Galaxy S4 | 5 |
| Total | | 30 |

Data Streams: four data streams are considered:
1. Accelerometer Magnitude
2. Gyroscope X-axis
3. Gyroscope Y-axis
4. Gyroscope Z-axis
Samples:
• 10 samples per device per setting
• Each sample is around 5-8 seconds
Settings:

| Stimulation Type | Description |
|---|---|
| No Audio | No audio is being played through the speaker |
| Inaudible Audio | 20kHz Sine wave is being played through the speaker |
| Popular Song | A popular song is being played through the speaker |

Features
25 features were explored.

| # | Spectral Feature | Temporal Feature |
|---|---|---|
| 1 | Spectral Root Mean Square | Mean |
| 2 | Spectral Spread | Standard Deviation |
| 3 | Spectral Low-Energy-Rate | Average Deviation |
| 4 | Spectral Centroid | Skewness |
| 5 | Spectral Entropy | Kurtosis |
| 6 | Spectral Irregularity | Root Mean Square |
| 7 | Spectral Spread | Max |
| 8 | Spectral Skewness | Min |
| 9 | Spectral Kurtosis | Zero Crossing Rate |
| 10 | Spectral Rolloff | Non-Negative Count |
| 11 | Spectral Brightness | |
| 12 | Spectral Flatness | |
| 13 | Spectral Flux | |
| 14 | Spectral Attack Slope | |
| 15 | Spectral Attack Time | |

Joint-Mutual-Information (JMI) is used for feature exploration to determine the best subset of features for classification.
For Spectral Features, cubic-spline interpolation is used to obtain a sampling rate of 8kHz.

Evaluation Algorithms & Metrics
Tested several supervised classifiers:
• SVM
• Naive-Bayes classifier
• Multiclass Decision Tree
• k-NN
• Bagged Decision Trees
Evaluation metrics:
$\text{Precision} = \frac{TP}{TP + FP}$
$\text{Recall} = \frac{TP}{TP + FN}$
$\text{F\_Score} = \frac{2 \cdot \text{Precision} \cdot \text{Recall}}{\text{Precision} + \text{Recall}}$
TP: True Positive, FP: False Positive, FN: False Negative
Randomly partitioned 50% of the data for training and testing. Reported the average of 10 iterations.

Results: Lab Setting
[Figure: bar chart of F-score (%) under No-audio, Sine and Song stimulation, for On Desk and In hand; series: Accelerometer, Gyroscope, Accelerometer+Gyroscope]
Combining features from both accelerometer and gyroscope yielded the best results.

Real-World Data
Invited people to voluntarily participate in our study.
76 participants visited our web page in two weeks but only 63 of the devices actually provided any form of data.

Public and Combined Setting
[Figure: On Top of Desk. Bar chart of F-score (%) under No-audio and Sine stimulation, for the Public and Combined settings; series: Accelerometer, Gyroscope, Accelerometer+Gyroscope]
Public setting: F_score of 95%
Combined setting: F_score of 96%

Mitigation Techniques
We explore two types of countermeasure techniques:
• Sensor Calibration -- Computing offset and gain error of sensors.
• Data Obfuscation -- Adding noise to data to obfuscate data source.
Two extreme approaches:
• Sensor Calibration: Map every device to the same point.
• Data Obfuscation: Scatter the same device to different points.

Sensor Calibration
Measured sensor value $a^{M} = O + S \cdot a$, where $O$ and $S$ represent the offset and gain error along an axis respectively.
[Figures: Accelerometer Calibration; Gyroscope Calibration]
Measurements along all six directions (±x, ±y, ±z) are taken.

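An added example (not from the slides) of the accelerometer calibration step: it solves the slide's model a^M = O + S·a for O and S from the six static readings, then inverts it so two differently miscalibrated devices report the same point. The device error values, the noise-free readings and the 9.81 reference acceleration are constructed assumptions.

```python
G = 9.81  # reference acceleration (assumed value; the slide gives no units)

def measure(errors, true_accel):
    """Device model from the slide: a^M = O + S * a, applied per axis."""
    return tuple(o + s * a for (o, s), a in zip(errors, true_accel))

def six_position_readings(errors):
    """Static readings with each axis pointing up (+g) and down (-g)."""
    readings = {}
    for axis in range(3):
        for sign in (+1, -1):
            accel = [0.0, 0.0, 0.0]
            accel[axis] = sign * G
            readings[(axis, sign)] = measure(errors, accel)[axis]
    return readings

def estimate_errors(readings):
    """Solve m+ = O + S*g and m- = O - S*g for (O, S) on each axis."""
    est = []
    for axis in range(3):
        m_pos, m_neg = readings[(axis, +1)], readings[(axis, -1)]
        est.append(((m_pos + m_neg) / 2.0, (m_pos - m_neg) / (2.0 * G)))
    return est

def calibrate(raw, est):
    """Invert the model: a = (a^M - O) / S."""
    return tuple((m - o) / s for m, (o, s) in zip(raw, est))

# Constructed (offset, gain) pairs per axis for two hypothetical devices.
DEVICE_A = [(0.12, 1.01), (-0.30, 0.98), (0.05, 1.03)]
DEVICE_B = [(-0.21, 0.97), (0.08, 1.02), (0.40, 0.99)]
TRUE_ACCEL = (0.0, 0.0, G)  # phone lying flat on a desk

def demo():
    """Return {device: (raw reading, calibrated reading)} for the same pose."""
    out = {}
    for name, errors in (("A", DEVICE_A), ("B", DEVICE_B)):
        est = estimate_errors(six_position_readings(errors))
        raw = measure(errors, TRUE_ACCEL)
        out[name] = (raw, calibrate(raw, est))
    return out

if __name__ == "__main__":
    for name, (raw, fixed) in demo().items():
        print(name, [round(v, 3) for v in raw], [round(v, 3) for v in fixed])
```

On real hardware each of the six readings would be an average over a noisy static capture, so the calibrated values agree only approximately.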
Results: Calibrated Data
[Figure: Lab Setting: Calibrated Data. Bar chart of F_score (%) under No-audio, Sine and Song stimulation, for On Desk and In hand; series: Accelerometer, Gyroscope, Accelerometer+Gyroscope]
F_score reduces by approximately 15–25% for accelerometer data but not much for the gyroscope data.

Data Obfuscation
Instead of removing the calibration errors, we can add extra noise to hide the miscalibration.
We explore the following 3 techniques:
• Uniform noise: highest entropy while having a bound.
• Laplace noise: highest entropy which is inspired by Differential Privacy.
• White noise: affecting all aspects of a signal.

Uniform Noise
To add obfuscation noise, we compute $a^{o} = O^{o} + S^{o} a^{M}$.
Here, $S^{o}$ and $O^{o}$ are the obfuscated gain and offset error.
We explore three variations of adding uniform noise:
• Basic Obfuscation
• Increased Range Obfuscation
• Enhanced Obfuscation

Basic Obfuscation
Based on the calibration errors found from our lab phones we set the base error ranges as follows:
• Accelerometer offset, $O^{o}_{a} \in [-0.5, 0.5]$
• Gyroscope offset, $O^{o} \in [-0.1, 0.1]$
• Gain for both, $S^{o} \in [0.95, 1.05]$
[Figure: Impact of audio stimulation, On Top of Desk. Bar chart of F-score (%) under No-audio and Sine stimulation, for the Public and Combined settings; series: Accelerometer, Gyroscope, Accelerometer+Gyroscope]

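An added sketch of basic obfuscation (not code from the slides): it applies a^o = O^o + S^o·a^M with the base ranges listed above and compares how far one device's per-session mean reading moves with and without the defense. The device parameters, the jitter model and drawing (O^o, S^o) once per session are assumptions.

```python
import random
import statistics

# Base error ranges from the slide (basic obfuscation, uniform noise).
ACC_OFFSET = (-0.5, 0.5)
GYRO_OFFSET = (-0.1, 0.1)   # pass this range for gyroscope streams
GAIN = (0.95, 1.05)

def obfuscate(stream, offset_range, rng):
    """Apply a^o = O^o + S^o * a^M with one uniform draw of (O^o, S^o).

    Assumption: the pair is drawn once per session, so every sample in a
    session shares it and the next session gets a fresh pair."""
    o = rng.uniform(*offset_range)
    s = rng.uniform(*GAIN)
    return [o + s * a for a in stream]

def device_stream(offset, gain, n, rng):
    """Constructed a^M for a phone at rest: O + S * (9.81 + small jitter)."""
    return [offset + gain * (9.81 + rng.gauss(0.0, 0.01)) for _ in range(n)]

def session_means(offset, gain, sessions, rng, protect):
    """Mean accelerometer reading per session, a simple temporal feature."""
    means = []
    for _ in range(sessions):
        stream = device_stream(offset, gain, 200, rng)
        if protect:
            stream = obfuscate(stream, ACC_OFFSET, rng)
        means.append(statistics.fmean(stream))
    return means

def spread(values):
    """Range of a feature across sessions of the same device."""
    return max(values) - min(values)

def demo(seed=7):
    rng = random.Random(seed)
    # Hypothetical device with offset 0.12 and gain 1.01.
    raw = session_means(0.12, 1.01, 20, rng, protect=False)
    hidden = session_means(0.12, 1.01, 20, rng, protect=True)
    return spread(raw), spread(hidden)

if __name__ == "__main__":
    raw_spread, hidden_spread = demo()
    print(f"raw spread {raw_spread:.4f}, obfuscated spread {hidden_spread:.4f}")
```

Without obfuscation the feature barely moves between sessions, which is what makes it usable as a fingerprint; with it, the same device is scattered across the range the offset and gain bounds allow.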