Securing applications with mobile devices

Securing applications with mobile devices. Claudio Soriente (Telefónica I + D).

'Cybersecurity & Fintech' Summer Course (Curso de Verano 'Ciberseguridad y Fintech').


  1. Cybersecurity & FinTech: Securing Applications with Smartphones. Claudio Soriente, Telefónica I+D. 5th July, 2016
  2. Telefónica Investigación y Desarrollo
     • Researcher at Telefónica since 2015
     • Previous positions
     • UPM (Juan de la Cierva fellow)
     • ETH Zürich
     • PhD UC Irvine 2009
     • UC PhD fellow and IBM PhD fellow
     • Advisor: Prof. Gene Tsudik
     • Interested in Security and Privacy
     http://www.tid.es/research/researchers/claudio-soriente claudio.soriente@telefonica.com
  3. Telefónica Investigación y Desarrollo
     • Located in Barcelona since 2011
     • ~20 researchers + PhD students
     • Focus on Network and Data
     • Scientific visibility
     • SIGCOMM, INFOCOM, MobiCom, CoNext, CHI, UbiComp, WWW, …
     • Internships at TID are popular!
     • 10+ interns per year
     • Visiting researchers are welcome!
  4. Smartphones Use Cases
  5. Smartphones Popularity. [Charts, 2006 to 2015: Number of Publications (source: Google Scholar data); Smartphones vs PC sales, in millions (source: Gartner Inc.)]
  6. Securing Applications with Smartphones
     • Web authentication: Sound-Proof: Usable Two-Factor Authentication Based on Ambient Sound (Usenix Security 2015)
     • PoS transactions: Smartphones as Practical and Secure Location Verification Tokens for Payments (NDSS 2014)
  7. Sound-Proof: Usable Two-Factor Authentication Based on Ambient Sound. Joint work with Nikolaos Karapanos, Claudio Marforio, and Srdjan Capkun
  8. Web Authentication - Passwords
     • Passwords are used everywhere…
     • …despite password weakness
     [Figure: login forms for user "ana" with passwords ana123, ana111, ana112, ana113, ana123, …]
  9. Web Authentication - Passwords
     • Passwords are used everywhere…
     • …despite password reuse
     [Figure: several login forms, all with user "ana" and password ana123]
  10. Web Authentication - Passwords
      • Passwords are used everywhere…
      • …despite password phishing
      [Figure: login forms with user "ana" and password ana123; www.gooogle.com]
  11. Web Authentication - Supplementing Passwords
      • Passwords are used everywhere…
      • …despite password reuse, leakage, guessing, phishing, etc.
      Two-factor authentication to the rescue (2FA)
      • Password + one-time code
      • Code must be hard to guess
      PROBLEM: small user adoption (if optional)
      • Only 25% of Americans use 2FA¹
      • Only 6% of 100k Gmail accounts have 2FA enabled²
      ¹ Study by Impermium, 2013 (BusinessWire article, http://goo.gl/NsUCL7)
      ² Petsas et al., EuroSec 2015
      [Figure: login with user "ana", password ana123 and code 359702; login with user "ana", password ana123 and code ??????]
  12. Research Question: How to benefit from the added security of 2FA, while keeping the password-only user experience?
  13. Improving 2FA Usability – Software token on the phone
      Better than HW tokens
      • Phone is always carried
      • Can accommodate multiple hardware tokens
      Still requires extra user interaction
      • Cognitive load
      [Figure: login with user "ana", password ana123 and code 694150]
  14. Improving 2FA Usability – Push-button authentication
      Minimize user-phone interaction
      • Little cognitive load
      • Just tap a button instead of copying a code
      [Figure: login with user "ana" and password ana123; "Login attempt", Yes / No]
  15. Improving 2FA Usability – Removing User-Phone Interaction
      Code transfer via short-range communication between phone and laptop
      • Laptop asks for code
      • Phone transfers code to laptop
      • Laptop transfers code to server
      [Figure: login with user "ana" and password ana123; "Code please!"; code 694150]
  16. Why Short-range? [Figure: login with user "ana" and password ana123; "Code please!"; code 694150]
  17. Short-range communication: PhoneAuth (Czeskis et al., CCS ’12)
  18. Short-range communication: PhoneAuth (Czeskis et al., CCS ’12); FBD-WF-WF (Shirvanian et al., NDSS ’14)
  19. Short-range communication: PhoneAuth (Czeskis et al., CCS ’12); FBD-WF-WF (Shirvanian et al., NDSS ’14)
  20. Improving 2FA Usability – Removing User-Phone Interaction
      Code transfer via short-range communication between phone and laptop
      • Laptop asks for code
      • Phone transfers code to laptop
      • Laptop transfers code to server
      Sensing the environment
      • Phone and laptop “sense” the environment
      • Send the measurement to the server
      • If measurements match → they are close to each other
      • Measurement should be hard to guess!!!
      [Figure: login with user "ana" and password ana123; "Sense!" on both phone and laptop]
  21. Measurement should be hard to guess! [Figure: login with user "ana" and password ana123; "Sense!"]
  22. Sensing the environment: GPS coordinates are easy to guess!!!
  23. Sensing the environment: Multi-modal (Shrestha et al., FC ’14)
  24. Sensing the environment: Multi-modal (Shrestha et al., FC ’14); Sound-Proof (Karapanos et al., Usenix ’16)
  25. Sound-Proof Overview – Take 1. [Figure: "Match?"] Audio could be privacy-sensitive!!!
  26. Sound-Proof Overview – Take 2. [Figure: similarity score s]
  27. Sound-Proof in action
  28. Sound-Proof – Highlights
      • Novel 2FA mechanism
      • Sense ambient audio to verify proximity
      • Usable: no user-phone interaction
      • Deployable: compatible with smartphones and major browsers without plugins
      • Prototype implementation for Android and iOS
      • Extensive evaluation
      • Showing how Sound-Proof works in a variety of environments, even if the phone is in a pocket or a purse
  29. Measurement should be hard to guess! [Figure: login with user "ana" and password ana123; "Record!"; Yes/No] Attacker wins if matches
  30. Audio Comparison
      • Inspired by human sound recognition
      • Split the signal into 1/3-octave bands
      • Match filtered phone signal against filtered laptop signal
      • Computes a similarity score 0 ≤ s ≤ 1
      • Checks if s > t (threshold)
      Which are the important bands? How to set the threshold t?
  31. Audio Collection Campaign
      • Environment: office, office with music, home with TV, lecture hall, train station, café
      • Laptop: MacBook Pro Mid 2012, Dell E6510
      • Phone: iPhone 5, Google Nexus 4
      • Phone position: outside, in a pocket, in a purse or rucksack
      • User activity: being silent, talking, coughing, whistling
      4014 audio samples (2007 logins)
      • Tune system parameters to minimize
      • Legitimate logins rejected (usability)
      • Fraudulent logins not detected (security)
  32. Audio Collection Campaign – Results
      • Frequency bands between 50 Hz and 4 kHz
      • Higher bands suffer from directionality and fading
      • Threshold t = 0.13
      • Equal Error Rate = 0.2%
      [Plots: legitimate logins rejected vs fraudulent logins not detected; legitimate logins rejected, shown as 5th, 25th percentile, median, average, 75th and 95th percentile]
  33. Sound-Proof vs Google 2-step verification (user study)
      • 32 participants (no security experts)
      • Within-subject experiment
      • Log in with Sound-Proof and with Google 2SV (randomized order)
      • Fill in System Usability Scale¹ (after each login)
      • Score 1-100
      SUS score (mean)*: Sound-Proof 91.09 (±5.44); Google 2SV 79.45 (±7.56)
      ¹ SUS: A quick and dirty usability scale, J. Brooke, Usability Evaluation in Industry, 1996
      * (F(1, 31) = 21.698, p < .001, η² = .412)
  34. Non-obtrusive Continuous Authentication
      • Authentication should not happen only at login
      • E.g., banks ask for credentials when authorizing a transaction
      • https://nymi.com/: hardware-based; requires sw on the laptop
      • https://www.behaviosec.com/: mouse movements; keystroke dynamics; requires training; behavior subject to changes
      • http://sound-proof.ch/: no sw on the laptop; works out of the box
  35. Sound-Proof – Takeaway. [Figure: Password Only, Existing 2FA and Sound-Proof, each shown by Security, Adoption, and Usability & Deployability. Sizes are purely representative!]
  36. sound-proof.ch
      • Sound-Proof became a start-up
      • http://sound-proof.ch
      • Working demo
      • Android and iOS
      • Download the app and try it yourself!
  37. Smartphones as Practical and Secure Location Verification Tokens for Payments. Joint work with Claudio Marforio, Nikolaos Karapanos, Kari Kostiainen, and Srdjan Capkun
  38. Fraudulent Transactions with Credit/Debit cards
      • 1.33 billion euros in 2012¹
      • 60% online
      • 23% PoS
      • 17% ATM
      • 3D-Secure mitigates online fraud
      • PoS + ATM fraud?
      • >.5 billion value
      • Chip&Pin improves the situation but attacks have been found²
      ¹ European Central Bank: Third Report on Card Fraud (2014)
      ² [BCMSA, S&P 2014]
  39. Research Question: How to detect fraudulent transactions at PoS, while keeping the current PoS infrastructure and the traditional (swipe+pin) user experience?
  40. Fraudulent Transactions with Credit/Debit cards at Point of Sale
      • Phone as 2nd authentication factor
      • Use phone’s location
      • When card is swiped
      • App sends authenticated GPS coordinates
      • Using a key shared with the server
      • Server authorizes the transaction if phone is close to PoS
  41. Location Verification – Legitimate Transaction. [Figure labels: Authorization request; Location request; Lat: 40.417454, Lon: -3.704477; Authorize]
  42. Location Verification – Fraudulent Transaction. [Figure labels: Authorization request; Location request; Lat: 40.417454, Lon: -3.704477; Reject]
  43. Location Verification – Fraudulent Transaction. [Figure labels: Authorization request; Location request; Lat: 39.913143, Lon: 116.405141; Authorize] Malware on the phone can forge GPS coordinates!
  44. ARM TrustZone
      HW support for security
      • ARM TrustZone
      • Available on (almost) every smartphone
      • Long history, little use (e.g., subsidy lock)
      • Currently not open for development
      • Emerging standard to open it up
      • Isolate apps from OS!
      • OS compromise does not affect TEE applications
      • TPM-like services
      • attestation, secure storage, etc.
  45. ARM TrustZone
      [Diagram labels: Application processor; Baseband processor; Baseband OS; SIM; Android; apps; Trusted OS; Kernel bug; Normal world; Secure world]
      Normal World
      - Android + Apps
      - Android is big and has bugs
      Secure World
      - Trusted OS + Apps
      - Trusted OS is small
      - Lower chance of compromise
  46. Location Verification – Fraudulent Transaction. [Figure labels: Authorization request; Location request; Lat: 40.417454, Lon: -3.704477; Reject] Even if the OS is compromised, the adversary cannot forge GPS coordinates
  47. Prototype
      • ARM TrustZone not open for development
      • 400MHz TrustZone-enabled Cortex-A9 processor
      • SW: Sierra Open Virtualization¹
      • NW: Android 4.1.1
      • App ≈ 150 LoC
      • HMAC-256 on GPS coord. ≈ 3 ms
      • Samsung Galaxy S3
      ¹ http://www.openvirtualization.org/
  48. Office Test – Feasibility
  49. Field Study
  50. Field Study
      • Tolerable delay (~4 seconds)
      • Enough accuracy to distinguish nearby shops
      • Indoor reception better than expected
      • Femtocells in tunnels, …
      • No user interaction required
      • No privacy leak
      • The bank knows transaction location for legitimate transactions
  51. Takeaway
      • Smartphones are a formidable tool to secure applications
      • Not the app on your phone!
      • Key challenges are
      • Time-to-market
      • Solutions that cannot be used today have little value
      • Usability
      • If hard to use, no-one will use it
      • In this talk
      • (web-based) Second-factor Authentication
      • Transactions at Point of Sale
  52. Thank You! http://www.tid.es/research/researchers/claudio-soriente claudio.soriente@telefonica.com
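
The PoS location check of slides 40 to 47 (phone sends GPS coordinates authenticated with a key shared with the server; server authorizes only if the phone is close to the PoS), as an added Python sketch that is not code from the talk or its prototype. The per-transaction nonce, the message encoding, the 150 m radius, HMAC-SHA256 as the reading of the slide's "HMAC-256", and the demo key are assumptions; the coordinates are the ones shown on the slides.

```python
import hashlib
import hmac
import math
import struct

MAX_DISTANCE_M = 150.0  # assumed acceptance radius; the slides give no value


def _mac(key: bytes, nonce: bytes, lat: float, lon: float) -> bytes:
    # Fixed-width encoding keeps the MAC input unambiguous (assumed format).
    return hmac.new(key, nonce + struct.pack(">dd", lat, lon), hashlib.sha256).digest()


def phone_location_reply(key, nonce, lat, lon):
    """Trusted app on the phone: authenticate the GPS fix for this request."""
    return lat, lon, _mac(key, nonce, lat, lon)


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp, dl = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * 6371000.0 * math.asin(math.sqrt(a))


def server_decide(key, nonce, reply, pos_lat, pos_lon):
    """Server side: 'Authorize' only for a valid MAC and a phone near the PoS."""
    lat, lon, tag = reply
    if not hmac.compare_digest(tag, _mac(key, nonce, lat, lon)):
        return "Reject"  # not produced with the shared key, or a replayed reply
    if haversine_m(lat, lon, pos_lat, pos_lon) > MAX_DISTANCE_M:
        return "Reject"  # authentic fix, but the phone is not at the PoS
    return "Authorize"


def demo():
    key = bytes(range(32))             # constructed demo key
    madrid = (40.417454, -3.704477)    # coordinates shown on the slides
    beijing = (39.913143, 116.405141)
    nonce = b"\x01" * 16               # constructed per-transaction nonce
    genuine = phone_location_reply(key, nonce, *madrid)
    forged = (*beijing, b"\x00" * 32)  # coordinates claimed without the key
    return [
        server_decide(key, nonce, genuine, *madrid),         # legitimate swipe
        server_decide(key, nonce, genuine, *beijing),        # card used far away
        server_decide(key, nonce, forged, *beijing),         # forged location
        server_decide(key, b"\x02" * 16, genuine, *madrid),  # replayed reply
    ]
```

The forged case is rejected only as long as the key is out of reach of the compromised OS, which is the role the slides give to the TrustZone secure world.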
