Kexiong (Curtis) Zeng,Yuanchao Shu,Shinan Liu,Yanzhi Dou,Yaling Yang

DOI: https://doi.org/10.1145/3032970.3032983

2017-01-01

Abstract:High value of GPS location information and easy availability of portable GPS signal spoofing devices incentivize attackers to launch GPS spoofing attacks against location-based applications. In this paper, we propose an attack model in road navigation scenario, and develop a complete framework to analyze, simulate and evaluate the spoofing attacks under practical constraints. To launch an attack, the framework first constructs a road network, and then searches for an attack route that smoothly diverts a victim without his awareness. In extensive data-driven simulations in College Point, New York City, we managed to navigate a victim to locations 1km away from his original destination.

Xiao Han,Junjie Xiong,Wenbo Shen,Mingkui Wei,Shangqing Zhao,Zhuo Lu,Yao Liu

DOI: https://doi.org/10.1109/tdsc.2024.3352981

2024-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Location spoofing attack deceiving a Wi-Fi positioning system has been studied for over a decade. However, it has been challenging to construct a practical spoofing attack in urban areas with dense coverage of legitimate Wi-Fi APs. This paper identifies the vulnerability of the Google Geolocation API, which returns the location of a mobile device based on the information of the Wi-Fi access points that the device can detect. We show that this vulnerability can be exploited by the attacker to reveal the black-box localization algorithms adopted by the Google Wi-Fi positioning system and easily launch the location spoofing attack in dense urban areas with a high success rate. Furthermore, we find that this vulnerability can also lead to severe consequences that hurt user privacy, including the leakage of sensitive information like precise locations, daily activities, and demographics. Ultimately, we discuss the potential countermeasures that may be used to mitigate this vulnerability and location spoofing attack.

Kexiong (Curtis) Zeng,Shinan Liu,Yuanchao Shu,Dong Wang,Haoyu Li,Yanzhi Dou,Gang Wang,Yaling Yang

2018-01-01

Abstract:Mobile navigation services are used by billions of users around globe today. While GPS spoofing is a known threat, it is not yet clear if spoofing attacks can truly manipulate road navigation systems. Existing works primarily focus on simple attacks by randomly setting user locations, which can easily trigger a routing instruction that contradicts with the physical road condition (i.e., easily noticeable). In this paper, we explore the feasibility of a stealthy manipulation attack against road navigation systems. The goal is to trigger the fake turn-by-turn navigation to guide the victim to a wrong destination without being noticed. Our key idea is to slightly shift the GPS location so that the fake navigation route matches the shape of the actual roads and trigger physically possible instructions. To demonstrate the feasibility, we first perform controlled measurements by implementing a portable GPS spoofer and testing on real cars. Then, we design a searching algorithm to compute the GPS shift and the victim routes in real time. We perform extensive evaluations using a trace-driven simulation (600 taxi traces in Manhattan and Boston), and then validate the complete attack via real-world driving tests (attacking our own car). Finally, we conduct deceptive user studies using a driving simulator in both the US and China. We show that 95% of the participants follow the navigation to the wrong destination without recognizing the attack. We use the results to discuss countermeasures moving forward.

Shinan Liu,Xiang Cheng,Hanchao Yang,Yuanchao Shu,Xiaoran Weng,Ping Guo,Kexiong (Curtis) Zeng,Gang Wang,Yaling Yang

2021-01-01

Abstract:The GPS has empowered billions of users and various critical infrastructures with its positioning and time services. However, GPS spoofing attacks also become a growing threat to GPS-dependent systems. Existing detection methods either require expensive hardware modifications to current GPS devices or lack the basic robustness against sophisticated attacks, hurting their adoption and usage in practice. In this paper, we propose a novel GPS spoofing detection framework that works with off-the-shelf GPS chipsets. Our basic idea is to rotate a one-side-blocked GPS receiver to derive the angle-of-arrival (AoAs) of received signals and compare them with the GPS constellation (consists of tens of GPS satellites). We first demonstrate the effectiveness of this idea by implementing a smartphone prototype and evaluating it against a real spoofer in various field experiments (in both open air and urban canyon environments). Our method achieves a high accuracy (95%-100%) in 5 seconds. Then we implement an adaptive attack, assuming the attacker becomes aware of our defense method and actively modulates the spoofing signals accordingly. We study this adaptive attack and propose enhancement methods (using the rotation speed as the "secret key") to fortify the defense. Further experiments are conducted to validate the effectiveness of the enhanced defense.

