Xueqin Wang,Yiik Diew Wong,Kevin X. Li,Kum Fai Yuen

DOI: https://doi.org/10.1016/j.trf.2020.06.005

2020-01-01

Abstract:The relationship between drivers and their cars is increasingly personal, where the cars become an extension of the drivers' self-identity. However, the penetration of autonomous vehicle (AV) technology threatens consumers' self-identity as expressed by the act of driving. This study thus aims to examine the impacts of technology-identity concerns on consumers' acceptance of AV technology. Theories of identity threat, identity control and innovation diffusion are synthesised to build the conceptual framework. Face-to-face interview data were collected from 353 consumers (all with a driving license) in Singapore. The results show that consumers' technology anxiety and self-identity expressiveness act as two sources of resistance that cause consumers' intentional avoidance of the AV technology. The avoidance is further characterised by consumers' disengagement from the 'observe' and 'try' stages of technology penetration, which ultimately dissuades consumers' acceptance of AV technology. The impacts of socio-demographics are also explored. Our findings contribute to multiple streams of literature and create practical implications to AV manufacturers and retailers. (C) 2020 Elsevier Ltd. All rights reserved.

Ishtiaq Rouf,Robert D. Miller,Hossen A. Mustafa,Travis Taylor,Sangho Oh,Wenyuan Xu,Marco Gruteser,Wade Trappe,Ivan Seskar

2010-01-01

Abstract:Wireless networks are being integrated into the modern automobile. The security and privacy implications of such in-car networks, however, have are not well understood as their transmissions propagate beyond the confines of a car's body. To understand the risks associated with these wireless systems, this paper presents a privacy and security evaluation of wireless Tire Pressure Monitoring Systems using both laboratory experiments with isolated tire pressure sensor modules and experiments with a complete vehicle system. We show that eavesdropping is easily possible at a distance of roughly 40m from a passing vehicle. Further, reverse-engineering of the underlying protocols revealed static 32 bit identifiers and that messages can be easily triggered remotely, which raises privacy concerns as vehicles can be tracked through these identifiers. Further, current protocols do not employ authentication and vehicle implementations do not perform basic input validation, thereby allowing for remote spoofing of sensor messages. We validated this experimentally by triggering tire pressure warning messages in a moving vehicle from a customized software radio attack platform located in a nearby vehicle. Finally, the paper concludes with a set of recommendations for improving the privacy and security of tire pressure monitoring systems and other forthcoming in-car wireless sensor networks.

Yajin Zhou,Xinwen Zhang,Xuxian Jiang,Vincent W. Freeh

DOI: https://doi.org/10.1007/978-3-642-21599-5_7

2011-01-01

Abstract:Smartphones have been becoming ubiquitous and mobile users are increasingly relying on them to store and handle personal information. However, recent studies also reveal the disturbing fact that users' personal information is put at risk by (rogue) smartphone applications. Existing solutions exhibit limitations in their capabilities in taming these privacy-violating smartphone applications. In this paper, we argue for the need of a new privacy mode in smartphones. The privacy mode can empower users to flexibly control in a fine-grained manner what kinds of personal information will be accessible to an application. Also, the granted access can be dynamically adjusted at runtime in a fine-grained manner to better suit a user's needs in various scenarios (e.g., in a different time or location). We have developed a system called TISSA that implements such a privacy mode on Android. The evaluation with more than a dozen of information-leaking Android applications demonstrates its effectiveness and practicality. Furthermore, our evaluation shows that TISSA introduces negligible performance overhead.

Abdul Moiz,Manar H. Alalfi

DOI: https://doi.org/10.48550/arXiv.2011.04066

2020-11-09

Abstract:The advancements in the digitization world has revolutionized the automotive industry. Today's modern cars are equipped with internet, computers that can provide autonomous driving functionalities as well as infotainment systems that can run mobile operating systems, like Android Auto and Apple CarPlay. Android Automotive is Google's android operating system tailored to run natively on vehicle's infotainment systems, it allows third party apps to be installed and run on vehicle's infotainment systems. Such apps may raise security concerns related to user's safety, security and privacy. This paper investigates security concerns of in-vehicle apps, specifically, those related to inter component communication (ICC) among these apps. ICC allows apps to share information via inter or intra apps components through a messaging object called intent. In case of insecure communication, Intent can be hijacked or spoofed by malicious apps and user's sensitive information can be leaked to hacker's database. We investigate the attack surface and vulnerabilities in these apps and provide a static analysis approach and a tool to find data leakage vulnerabilities. The approach can also provide hints to mitigate these leaks. We evaluate our approach by analyzing a set of Android Auto apps downloaded from Google Play store, and we report our validated results on vulnerabilities identified on those apps.

