Visible to the public Biblio

Filters: Author is Demetriou, Soteris  [Clear All Filters]
2017
Srivastava, Animesh, Jain, Puneet, Demetriou, Soteris, Cox, Landon P., Kim, Kyu-Han.  2017.  CamForensics: Understanding Visual Privacy Leaks in the Wild. Proceedings of the 15th ACM Conference on Embedded Network Sensor Systems. :30:1–30:13.

Many mobile apps, including augmented-reality games, bar-code readers, and document scanners, digitize information from the physical world by applying computer-vision algorithms to live camera data. However, because camera permissions for existing mobile operating systems are coarse (i.e., an app may access a camera's entire view or none of it), users are vulnerable to visual privacy leaks. An app violates visual privacy if it extracts information from camera data in unexpected ways. For example, a user might be surprised to find that an augmented-reality makeup app extracts text from the camera's view in addition to detecting faces. This paper presents results from the first large-scale study of visual privacy leaks in the wild. We build CamForensics to identify the kind of information that apps extract from camera data. Our extensive user surveys determine what kind of information users expected an app to extract. Finally, our results show that camera apps frequently defy users' expectations based on their descriptions.

Demetriou, Soteris, Zhang, Nan, Lee, Yeonjoon, Wang, XiaoFeng, Gunter, Carl A., Zhou, Xiaoyong, Grace, Michael.  2017.  HanGuard: SDN-driven Protection of Smart Home WiFi Devices from Malicious Mobile Apps. Proceedings of the 10th ACM Conference on Security and Privacy in Wireless and Mobile Networks. :122–133.
A new development of smart-home systems is to use mobile apps to control IoT devices across a Home Area Network (HAN). As verified in our study, those systems tend to rely on the Wi-Fi router to authenticate other devices. This treatment exposes them to the attack from malicious apps, particularly those running on authorized phones, which the router does not have information to control. Mitigating this threat cannot solely rely on IoT manufacturers, which may need to change the hardware on the devices to support encryption, increasing the cost of the device, or software developers who we need to trust to implement security correctly. In this work, we present a new technique to control the communication between the IoT devices and their apps in a unified, backward-compatible way. Our approach, called HanGuard, does not require any changes to the IoT devices themselves, the IoT apps or the OS of the participating phones. HanGuard uses an SDN-like approach to offer fine-grained protection: each phone runs a non-system userspace Monitor app to identify the party that attempts to access the protected IoT device and inform the router through a control plane of its access decision; the router enforces the decision on the data plane after verifying whether the phone should be allowed to talk to the device. We implemented our design over both Android and iOS (\textbackslashtextgreater 95% of mobile OS market share) and a popular router. Our study shows that HanGuard is both efficient and effective in practice.