Track Me If You Can: On the Effectiveness of Context-based Identifier Changes in Deployed Mobile Networks. Authors: Laurent Bindschaedler, Murtuza Jadliwala, Igor Bilogrevic, Imad Aad, Philip Ginzboorg, Valtteri Niemi, and Jean- Pierre Hubaux, NDSS, 2012 CS 898AB PRIVACY ENHANCING TECHNOLOGIES DR. MURTUZA JADLIWALA PRESENTED BY ABDULLAHI O. OLAOYE 1

2

Content of This Presentation  Introduction  Problem statement  Mix-Zones  Previous Works on Mix-Zones  Contributions of the authors  System model  Mobile Network Model Deployment  Adversary Network and deployment  Pseudonym Change Identifier  Data Collection and processing  Tracking frameworks and algorithm  Empirical Results and Evaluation  Conclusion 3

Introduction  Smartphones are mostly used today as means to access the web due to their flexibility.  There are lots of applications available on these smartphones. It ranges from dating apps, friend finding apps, gaming etc.  Data sharing apps which are infrastructure-less are also commonly used in societies that enforce censorships. For example,  In Iran, device to device messaging applications are used to exchange sexually explicit messages.  They are also used by anti-government activists to coordinate actions  Example of such an app is NIC (Nokia instant community) 4

Problem Statement  Privacy is a serious issue in wireless systems  In a communication system, such as a WIFI network, broadcasted wireless messages are not secured  Adversaries can eavesdrop user messages. Example herehere  Users can therefore be tracked using their identifiers to infer sensitive information about them. Identifiers such as :  MAC addresses  IP addresses 5

Problem Statement  Service providers can track user preferences, locations etc.  Although this information can be useful for 3 rd parties who use user communication and location information to improve offered services  But this purpose is defeated if the information gets in the wrong hands. 6

Mix-Zones  Inspired by David Chaum’s seminal works on mix networks  They are spatio-temporally defined regions where users can mix or change their device identifiers such as IP and MAC addresses.  Users remain silent while in the mix-zone after the identifier change operation.  After exiting the mix-zone, they resume communication with a new identifier.  This concept makes it difficult for an adversary to track users due to the decorrelation between users and their identifiers. 7

Previous works on Mix-Zones  Buttyan et al and Freudiger et al focuses on mix-zone schemes that consider specific network characteristics.  Palanisamy et al proposes schemes that guarantee a lower bound on the level of achieved anonymity.  Freudiger et al and Jadliwala et al addresses the problem of optimal mix-zone deployment by minimizing the probabilistic advantage of the adversary in tracking users.  Most of these previous works consider only vehicular networking scenarios and they also consider a global passive adversary which is an unrealistic assumption. 8

Contributions of the Authors  The first field-study that evaluated context-based identifier change mechanisms under a practical adversary model both on real mobile devices and in a real communication scenario.  The authors evaluated mix-zones and context-based identifier-change mechanisms using real on-campus mobile network deployment with 80 Nokia N900 smartphones.  The phones were carried & used by students and staff for 4 months.  The phones uses standard infrastructure and infrastructure-less communication (NIC).  Adversarial mesh networks of APs were deployed on campus 9

Contributions of the Authors  They developed variety of custom applications to stimulate usage and participation, implemented and deployed a context-based identifier change service on all the deployed smartphones.  The identifier change operation is based on device context such as the number of neighborhood devices in the wireless peer-to-peer channel.  With data collected from the adversarial mesh network, they constructed the ground truth information and propose two tracking strategies.  They then evaluate the effectiveness of the deployed identifier change mechanism against the proposed tracking strategies for different adversarial strengths 10

System Model 11

Mobile Network Model Deployment  80 Volunteers (Mostly students and a few instructors)  Each participants were equipped with a Nokia N900 for 4 months  In addition to using standard WLAN and cellular interfaces, participants exchanged information with other users using an experimental wireless peer-to-peer messaging platform from Nokia called Nokia Instant community (NIC).  Participants used NIC to exchange information with other users based on relationship, interests, affiliations and context.  Seven custom NIC-based applications were built which includes an app for students to interact with the lecturer, a chat application etc. 12

Mobile Network Model Deployment  In NIC, users are grouped into communities. Users belong to one large public community. Private communities are formed locally based on interests, preference and affiliations.  The devices perform neighbor discovery to detect other NIC devices  The participants accessed internet-based services using these smartphones by connecting to the campus WiFi network.  The smartphones seamlessly switch to the wireless peer-to-peer mode when NIC applications are running or other NIC devices appear in the neighborhood. 13

