Rui Ning,Cong Wang,ChunSheng Xin,Jiang Li,Hongyi Wu

DOI: https://doi.org/10.1016/j.pmcj.2019.101106

IF: 3.848

2020-01-01

Pervasive and Mobile Computing

Abstract:In this paper, we report a newfound vulnerability on smartphones due to the malicious use of unsupervised sensor data. We demonstrate that an attacker can train deep Convolutional Neural Networks (CNN) by using magnetometer or orientation data to effectively infer the Apps and their usage information on a smartphone with an accuracy of over 80%. Furthermore, we show that such attacks can become even worse if sophisticated attackers exploit motion sensors to cluster the magnetometer or orientation data, improving the accuracy to as high as 98%. To mitigate such attacks, we propose a noise injection scheme that can effectively reduce the App sniffing accuracy to only 15% and at the same time has negligible effect on benign Apps.

Sanorita Dey,Nirupam Roy,Wenyuan Xu,Romit Roy Choudhury,Srihari Nelakuditi

DOI: https://doi.org/10.14722/ndss.2014.23059

2014-01-01

Abstract:As mobile begins to overtake the fixed Internet access, ad networks have aggressively sought methods to track users on their mobile devices. While existing countermeasures and regulation focus on thwarting cookies and various device IDs, this paper submits a hypothesis that smartphone/tablet accelerometers possess unique fingerprints, which can be exploited for tracking users. We believe that the fingerprints arise from hardware imperfections during the sensor manufacturing process, causing every sensor chip to respond differently to the same motion stimulus. The differences in responses are subtle enough that they do not affect most of the higher level functions computed on them. Nonetheless, upon close inspection, these fingerprints emerge with consistency, and can even be somewhat independent of the stimulus that generates them. Measurements and classification on 80 standalone accelerometer chips, 25 Android phones, and 2 tablets, show precision and recall upward of 96%, along with good robustness to realworld conditions. Utilizing accelerometer fingerprints, a crowdsourcing application running in the cloud could segregate sensor data for each device, making it easy to track a user over space and time. Such attacks are almost trivial to launch, while simple solutions may not be adequate to counteract them.

Yushi Cheng,Xiaoyu Ji,Wenyuan Xu,Hao Pan,Zhuangdi Zhu,Chuang-Wen You,Yi-Chao Chen,Lili Qiu

DOI: https://doi.org/10.1145/3321705.3329817

2019-01-01

Abstract:Mobile devices have emerged as the most popular platforms to access information. However, they have also become a major concern of privacy violation and previous researches have demonstrated various approaches to infer user privacy based on mobile devices. In this paper, we study a new side channel of a laptop that could be harvested by a commercial-off-the-shelf (COTS) mobile device, eg, a smartphone. We propose MagAttack, which exploits the electromagnetic (EM) side channel of a laptop to infer user activities, i.e., application launching and application operation. The key insight of MagAttack is that applications are discrepant in essence due to the different compositions of instructions, which can be reflected on the CPU power consumption, and thus the corresponding EM emissions. MagAttack is challenging since that EM signals are noisy due to the dynamics of applications and the limited sampling rate of the built-in magnetometers in COTS mobile devices. We overcome these challenges and convert noisy coarse-grained EM signals to robust fine-grained features. We implement MagAttack on both an iOS and an Android smartphone without any hardware modification, and evaluate its performance with 13 popular applications and 50 top websites in China. The results demonstrate that MagAttack can recognize aforementioned 13 applications with an average accuracy of 98.6%, and figure out the visiting operation among 50 websites with an average accuracy of 84.7%.

Yeming Li,Hailong Lin,Jiamei Lv,Yi Gao,Wei Dong

DOI: https://doi.org/10.1109/infocom52122.2024.10621247

2024-01-01

Abstract:In recent years, Bluetooth Low Energy (BLE) has become one of the most wildly used wireless protocols and it is common that users carry one or more BLE devices. With the extensive deployment of BLE devices, there is a significant privacy risk if these BLE devices can be tracked. However, the common wisdom suggests that the risk of BLE location tracking is negligible. The reason is that researchers believe there are no stable BLE fingerprints that are stable across different scenarios (e.g., temperatures) for different BLE devices with the same model. In this paper, we introduce a novel physical-layer fingerprint named Transient Dynamic Fingerprint (TDF), which originated from the negative feedback control process of the frequency synthesizer. Because of the hardware imperfection, the dynamic features of the frequency synthesizer are different, making TDF unique among different devices, even with the same model. Furthermore, TDF keeps stable under different thermal conditions. Based on TDF, we propose BTrack, a practical BLE device tracking system and evaluate its tracking performance in different environments. The results show BTrack works well once BLE beacons are effectively received. The identification accuracy is 35.38%-57.41% higher than the existing method, and stable over temperatures, distances, and locations.

