Sensory and Mobile Malware
As smartphones become more pervasive, they are increasingly targeted by malware. At the same time, each new generation of smartphone features increasingly powerful onboard sensor suites. A new strain of what we call ‘sensory malware’ has been developing that leverages these sensors to steal information from the physical environment — we recently demonstrated how malware can ‘listen’ (Soundcomber) for spoken credit card numbers through the microphone or ‘see’ (PlaceRaider) through the camera and steal 3D models of a person’s physical environment. We are also exploring how malware can accelerate the death of FLASH memory on mobile devices (GANGRENE).
Vision for Privacy: Privacy-aware Visual Sensing
The millions of smartphones that people use every day are sophisticated computational and sensory devices. A variety of powerful and potentially transformative applications could be created by aggregating data from the cameras and sensors on these phones in order to observe the world at a massive scale and in real time. Emerging technologies such as augmented reality glasses (e.g., Google Glass) are also expected to make cameras and such applications ubiquitous. However, such ‘visual social sensing’ would raise major privacy concerns because of the large amount of potentially private data that could be captured. Our research objective is to investigate how to use opportunistically-captured photos for innovative and potentially transformative applications, while providing guarantees on privacy to both people using the smartphones and the people who are near the phones. For more details, see our work on PlaceAvoider and our project page.
Some users may misbehave under the cover of anonymity by, e.g., defacing webpages on Wikipedia or posting vulgar comments on YouTube. To prevent such abuse, we have explored various anonymous credential schemes to revoke access for misbehaving users while maintaining their anonymity. Our latest scheme, PERM, supports millions of user sessions and makes reputation-based blacklisting practical for large-scale deployments. Our other schemes include PEREA, BLAC, BLACR and Nymble. For more details, see the accountable anonymity page.
Managing your Digital Exposure
With the advent of sensor-rich mobile devices such as smartphones, an increasing number of people are sharing personal “contextual” information like location, activity, and health/fitness information with members of their social network. While a large body of research has focused on ways for users to specify who should be authorized to access their information, this research improves end-user privacy by addressing the related question of “Who is accessing my information and to what extent?”. Providing users with an accurate sense of their “exposure” will enable them to better control how their contextual information is shared and will help mitigate emerging privacy risks. For more details, see the Exposure project page.
Security and Privacy Enhanced Peer-to-Peer Systems
Online social networks such as Facebook, Google+, and Twitter have emerged as significant social and technical phenomena. However, such services are centrally managed, and therefore they put the privacy of users’ information at risk. Our research investigates security and privacy aware peer-to-peer alternatives to such systems. Our recent work on Cachet describes an architecture that provides strong security and privacy guarantees while preserving the main functionality of online social networks. We also study how to improve the resilience of searches against attack in the underlying distributed hash table (DHT) through a technique called ReDS. Our work addresses popular DHTs such as Chord and Kademlia, and shows how reputation information can be inferred at the DHT’s routing layer.
The primary goal of this research is to determine the potential of crowdsourcing as a complementary strategy for enhancing security. An example challenge addressed in this research pertains to the security of one’s personal data. Specifically, the research seeks to develop security mechanisms that can exploit naturally occurring social relationships and utilize ‘human computation’ to shift the burden of security via authentication from machines to humans. Within this framework, the research investigates both questions about the technical effectiveness of crowdsourced security solutions and socio-behavioral questions about users’ preferences, motivations, and privacy concerns about such systems. For more details, see the CrowdSec page.