Mobile Network Model Deployment  NIC messages are similar to UDP/TCP segments.  All messages contain an unencrypted identifier, the message itself.  Link-layer encryption could be used to encrypt MAC addresses, but due to its performance degradation, it isn’t used in NIC.  Each device runs Pseudonym-Change Algorithm (PCA) in its background. This paper focuses on MAC address change.  The message sent by a user u is denoted as m.  m = (t, p, u, π, c) Where t = device time (in seconds), p = location, π = device identifier, c = message content u = user (May not actually be sent with the message).  M is the set of all messages (sent by all users). t(m), p(m), π(m) is the time, position and identifier associated with m. 14

Adversary Model and Deployment  A passive adversary that is local to the network is assumed. It eavesdrops messages sent by devices in the network.  It is implemented using a mesh network of IEEE wireless routers or APs (Asus WL-500gP running OpenWRT Linux).  The mesh network consists of 37 APs located on the same floor level of six interconnected buildings. 15

Adversary Model and Deployment 16

Pseudonym Change Algorithm (PCA) 17

Pseudonym Change Algorithm (PCA) 18

Data Collection and Processing 19

Data Collection and Processing 20

Tracking Framework and Algorithms 21

Tracking Framework and Algorithms 22

Tracking Framework and Algorithms Tracking Strategies Using the above tracking framework, the authors proposed two tracking strategies.  Locally Optimal Walk (L-WALK) Reconstructs user trace by performing a locally optimal walk in the state space. Starting from the initial state, the next state candidate with the highest probability is selected.  Globally Optimal Walk (G-WALK) Reconstructs user trace by performing a walk in the state space such that the probability over the entire walk is maximized over all walks. It doesn’t rely on a locally optimal choice but makes a global optimal choice. o Simulated Annealing (SA) is an heuristic used to randomize the search 23

Empirical Results and Evaluation Privacy Metrics  Well known location privacy metrics were used to evaluate the success of L-WALK and G-WALK.  Traceability Metrics (τ-metrics) – captures the extent to which users can be tracked in time or distance.  Uncertainty Metrics (u-metrics) – captures the uncertainty of the adversary to correctly predict the next pseudonym used by the user.  Traceability-Uncertainty Metrics (μ-metrics) – captures both the extent to which users can be tracked as well as the difficulty in tracking.  Clustering Metrics (c-metrics) – captures the extent to which one user was confused with another in the context of multiple user tracking. 24

Empirical Results and Evaluation Results Overview (a – single user tracking, b – multiple user tracking) 25

Empirical Results and Evaluation 26

Empirical Results and Evaluation 27

Empirical Results and Evaluation Adversary strength  The success of the tracking algorithms were further evaluated by varying adversarial strengths.  It can be seen that the traceability success stabilizes at 31 sniffing stations. 28

Empirical Results and Evaluation 29

Empirical Results and Evaluation Impact on Network Efficiency  It was observed that between two mixing attempts, devices spend an average of 1.5% of their network time in mix-zones and results in a packet loss rate of approximately 2.4%. This shows it does not have a major effect on the network performance. Traceability in Large User Clusters  When users organize themselves in large clusters, user density increases and thus leading to larger anonymity set  This result in better protection against trace reconstruction or tracking attacks. 30

Empirical Results and Evaluation 31

Empirical Results and Evaluation PCA Improvements  The current set of PCA parameters shows that even mobile users deploying identifier changes are highly traceable and are prone to attacks. Is it possible to improve location privacy?  The authors answered this question by selecting two new set of PCA parameters.  They simulated PCA with these new Parameters.  Both the new set of parameters result in network degradation.  Tracking success is still high with multiple users tracking. 32

Empirical Results and Evaluation 33

Empirical Results and Evaluation  The traceability results shows that the current PCA specifications, regardless of the chosen parameter values is not very successful in preventing users against tracking attacks in mobile & network systems.  Due to this, the authors proposed three improvements to the original PCA specification.  PCA with radio silence randomized over a large time interval (between 0 and 30 seconds instead of 10 and 20 seconds))  PCA with longer radio silence (30 – 90 seconds)  PCA with radio silence until movement detected ( radio silence until user has traveled a distance of at least d)  These PCA improvements were simulated over the original experiment traces and the groundtruth obtained from the real experiments for multiple users tracking. 34

Empirical Results and Evaluation (c) Common sniffing stations heuristic (d) Speed matching heuristic. 35

Conclusion  The authors evaluated the effectiveness of mix-zone based identifier-change mechanisms in upcoming wireless and mobile systems by means of a real deployment.  The results shows that, in real settings, simple tracking strategies achieve high traceability success.  By changing the identifiers in an aggressive form, the traceability success reduces considerable but at a cost of network performance degradation.  Finally, they show that by randomizing silence period, within a mix-zone, the effectiveness of mixing in real systems can improve. 36

Questions 37