Cryptography and Security,Software Engineering

Yuhong Nan,Xueqiang Wang,Luyi Xing,Xiaojing Liao,Ruoyu Wu,Jianliang Wu,Yifan Zhang,XiaoFeng Wang

2023-01-01

Abstract:Recent research has highlighted privacy as a primary concern for IoT device users. However, due to the challenges in conducting a large-scale study to analyze thousands of devices, there has been less study on how pervasive unauthorized data exposure has actually become on today's IoT devices and the privacy implications of such exposure. To fill this gap, we leverage the observation that most IoT devices on the market today use their companion mobile apps as an intermediary to process, label and transmit the data they collect. As a result, the semantic information carried by these apps can be recovered and analyzed automatically to track the collection and sharing of IoT data. In this paper, we report the first of such a study, based upon a new framework IoTProfiler, which statically analyzes a large number of companion apps to infer and track the data collected by their IoT devices. Our approach utilizes machine learning to detect the code snippet in a companion app that handles IoT data and further recovers the semantics of the data from the snippet to evaluate whether their exposure has been properly communicated to the user. By running IoTPro-filer on 6,208 companion apps, our research has led to the discovery of 1,973 apps that expose user data without proper disclosure, covering IoT devices from at least 1,559 unique vendors. Our findings include highly sensitive information, such as health status and home address, and the pervasiveness of unauthorized sharing of the data to third parties, including those in different countries. Our findings highlight the urgent need to regulate today's IoT industry to protect user privacy.

Bulut Gözübüyük,Brian Tang,Kang G. Shin,Mert D. Pesé

2024-09-24

Abstract:Modern vehicles have become sophisticated computation and sensor systems, as evidenced by advanced driver assistance systems, in-car infotainment, and autonomous driving capabilities. They collect and process vast amounts of data through various embedded subsystems. One significant player in this landscape is Android Automotive OS (AAOS), which has been integrated into over 100M vehicles and has become a dominant force in the in-vehicle infotainment market. With this extensive data collection, privacy has become increasingly crucial. The volume of data gathered by these systems raises questions about how this information is stored, used, and protected, making privacy a critical issue for manufacturers and consumers. However, very little has been done on vehicle data privacy. This paper focuses on the privacy implications of AAOS, examining the exact nature and scope of data collection and the corresponding privacy policies from the original equipment manufacturers (OEMs). We develop a novel automotive privacy analysis tool called PriDrive which employs three methodological approaches: network traffic inspection, and both static and dynamic analyses of Android images using rooted emulators from various OEMs. These methodologies are followed by an assessment of whether the collected data types were properly disclosed in OEMs and 3rd party apps' privacy policies (to identify any discrepancies or violations). Our evaluation on three different OEM platforms reveals that vehicle speed is collected at a sampling rate of roughly 25 Hz. Other properties such as model info, climate & AC, and seat data are collected in a batch 30 seconds into vehicle startup. In addition, several vehicle property types were collected without disclosure in their respective privacy policies. For example, OEM A's policies only covers 110 vehicle properties or 13.02% of the properties found in our static analysis.