Li Lu,Jiadi Yu,Yingying Chen,Yanmin Zhu,Xiangyu Xu,Guangtao Xue,Minglu Li

DOI: https://doi.org/10.1109/infocom.2019.8737591

2019-01-01

Abstract:This paper demonstrates the feasibility of a side-channel attack to infer keystrokes on touch screen leveraging an off-the-shelf smartphone. Although there exist some studies on keystroke eavesdropping attacks on touch screen, they are mainly direct eavesdropping attacks, i.e., require the device of victims compromised to provide side-channel information for the adversary, which are hardly launched in practical scenarios. In this work, we show the practicability of an indirect eavesdropping attack, KeyListener, which infers keystrokes on QWERTY keyboards of touch screen leveraging audio devices on a smartphone. We investigate the attenuation of acoustic signals, and find that a user’s keystroke fingers can be localized through the attenuation of acoustic signals received by the microphones in the smartphone. We then utilize the attenuation of acoustic signals to localize each keystroke, and further analyze errors induced by ambient noises. To improve the accuracy of keystroke localization, KeyListener further tracks finger movements during inputs through phase change and Doppler effect to reduce errors of acoustic signal attenuation-based keystroke localization. In addition, a binary tree-based search approach is employed to infer keystrokes in a context-aware manner. The proposed keystroke eavesdropping attack is robust to various environments without the assistance of additional infrastructures. Extensive experiments demonstrate that the accuracy of keystroke inference in top-5 candidates can approach 90% with a top-5 error rate of around 6%, which is a strong indication of the possible user privacy leakage of inputs on QWERTY keyboard.

Zhongjie Ba,Tianhang Zheng,Xinyu Zhang,Zhan Qin,Baochun Li,Xue Liu,Kui Ren

DOI: https://doi.org/10.14722/ndss.2020.24076

2020-01-01

Abstract:Motion sensors on current smartphones have been exploited for audio eavesdropping due to their sensitivity to vibrations. However, this threat is considered low-risk because of two widely acknowledged limitations: First, unlike microphones, motion sensors can only pick up speech signals traveling through a solid medium. Thus, the only feasible setup reported previously is to use a smartphone gyroscope to eavesdrop on a loudspeaker placed on the same table. The second limitation comes from a common sense that these sensors can only pick up a narrow band (85-100Hz) of speech signals due to a sampling ceiling of 200Hz. In this paper, we revisit the threat of motion sensors to speech privacy and propose AccelEve, a new side-channel attack that employs a smartphone's accelerometer to eavesdrop on the speaker in the same smartphone. Specifically, it utilizes the accelerometer measurements to recognize the speech emitted by the speaker and to reconstruct the corresponding audio signals. In contrast to previous works, our setup allows the speech signals to always produce strong responses in accelerometer measurements through the shared motherboard, which successfully addresses the first limitation and allows this kind of attacks to penetrate into real-life scenarios. Regarding the sampling rate limitation, contrary to the widely-held belief, we observe up to 500Hz sampling rates in recent smartphones, which almost covers the entire fundamental frequency band (85-255Hz) of adult speech. On top of these pivotal observations, we propose a novel deep learning based system that learns to recognize and reconstruct speech information from the spectrogram representation of acceleration signals. This system employs adaptive optimization on deep neural networks with skip connections using robust and generalizable losses to achieve robust recognition and reconstruction performance. Extensive evaluations demonstrate the effectiveness and high accuracy of our attack under various settings.