Wenyuan Xu,Zhenhua Liu

2012-01-01

Abstract:The open nature of wireless communication makes it easy for adversaries to either inject random signals to wireless channels harming the network availability, or eavesdrop on the communication breaching the location privacy. Those threats are challenging to cope with, because most of them cannot be addressed by traditional cryptographic methods. One of the attacks that can easily imperil the availability of networks is jamming attacks. An adversary can launch a jamming attack either by bypassing MAC-layer protocols and keeping sending packets, or by emitting radio signals to a particular channel. To cope with jamming attacks, in this dissertation, we focus on developing mechanisms to localize jammers. We examine how jammers affect networks in terms of signal strength, nodes' communication range, and network topologies, and present how to measure these jamming effects. To localize a jammer, we design an Adaptive Least-Squares-based (LSQ-based) algorithm which performs localization by exploiting the changes of communication range. Then, to further improve the localization accuracy, we propose an error minimizing framework that can localize not only one but also multiple jammers through utilizing the strength of jamming signals (JSS). To evaluate the effectiveness of our proposed localization schemes, we conducted real-world experiments using a testbed of MicaZ, and then carried out extensive performance studies in large-scale networks by simulation. Another problem that cannot be solved by traditional cryptographic method is the location privacy issue. We study this issue in wireless sensor network because the locations of the sink nodes are critically important to the viability of wireless networks, and such information can be easily determined by attackers. For instance, attackers can eavesdrop on the network communication at several spots and trace back to the sink nodes. Then, they can destroy the sink nodes physically to disable the data collection or dissemination. In this dissertation, we examine the sink location privacy problem from both the attack and defense sides. On the attack side, we present two types of Zeroing-In attacks which allow attackers to identify the sink location by estimating the hop count or the arrival time of a broadcast packet at a few spots in the network. To cope with the Zeroing-In attacks, we propose a directed-walk-based scheme and validate that it is effective in deceiving adversaries at modest energy costs.

Yeming Li,Hailong Lin,Jiamei Lv,Yi Gao,Wei Dong

DOI: https://doi.org/10.1109/infocom52122.2024.10621247

2024-01-01

Abstract:In recent years, Bluetooth Low Energy (BLE) has become one of the most wildly used wireless protocols and it is common that users carry one or more BLE devices. With the extensive deployment of BLE devices, there is a significant privacy risk if these BLE devices can be tracked. However, the common wisdom suggests that the risk of BLE location tracking is negligible. The reason is that researchers believe there are no stable BLE fingerprints that are stable across different scenarios (e.g., temperatures) for different BLE devices with the same model. In this paper, we introduce a novel physical-layer fingerprint named Transient Dynamic Fingerprint (TDF), which originated from the negative feedback control process of the frequency synthesizer. Because of the hardware imperfection, the dynamic features of the frequency synthesizer are different, making TDF unique among different devices, even with the same model. Furthermore, TDF keeps stable under different thermal conditions. Based on TDF, we propose BTrack, a practical BLE device tracking system and evaluate its tracking performance in different environments. The results show BTrack works well once BLE beacons are effectively received. The identification accuracy is 35.38%-57.41% higher than the existing method, and stable over temperatures, distances, and locations.

