Location Cheating: A Security Challenge to Location-based Social Network Services
Wenbo He (1), Xue Liu (2), Mai Ren (1)
(1) University of Nebraska-Lincoln, (2) McGill University
The 31st Int'l Conference on Distributed Computing Systems (ICDCS 2011)
左昌國, Seminar @ ADLab, NCU-CSIE
Outline
• Introduction
• Location Cheating Attacks
• Evaluation of Location Cheating on foursquare
• Possible Solutions against Location Cheating
• Conclusions
Introduction
• Location-based Services (LBS)
  • foursquare
  • Gowalla
  • GyPSii
  • Loopt
  • Brightkite
• foursquare
  • Launched in March 2009
  • 1.89 million users (August 2010)
  • More than 10,000 new members per day
  • Real world rewards
Introduction
• Business Model of foursquare
  • Progressive reward mechanism
    • Points
    • Badges
    • Mayorship
  • Real-world rewards
    • More than 90% of rewards are only for mayors
Introduction
• Possible Location Cheating Scenarios
  • A user may cheat on her location for various reasons.
    • Get rewards
    • Impress others by claiming a false location
  • A business owner may use location cheating to check into a competing business and leave bad comments.
  • The objectives: automatically and frequently check into many businesses
    • Venue profile analysis
    • Less competitive “Mayor” selection
Introduction
• Cheater Code
  • foursquare adopted Cheater Code to defend against the location cheating attacks.
    • Verify the location of a device
  • Cheater Code rules
    • Frequent check-ins
    • Super human speed
    • Rapid-fire check-ins
    • Others…
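The three named Cheater Code rules can be expressed as server-side checks over each user's check-in history. The following is an added example, not code from the paper, the slides or foursquare; the thresholds, the `flag_checkins` function and the sample records are assumptions made for illustration.

```python
import math
from collections import defaultdict

# Thresholds are assumptions for illustration, not foursquare's actual values.
MAX_SPEED_KMH = 900.0      # faster than an airliner => "super human speed"
RAPID_FIRE_SECONDS = 60    # different venues less than a minute apart
SAME_VENUE_SECONDS = 3600  # repeat check-in at one venue within an hour
MIN_KM = 0.5               # ignore speed over distances within GPS noise

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2, dl = math.radians(lat1), math.radians(lat2), math.radians(lon2 - lon1)
    a = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def flag_checkins(checkins):
    """Return {user: [(unix_time, rule), ...]} for check-ins that break a rule.
    Each check-in is a tuple (user, venue, unix_time, lat, lon)."""
    by_user = defaultdict(list)
    for c in checkins:
        by_user[c[0]].append(c)
    flags = defaultdict(list)
    for user, rows in by_user.items():
        rows.sort(key=lambda c: c[2])
        last_at_venue = {}
        for prev, cur in zip([None] + rows, rows):
            _, venue, ts, lat, lon = cur
            if venue in last_at_venue and ts - last_at_venue[venue] < SAME_VENUE_SECONDS:
                flags[user].append((ts, "frequent"))
            last_at_venue[venue] = ts
            if prev is None or prev[1] == venue:
                continue
            dt = ts - prev[2]
            if dt < RAPID_FIRE_SECONDS:
                flags[user].append((ts, "rapid-fire"))
            km = haversine_km(prev[3], prev[4], lat, lon)
            # dt == 0 over a real distance is infinitely fast; avoid dividing by zero.
            if km > MIN_KM and (dt == 0 or km / (dt / 3600.0) > MAX_SPEED_KMH):
                flags[user].append((ts, "super-human-speed"))
    return dict(flags)

# Constructed sample data (not real foursquare records).
SAMPLE = [
    ("alice", "cafe", 0, 40.8136, -96.7026),        # Lincoln, NE
    ("alice", "library", 7200, 40.8176, -96.7005),  # 2 h later, under 0.5 km away
    ("bob", "cafe", 0, 40.8136, -96.7026),
    ("bob", "diner", 30, 40.8140, -96.7030),        # 30 s later, next door
    ("bob", "bistro", 1800, 45.5048, -73.5772),     # Montreal, 30 min later
    ("bob", "bistro", 2400, 45.5048, -73.5772),     # same venue 10 min later
]
```

Checks of this kind only compare reported coordinates and timestamps with each other, so they do not establish that the device was physically at the venue.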
Location Cheating Attacks
• Location Cheating Against GPS Verification
  • foursquare client applications get the GPS location data from GPS APIs
  • There are several ways for an attacker to pass the GPS verification by providing the application with fake GPS coordinates.
    • Via GPS APIs
      • Modify the GPS-related APIs in the OS
    • Via GPS module
      • Hardware
      • GPS simulator
    • Via server provided APIs
      • Application APIs provided from foursquare
    • Via device emulator
      • Including the simulated GPS module
      • The experiments of this paper adopt this approach
Location Cheating Attacks
• Via device emulator
  • Use “Dalvik Debug Monitor Server” (DDMS) to connect to the emulator and to set GPS coordinates
  • The cheating process
    • Hack the emulator
    • Install and run foursquare application
    • Find the coordinates of the target venue in Google Earth
    • Use DDMS to set the coordinates in the emulator
    • Find the target venue in the list of nearby venues in the foursquare application
    • Check into the target venue
  • Successfully get the points, badges, and mayorship
Location Cheating Attacks
• Crawling Data From foursquare Website
  • Users’ profiles and venues’ profiles
  • Crawler
    • Multi-thread crawler
    • Download and process over 7 million webpages
    • 3 Windows PCs (C2D 2.0GHz, 1GB RAM)
    • 1 Ubuntu 8.10 server as the database
    • Crawl 100,000 users per hour (14-16 threads per machine)
    • Crawl 50,000 venues per hour (5-6 threads per machine)
  • In total: 1.89 million users and 5.6 million venues
    • Update all user profiles in less than 2 days
    • Update all venue profiles in about 5 days
Location Cheating Attacks
• Automated Cheating
  • To achieve significant benefits from location cheating, attackers need to control a large number of users and make them check in automatically.
    • Find location coordinates of venues
    • Automatically select a list of venues to check into in order to pass the Cheater Code
Location Cheating Attacks
• Semi-automatic location cheating tool
  • Choose a starting point
  • Set the moving direction and distance
  • The tool will search the nearest location
  • Successfully get the points and badges
Location Cheating Attacks
• Cheating with Venue Profile Analysis
  • An attacker may select the victim venues that provide special offers to their mayors and don’t have a mayor yet (or are less competitive for mayorship) as targets.
    • Around 1000 venues
  • The attack can also target other users.
    • Stop a user from getting any mayorship
  • Interesting finding:
    • A user is the mayor of 865 venues but with total check-ins of 1265.
    • Most of the 865 venues have no other visitors during the past 60 days.
Evaluation of Location Cheating on foursquare
• High Check-in Frequency in Recent Visitor List
Evaluation of Location Cheating on foursquare
• Low Reward Rate
Evaluation of Location Cheating on foursquare
• Suspicious Check-in Patterns
Possible Solutions against Location Cheating
• Location Verification Techniques
  • Distance bounding
    • Distance bounding protocols
    • Limitation on transmission range or speed of a communication signal for location verification
    • Requires the deployment of verifiers around the venues.
  • Address mapping
    • Address mapping to geolocate IP addresses
      • Tracert Map
      • Google Location Service
  • Venue side location verification
    • Verify on Wi-Fi router in venues.
Possible Solutions against Location Cheating
• Mitigating Threat from Location Cheating
  • Access control for crawling
    • Limit crawling data to logged-in users only
    • Blocking IP address
  • Hiding information from profiles
Conclusions
• This paper introduced a novel cheating attack to location-based services.
• Through real world experiments on foursquare, it shows that the attacking approach works as expected.
• The countermeasures against location cheating in current systems are not perfect.