Preserving Location Privacy in Wireless LANs
Jiang, Wang and Hu, MobiSys 2007
Presenter: Bibudh Lahiri
Organization
- Problem Definition
- Existing Solutions and Their Shortcomings
- Preliminaries
- Proposed Solutions
- Results
- Limitations of the Proposed Solutions
Problem Definition
- To preserve the location information of a mobile wireless station
- Location data in wrong hands can be seriously abused
- RF-based localization systems

Existing Solutions and Their Shortcomings
- Privacy of location data is at risk when transmitted for location-based services
- Gruteser, Grunwald (MobiSys '03)
  - Reduce spatial and temporal precision of location data
  - Works for application-provided location data
  - This paper addresses location tracked from any wireless transmission

Existing Solutions...
- Gruteser, Grunwald (WMASH '03)
  - Adversary can be outsmarted with frequently-changing pseudonyms
  - Does not work if adversary has enough knowledge of user's mobility pattern
  - Can correlate the packets coming from the same mobile user

Existing Solutions...
- Silent Periods
  - User stops transmission for some time
  - Outwits an adversary that can correlate different pseudonyms
  - Optimal length of the silent period was not known

Existing Solutions...
- Mix Zones
  - Spatial version of silent period
  - Nodes should know their own locations precisely

Preliminaries
- Attacker model
  - Silent: Does not emit any signals
  - Exposed: Provides wireless services
  - Active: Adjusts base station's transmission power
  - Passive: No change in base station's behavior
- Privacy Entropy
  - Uncertainty or randomness in the location inference drawn by attacker
  - Goal is to increase privacy entropy
Proposed Solutions: Use of Pseudonyms
- MAC and IP addresses must be protected with pseudonyms
- Association with AP
  - Unique MAC address reveals identity
  - Random MAC may collide
  - Solution: Use join address
  - AP distinguishes requests by a 128-bit nonce

Proposed Solutions: Use of Pseudonyms
- Attacker cannot trivially identify a user at a particular location
- Different pseudonyms of same user can be correlated
  - With knowledge of mobility pattern
  - If location data for all packets in network is gathered
- Correlation can be reduced with silent periods

Proposed Solutions: Opportunistic Silent Period
- Goal: To find the optimal duration of the silent period
  - Maximizes privacy entropy for a given mobility pattern
- Length of silent periods must be randomized
  - Pseudonyms used after same duration can belong to the same user w.h.p.
  - Make length = T_d + T_r
    - T_d is deterministic
    - T_r is chosen uniformly at random

Proposed Solutions: Opportunistic Silent Period
- When T_d is small, increasing T_d increases the entropy
- Entropy is periodic
  - Increasing silent period increases fraction of mobile users in silent period
  - Fewer mobile users transit from communicating to silence
- Privacy entropy monotonically increases with increasing T_r
  - Increasing T_r increases total length of silent period
  - Includes more candidate users
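A small model of the candidate-set argument on the two slides above, added here as an illustration (not code from the paper or the presentation): pseudonyms that fell silent at constructed times, a silent length T_d + U with U uniform on [0, T_r], and the attacker's entropy over which old pseudonym owns a newly seen one. The sample times, the uniform prior over candidates and the absence of mobility-pattern side information are assumptions.

```python
import math

# Constructed sample: times (seconds) at which ten pseudonyms in a cell fell silent.
# Not measured data; chosen so the effect of T_r is easy to read off.
SILENCE_STARTS = [0, 30, 60, 90, 120, 150, 180, 210, 240, 270]


def candidate_pseudonyms(silence_starts, reappear_time, t_d, t_r):
    """Old pseudonyms that could own a pseudonym first seen at reappear_time.

    Silent length L = T_d + U, with U uniform on [0, T_r] (slide: T_d is
    deterministic, T_r chosen uniformly at random), so the owner must have
    gone silent somewhere in [reappear_time - T_d - T_r, reappear_time - T_d].
    """
    lo = reappear_time - t_d - t_r
    hi = reappear_time - t_d
    return [s for s in silence_starts if lo <= s <= hi]


def privacy_entropy_bits(silence_starts, reappear_time, t_d, t_r):
    """Shannon entropy of the attacker's guess over the candidates.

    With U uniform every candidate has the same likelihood, so an attacker
    without mobility-pattern side information assigns them equal probability
    and the entropy is log2(number of candidates); zero when only one fits.
    """
    n = len(candidate_pseudonyms(silence_starts, reappear_time, t_d, t_r))
    return math.log2(n) if n > 0 else 0.0


def entropy_sweep(silence_starts, reappear_time, t_d, t_r_values):
    """Entropy for each T_r in t_r_values; shows the monotone increase in T_r."""
    return [privacy_entropy_bits(silence_starts, reappear_time, t_d, t)
            for t in t_r_values]


if __name__ == "__main__":
    # T_r = 0 reproduces the slide's warning: a fixed duration leaves one candidate.
    t_rs = [0, 60, 150]
    for t_r, h in zip(t_rs, entropy_sweep(SILENCE_STARTS, 250, 100, t_rs)):
        print(f"T_d=100s T_r={t_r:>3}s -> {h:.3f} bits")
```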
Proposed Solutions: Opportunistic Silent Period
- For T_r = 4 mins, entropy maximizes for T_d = 19 mins 20 secs
- For T_d = 19 mins 20 secs, entropy maximizes for T_r max = 12 mins
Proposed Solutions: Reducing Location Precision by TPC
- Precision of localization depends on number of APs within range of mobile user
- Transmission Power Control
  - Reduce transmission power of a user
  - Decrease the number of APs within its reach

Proposed Solutions: Reducing Location Precision by TPC
- User concerned with location privacy should do TPC silently
  - Signal emitted from a mobile station exposes its location
- Silent TPC is difficult
  - Unpredictability in temporal variation of RSS
  - Asymmetry

Proposed Solutions: Reducing Location Precision by TPC
- Goal
  - To determine relationship between two directions of a channel
  - Use the path loss in one direction (AP-station) to estimate the loss in the other direction (station-AP)
  - Use the relationship to do TPC to reduce number of APs in range

Proposed Solutions: Reducing Location Precision by TPC
- Observations
  - RSSI readings for both directions are strongly correlated despite path asymmetry
- Results
  - AP 1, AP 2, ..., AP i-1 can be kept within reach
  - AP i+1, ..., AP n can be kept out of reach
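The silent-TPC step from the last two slides, written out as an added example (not the paper's or the presenter's code): downlink path loss is estimated from beacon RSSI, reused as the uplink estimate, and the lowest selectable power that still reaches the wanted APs is chosen, so the higher-loss APs fall out of reach without the station transmitting any probe. The RSSI values, the AP transmit power, the AP sensitivity and the power levels are constructed assumptions.

```python
# Constructed sample, not the paper's measurements: beacon RSSI (dBm) the station
# hears from each nearby AP, ordered by decreasing strength as on the slide.
BEACON_RSSI_DBM = {"AP1": -40.0, "AP2": -55.0, "AP3": -68.0, "AP4": -80.0}
AP_TX_POWER_DBM = 20.0          # assumed AP transmit power used for beacons
AP_SENSITIVITY_DBM = -85.0      # assumed weakest frame an AP still decodes
STATION_POWER_LEVELS_DBM = [0.0, 5.0, 10.0, 15.0, 20.0]  # assumed selectable levels


def estimated_uplink_loss(beacon_rssi, ap_tx_power=AP_TX_POWER_DBM, margin_db=0.0):
    """Estimate station->AP path loss from the AP->station direction.

    Downlink loss = AP tx power - beacon RSSI. The slide's observation that
    both directions' RSSI are strongly correlated is what justifies reusing
    it for the uplink; margin_db is a safety allowance for the remaining
    asymmetry (a larger margin keeps more APs in reach, never fewer).
    """
    return {ap: ap_tx_power - rssi + margin_db for ap, rssi in beacon_rssi.items()}


def aps_in_reach(beacon_rssi, tx_power, sensitivity=AP_SENSITIVITY_DBM, **kw):
    """APs whose estimated received power from the station meets sensitivity."""
    loss = estimated_uplink_loss(beacon_rssi, **kw)
    return sorted(ap for ap, l in loss.items() if tx_power - l >= sensitivity)


def choose_tx_power(beacon_rssi, keep, levels=STATION_POWER_LEVELS_DBM,
                    sensitivity=AP_SENSITIVITY_DBM, **kw):
    """Lowest selectable power that keeps every AP in `keep` decodable.

    Choosing the lowest such level is the privacy move: APs with higher loss
    (AP i+1 ... AP n on the slide) drop out of reach without any probing
    transmission. Returns None if no level is high enough.
    """
    loss = estimated_uplink_loss(beacon_rssi, **kw)
    needed = max(loss[ap] + sensitivity for ap in keep)
    return next((p for p in sorted(levels) if p >= needed), None)


if __name__ == "__main__":
    p = choose_tx_power(BEACON_RSSI_DBM, ["AP1", "AP2"])
    print(p, aps_in_reach(BEACON_RSSI_DBM, p))
```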
Results
- Transmission radius r is about 10 m at the minimum transmit power
- A silent attacker needs attacker density of 1 sniffer/100 m²
  - Five times as high as a regular AP deployment

Results
- Mix Area: Maximum area covered by an AP
- Larger mix area makes attacks more difficult
- Silent TPC enlarges the mix area 12 times compared to the typical
- Number of candidates for a new pseudonym is 12 times greater when using TPC

Limitations of the Proposed Solutions
- Use of pseudonyms: Man-in-the-middle attack
  - Attacker positioned between mobile user and AP
  - Captures request from user for new MAC address
  - Assigns a MAC address from its own pool
  - Mobile user starts operating with a MAC address known to the attacker

Limitations...
- Opportunistic Silent Period: Lack of Generality
  - No rigorous mathematical formulation of the problem
  - Values of T_d and T_r max that maximize entropy are results of particular experimental set-up
  - Optimal length of silent period should be a function of some relevant parameters
  - Results are not useful under different scenarios

Limitations...
- TPC: Inadequate Probabilistic Analysis
  - Probability distributions of channel asymmetry and RSS are based on experimental findings
  - No discussion of how experimental parameters influence the pdf
  - Does not explain how the probabilities are calculated
    - What is the estimator used
    - Whether estimator is unbiased and low-variance
Thank You