Yanzhe Che,Kevin Chiew,Xiaoyan Hong,Qinming He

DOI: https://doi.org/10.1145/2442810.2442820

2012-01-01

Abstract:ABSTRACTThere is a potential privacy breach when users access various location-based social applications on a mobile social network (MSN), e.g., sharing locations with friends. To preserve location privacy, one of the most common methods is to use a coarse or fake location instead of a user's exact location. However, most of these previous approaches only provide geometric strategies without considering the semantic context of the geographical locations. For example, if a cloaked region contains a part of a lake, where no boats are allowed, an adversary can easily prune the cloaked region to a smaller range covering a user's actual location. In this paper, we propose SALS, a semantics-aware location sharing framework based on cloaking zone for an MSN environment. By considering a user's social relations and activities which are available in an MSN environment, SALS does not assume any trustworthy entities, including strangers, friends or any third parties. As a solution, SALS enables users to cooperate with each other, in a Peer-to-Peer (P2P) way, to generate the cloaking zones, which will be used instead of the actual locations. Different from the previous cloaking techniques, SALS considers the semantic location which can influence the distribution probability of a user's locations. We also propose metrics for measuring the quality of the cloaking zone. The evaluation shows that our method can well defend the semantic-location attack.

Hao Zhou,Yingjie Wu,Sisi Zhong,Zhao Luo,Xiaodong Wang

DOI: https://doi.org/10.1109/icicee.2012.418

2012-01-01

Abstract:The query privacy issue in location-based services (LBS) has recently received considerable attention. To protect the query privacy of users, current state-of-the-art techniques adopt cloaking which cloaks the sender's location to k-anonymized spatial region (ASR), such that an attack based on the sender's location cannot identify the query source with probability larger than 1/k, among other k-1 users. However, these techniques do not consider that these k-1 additional mobile users with different privacy requirements may send request at the same time. In this paper, we propose a new attack model that an adversary who observes all the ASRs at one time can identify the query source with probability larger than 1/k based on prior knowledge of the locations of all users. And we propose our two algorithms, namely, Basic and Adaptive Algorithms, which strengthen the privacy guarantee to defend such inference attack while still support personalized user privacy requirements. We verify the effectiveness of the proposed algorithms by experiments on location data which synthetically generated on real road maps.

Muyuan Li,Haojin Zhu,Zhaoyu Gao,Si Chen,Kui Ren,Le Yu,Shangqian Hu

DOI: https://doi.org/10.1145/2632951.2632953

2013-01-01

Abstract:Location-based social networks (LBSNs) feature friend discovery by location proximity that has attracted hundreds of millions of users world-wide. While leading LBSN providers claim the well-protection of their users' location privacy, for the first time we show through real world attacks that these claims do not hold. In our identified attacks, a malicious individual with the capability of no more than a regular LBSN user can easily break most LBSNs by manipulating location information fed to LBSN client apps and running them as location oracles. We further develop an automated user location tracking system and test it on leading LBSNs including Wechat, Skout, and Momo. We demonstrate its effectiveness and efficiency via a 3 week real-world experiment on 30 volunteers and show that we could geo-locate any target with high accuracy and readily recover his/her top 5 locations. Finally, we also develop a framework that explores a grid reference system and location classifications to mitigate the attacks. Our result serves as a critical security reminder of the current LBSNs pertaining to a vast number of users.

Zhongxiao Wang,Hong Li,Jian Wen,Mingquan Lu

DOI: https://doi.org/10.33012/2021.17995

2021-01-01

Abstract:With the wide use of mobile navigation, the number of GNSS portable terminals such as smartphones without any ability of spoofing defense is growing rapidly, which induces a critical threat to our daily lives. To cope with the challenge of spoofing attacks, in this paper, we are going to develop a prototype of an online spoofer localization system, using raw GNSS measurements captured from Android smartphones in the spoofing area. We assume that each smartphone receives both authentic signals and spoofing signals simultaneously. With spoofing signals discriminated, a normal PVT solution can be recovered with authentic signals and then TOA measurements of spoofing signals can be captured from the smartphone and form a log file. We select a combination of smartphones with a minimum number of users and a maximum positioning accuracy. Each smartphone selected for spoofer localization uploads its logged data file to the server. Synchronization of observations and iterative least square (LS) algorithm will be carried out online to solve the position of the spoofer. Some difficulties and challenges, such as smartphones geometry and time synchronization are discussed in this paper. A fundamental field experiment is conducted to verify the feasibility of our proposed scheme.