Cryptography and Security

Chulin Xie,Zhong Cao,Yunhui Long,Diange Yang,Ding Zhao,Bo Li

DOI: https://doi.org/10.48550/arXiv.2209.04022

2022-09-09

Abstract:Recent advances in machine learning have enabled its wide application in different domains, and one of the most exciting applications is autonomous vehicles (AVs), which have encouraged the development of a number of ML algorithms from perception to prediction to planning. However, training AVs usually requires a large amount of training data collected from different driving environments (e.g., cities) as well as different types of personal information (e.g., working hours and routes). Such collected large data, treated as the new oil for ML in the data-centric AI era, usually contains a large amount of privacy-sensitive information which is hard to remove or even audit. Although existing privacy protection approaches have achieved certain theoretical and empirical success, there is still a gap when applying them to real-world applications such as autonomous vehicles. For instance, when training AVs, not only can individually identifiable information reveal privacy-sensitive information, but also population-level information such as road construction within a city, and proprietary-level commercial secrets of AVs. Thus, it is critical to revisit the frontier of privacy risks and corresponding protection approaches in AVs to bridge this gap. Following this goal, in this work, we provide a new taxonomy for privacy risks and protection methods in AVs, and we categorize privacy in AVs into three levels: individual, population, and proprietary. We explicitly list out recent challenges to protect each of these levels of privacy, summarize existing solutions to these challenges, discuss the lessons and conclusions, and provide potential future directions and opportunities for both researchers and practitioners. We believe this work will help to shape the privacy research in AV and guide the privacy protection technology design.

Artificial Intelligence

Shradha Neupane,Faiza Tazi,Upakar Paudel,Freddy Freddy Veloz Baez,Merzia Adamjee,Lorenzo De Carli,Sanchari Das,Indrakshi Ray

DOI: https://doi.org/10.2139/ssrn.4121997

2022-01-01

SSRN Electronic Journal

Abstract:Most Internet of Things (IoT) devices provide access through mobile companion apps to configure, update, and control the devices. In many cases, these apps handle all user data moving in and out of devices and cloud endpoints. Thus, they constitute a critical component in the IoT ecosystem from a privacy standpoint, but they have historically been understudied. In this paper, we perform a latitudinal study and analysis of a sample of 455 IoT companion apps to understand their privacy posture using various methods and evaluate whether apps follow best practices. Specifically, we focus on three aspects: data privacy, security, and risk. Our findings indicate: (i) apps may over-request permissions , particularly for tasks that are not related to their functioning; and (ii) there is widespread use of programming and configuration practices which may reduce security, with the concerning extreme of two apps transmitting credentials in unencrypted form.

Kexin Cai,Zhiyuan Yu

DOI: https://doi.org/10.1080/10447318.2024.2376302

IF: 4.92

2024-07-18

International Journal of Human-Computer Interaction

Abstract:Depending on Internet of Vehicle (IoV) and on-board units in 5 G, intelligent connected vehicles (ICVs) gradually become the digital infrastructure and data hub to provide personalized in-vehicle infotainment (IVI), which naturally collect, use, and share the data related to users' bio-informatics, travel patterns, and usage habits. The privacy concern (PC) will be generated when using those data services. In this article, we construct the structural equation model (SEM) to study the influencing factors of users' PC and self-disclosure behavior (SD) regarding to ICV data services from the personality traits (PTs) perspective. A total of 481 valid questionnaires from 700 IVI users was collected. Results show that extraversion (EXT), conscientiousness (CNS), neuroticism (NEUR), privacy invasion experience (PIE), and privacy self-efficacy (PE) have significant impacts on PC. Besides, PC does not directly affect SD, but is indirectly affected by limiting profile visibility (LPV). Through revealing the relationship among PTs, PC and SD toward ICV data services, we aim to provide insights for vehicle data governance to facilitate the human-vehicle interaction.

