Designing Effective Security and Privacy Schemes for Wireless Mobile Devices

Abstract

The growing ubiquity of modern wireless and mobile electronic devices has brought our daily lives with more convenience and fun. Today's smartphones are equipped with a variety of sensors and wireless communication technologies, which can support not only the basic functions like phone call and web browsing, but also advanced functions like mobile pay, biometric security, fitness monitoring, etc. Internet-of-Things (IoT) is another category of popular wireless devices that are networked to collect and exchange data. For example, the smart appliances are increasingly deployed to serve in home and office environments, such as smart thermostat, smart bulb, and smart meter. Additionally, implantable medical devices (IMD) is the typical type of modern wireless devices that are implanted within human body for diagnostic, monitoring, and therapeutic purposes. However, these modern wireless and mobile devices are not well protected compared with traditional personal computers (PCs), due to the intrinsic limitations in computation power, battery capacity, etc. In this dissertation, we first present the security and privacy vulnerabilities we discovered. Then, we present our designs to address these issues and enhance the security of smartphones, IoT devices, and IMDs. For smartphone security, we investigate the mobile phishing attacks, mobile clickjacking attacks and mobile camera-based attacks. Phishing attacks aim to steal private information such as credentials. We propose a novel anti-phishing scheme MobiFish, which can detect both phishing webpages and phishing applications (apps). The key idea is to check the consistency between the claimed identity and the actual identity of a webpage/app. The claimed identity can be extracted from the screenshot of login user interface (UI) using the optical character recognition (OCR) technique, while the actual identity is indicated by the secondary-level domain name of the Uniform Resource Locator (URL) to which the credentials are submitted. Clickjacking attacks intend to hijack user inputs and re-route them to other UIs that are not supposed to receive them. To defend such attacks, a lightweight and independent detection service is integrated into the Android operating system. Our solution requires no user or app developer effort, and is compatible with existing commercial apps. Camera-based attacks on smartphone can secretly capture photos or videos without the phone user's knowledge. One advanced attack we discovered records the user's eye movements when entering passwords. We found that it is possible to recover simple passwords from the video containing user eye movements. Next, we propose an out-of-band two-factor authentication scheme for indoor IoT devices (e.g., smart appliances) based on the Blockchain infrastructure. Since smart home environment consists of multiple IoT devices that may share their sensed data to better serve the user, when one IoT device is being accessed, our design utilizes another device to conduct a secondary authentication over an out-of-band channel (light, acoustic, etc.), to detect if the access requestor is a malicious external device. Unlike smartphones and IoT devices, IMDs have the most limited computation and battery resources. We devise a novel smartphone-assisted access control scheme in which the patient's smartphone is used to delegate the heavy computations for authentication and authorization. The communications between the smartphone and the IMD programmer are conducted through an audio cable, which can resist the wireless eavesdropping and other active attacks.