Huaming Yang,Zhongzhou Xia,Jersy Shin,Jingyu Hua,Yunlong Mao,Sheng Zhong

DOI: https://doi.org/10.1109/icdcs54860.2022.00115

2022-01-01

Abstract:Many mobile apps access users’ trajectories to provide critical services (e.g., trip tracking). Unfortunately, in such apps, malicious users may upload fake trajectories to cheat providers for illegal benefits. There are few works in the literature that delicately study trajectory forgery problems. In this paper, we first take the perspective of attackers and consider how they fabricate vivid trajectories confronting a strict provider. In particular, we use the technique of adversarial examples in deep learning to propose a trajectory forgery method, which produces fake trajectories satisfying two conditions: (1) having the motion characteristics indistinguishable from those of real ones, and (2) matching a reasonable walking, cycling, or driving route when being projected to the map. We show through experiments that they can hardly be detected by mainstream trajectory service providers, even after being equipped with machine learning-based approaches. Therefore, we further present a dedicated countermeasure by validating the reasonability of reported received signal strength indicator (RSSI) data of WiFi access points (APs) nearby every location. It can well deal with the most challenging replay scenario, which can hardly be handled by existing WiFi-based location verification methods. We conduct extensive real-world experiments in three local commercial areas covering walking, cycling, and driving scenarios. Results demonstrate the high detection accuracy of this method.

Dawei Liu,Yuedong Xu,Xin Huang

DOI: https://doi.org/10.1109/tii.2017.2767631

IF: 12.3

2017-01-01

IEEE Transactions on Industrial Informatics

Abstract:Location spoofing and non-line-of-sight (NLOS) propagation are two leading reasons of serious localization errors in wireless networks. Previous studies have managed to identify these two factors separately. However, when present in the same system, these two factors can cause localization errors in a similar manner, making the identification difficult. In this paper, we address the problem of identifying location spoofing in NLOS conditions. We first carry out a geometric analysis on NLOS and derive a bound that can be used to differentiate NLOS from location spoofing. Based on the bound, we propose an identification method. We show that the proposed method is secure against different types of spoofing attacks including those from individuals and from multiple collaborative attackers. In particular, it can be used to identify the well-known “perfect location spoofing.” Simulation in wireless sensor networks indicates that our method can achieve a high accuracy with 0 false positive on identifying individual attacks and perfect location spoofing in NLOS conditions.

Juraj Machaj,Clément Safon,Slavomír Matúška,Peter Brída

DOI: https://doi.org/10.3390/s24237624

IF: 3.9

2024-11-29

Sensors

Abstract:Indoor positioning based on Wi-Fi signals has gained a lot of attention lately. There are many advantages related to the use of Wi-Fi signals for positioning, including the availability of Wi-Fi access points in indoor environments and the integration of Wi-Fi transceivers into consumer devices. However, since Wi-Fi uses an unlicensed spectrum, anyone can create their own access points. Therefore, it is possible to affect the function of the localization system by spoofing signals from access points and thus alter positioning accuracy. Previously published works focused mainly on the evaluation of spoofing on localization systems and the detection of anomalies when updating the radio map. Spoofing mitigation solutions were proposed; however, their application to systems that use off-the-shelf items is not straightforward. In this paper filtering algorithms are proposed to minimize the impact of access point spoofing. The filtering was applied with a combination of the widely used K-Nearest Neighbours (KNN) localization algorithm and their performance is evaluated using the UJIIndoorLoc dataset. During the evaluation, the spoofing of Access Points was performed in two different scenarios and the number of spoofed access points ranged from 1 to 10. Based on the achieved results proposed SFKNN provided good detection of the spoofing and helped to reduce the mean localization error by 2–5 m, especially when the number of spoofed access points was higher.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Giuseppe Ateniese,Briland Hitaj,Luigi V. Mancini,Nino V. Verde,Antonio Villani