computer science, cybernetics,ergonomics

Zhiyuan Yu,Kexin Cai

DOI: https://doi.org/10.3390/systems10050162

2022-09-21

Systems

Abstract:With the evolution of Internet of Vehicles (IoV) and intelligent transportation systems, intelligent connected vehicles (ICV) are becoming the trend in automobile industry worldwide. Assisted by road-side infrastructure and vehicle-mounted sensors, in-vehicle infotainment (IVI) data services are gradually growing more popular with drivers and passengers. In particular, IVI data services are not only restricted to internal cabin, but also are being extended to the external environment (e.g., workplace and home). These data categories include personal demographics/bioinformatics, usage habits, travel patterns, real-time location, audio, video, etc., which in turn induce perceived risk concerns around the data privacy and security of occupants. In this paper, we collect answers from 500 valid respondents and then construct a structural equation model to investigate key factors influencing users’ attitudes and behavioral intention (BI) towards IVI data services. Therein, trust is considered to play a vital role in attitude, and is assumed to be affected by perceived security risk (PSR), perceived privacy risk (PPR), and perceived performance risk (PFR). The results show that PSR and PPR have negative effects on user trust. The data breache anxiety positively influences PPR, which explain 75% of variance. In addition, trust can directly affect attitude and BI, which explain 28.6% of variance in attitudes towards IVI data services. Respondents score higher on average for attitude (Mean = 5.762, SD = 0.89) even where perceived risks exist. BI is influenced by the factors of PSR, PFR, trust, and attitude. Through this study, we intend to reveal the relationships among the factors of perceived risk, trust, attitude, and BI towards IVI data services, then provide guidelines for vehicular data governance in order to consolidate user trust for a safer mobility ecosystem.

Shuai Li,Zhemin Yang,Nan Hua,Peng Liu,Xiaohan Zhang,Guangliang Yang,Min Yang

DOI: https://doi.org/10.1145/3548606.3559371

2022-01-01

Abstract:ABSTRACTRecent years have witnessed the interesting trend that modern mobile apps perform more and more likely as user-to-user platforms, where app users can be freely and conveniently connected. Upon these platforms, rich and diverse data is often delivered across users, which brings users great conveniences and plentiful services, but also introduces privacy security concerns. While prior work has primarily studied illegitimate personal data collection problems in mobile apps, few paid little attention to the security of this emerging user-to-user platform feature, thus providing a rather limited understanding of the privacy risks in this aspect. In this paper, we focus on the security of the user-to-user platform feature and shed light on its caused insufficiently-studied but critical privacy risk, which is brought forward by cross-user personal data over-delivery (denoted as XPO). For the first time, this paper reveals the landscape of such XPO risk in wild, along with prevalence and severity assessment. To achieve this, we design a novel automated risk detection framework, named XPOChecker, that leverages the advantages of machine learning and program analysis to extensively and precisely identify potential privacy risks during user-to-user connections, and regulate whether the delivered data is legitimate or not. By applying XPOChecker on 13,820 real-world popular Android apps, we find that XPO is prevalent in practice, with 1,902 apps (13.76%) being affected. In addition to the mere exposure of diverse private user data which causes serious and broad privacy infringement, we demonstrate that the XPO exploits can invalidate privacy preservation mechanisms, leak business secrets, and even restore the sensitive membership of victims which potentially poses personal safety threats. Furthermore, we also confirm the existence of XPO risks in iOS apps for the first time. Last, to help understand and prevent XPO, we have responsibly launched two notification campaigns to inform the developers of the affected apps, with the conclusion of five underlying lessons from developers' feedback. We hope our work can make up for the deficiency of the understandings of XPO, help developers avoid XPO, and motivate further researches.

Jiangrong Wu,Yuhong Nan,Luyi Xing,Jiatao Cheng,Zimin Lin,Zibin Zheng,Min Yang

DOI: https://doi.org/10.14722/ndss.2024.24138

2024-01-01

Abstract:Cross-app content sharing is one of the prominent features widely used in mobile apps.For example, a short video from one app can be shared to another (e.g., a messaging app) and further viewed by other users.In many cases, such Crossapp content sharing activities could have privacy implications for both the sharer and sharee, such as exposing app users' personal interests.In this paper, we provide the first in-depth study on the privacy implications of Cross-app content sharing (as we call Cracs) activities in the mobile ecosystem.Our research showed that during the sharing process, the adversary can not only track and infer user interests as traditional web trackers but also cause other severe privacy implications to app users.More specifically, due to multiple privacy-intrusive designs and implementations of Cracs, an adversary can easily reveal a user's social relations to an outside party, or unnecessarily expose user identities and her associated personal data (e.g., user accounts in another app).Such privacy implications are indeed a concern for app users, as confirmed by a user study we have performed with 300 participants.To further evaluate the impact of our identified privacy implications at large, we have designed an automatic pipeline named Shark, combined with static analysis and dynamic analysis to effectively identify whether a given app introduces unnecessary data exposure in Cracs.We analyzed 300 top downloaded apps collected from app stores in both the US and China.The analysis results showed that over 55% of the apps from China and 10% from the US are indeed problematic.

