Securing Applications with Smartphones
Claudio Soriente
Telefónica I+D
5th July, 2016
Cybersecurity & FinTech

Telefónica Investigación y Desarrollo
- Researcher at Telefonica since 2015
- Previous positions: UPM (Juan de la Cierva fellow), ETH Zürich
- PhD, UC Irvine, 2009
  - UC PhD fellow and IBM PhD fellow
  - Advisor: Prof. Gene Tsudik
- Interested in Security and Privacy
- http://www.tid.es/research/researchers/claudio-soriente

Telefónica Investigación y Desarrollo
- Located in Barcelona since 2011
- ~20 researchers + PhD students
- Focus on Network and Data
- Scientific visibility: SIGCOMM, INFOCOM, MobiCom, CoNext, CHI, UbiComp, WWW,
- Internships at TID are popular! 10+ interns per year
- Visiting researchers are welcome!

Smartphones Use Cases

Smartphones Popularity
[1] Gartner Inc.
[2] Google Scholar Data

Securing Applications with Smartphones
[Figure: Smartphones; PoS transactions; Web authentication]
- Sound-Proof: Usable Two-Factor Authentication Based on Ambient Sound (Usenix Security 2015)
- Smartphones as Practical and Secure Location Verification Tokens for Payments (NDSS 2014)

Sound-Proof: Usable Two-Factor Authentication Based on Ambient Sound
joint work with Nikolaos Karapanos, Claudio Marforio, and Srdjan Capkun

Web Authentication - Passwords
- Passwords are used everywhere
- despite password weakness
[Figure: user "ana", password "ana123"; login attempts with ana111, ana112, ana113, ana123]

Web Authentication - Passwords
- Passwords are used everywhere
- despite password reuse
[Figure: user "ana" with the same password "ana123" in three login forms]

Web Authentication - Passwords
- Passwords are used everywhere
- despite password phishing
[Figure: login with user "ana" and password "ana123"; address shown: www.gooogle.com]

Web Authentication - Supplementing Passwords
- Passwords are used everywhere despite password reuse, leakage, guessing, phishing, etc.
- Two-factor authentication to the rescue (2FA)
  - Password + one-time code
  - Code must be hard to guess
- PROBLEM: small user adoption (if optional)
  - Only 25% of Americans use 2FA [1]
  - Only 6% of 100k Gmail accounts have 2FA enabled [2]
[1] Study by Impermium, 2013 (BusinessWire article, http://goo.gl/NsUCL7)
[2] Petsas et al., EuroSec 2015
[Figure: login with user "ana", password "ana123" and one-time code 359702; a second login with the code shown as "??????"]

Research Question
How to benefit from the added security of 2FA, while keeping the password-only user experience?

Improving 2FA Usability - Software token on the phone
- Better than HW tokens
  - Phone is always carried
  - Can accommodate multiple hardware tokens
- Still requires extra user interaction
  - Cognitive load
[Figure: login with user "ana", password "ana123" and code 694150]

Improving 2FA Usability - Push-button authentication
- Minimize user-phone interaction
- Little cognitive load
- Just tap a button instead of copying a code
[Figure: login with user "ana", password "ana123"; phone prompt "Login attempt: Yes / No"]

Improving 2FA Usability - Removing User-Phone Interaction
- Code transfer via short-range communication between phone and laptop
  - Laptop asks for code
  - Phone transfers code to laptop
  - Laptop transfers code to server
[Figure: login with user "ana", password "ana123"; laptop asks "Code please!"; code 694150]

Why Short-range?
[Figure: user "ana", password "ana123"; "Code please!"; code 694150]

Short-range communication
- PhoneAuth (Czeskis et al., CCS'12)
- FBD-WF-WF (Shirvanian et al., NDSS'14)

Improving 2FA Usability - Removing User-Phone Interaction
- Code transfer via short-range communication between phone and laptop
- Sensing the environment
  - Phone and laptop sense the environment
  - Send the measurement to the server
  - If measurements match they are close to each other
  - Measurement should be hard to guess!!!
[Figure: login with user "ana", password "ana123"; phone and laptop: "Sense!"]

Measurement should be hard to guess!
[Figure: user "ana", password "ana123"; "Sense!"]

Sensing the environment
- GPS coordinates are easy to guess!!!
- Multi-modal (Shrestha et al., FC'14)
- Sound-Proof (Karapanos et al., Usenix'16)

Sound-Proof Overview - Take 1
[Figure: credentials "ana, ana123" / "alice, alice123"; record, record; Match?]
- Audio could be privacy-sensitive!!!

Sound-Proof Overview - Take 2
[Figure: credentials "ana, ana123" / "alice, alice123"; record, record; similarity score s; login authorization (s >? threshold)]

Sound-proof in action

Sound-Proof Highlights
- Novel 2FA mechanism
  - Sense ambient audio to verify proximity
  - Usable: no user-phone interaction
  - Deployable: compatible with smartphones and major browsers without plugins
- Prototype implementation for Android and iOS
- Extensive evaluation
  - Showing how Sound-Proof works in a variety of environments, even if the phone is in a pocket or a purse

Measurement should be hard to guess!
[Figure: user "ana", password "ana123"; "Record!"; Yes/No]
Attacker wins if
matches

Audio Comparison
- Inspired by human sound recognition
- Split signal in 1/3 octave-bands
- Match filtered phone signal against filtered laptop signal
  - Computes a similarity score 0 ≤ s ≤ 1
  - Checks if s > t (threshold)
- Which are the important bands?
- How to set the threshold t?

Audio Collection Campaign
- Environment: office, office with music, home with TV, lecture hall, train station, café
- Laptop: MacBook Pro Mid 2012, Dell E6510
- Phone: iPhone 5, Google Nexus 4
- Phone position: outside, in a pocket, in a purse or rucksack
- User activity: being silent, talking, coughing, whistling
- 4014 audio samples (2007 logins)
- Tune system parameters to minimize
  - Legitimate logins rejected (usability)
  - Fraudulent logins not detected (security)

Audio Collection Campaign - Results
[Figure: legitimate logins rejected vs. fraudulent logins not detected; legend: 95th %ile, 75th %ile, Average, Median, 25th %ile, 5th %ile; label "Leg. Login rejected"]
- Frequency bands between 50Hz and 4kHz
  - Higher bands suffer from directionality and fading
- Threshold t = 0.13
- Equal Error Rate = 0.2%

Sound-Proof vs Google 2-step verification (user study)
- 32 participants (no security experts)
- Within-subject experiment
  - Log in with Sound-Proof and with Google 2SV (randomized order)
  - Fill System Usability Scale [1] (after each login)
  - Score 1-100
- SUS score (mean)*
  - Sound-Proof: 91.09 (5.44)
  - Google 2SV: 79.45 (7.56)
[1] SUS - A quick and dirty usability scale, J. Brooke, Usability evaluation in industry, 1996
* (F(1, 31) = 21.698, p < .001, η² = .412)

Non-obtrusive Continuous Authentication
- Authentication should not happen only at login
  - E.g., banks ask for credentials when authorizing a transaction
- https://nymi.com/
  - Hardware-based
  - Requires sw on the laptop
- https://www.behaviosec.com/
  - Mouse movements
  - Keystroke dynamics
  - Requires training
  - Behavior subject to changes
- http://sound-proof.ch/
  - No sw on the laptop
  - Works out of the box

Sound-Proof Takeaway
[Figure: three diagrams, "Password Only", "Existing 2FA" and "Sound-Proof", each showing Security, Adoption, and Usability & Deployability. Sizes are purely representative!]

sound-proof.ch
- Sound-proof became a start-up
  - http://sound-proof.ch
- Working demo
  - Android and iOS
  - Download the app and try yourself!

Smartphones as Practical and Secure Location Verification Tokens for Payments
joint work with Claudio Marforio, Nikolaos Karapanos, Kari Kostiainen, and Srdjan Capkun

Fraudulent Transactions with Credit/Debit cards
- 1.33 billion euros in 2012 [1]
  - 60% online
  - 23% PoS
  - 17% ATM
- 3D-Secure mitigates online fraud
- PoS + ATM fraud?
  - >.5 billion value
  - Chip&Pin improves the situation but attacks have been found [2]
[1] European Central Bank: Third Report on Card Fraud (2014)
[2] [BCMSA, S&P 2014]

Research Question
How to detect fraudulent transactions at PoS, while keeping the current PoS infrastructure and the traditional (swipe+pin) user experience?

Fraudulent Transactions with Credit/Debit cards at Point of Sale
- Phone as 2nd authentication factor
- Use phone's location
- When card is swiped
  - App sends authenticated GPS coordinates
    - Using a key shared with the server
  - Server authorizes the transaction if phone is close to PoS

Location Verification - Legitimate Transaction
[Figure: Authorization request; Location request; Lat: 40.417454, Lon: -3.704477; Authorize]

Location Verification - Fraudulent Transaction
[Figure: Authorization request; Location request; Lat: 40.417454, Lon: -3.704477; Reject]

Location Verification - Fraudulent Transaction
[Figure: Authorization request; Location request; Lat: 39.913143, Lon: 116.405141; Authorize]
- Malware on the phone can forge GPS coordinates!

ARM TrustZone
- HW support for security
  - ARM TrustZone
  - Available on (almost) every smartphone
  - Long history, little use (e.g., subsidy lock)
  - Currently not open for development
  - Emerging standard to open it up
- Isolate apps from OS!
  - OS compromise does not affect TEE applications
- TPM-like services
  - attestation, secure storage, etc.

ARM TrustZone
[Figure: application processor split into Normal world (Android, apps, kernel, bug) and Secure world (Trusted OS, app); baseband processor with Baseband OS and SIM]
- Normal World: Android + Apps
  - Android is big and has bugs
- Secure World: Trusted OS + Apps
  - Trusted OS is small
  - Fewer chances of compromise

Location Verification - Fraudulent Transaction
[Figure: Authorization request; Location request; Lat: 40.417454, Lon: -3.704477; Reject]
- Even if OS is compromised, the adversary cannot forge GPS coordinates

Prototype
- ARM TrustZone not open for development
- 400MHz TrustZone-enabled Cortex-A9 processor
  - SW: Sierra Open Virtualization [1]
  - NW: Android 4.1.1
  - App 150LoC
  - HMAC-256 on GPS coord. 3ms
- Samsung Galaxy S3
[1] http://www.openvirtualization.org/

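The location check described on the slides above, written out as an added example (not code from the talk or its prototype): the phone MACs its GPS fix under the shared key and the server verifies the tag, the transaction binding and the distance to the PoS. HMAC-SHA256, the 16-byte transaction id, the wire format, the 100 m radius and the all-zero key are assumptions; the code cannot show the slides' other requirement, that key and GPS reading are handled in the TrustZone secure world so that normal-world malware cannot produce a valid report.

```python
import hashlib
import hmac
import math
import struct

MAX_DISTANCE_M = 100.0  # assumed acceptance radius; the slides give no value
REPORT_FMT = ">16sdd"   # assumed wire format: 16-byte transaction id, lat, lon
BODY_LEN = struct.calcsize(REPORT_FMT)  # 32 bytes, followed by a 32-byte tag


def phone_report(key: bytes, tx_id: bytes, lat: float, lon: float) -> bytes:
    """Phone side: bind the GPS fix to one transaction and MAC it."""
    body = struct.pack(REPORT_FMT, tx_id, lat, lon)
    return body + hmac.new(key, body, hashlib.sha256).digest()


def distance_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle (haversine) distance in metres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2)
         * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371000.0 * math.asin(math.sqrt(a))


def server_decide(key: bytes, tx_id: bytes, pos: tuple, report: bytes) -> str:
    """Server side: check the tag first, then freshness, then proximity."""
    if len(report) != BODY_LEN + 32:
        return "Reject"
    body, tag = report[:BODY_LEN], report[BODY_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return "Reject"  # coordinates altered, or sender lacks the key
    got_tx, lat, lon = struct.unpack(REPORT_FMT, body)
    if got_tx != tx_id:
        return "Reject"  # report replayed from another transaction
    if not (math.isfinite(lat) and math.isfinite(lon)):
        return "Reject"  # NaN would otherwise slip past the distance test
    if distance_m(lat, lon, *pos) > MAX_DISTANCE_M:
        return "Reject"  # phone is not at the point of sale
    return "Authorize"


# Constructed sample values; the coordinates are the ones shown on the slides.
KEY = bytes(32)  # placeholder shared key, not a real secret
MADRID_POS = (40.417454, -3.704477)
BEIJING_POS = (39.913143, 116.405141)
```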
Office Test - Feasibility

Field Study

Field Study
- Tolerable delay (~4 seconds)
- Enough accuracy to distinguish nearby shops
- Indoor reception better than expected
  - Femtocells in tunnels,
- No user interaction required
- No privacy leak
  - The bank knows transaction location for legitimate transactions

Takeaway
- Smartphones are a formidable tool to secure applications
  - Not the app on your phone!
- Key challenges are
  - Time-to-market
    - Solutions that cannot be used today have little value
  - Usability
    - If hard to use, no-one will use it
- In this talk
  - (web-based) Second-factor Authentication
  - Transactions at Point of Sales

Thank You!
http://www.tid.es/research/researchers/claudio-soriente