Author: Franziska Roesner

Kimberly Ruth was named as a Finalist for the 2018 CRA Outstanding Undergraduate Research Award! This is a very competitive award that “recognizes undergraduate students in North American universities who show outstanding research potential in an area of computing research.” Kimberly’s current research focus is on security and privacy for emerging augmented reality (AR) technologies, and she’s been a member of the Security and Privacy Lab since she was a freshman. Kimberly has had an incredible year, adding this award to the Mary Gates Research Scholarship, the SWSIS Scholarship, and the WRF Fellowship. Congratulations Kimberly on this huge honor!

  

To celebrate the end of the academic quarter, Security and Privacy Lab members participated in an improvisation team building workshop facilitated by an instructor from Unexpected Productions. Not only is improv funny and fun, it also provides surprisingly relevant lessons for research and collaboration — such as the “Yes, and…” mindset for brainstorming.

Congratulations to Security Lab alum Alexei Czeskis and the team he led at Google for launching Google’s Advanced Protection Program! According to the website, “the Advanced Protection Program safeguards the personal Google Accounts of anyone at risk of targeted attacks – like journalists, activists, business leaders, and political campaign teams.” Thanks to Alexei and his team for helping keep Google’s users safe. Consider signing up to better protect your own Google account!

Security and Privacy Lab co-director Professor Franzi Roesner is interviewed on the CBC Radio show “Spark” about potential risks with emerging augmented reality technologies. Listen to the full interview “Going beyond Pokemon Go: Preparing for an augmented reality future” (direct audio link here), and learn more about the UW Security and Privacy Lab’s efforts to secure future AR technologies here.

The Security and Privacy Lab hosted two sessions of research talks at the Allen School’s Industry Affiliates Research Day today. Presentations included:

• Kiron Lebeck on “Securing Augmented Reality Output”
• Peter Ney on “Computer Security, Privacy, and DNA Sequencing. Compromising Computers with Synthetic DNA, Privacy Leaks, and More”
• Camille Cobb on “Privacy in Online Dating”
• Eric Zeng on “End User Security & Privacy Concerns with Smart Homes”
• Ivan Evtimov on “Robust Physical-World Attacks on Deep Learning Models”
• Lucy Simko on “Recognizing and Imitating Programmer Style”
• Alex Takakuwa on “Moving to New Devices in the FIDO Ecosystem”
• Peter Ney on “SeaGlass: Enabling City-Wide IMSI-Catcher Detection”

Thanks to all the speakers for the great talks and to all the attendees for joining us!

 

Security Lab co-director Franzi Roesner traveled to Cambridge, MA this week to speak at MIT Technology Review’s EmTech 2017 conference and receive an “Innovator Under 35” award. See the video of her talk on security and privacy for emerging augmented reality technologies here or embedded below.

Web archives such as the Internet Archive’s Wayback Machine are used for a variety of important uses today, including citations and evidence in journalism, scientific articles, and legal proceedings. In a new paper, Security Lab PhD alumna Ada Lerner (now an assistant professor at Wellesley College) and Lab co-directors Yoshi Kohno, and Franzi Roesner show how a malicious actor might be able to manipulate what users see when they view archived pages. The image on the right shows a proof-of-concept example in which a 2011 snapshot of a website has been temporarily modified to show 2017 content.

For more details about how these attacks work and how to defend against them, see the Rewriting History project website or read the full conference paper. Dr. Lerner will be presenting this work this week at the ACM Conference on Computer and Communications Security (CCS) 2017.

We disclosed our results to the Wayback Machine before publication, and we are extremely grateful to Mark Graham and his team at the Internet Archive for their prompt and thoughtful responses in taking action to mitigate these attacks! They have already implemented Content-Security Policy headers, which instruct client browsers not to load content from outside the Archive, blocking many vulnerabilities to one of our attacks. Additionally, they launched a new feature, described in this blog post, which shows users of the Archive the relationship of the timestamps of subresources to the snapshot currently being viewed. This information can help expert users better interpret archival snapshots and catch “anachronistic” requests which may result in benign or malicious modifications to the view of a page.

With this paper, we are also releasing Tracking Excavator, a tool for measuring web tracking in the Archive. Tracking Excavator is described in more detail in our paper from USENIX Security 2016.

