Defending against Sybil Devices in Crowdsourced Mapping Services
Gang Wang, Bolun Wang, Tianyi Wang, Ana Nika, Haitao Zheng, Ben Y. Zhao (UC Santa Barbara)

Mobile = Life
- Mobile phones for content, payment, authentication
- Mobile devices are virtual representations of ourselves

But Is This a Safe Assumption?
- App user = real phone + real person?

Can We "Authenticate" Devices? Each check, with the bypass the slide lists against it:
- Register via email account -> create a fake email account
- Require CAPTCHAs -> outsource solving to a third party
- 2FA via phone number -> temporary SMS services
- Validate IMEI number -> spoofed IMEI

In This Talk
- The Sybil device problem: software scripts emulating real devices, allowing a single user to control many devices
- In the context of Waze (a popular navigation app):
  - Techniques for generating Sybil devices
  - Attacks on Waze: injecting fake events, user location tracking
  - Defense against Sybil devices

Key Features (Waze)
- 50M active users
- Real-time traffic updates using millions of users' locations
- User-reported events: accidents, construction, police cars, etc.; users are alerted to nearby events
- Social features: see nearby users on the map; say "hi" and message nearby users

Sybil Devices in Waze
- Sybil devices have a significant impact on Waze: they can inject fake data and retrieve sensitive information
- Existing work: mobile emulators
  - Two Israeli students used emulators to create fake traffic jams in 2014
  - Not scalable: ~10 emulators per PC
- Virtualize devices using scripts
  - Scalable: 1,000 - 10,000 Sybil devices per server
  - Enough to overwhelm normal users' data and launch special large-scale attacks

Create Sybil Devices Using a Script
- Intuition: the server communicates with the client only via a limited set of APIs
- Goal: emulate a full mobile client by mimicking its API calls instead of running the full client
- Setup (diagram): Waze Client --HTTPS--> Proxy (plaintext traffic, controlled by us) --HTTPS--> Waze Server
- We can create 10,000 Sybil devices on a single PC

Attack #1: Polluting the Waze Database
- Fake road-side events: any type of event at any location; potentially affects 1+ billion Google Maps users
- Fake traffic hotspots: simulate cars driving slowly; large groups of Sybil devices overwhelm normal users' data
- (Figure: before vs. after; users are re-routed)

Attack #2: User Location Tracking
- Follow (stalk) any Waze user in real time
  - Waze marks nearby users on the map
  - Pinpoint to exact GPS location: specific hotels, gas stations, etc.
- Remain invisible: move in and out quickly
- Track users in the background: Waze uploads GPS in the background
- Track users across days: use creation time as GUID

A Tracking Example

Tracking Experiments
- Two scenarios: an extremely dense user population, and a fast-moving target user
- Locations: Highway 101, LA downtown
- (Figure: GPS captured vs. GPS missed)
- Tracking attack is effective and practical

The Story of Us and Waze

Conversation with Waze (timeline)
- Nov. 14, 2014: Notify Waze and Google
- Oct. 18, 2015: 1st code change: remove background GPS upload
- Apr. 16, 2016: Pitch work to Fusion
- Apr. 26, 2016: Fusion report on tracking; media attention (+21 more)
- Apr. 27, 2016: Public PR release; 2nd code change: disable social function
- More news coverage (+16 more)
- May 11, 2016: Work with Waze

Waze's Security Measures (timeline: Oct. 18, 2015; Apr. 27, 2016; Apr. 29, 2016; May 11, 2016; May 17, 2016; May 23, 2016)
- Remove background GPS upload (Oct. 18, 2015)
- Hide start/end location
- Hide GPS when not moving
- Remove username
- Scramble creation time
- Require SMS verification to see identifiable information
- Disable social feature in versions <= 3.5 (Apr. 27, 2016)
- Use special encoding for app-to-server APIs
Our notes alongside the timeline:
- Track active users
- Start collaboration
- Use temporary SMS services to pass verification
- Validate via experiments: yes, we can still track Waze users
- Much less location information being shared
- Crack encoding within a day; validate via experiments

Broad Implications for Other Apps
- The Sybil device problem is not specific to Waze, e.g. Foursquare, Yelp, Uber, Lyft, Tinder, Whisper
- We reverse-engineered their APIs and created light-weight clients using scripts
- Tinder/Whisper: locate (triangulate) users
- Uber/Lyft: track drivers, fake rides

Today
- Good defense: Yik Yak
  - Uses HMAC[1] to ensure message integrity
  - Key is embedded in the code; extracting it requires decompiling the app
- Market for selling attack tools
  - Plugin apps for Didi in China: spoof location, filter orders, snatch orders
[1] HMAC: Hash-based Message Authentication Code
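The following Python block is an added example, not code from the talk or from Yik Yak or Waze, showing what the "HMAC to ensure message integrity" defense looks like on the wire: the client signs a canonical serialisation of each event report with a shared key, and the server recomputes the tag and rejects anything that does not match. The names (APP_KEY, sign_report, verify_report, REPORT) and the report fields are assumptions for this example; the key is a constructed placeholder. As the slide itself notes, a key embedded in the client can be recovered by decompiling the app, so this check stops casual tampering and replayed-with-edits messages but does not by itself prove the sender is a real device.

```python
import hashlib
import hmac
import json

# Constructed placeholder key for the example. In a shipped app this would be
# the app-to-server secret; the talk points out that such an embedded key can
# be extracted by decompiling the client.
APP_KEY = b"demo-shared-secret-not-real"


def canonical(body: dict) -> bytes:
    """Serialise a report so client and server sign byte-identical input."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_report(body: dict, key: bytes = APP_KEY) -> str:
    """Client side: HMAC-SHA256 tag over the canonical report."""
    return hmac.new(key, canonical(body), hashlib.sha256).hexdigest()


def verify_report(body: dict, tag: str, key: bytes = APP_KEY) -> bool:
    """Server side: recompute the tag and compare in constant time."""
    expected = sign_report(body, key)
    return hmac.compare_digest(expected, tag)


# Constructed sample event report (hypothetical field names).
REPORT = {"type": "accident", "lat": 34.05, "lon": -118.25, "ts": 1460000000}


def demo() -> dict:
    """Exercise the three outcomes a server cares about."""
    tag = sign_report(REPORT)
    tampered = dict(REPORT, lat=34.10)  # report edited after signing
    return {
        "genuine_accepted": verify_report(REPORT, tag),
        "tampered_rejected": not verify_report(tampered, tag),
        "wrong_key_rejected": not verify_report(REPORT, tag, b"other-key"),
    }


if __name__ == "__main__":
    print(demo())
```

The canonical serialisation matters: if the client signs `{"lat":..,"lon":..}` and the server re-serialises with different key order or whitespace, every genuine report fails verification. Sorting keys and stripping separators on both sides avoids that.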

Thank you! Questions?