PowerSpy - USENIX
PowerSpy: Location Tracking using Mobile Device Power Analysis
Yan Michalevsky(1), Gabi Nakibly(2), Aaron Schulman(1), Gunaa Arumugam Veerapandian(1) and Dan Boneh(1)
(1) Stanford University, (2) National Research and Simulation Center, Rafael Ltd.
Smartphones have many sensors
Related Work on Information Leakage Through Sensors
Speaker on/off status [Zhou et al. '13]
Accelerometers [Hua et al. '15, Han et al. '12]
Microphone [Schlegel et al. '11]
and many more...
Accessing Location Requires Permissions
Even coarse location based on cellular network information
Reading Voltage and Current Requires NO Permissions
/sys/class/power_supply/battery/voltage_now
/sys/class/power_supply/battery/current_now
Nexus 4, Nexus 5, HTC Desire, iPhone 6...
Sampling at order of 100 Hz
Power Meter Reveals Location
A seemingly innocent application can read the power meter
Signal Strength Depends on Location and Environment
Signal Strength is Stable Across Days
Figure panels: 06/23/2014 and 06/24/2014
Power = f (Signal Strength)
More power used upon transmission under low SNR
Signal amplification, error correction on the receive part
Verified experimentally in [Schulman et al. '10] Bartendr
Power Profile is Consistent Across Devices
Figure panels: two phones of same model, same route; different models, same route
What can we achieve with that?
Goal 1: Route Distinguishability
Determine the route taken by the user from a given set
Learn past locations
Application: advertisement, etc.
Goal 2: Real-Time Tracking along a known (or assumed) route
Perform tracking of the user's current location on a given route
Goal 3: New Route Inference
Learn the route using previously measured power profiles of many short road segments
Distinguishing Routes
Each power profile is a time-series
Classifier based on time series comparison using Dynamic Time Warping (DTW) [Sakoe and Chiba 1978]
Dynamic Time Warping
Figure panels: Euclidean distance; DTW distance
DTW Alignment
Data Processing
DC offset removal and normalization
Compensate for background applications introducing a constant offset
Compensate for gain differences
Smoothing: Moving Average filter (obtain general trends)
Downsampling (important for computation reduction)
Evaluation
Goal 1: We can Distinguish between Routes
Unique Routes | # Ref. Profiles/Route | # Test Routes | Success % | Random Guess %
8 | 10 | 55 | 85 | 13
17 | 5 | 119 | 71 | 6
17 | 4 | 136 | 68 | 6
21 | 3 | 157 | 61 | 5
25 | 2 | 182 | 53 | 4
29 | 1 | 211 | 40 | 3
Real-Time Tracking
A window of received samples is a subsequence of the reference power profile
Using Subsequence-DTW, determine the offset of the subsequence
Infer location from reference profile
Goal 2: We can Track Along a Route
Figure panels: Error(time); Error histogram
And compensate for obvious errors...
Improved tracking using Optimal Subsequence Bijection (OSB) [Latecki et al. '07]
Tracking using OSB
Goal 3: New Route Inference based on Road Segments
Points on map represented by nodes
Connecting road segments represented by edges
Probabilistic graphical model of location
New Route Inference based on Road Segments: The Area Map
Evaluation metric based on Levenshtein Distance
Route Inference based on Road Segments
Figure panels: d = 0.125; d = 0.25; d = 0.43
Future Work
Build a big dataset of power profiles for US routes
Improved route inference (Hidden Markov Model, Viterbi...)
Future Warning!
HTML5 provides a battery API that enables receiving notifications about changes in battery level.
The derivative of the battery level is a very coarse power consumption profile.
Keep power measurement coarse!
Defenses
Non-Defenses
Adding noise
Limiting power sampling rate (1 Hz)
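An added illustration, not code from the talk or the paper: on constructed data, it applies the steps from the Data Processing slide and a plain DTW comparison to show why added noise and a 1 Hz rate limit leave a route match intact. The two route profiles, the one-second smoothing window, the noise level and all function names are assumptions made for the example.

```python
import math
import random

def route_a(p):  # constructed power-vs-position profile, p in [0, 1]
    return math.sin(2 * math.pi * p) + 0.5 * math.sin(6 * math.pi * p)

def route_b(p):  # second constructed route: mirror image of route_a
    return -route_a(p)

def drive(profile, n, noise=0.0, offset=0.0, gain=1.0, wobble=0.0, seed=1):
    """Constructed trace: uneven speed, constant offset, gain, Gaussian noise."""
    rng = random.Random(seed)
    return [offset + gain * profile(i / n + wobble * math.sin(2 * math.pi * i / n))
            + rng.gauss(0.0, noise) for i in range(n)]

def preprocess(samples, window, step):
    """Moving average and downsampling, then DC offset removal and normalization."""
    smooth = [sum(samples[i:i + window]) / window
              for i in range(0, len(samples) - window + 1, step)]
    mean = sum(smooth) / len(smooth)
    std = math.sqrt(sum((x - mean) ** 2 for x in smooth) / len(smooth)) or 1.0
    return [(x - mean) / std for x in smooth]

def dtw_distance(a, b):
    """Dynamic time warping distance with |x - y| as the local cost."""
    inf = float("inf")
    prev = [0.0] + [inf] * len(b)
    for x in a:
        cur = [inf]
        for j, y in enumerate(b, 1):
            cur.append(abs(x - y) + min(prev[j], prev[j - 1], cur[j - 1]))
        prev = cur
    return prev[-1]

def pointwise_distance(a, b):  # sample-by-sample comparison, no time alignment
    return sum(abs(x - y) for x, y in zip(a, b))

# Reference profiles: 60 s at 100 Hz, smoothed and downsampled to one point per second.
REFS = {name: preprocess(drive(f, 6000), 100, 100)
        for name, f in (("route_A", route_a), ("route_B", route_b))}

def classify(trace):
    return min(REFS, key=lambda name: dtw_distance(trace, REFS[name]))

def non_defense_results():
    raw = drive(route_a, 6000, noise=0.5, offset=3.0, gain=1.7, wobble=0.08)
    smoothed = preprocess(raw, 100, 100)    # noise injected at 100 Hz, then averaged
    limited = preprocess(raw[::100], 1, 1)  # only one raw reading per second exposed
    return classify(smoothed), classify(limited), smoothed
```

Both the noisy 100 Hz trace and the 1 Hz trace still match the constructed route_A reference, because the comparison already works on a smoothed, roughly one-sample-per-second series.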
Defenses
Secure hardware design
Exclude TX/RX chain from power measurement
Power consumption as a coarse location indicator
Provide abstractions, not raw data [Jana et al. '13]
Conclusion
Sensors can have unintended consequences
Power meter access should be restricted
Permissions needed to address sensor access
Thank you for attending
www.stanford.edu/~yanm2
A phone call can be easily distinguished and removed from a power profile
Phone Call Profile