Slide1
Defending against Sybil Devices in Crowdsourced Mapping Services
Gang Wang, Bolun Wang, Tianyi Wang, Ana Nika, Haitao Zheng, Ben Y. Zhao
UC Santa Barbara
bolunwang@cs.ucsb.edu
Slide2
Mobile = Life
Mobile phones for content, payment, authentication
Mobile devices are virtual representations of ourselves.
Slide3
But Is This a Safe Assumption?
App user = real phone + real person?
Slide4
Can We “Authenticate” Devices?
Each common check has a cheap bypass:
Register via email account -> create a fake email account
Require CAPTCHAs -> out-source solving to a third party
2FA via phone number -> temporary SMS services
Validate IMEI number -> spoofed IMEI
Slide5
In This Talk
Sybil device problem
  Software scripts emulating real devices
  Allowing a single user to control many devices
In the context of Waze (popular navigation app)
Techniques for generating Sybil devices
Attacks on Waze: injecting fake events, user location tracking
Defense against Sybil devices
The story between us and Waze
Broader implications
Not in paper
Slide6
Key Features
User-reported events
  Accidents, construction, police cars, etc.
  Alert users to nearby events
Social features
  See nearby users on the map
  Say “hi” and message nearby users
50M active users
Real-time traffic updates using millions of users’ locations
Slide7
Sybil Devices in Waze
Sybil devices have significant impact on Waze: inject fake data, retrieve sensitive information
Existing work: mobile emulators
  Two Israeli students used emulators to create fake traffic jams in 2014
  Not scalable: ~10 emulators per PC
Our approach: virtualize devices using scripts
  Scalable: 1,000 – 10,000 Sybil devices per server
  Overwhelm normal users’ data
  Launch special large-scale attacks
Slide8
Create Sybil Devices using Script
Intuition
  Goal: emulate a full mobile client
  Server communicates with client via limited APIs
  Mimic API calls to replace the full client
Setup: Waze Client <-HTTPS-> HTTPS Proxy (controlled by us, sees plaintext traffic) <-HTTPS-> Waze Server
We can create 10,000 Sybil devices on a single PC
Slide9
Attack #1: Polluting Waze Database
Fake road-side events
  Any type of event at any location
  Potentially affect 1+ billion Google Maps users
Fake traffic hotspots
  Simulate cars driving slowly
  Large groups of Sybil devices overwhelm normal users’ data
  Before vs. after: users are re-routed
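The "simulate cars driving slowly" step, as an added example that is not code from the paper or from Waze: each Sybil device emits a timestamped GPS trace that crawls along a road segment, and a toy server-side aggregator (an assumption; the slides do not describe Waze's real algorithm) estimates the segment speed from consecutive fixes per device, then averages across devices. With 20 genuine cars at 25 m/s the estimate is about 26 m/s; after 50 scripted cars at 2 m/s are added it drops below 10 m/s, which is the "hotspot" that gets real users re-routed. The coordinates, device ids and segment name are constructed.

```python
import math
from dataclasses import dataclass
from typing import Dict, List, Tuple

EARTH_RADIUS_M = 6_371_000.0
LatLon = Tuple[float, float]


def haversine_m(a: LatLon, b: LatLon) -> float:
    """Great-circle distance in metres between two (lat, lon) points in degrees."""
    lat1, lon1 = math.radians(a[0]), math.radians(a[1])
    lat2, lon2 = math.radians(b[0]), math.radians(b[1])
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(h))


@dataclass(frozen=True)
class Fix:
    """One GPS report as a (scripted or genuine) client would upload it."""
    device_id: str
    segment: str
    ts: float   # seconds
    lat: float
    lon: float


def synthesize_trace(device_id: str, segment: str, start: LatLon, end: LatLon,
                     speed_mps: float, period_s: float = 5.0, t0: float = 0.0) -> List[Fix]:
    """Fixes for a car driving start->end in a straight line at constant speed,
    reporting every period_s seconds. A Sybil device simply picks a low speed_mps."""
    length = haversine_m(start, end)
    steps = max(1, round(length / (speed_mps * period_s)))
    fixes = []
    for i in range(steps + 1):
        f = i / steps
        fixes.append(Fix(device_id, segment, t0 + i * period_s,
                         start[0] + f * (end[0] - start[0]),
                         start[1] + f * (end[1] - start[1])))
    return fixes


def segment_speed_estimate(fixes: List[Fix], segment: str) -> float:
    """Toy server-side aggregation (assumption: not Waze's real algorithm): speed per
    device from its consecutive fixes, then the unweighted mean over devices. Only
    positions and timestamps are trusted; no client-reported speed field is used."""
    by_device: Dict[str, List[Fix]] = {}
    for fx in fixes:
        if fx.segment == segment:
            by_device.setdefault(fx.device_id, []).append(fx)
    speeds = []
    for trace in by_device.values():
        trace.sort(key=lambda fx: fx.ts)
        if len(trace) < 2:
            continue
        dist = sum(haversine_m((a.lat, a.lon), (b.lat, b.lon)) for a, b in zip(trace, trace[1:]))
        dt = trace[-1].ts - trace[0].ts
        if dt > 0:
            speeds.append(dist / dt)
    return sum(speeds) / len(speeds) if speeds else float("nan")


def simulate_hotspot(n_real: int = 20, n_sybil: int = 50,
                     real_speed: float = 25.0, sybil_speed: float = 2.0) -> Tuple[float, float]:
    """Return the segment speed estimate before and after Sybil traces are injected."""
    # Constructed ~920 m east-west segment near downtown LA (coordinates are illustrative).
    seg_start, seg_end = (34.0522, -118.2437), (34.0522, -118.2337)
    fixes: List[Fix] = []
    for i in range(n_real):
        fixes += synthesize_trace(f"real-{i}", "seg-A", seg_start, seg_end, real_speed, t0=i * 7.0)
    before = segment_speed_estimate(fixes, "seg-A")
    for i in range(n_sybil):
        fixes += synthesize_trace(f"sybil-{i}", "seg-A", seg_start, seg_end, sybil_speed, t0=i * 3.0)
    after = segment_speed_estimate(fixes, "seg-A")
    return before, after


if __name__ == "__main__":
    before, after = simulate_hotspot()
    print(f"estimated segment speed: {before:.1f} m/s before, {after:.1f} m/s after injection")
```

The aggregator's weakness is that every device gets one vote regardless of how plausible its trace is; the obvious server-side check is to look for the signatures these synthetic traces share (identical geometry, a regular reporting period, many devices that never leave the segment), which is the kind of defense the talk lists but this example does not implement.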
Slide10
Attack #2: User Location Tracking
Follow (stalk) any Waze user in real time
  Waze marks nearby users on the map
  Pinpoint to exact GPS location: specific hotels, gas stations, etc.
Remain invisible
  Move in and out quickly
Track users in the background
  Waze uploads GPS in the background
Track users across days
  Use creation time as GUID
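The "use creation time as GUID" step, as an added example (not code from the paper or from Waze): a toy "nearby users" endpoint returns, for every user on the map, a record that carries the account's creation timestamp; because that field never changes, an attacker's Sybil device can poll the endpoint on different days and join all sightings of the same timestamp into one track. The same endpoint with a per-session scrambled value (assumed here to be a salted hash, standing in for the "scramble creation time" change Waze later made) still allows linking within one session but not across sessions. The accounts, positions and response schema are constructed.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Account:
    user_id: int
    creation_time: int   # account creation timestamp, fixed for the account's lifetime


@dataclass(frozen=True)
class NearbyUser:
    """One entry of a constructed 'nearby users' response; the real Waze schema is not on the slides."""
    creation_time: int   # the stable field the attack used as a GUID
    lat: float
    lon: float
    seen_at: int


def serve_nearby(accounts: List[Account], positions: Dict[int, Tuple[float, float]],
                 seen_at: int, session_salt: Optional[str] = None) -> List[NearbyUser]:
    """Toy server endpoint. session_salt=None leaks the raw creation_time (the behaviour the
    slides describe before the May 2016 fix); with a salt the value is scrambled per session."""
    out = []
    for acct in accounts:
        ct = acct.creation_time
        if session_salt is not None:
            digest = hashlib.sha256(f"{session_salt}:{acct.creation_time}".encode()).digest()
            ct = int.from_bytes(digest[:8], "big")
        lat, lon = positions[acct.user_id]
        out.append(NearbyUser(ct, lat, lon, seen_at))
    return out


def link_sightings(responses: List[List[NearbyUser]]) -> Dict[int, List[Tuple[int, float, float]]]:
    """Attacker side: group every sighting by the creation_time field to build per-user tracks."""
    tracks: Dict[int, List[Tuple[int, float, float]]] = {}
    for resp in responses:
        for u in resp:
            tracks.setdefault(u.creation_time, []).append((u.seen_at, u.lat, u.lon))
    return tracks


def longest_track(tracks: Dict[int, List[Tuple[int, float, float]]]) -> int:
    return max(len(t) for t in tracks.values())


def run_tracking(scrambled: bool, days: int = 2, queries_per_day: int = 3) -> int:
    """A Sybil device polls the nearby-users endpoint a few times per day;
    returns the length of the longest track the attacker can link."""
    accounts = [Account(1, 1_400_000_000), Account(2, 1_450_000_000), Account(3, 1_460_000_000)]
    responses = []
    for day in range(days):
        salt = f"session-{day}" if scrambled else None   # one server session per day in this toy
        for q in range(queries_per_day):
            t = day * 86_400 + q * 600
            # constructed movement: everyone drifts a little between polls and between days
            positions = {a.user_id: (34.05 + 0.001 * a.user_id + 0.0001 * q,
                                     -118.24 + 0.0002 * day) for a in accounts}
            responses.append(serve_nearby(accounts, positions, t, salt))
    return longest_track(link_sightings(responses))


if __name__ == "__main__":
    print("longest linked track, raw creation_time:", run_tracking(scrambled=False))
    print("longest linked track, scrambled creation_time:", run_tracking(scrambled=True))
```

With the raw field every user is linked across both days (6 sightings); with a per-session scramble the attacker is limited to the 3 sightings inside one session. That residual is exactly why the later slide says users can still be tracked, only with much less location information: a value that is stable for any window is a tracking key for that window, so the stronger fix is to send no per-user identifier at all in the nearby-users response.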
Slide11
A Tracking Example
Slide12
Tracking Experiments
[Figure: target trajectories, marking GPS points captured vs. missed]
LA downtown: extremely dense user population
Highway 101: fast-moving target user
Tracking attack is effective and practical
Slide13
The Story of Us and Waze
Slide14
Conversation with Waze
Timeline:
Nov. 14 2014: notify Waze and Google
Oct. 18 2015: 1st code change: remove background GPS upload
Pitch work to Fusion
Apr. 16 2016: Fusion report on tracking
Media attention (+21 more)
Apr. 26 2016: public PR release
Apr. 27 2016: 2nd code change: disable social function
More news coverage (+16 more)
May 11 2016: work with Waze
Slide15
Waze’s Security Measures
Waze’s change (date) -> our response
Remove background GPS upload (Oct. 18 2015) -> track active users instead
Disable social feature in versions <= 3.5 (Apr. 27 2016)
Use special encoding for app-to-server APIs (Apr. 29 2016) -> crack encoding within a day; validate via experiments
Start collaboration (May 11 2016)
Remove username; scramble creation time (May 17 2016)
Require SMS verification to see identifiable information (May 23 2016) -> use temporary SMS services to pass verification; validate via experiments
Hide start/end location; hide GPS when not moving
Yes, we can still track Waze users, but much less location information is being shared
Slide16
Broad Implications on Other Apps
Sybil device problem is not specific to Waze
  E.g. Foursquare, Yelp, Uber, Lyft, Tinder, Whisper
We reverse engineer their APIs and create light-weight clients using scripts
  Tinder/Whisper: locate (triangulate) users
  Uber/Lyft: track drivers, fake rides
Slide17
Today
Good defense: Yik Yak
  Uses HMAC [1] to ensure message integrity
  Key embedded in the app code, so forging requests requires decompiling the code to extract it
Market for selling attack tools
  Plugin apps for Didi in China: spoof location, filter orders, snatch orders
[1] HMAC: Hash-based Message Authentication Code
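What an HMAC-on-requests defense buys against the scripted clients of Slide 8, and where it stops, as an added example that is neither Yik Yak's nor Waze's code: the server recomputes an HMAC-SHA256 over a canonical serialisation of each request body with the key the app embeds, and rejects bad tags, stale timestamps and replayed nonces (the timestamp and nonce are assumptions; the slide only says HMAC with an embedded key). A request edited in the proxy fails, a script with a guessed key fails, but a script that uses the key pulled out of the decompiled app is indistinguishable from the genuine client. The key, coordinates and field names are constructed.

```python
import hashlib
import hmac
import json
from typing import Dict, Tuple

# Constructed key standing in for the secret a mobile app ships inside its binary.
EMBEDDED_KEY = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")


def canonical(body: Dict) -> bytes:
    """Deterministic serialisation so client and server MAC exactly the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign(body: Dict, key: bytes) -> str:
    return hmac.new(key, canonical(body), hashlib.sha256).hexdigest()


class Verifier:
    """Server side: check the MAC, then reject stale timestamps and replayed nonces."""

    def __init__(self, key: bytes, max_skew_s: int = 60):
        self.key = key
        self.max_skew_s = max_skew_s
        self.seen_nonces = set()

    def verify(self, body: Dict, tag: str, now: float) -> Tuple[bool, str]:
        expected = sign(body, self.key)
        if not hmac.compare_digest(expected, tag):   # constant-time comparison
            return False, "bad mac"
        if abs(now - body.get("ts", 0)) > self.max_skew_s:
            return False, "stale"
        if body.get("nonce") in self.seen_nonces:
            return False, "replay"
        self.seen_nonces.add(body["nonce"])
        return True, "ok"


def client_report(key: bytes, nonce: str, ts: float, lat: float, lon: float) -> Tuple[Dict, str]:
    """What the genuine app does: build the body and MAC it with the embedded key.
    A scripted client that has the key does exactly the same thing."""
    body = {"lat": lat, "lon": lon, "ts": ts, "nonce": nonce}
    return body, sign(body, key)


def demo() -> Dict[str, str]:
    now = 1_463_000_000.0   # fixed clock so results are reproducible
    v = Verifier(EMBEDDED_KEY)
    results = {}
    body, tag = client_report(EMBEDDED_KEY, "n1", now, 34.0522, -118.2437)
    results["genuine"] = v.verify(body, tag, now)[1]
    tampered = dict(body, lat=34.0600)   # proxy rewrites the position but keeps the old tag
    results["tampered"] = v.verify(tampered, tag, now)[1]
    results["replayed"] = v.verify(body, tag, now + 5)[1]
    body2, tag2 = client_report(b"guessed-key", "n2", now, 34.0522, -118.2437)
    results["script_without_key"] = v.verify(body2, tag2, now)[1]
    # key recovered from the decompiled app: the script is now a perfect client
    body3, tag3 = client_report(EMBEDDED_KEY, "n3", now, 34.0522, -118.2437)
    results["script_with_extracted_key"] = v.verify(body3, tag3, now)[1]
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:>26}: {outcome}")
```

The MAC stops on-path tampering and casual scripting, which is why the slide calls it a good defense; it does not stop a determined Sybil operator, because a key shared by every installed copy is only as secret as the app binary. Raising the bar further means per-device keys issued after some attestation of the device, rate limits per key, and the server-side plausibility checks the talk argues for.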
Slide18
Thank you! Questions?