Congratulations to Kimberly Ruth on receiving a Washington Research Foundation Fellowship! These fellowships “recognize and support undergraduates who achieve a high level of accomplishment in research, particularly in areas relevant to the development of new technologies.” Since her freshman year, Kimberly has been an undergraduate researcher in the UW CSE Security and Privacy Lab, co-advised by Professors Tadayoshi Kohno and Franziska Roesner. Her current research focus is on the security and privacy implications of emerging augmented reality (AR) technologies. Read the full award citation here — congratulations Kimberly!

(Cross-posted from Allen School News.)

Online ads may not only be trying to sell you something; they may be selling you out. That’s according to a team of researchers in the Allen School’s Security and Privacy Research Lab, who recently discovered how easy it is for someone with less than honorable intentions to turn online ads into a surveillance tool. They found that, for as little as $1,000, a person or organization could conceivably purchase ads that will enable them to track someone’s location and app use via their mobile phone — gaining access to potentially sensitive personal information about that individual’s dating preferences, health, religious and political affiliation, and more. The team hopes that by sharing its findings publicly, it will raise awareness among online advertisers, mobile service providers, and customers about a potential new cybersecurity threat.

This threat stems from how the existing online advertising ecosystem enables ad purchasers to precisely target consumers based on their geographic location, interests, and browsing history for marketing purposes. The problem, as researchers explained in a UW News release, is that the same infrastructure can be exploited by people and organizations other than advertisers to precisely target individuals in ways that could compromise their privacy and security. According to former Allen School Ph.D. student Paul Vines, lead author on the project, it would be easy for anyone from a foreign agent to a jealous spouse to sign up with an online advertising service and track another individual.

“If you want to make the point that advertising networks should be more concerned with privacy, the boogeyman you usually pull out is that big corporations know so much about you. But people don’t really care about that,” Vines explained in a Wired article about the project. “[T]he potential person using this information isn’t some large corporation motivated by profits and constrained by potential lawsuits. It can be a person with relatively small amounts of money and very different motives.”

As the team discovered, online advertising can deliver fairly detailed information about a person’s behavior. For example, the researchers were able to determine an individual user’s location within a distance of 8 meters based on where their ads were being served. By establishing a grid of hyperlocal ads, the team was able to discern an individual’s daily routine based on where ads were served to the user’s device at various points along the way.

The team refers to this method of information gathering as ADINT, or “advertising intelligence,” reminiscent of well-known intelligence collection tactics such as SIGINT (signals intelligence) and HUMINT (human intelligence). To test the capabilities of ADINT, Vines and his coauthors — Allen School professors Franziska Roesner and Tadayoshi Kohno — purchased a series of ads through a demand-side provider, or DSP, which is an entity that facilitates the purchase and delivery of targeted advertising. They set up their ads to target a mix of 10 actual users and 10 facsimile users with the help of each device’s unique mobile advertising identifier (MAID), which functions as a sort of “whole device” tracking cookie. The team then repurposed the tools designed to deliver relevant ads for commercial purposes to instead collect information on each user’s whereabouts and behavior.

Movement was not the only thing they could track; it turns out that ad purchasers have the ability to learn a lot about a person by viewing what apps they use, including popular dating and fitness-tracking apps. The team’s experiments also revealed that the individual being tracked does not need to actually click on an ad in order for ADINT to work, because purchasers can see where the ad is being served regardless of whether the target interacts with it.

“To be very honest, I was shocked at how effective this was,” said Kohno, who co-directs the Allen School’s Security and Privacy Research Lab with Roesner. “There’s a fundamental tension that as advertisers become more capable of targeting and tracking people to deliver better ads, there’s also the opportunity for adversaries to begin exploiting that additional precision.”

The team surmises that ADINT attacks could be driven by a variety of motives, from criminal intent, to political ideology, to financial profit. According to Roesner, the ease with which the team was able to deploy targeted ads against individuals calls for heightened awareness and vigilance — not just within the computer security community, but on the part of the policy and regulatory communities, as well.

“We are sharing our discoveries so that advertising networks can try to detect and mitigate these types of attacks,” she explained, “and so that there can be a broad public discussion about how we as a society might try to prevent them.”

The team will present its findings at the Association for Computing Machinery’s Workshop on Privacy in the Electronic Society taking place in Dallas, Texas later this month.

To learn more about ADINT, visit the project website here. Read the UW News release here and the Wired feature here, and check out additional coverage by The Verge, Mashable, and Mic.

As the new academic year starts, the Security and Privacy Lab is excited to be joined by three first-year PhD students, Christine Chen, Ivan Evtimov, and Christine Geeng. Welcome!!