Ming Gao,Yajie Liu,Yike Chen,Yimin Li,Zhongjie Ba,Xian Xu,Jinsong Han,Kui Ren

DOI: https://doi.org/10.1109/tdsc.2022.3193130

2023-01-01

Abstract:Eavesdropping via inertial measurement units (IMUs) has brought growing concerns over smartphone users’ privacy. In such attacks, adversaries utilize IMUs, including accelerometers and gyroscopes, which require zero permissions for access to acquire speeches. A common countermeasure is to limit sampling rates (within 200 Hz) to reduce overlap of vocal fundamental bands (85 $\sim$ 255 Hz) and inertial measurements (0 $\sim$ 100 Hz). Nevertheless, we observe that IMUs sampling below 200 Hz still record adequate speech-related information because of aliasing distortions. Accordingly, we propose a practical side-channel attack, namely InertiEAR , to break the defense of sampling rate restriction on the zero-permission eavesdropping. It leverages accelerometers and gyroscopes jointly to eavesdrop on both top and bottom speakers in smartphones. We exploit coherence between responses of the built-in accelerometer and gyroscope using a mathematical model. The coherence allows precise segmentation without manual assistance. We also mitigate the impact of hardware diversity and achieve better device-independent performance than existing approaches that have to massively increase training data from different smartphones for a scalable network model. These two advantages re-enable zero-permission attacks but also extend the attacking surface and endangering degree to off-the-shelf smartphones. InertiEAR achieves the recognition accuracy of 78.8% with the cross-device accuracy of up to 60.9% among 12 smartphones.

Khuong An Nguyen,You Wang,Guang Li,Zhiyuan Luo,Chris Watkins

DOI: https://doi.org/10.3390/s19194184

2019-09-26

Abstract:Passengers travelling on the London underground tubes currently have no means of knowing their whereabouts between stations. The challenge for providing such service is that the London underground tunnels have no GPS, Wi-Fi, Bluetooth, or any kind of terrestrial signals to leverage. This paper presents a novel yet practical idea to track passengers in realtime using the smartphone accelerometer and a training database of the entire London underground network. Our rationales are that London tubes are self-driving transports with predictable accelerations, decelerations, and travelling time and that they always travel on the same fixed rail lines between stations with distinctive bumps and vibrations, which permit us to generate an accelerometer map of the tubes' movements on each line. Given the passenger's accelerometer data, we identify in realtime what line they are travelling on and what station they depart from, using a pattern-matching algorithm, with an accuracy of up to about 90% when the sampling length is equivalent to at least 3 station stops. We incorporate Principal Component Analysis to perform inertial tracking of passengers' positions along the line when trains break away from scheduled movements during rush hours. Our proposal was painstakingly assessed on the entire London underground, covering approximately 940 km of travelling distance, spanning across 381 stations on 11 different lines.

Weixi Gu,Ming Jin,Zimu Zhou,Costas J. Spanos,Lin Zhang

DOI: https://doi.org/10.1145/2994374.2994381

2016-01-01

Abstract:Metro has become the first choice of traveling for tourists and citizens in metropolis due to its efficiency and convenience. Yet passengers have to rely on metro broadcasts to know their locations because popular localization services (e.g. GPS and wireless localization technologies) are often inaccessible underground. To this end, we propose MetroEye, an intelligent smartphone-based tracking system for metro passengers underground. MetroEye leverages low-power sensors embedded in modern smartphones to record ambient contextual features, and infers the state of passengers (Stop, Running, and Interchange) during an entire metro trip using a Conditional Random Field (CRF) model. MetroEye further provides arrival alarm services based on individual passenger state, and aggregates crowdsourced interchange durations to guide passengers for intelligent metro trip planning. Experimental results within 6 months across over 14 subway trains in 3 major cities demonstrate that MetroEye yields an overall accuracy of 80.5% outperforming the state-of-the-art.

Ming Gao,Yajie Liu,Yike Chen,Yimin Li,Zhongjie Ba,Xian Xu,Jinsong Han

DOI: https://doi.org/10.1109/infocom48880.2022.9796890

2022-01-01

Abstract:IMU-based eavesdropping has brought growing concerns over smartphone users’ privacy. In such attacks, adversaries utilize IMUs that require zero permissions for access to acquire speeches. A common countermeasure is to limit sampling rates (within 200 Hz) to reduce overlap of vocal fundamental bands (85-255 Hz) and inertial measurements (0-100 Hz). Nevertheless, we experimentally observe that IMUs sampling below 200 Hz still record adequate speech-related information because of aliasing distortions. Accordingly, we propose a practical side-channel attack, InertiEAR, to break the defense of sampling rate restriction on the zero-permission eavesdropping. It leverages IMUs to eavesdrop on both top and bottom speakers in smartphones. In the InertiEAR design, we exploit coherence between responses of the built-in accelerometer and gyroscope and their hardware diversity using a mathematical model. The coherence allows precise segmentation without manual assistance. We also mitigate the impact of hardware diversity and achieve better device-independent performance than existing approaches that have to massively increase training data from different smartphones for a scalable network model. These two advantages re-enable zero-permission attacks but also extend the attacking surface and endangering degree to off-the-shelf smartphones. InertiEAR achieves a recognition accuracy of 78.8% with a cross-device accuracy of up to 49.8% among 12 smartphones.