Mark Quinlan,Jun Zhao,Andrew Simpson

DOI: https://doi.org/10.48550/arXiv.2207.06182

2022-07-13

Cryptography and Security

Abstract:Just as the world of consumer devices was forever changed by the introduction of computer controlled solutions, the introduction of the engine control unit (ECU) gave rise to the automobile's transformation from a transportation product to a technology platform. A modern car is capable of processing, analysing and transmitting data in ways that could not have been foreseen only a few years ago. These cars often incorporate telematics systems, which are used to provide navigation and internet connectivity over cellular networks, as well as data-recording devices for insurance and product development purposes. We examine the telematics system of a production vehicle, and aim to ascertain some of the associated privacy-related threats. We also consider how this analysis might underpin further research.

Jennifer Dukarski,

DOI: https://doi.org/10.4271/epr2021019

2021-09-13

Abstract:Modern automobiles collect around 25 gigabytes of data per hour and autonomous vehicles are expected to generate more than 100 times that number. In comparison, the Apollo Guidance Computer assisting in the moon launches had only a 32-kilobtye hard disk. Without question, the breadth of in-vehicle data has opened new possibilities and challenges. The potential for accessing this data has led many entrepreneurs to claim that data is more valuable than even the vehicle itself. These intrepid data-miners seek to explore business opportunities in predictive maintenance, pay-as-you-drive features, and infrastructure services. Yet, the use of data comes with inherent challenges: accessibility, ownership, security, and privacy. Unsettled Legal Issues Facing Data in Autonomous, Connected, Electric, and Shared Vehicles examines some of the pressing questions on the minds of both industry and consumers. Who owns the data and how can it be used? What are the regulatory regimes that impact vehicular data use? Is the US close to harmonizing with other nations in the automotive data privacy? And will the risks of hackers lead to the “zombie car apocalypse” or to another avenue for ransomware? This report explores a number of these legal challenges and the unsettled aspects that arise in the world of automotive data

Jian Bai,Zhuo Zhang,Bingshen Shen

DOI: https://doi.org/10.3233/jcm-215889

2022-01-26

Journal of Computational Methods in Sciences and Engineering

Abstract:With the rise of technologies such as mobile Internet, 5G networks and artificial intelligence, the development of Internet of Vehicle Information Security (ICVS) has become the mainstream and direction for the future development of the automotive industry. ICVS, people, roads, clouds, and APP constitute a complex network of vehicles. As part of the Internet, vehicle networking will inevitably face various complex information security threats and risks. This paper aims to design a kind of security situation awareness of Internet of vehicles based on intrusion detection protection systems (IDPS). By collecting the security data of car, app and private cloud for big data analysis, the whole smart car security situation awareness system is constructed. The system can be used to analyze potential threats, send out warnings, and carry out emergency responses.

Che Li,Yue Zhou,Shuang Li,Yaru Deng,Meng Zhang,Kanghui Wang

DOI: https://doi.org/10.1109/ICIS51600.2021.9516873

2021-06-23

Abstract:Privacy protection is a vital part of information security. However, the excessive collections and uses of personal information have intensified in the area of mobile apps (applications). To comprehend the current situation of APP personal information security problem of APP, this paper uses a combined approach of static analysis technology, dynamic analysis technology, and manual review to detect and analyze the installed file of mobile apps. 40 mobile apps are detected as experimental samples. The results demonstrate that this combined approach can effectively detect various issues of personal information security problem in mobile apps. Statistics analysis of the experimental results demonstrate that mobile apps have outstanding problems in some aspects of personal information security such as privacy policy, permission application, information collection, data storage, etc.

Computer Science

Li Lyna Zhang,Chieh-Jan Mike Liang,Zhao Lucis Li,Yunxin Liu,Feng Zhao,Enhong Chen

DOI: https://doi.org/10.1109/tmc.2017.2708716

IF: 6.075

2017-01-01

IEEE Transactions on Mobile Computing

Abstract:Given the emerging concerns over app privacy-related risks, major app distribution providers (e.g., Microsoft) have been exploring approaches to help end users to make informed decision before installation. This is different from existing approaches of simply trusting users to make the right decision. We build on the direction of risk rating as the way to communicate app-specific privacy risks to end users. To this end, we propose to use sensitivity analysis to infer whether an app requests sensitive on-device resources/data that are not required for its expected functionality. Our system, Privet, addresses challenges in efficiently achieving test coverage and automated privacy risk assessment. Finally, we evaluate Privet with 1,000 Android apps released in the wild.