DOI: https://doi.org/10.48550/arXiv.1505.07774

2015-09-04

Abstract:News reports of the last few years indicated that several intelligence agencies are able to monitor large networks or entire portions of the Internet backbone. Such a powerful adversary has only recently been considered by the academic literature. In this paper, we propose a new adversary model for Location Based Services (LBSs). The model takes into account an unauthorized third party, different from the LBS provider itself, that wants to infer the location and monitor the movements of a LBS user. We show that such an adversary can extrapolate the position of a target user by just analyzing the size and the timing of the encrypted traffic exchanged between that user and the LBS provider. We performed a thorough analysis of a widely deployed location based app that comes pre-installed with many Android devices: GoogleNow. The results are encouraging and highlight the importance of devising more effective countermeasures against powerful adversaries to preserve the privacy of LBS users.

Cryptography and Security

Hao Zhou,Xiaodong Wang,Sisi Zhong,Yingjie Wu,Zhao Luo

DOI: https://doi.org/10.1109/icicee.2012.419

2012-01-01

Abstract:Recently, several techniques have been proposed to preserve the user location privacy in road networks. To protect the location privacy of users, many of the existing techniques adopt cloaking which blurs the actual location into a set of segments. But these techniques do not take the weight of the segments into account in the situation of road networks. In this paper, we propose a new attack model that an adversary can infer the true location of the requester according to the weight distribution with a certain probability. And we also design an approach to solve this problem, which can guarantee better distribution of the weights in the cloaked set. The experiment result shows the effectiveness and feasibility of our algorithm.

Li Zang,Yanyong Zhang,Wade Trappe,Badri Nath

2004-01-01

Abstract:The infrastructure provided by wireless networks promises to have a significant impact on the way computing is performed. Not only will information be available while we are on the go, but new locationaware computing paradigms along with location-sensitive security policies will emerge. Already, many techniques have emerged to provide the ability to localize a communicating device [?], [1]–[4]. Enforcement of location-aware security policies (e.g., this laptop should not be taken out of this building, or this file should not be opened outside of a secure room) requires trusted location information. As more of these location-dependent services get deployed, the very mechanisms that provide location information will become the target of misuse and attacks. Therefore, as we move forward with deploying wireless systems that support location services, it is prudent to integrate security into the protection of localization techniques. The purpose of this paper is to examine the problem of secure localization from a viewpoint different from traditional network security services. In addition to the different attacks and misuse faced by wireless localization mechanisms, it is our viewpoint that these vulnerabilities can be mitigated by exploiting the redundancy present in typical wireless deployments. Rather than introducing countermeasures for every possible attack, our approach is to provide localization-specific, attack-tolerant mechanisms that shield the localization infrastructure from threats that bypass traditional security defenses. The idea is to live with bad nodes rather than eliminate all possible bad nodes.

Shuang Zhao,Xiapu Luo,Bo Bai,Xiaobo Ma,Wei Zou,Xinliang Qiu,Man Ho Au

DOI: https://doi.org/10.1007/978-3-319-40253-6_1

2016-01-01

Abstract:Mobile social apps have been changing the way people interact with each other in the physical world. To help people extend their social networks, Location-Based Social Network LBSN apps e.g., Wechat, SayHi, Momo that encourage people to make friends with nearby strangers have gained their popularity recently. They provide a \"Nearby\" feature for a user to find other users near him/her. While seeing other users, the user, as well as his/her coarse-grained relative location, will also be visible in the \"Nearby\" feature of other users. Leveraging this observation, in this paper, we model the location probing attacks, and propose three approaches to perform large-scale such attacks on LBSN apps. Moreover, we apply the new approaches in the risk assessment of eight popular LBSN apps, each of which has millions of installation. The results demonstrate the severity of such attacks. More precisely, our approaches can collect a huge volume of users' location information effectively and automatically, which can be exploited to invade users' privacy. This study sheds light on the research of protecting users' private location information.