Gu W,Spanos C.J,Jin M,Zhang L,Zhou Z.

DOI: https://doi.org/10.1145/2968219.2971437

2016-01-01

Abstract:Subway has become the first choice of traveling for people in metropolis due to its efficiency and convenience. Yet passengers have to rely on subway broadcasts to know their locations because popular localization services (e.g. GPS and wireless localization technologies) are often unavailable underground. To this end, we propose MetroEye, a finegrained passenger tracking service underground. MetroEye leverages smartphone sensors to record ambient contextual features, and infers the state of passengers (including stop, running, and interchange) during a metro trip using a Conditional Random Field (CRF) model. MetroEye further provides arrival alarm services based on individual passenger state, and aggregates crowdsourced interchange durations to guide passengers for intelligent metro trip planning. Experimental results within 6 months across over 14 subway trains in 3 major cities demonstrate that MetroEye outperforms the state-of-The-Art. © 2016 ACM.

Haibo Ye,Tao Gu,Xianping Tao,Jian Lu

DOI: https://doi.org/10.48550/arXiv.2003.10531

2020-03-08

Computers and Society

Abstract:Traditional fingerprint based localization techniques mainly rely on infrastructure support such as RFID, Wi-Fi or GPS. They operate by war-driving the entire space which is both time-consuming and labor-intensive. In this paper, we present MLoc, a novel infrastructure-free localization system to locate mobile users in a metro line. It does not rely on any Wi-Fi infrastructure, and does not need to war-drive the metro line. Leveraging crowdsourcing, we collect accelerometer,magnetometer and barometer readings on smartphones, and analyze these sensor data to extract patterns. Through advanced data manipulating techniques, we build the pattern map for the entire metro line, which can then be used for localization. We conduct field studies to demonstrate the accuracy, scalability, and robustness of M-Loc. The results of our field studies in 3 metro lines with 55 stations show that M-Loc achieves an accuracy of 93% when travelling 3 stations, 98% when travelling 5 stations.

Huaming Yang,Zhongzhou Xia,Jersy Shin,Jingyu Hua,Yunlong Mao,Sheng Zhong

DOI: https://doi.org/10.1109/icdcs54860.2022.00115

2022-01-01

Abstract:Many mobile apps access users’ trajectories to provide critical services (e.g., trip tracking). Unfortunately, in such apps, malicious users may upload fake trajectories to cheat providers for illegal benefits. There are few works in the literature that delicately study trajectory forgery problems. In this paper, we first take the perspective of attackers and consider how they fabricate vivid trajectories confronting a strict provider. In particular, we use the technique of adversarial examples in deep learning to propose a trajectory forgery method, which produces fake trajectories satisfying two conditions: (1) having the motion characteristics indistinguishable from those of real ones, and (2) matching a reasonable walking, cycling, or driving route when being projected to the map. We show through experiments that they can hardly be detected by mainstream trajectory service providers, even after being equipped with machine learning-based approaches. Therefore, we further present a dedicated countermeasure by validating the reasonability of reported received signal strength indicator (RSSI) data of WiFi access points (APs) nearby every location. It can well deal with the most challenging replay scenario, which can hardly be handled by existing WiFi-based location verification methods. We conduct extensive real-world experiments in three local commercial areas covering walking, cycling, and driving scenarios. Results demonstrate the high detection accuracy of this method.