Hazel Si Min Lim,Araz Taeihagh

DOI: https://doi.org/10.48550/arXiv.1804.10367

2018-04-27

Computers and Society

Abstract:Amidst rapid urban development, sustainable transportation solutions are required to meet the increasing demands for mobility whilst mitigating the potentially negative social, economic, and environmental impacts. This study analyses autonomous vehicles (AVs) as a potential transportation solution for smart and sustainable development. We identified privacy and cybersecurity risks of AVs as crucial to the development of smart and sustainable cities and examined the steps taken by governments around the world to address these risks. We highlight the literature that supports why AVs are essential for smart and sustainable development. We then identify the aspects of privacy and cybersecurity in AVs that are important for smart and sustainable development. Lastly, we review the efforts taken by federal governments in the US, the UK, China, Australia, Japan, Singapore, South Korea, Germany, France, and the EU, and by US state governments to address AV-related privacy and cybersecurity risks in-depth. Overall, the actions taken by governments to address privacy risks are mainly in the form of regulations or voluntary guidelines. To address cybersecurity risks, governments have mostly resorted to regulations that are not specific to AVs and are conducting research and fostering research collaborations with the private sector.

Yun Shen,Pierre-Antoine Vervier,Gianluca Stringhini

DOI: https://doi.org/10.48550/arXiv.2102.12869

2021-02-25

Abstract:Mobile phones enable the collection of a wealth of private information, from unique identifiers (e.g., email addresses), to a user's location, to their text messages. This information can be harvested by apps and sent to third parties, which can use it for a variety of purposes. In this paper we perform the largest study of private information collection (PIC) on Android to date. Leveraging an anonymized dataset collected from the customers of a popular mobile security product, we analyze the flows of sensitive information generated by 2.1M unique apps installed by 17.3M users over a period of 21 months between 2018 and 2019. We find that 87.2% of all devices send private information to at least five different domains, and that actors active in different regions (e.g., Asia compared to Europe) are interested in collecting different types of information. The United States (62% of the total) and China (7% of total flows) are the countries that collect most private information. Our findings raise issues regarding data regulation, and would encourage policymakers to further regulate how private information is used by and shared among the companies and how accountability can be truly guaranteed.

Cryptography and Security

Shuai Li,Zhemin Yang,Yunteng Yang,Dingyi Liu,Min Yang

DOI: https://doi.org/10.1109/tifs.2024.3356197

IF: 7.231

2024-02-14

IEEE Transactions on Information Forensics and Security

Abstract:With the characteristics of free installation and rich functionalities, mobile mini-apps have become more and more popular in people's daily life. A large amount of sensitive personal data is thus involved in them and shared across users for providing various services, which raises great privacy concerns. However, few researchers have paid attention to the potential privacy risks that may exist when user data is shared across users in mobile mini-apps. In this paper, we introduce a novel privacy risk that is brought forward by cross-user personal data over-delivery (denoted as XPO) in mobile mini-apps. Such a discovered privacy risk is demonstrated to be able to cause serious leakage of diverse user data. To detect XPO risk, a dynamic and lightweight mini-app analysis framework – XPOScope is proposed. XPOScope is able to automatically identify XPO risk at a large scale. By applying it to 4,273 mini-apps hosted on three popular platforms, i.e., WeChat, Baidu and Alipay, XPOScope reported 71 vulnerable ones, with a precision of 92.21% and a recall of 80.68%. In addition to the mere exposure of diverse private user data, case studies performed show that XPO in mini-apps can further lead to impersonation attacks, the infringement of employees' privacy, economic loss and even the leakage of sensitive business secrets. The results call for the awareness and actions of mobile mini-app developers to secure cross-user personal data delivery. The code of this work is available at https://github.com/ppflower/XPOScope.

computer science, theory & methods,engineering, electrical & electronic