Jiacheng Shang,Si Chen,Jie Wu,Shu Yin

DOI: https://doi.org/10.1109/tmc.2020.3007740

IF: 6.075

2022-02-01

IEEE Transactions on Mobile Computing

Abstract:Augmented reality (AR) applications that overlay the perception of the real world with digitally generated information are on the cusp of commercial viability. AR has appeared in several commercial platforms like Microsoft HoloLens and smartphones. They extend the user experience beyond two dimensions and supplement the normal 3D world of a user. A typical location-based multi-player AR application works through a three-step process, wherein the system collects sensory data from the real world, identifies objects based on their context, and finally, renders information on top of senses of a user. However, because these AR applications frequently exchange data with users, they have exposed new individual and public safety issues. In this paper, we develop ARSpy, a user location tracking system solely based on network traffic information of the user, and we test it on location-based multi-player AR applications. We demonstrate the effectiveness and efficiency of the proposed scheme via real-world experiments on 12 volunteers and show that we could obtain the geolocation of any target with high accuracy. We also propose three mitigation methods to mitigate these side channel attacks. Our results reveal a potential security threat in current location-based multi-player AR applications and serve as a critical security reminder to a vast number of AR users.

computer science, information systems,telecommunications

Roshan Ayyalasomayajula,Aditya Arun,Wei Sun,Dinesh Bharadia

DOI: https://doi.org/10.48550/arXiv.2211.10014

2022-11-18

Abstract:WiFi-based indoor localization has now matured for over a decade. Most of the current localization algorithms rely on the WiFi access points (APs) in the enterprise network to localize the WiFi user accurately. Thus, the WiFi user's location information could be easily snooped by an attacker listening through a compromised WiFi AP. With indoor localization and navigation being the next step towards automation, it is important to give users the capability to defend against such attacks. In this paper, we present MIRAGE, a system that can utilize the downlink physical layer information to create a defense against an attacker snooping on a WiFi user's location information. MIRAGE achieves this by utilizing the beamforming capability of the transmitter that is already part of the WiFi protocols. With this initial idea, we have demonstrated that the user can obfuscate his/her location from the WiFi AP always with no compromise to the throughput of the existing WiFi communication system and reduce the user location accuracy of the attacker from 2.3m to more than 10m.

Cryptography and Security,Signal Processing,Systems and Control

Song Fang,Yao Liu,Wenbo Shen,Haojin Zhu,Tao Wang

DOI: https://doi.org/10.1109/tmc.2016.2549519

IF: 6.075

2017-01-01

IEEE Transactions on Mobile Computing

Abstract:In wireless networks, location distinction aims to detect location changes or facilitate authentication of wireless users. To achieve location distinction, recent research has focused on investigating the spatial uncorrelation property of wireless channels. Specifically, differences in wireless channel characteristics are used to distinguish locations or identify location changes. However, we discover a new attack against all existing location distinction approaches that are built on the spatial uncorrelation property of wireless channels. In such an attack, the adversary can easily hide her location changes or impersonate movements by injecting fake wireless channel characteristics into a target receiver. To defend against this attack, we propose a detection technique that utilizes an auxiliary receiver or antenna to identify these fake channel characteristics. We also discuss such attacks and corresponding defenses in OFDM systems. Experimental results on our USRP-based prototype show that the discovered attack can craft any desired channel characteristic with a successful probability of 95.0 percent to defeat spatial uncorrelation based location distinction schemes and our novel detection method achieves a detection rate higher than 91.2 percent while maintaining a very low false alarm rate.