Sha Zhao,Zhe Zhao,Yifan Zhao,Runhe Huang,Shijian Li,Gang Pan

DOI: https://doi.org/10.1109/UIC-ATC-ScalCom.2014.122

2014-01-01

Abstract:The prevalence of smart phones equipped with various sensors enables pervasive capturing users' mobility data (GPS, GSM network, WiFi, etc.), which contains approximate whereabouts of users. In order to protect users' privacy some mobility data is anonymized, which is challenging for discovering individual information implicated in the data. In this study, we are attempting to discover people's life patterns, which capture individual's life regularity and living style, from the anonymized WiFi scan lists. We transform the life pattern discovery problem into an unsupervised problem by extracting stay place, discovering trajectory patterns, etc. Particularly, we design a user feature space in which we use frequent trajectory patterns to represent each user as a feature vector. Thus, the life pattern discovery problem can be solved by finding clusters of users in the user feature space. The proposed approach is verified using the Device Analyzer data, which contains records of smart phone usage of more than 17,000 volunteering participants. Our work is a promising step towards automatically mining people's life patterns from anonymized mobility data of smart phones.

Huaming Yang,Zhongzhou Xia,Jersy Shin,Jingyu Hua,Yunlong Mao,Sheng Zhong

DOI: https://doi.org/10.1109/tmc.2023.3273411

IF: 6.075

2023-01-01

IEEE Transactions on Mobile Computing

Abstract:Many mobile apps access users' trajectories to provide critical services (e.g., trip tracking). Unfortunately, in such apps, malicious users may upload fake trajectories to cheat providers for illegal benefits. There are few works in the literature that delicately study trajectory forgery problems. In this paper, we first take the perspective of attackers and consider how they would fabricate vivid trajectories confronting a strict provider. In particular, we use the technique of adversarial examples in deep learning to propose a trajectory forgery method, which produces fake trajectories satisfying two conditions: (1) having the motion characteristics indistinguishable from those of real ones, and (2) matching reasonable walking, cycling, or driving routes when being projected to the map. Our experiments show that they can hardly be detected by mainstream trajectory service providers, even after being equipped with machine learning-based approaches. Therefore, we further present dedicated countermeasures by validating the reasonability of reported received signal strength indicator (RSSI) data of scanned WiFi APs in commercial areas and scanned Cellular APs in rural areas, respectively. They can deal well with the most challenging replay scenario, which can hardly be handled by existing radio-based location verification methods. We conduct extensive real-world experiments covering walking, cycling, and driving scenarios to demonstrate the high detection accuracy of both methods.

Yanzi Zhu,Zhujun Xiao,Yuxin Chen,Zhijing Li,Max Liu,Ben Y. Zhao,Haitao Zheng

2018-01-01

Abstract:Our work demonstrates a new set of silent reconnaissance attacks, which leverages the presence of commodity WiFi devices to track users inside private homes and offices, without compromising any WiFi network, data packets, or devices. We show that just by sniffing existing WiFi signals, an adversary can accurately detect and track movements of users inside a building. This is made possible by our new signal model that links together human motion near WiFi transmitters and variance of multipath signal propagation seen by the attacker sniffer outside of the property. The resulting attacks are cheap, highly effective, and yet difficult to detect. We implement the attack using a single commodity smartphone, deploy it in 11 real-world offices and residential apartments, and show it is highly effective. Finally, we evaluate potential defenses, and propose a practical and effective defense based on AP signal obfuscation.

S Abhishek Anand,Chen Wang,Jian Liu,Nitesh Saxena,Yingying Chen

DOI: https://doi.org/10.48550/arXiv.1907.05972

2020-10-19

Abstract:In this paper, we build a speech privacy attack that exploits speech reverberations generated from a smartphone's in-built loudspeaker captured via a zero-permission motion sensor (accelerometer). We design our attack Spearphone2, and demonstrate that speech reverberations from inbuilt loudspeakers, at an appropriate loudness, can impact the accelerometer, leaking sensitive information about the speech. In particular, we show that by exploiting the affected accelerometer readings and carefully selecting feature sets along with off-the-shelf machine learning techniques, Spearphone can successfully perform gender classification (accuracy over 90%) and speaker identification (accuracy over 80%) for any audio/video playback on the smartphone. Our results with testing the attack on a voice call and voice assistant response were also encouraging, showcasing the impact of the proposed attack. In addition, we perform speech recognition and speech reconstruction to extract more information about the eavesdropped speech to an extent. Our work brings to light a fundamental design vulnerability in many currently-deployed smartphones, which may put people's speech privacy at risk while using the smartphone in the loudspeaker mode during phone calls, media playback or voice assistant interactions.

Cryptography and Security

Paul-Olivier Dehaye,Joel Reardon

DOI: https://doi.org/10.1145/3411497.3420219

2020-09-14

Abstract:Proximity tracing apps have been proposed as an aide in dealing with the COVID-19 crisis. Some of those apps leverage attenuation of Bluetooth beacons from mobile devices to build a record of proximate encounters between a pair of device owners. The underlying protocols are known to suffer from false positive and re-identification attacks. We present evidence that the attacker's difficulty in mounting such attacks has been overestimated. Indeed, an attacker leveraging a moderately successful app or SDK with Bluetooth and location access can eavesdrop and interfere with these proximity tracing systems at no hardware cost and perform these attacks against users who do not have this app or SDK installed. We describe concrete examples of actors who would be in a good position to execute such attacks. We further present a novel attack, which we call a biosurveillance attack, which allows the attacker to monitor the exposure risk of a smartphone user who installs their app or SDK but who does not use any contact tracing system and may falsely believe that they have opted out of the system. Through traffic auditing with an instrumented testbed, we characterize precisely the behaviour of one such SDK that we found in a handful of apps---but installed on more than one hundred million mobile devices. Its behaviour is functionally indistinguishable from a re-identification or biosurveillance attack and capable of executing a false positive attack with minimal effort. We also discuss how easily an attacker could acquire a position conducive to such attacks, by leveraging the lax logic for granting permissions to apps in the Android framework: any app with some geolocation permission could acquire the necessary Bluetooth permission through an upgrade, without any additional user prompt. Finally we discuss motives for conducting such attacks.

Cryptography and Security

Zhen Tu,Fengli Xu,Yong Li,Pengyu Zhang,Depeng Jin

DOI: https://doi.org/10.1109/tnet.2018.2829173

2018-01-01

IEEE/ACM Transactions on Networking

Abstract:Human mobility data have been ubiquitously collected through cellular networks and mobile applications, and publicly released for academic research and commercial purposes for the last decade. Since releasing individual's mobility records usually gives rise to privacy issues, data sets owners tend to only publish aggregated mobility data, such as the number of users covered by a cellular tower at a specific timestamp, which is believed to be sufficient for preserving users' privacy. However, in this paper, we argue and prove that even publishing aggregated mobility data could lead to privacy breach in individuals' trajectories. We develop an attack system that is able to exploit the uniqueness and regularity of human mobility to recover individual's trajectories from the aggregated mobility data without any prior knowledge. By conducting experiments on two real-world data sets collected from both the mobile application and cellular network, we reveal that the attack system is able to recover users' trajectories with an accuracy of about 73%similar to 91% at the scale of thousands to ten thousands of mobile users, which indicates severe privacy leakage in such data sets. Our extensive analysis also reveals that by generalization and perturbation, this kind of privacy leakage can only be mitigated. Through the investigation on aggregated mobility data, this paper recognizes a novel privacy problem in publishing statistic data, which appeals for immediate attentions from both the academy and industry.

Zhang, F.,Zhao, J.,Tian, C.,Xu, C.

DOI: https://doi.org/10.1109/TVT.2015.2409815

2016-01-01

Abstract:Contactless smart card systems have gained universal prevalence in modern metros. In addition to its original goal of ticketing, the large amount of transaction data collected by the smart card system can be utilized for many operational and management purposes. This paper investigates an important problem: how to extract spatio-temporal segmentation information of trips inside a metro system. More specifically, for a given trip, we want to answer several key questions: how long it takes for a passenger to walk from the station gantry to the station platform? How much time he/she waits for the next train? How long he/she spends on the train? How long it takes to transfer from one line to another? etc. This segmentation information is important for many application scenarios such as travel time prediction, travel planning, and transportation scheduling. However, in reality we only assume that only each trip’s tap-in and tap-out time can be directly obtained; all other temporal endpoints of segments are unknown. This makes the research very challenging. To the best of our knowledge, we are the first to give a practical solution to this important problem. By analyzing the tap-in/tap-out events pattern, our intuition is to pinpoint some special passengers whose transaction data can be very helpful for segmentation. A novel methodology is proposed to extract spatio-temporal segmentation information: first for non-transfer trips by deriving the boarding time between the gantry and the platform, then for with-transfer trips by deriving the transfer time. Evaluation studies are based on a large scale real-system data of Shenzhen metro system, which is one of the largest metro systems in China and serves millions of passengers daily. On-site investigations validate that our algorithm is accurate and the average estimation error is only around 15%.