Eavesdropping, Location Tracking and other Side-Channels on Mobile Devices


Yan Michalevsky

Stanford University

Smartphones have many sensors

What can side-channels enable?


Fingerprinting

Eavesdropping

Location tracking

Mobile Device Identification via Sensor Fingerprinting

Hristo Bojinov, Gabi Nakibly, Yan Michalevsky, Dan Boneh

Robust identifiers from sensor fingerprints

  • Independent of software state
  • Survives hard reset
  • (Might depend on calibration data stored in the firmware)

We experimented with two sensor systems

  1. Speaker-microphone system
  2. Accelerometer

Gyrophone

Recognizing Speech from Gyroscope Signals

Yan Michalevsky(1), Gabi Nakibly (2), and Dan Boneh (1)

(1) Stanford University, (2) National Research and Simulation Center, Rafael Ltd.

Microphone access

Requires permissions

Gyroscope access

Does not require permissions

MEMS Gyroscopes

Major vendors:

  • STM Microelectronics (Samsung Galaxy)
  • InvenSense (Google Nexus)

Gyroscopes are susceptible to sound

70 Hz tone power spectral density

50 Hz tone power spectral density

Gyroscopes are (lousy, but still) microphones

  • Hardware sampling frequency:
    • InvenSense: up to 8000 Hz
    • STM Microelectronics: 800 Hz
  • Software sampling frequency:
    • Android: 200 Hz
    • iOS: 100 Hz

Gyroscopes are (lousy, but still) microphones

  • Very low SNR (Signal-to-Noise Ratio)
  • Acoustic sensitivity threshold: ~70 dB
    Comparable to a loud conversation.
  • Sensitive to sound angle of arrival
  • Directional microphone (due to 3 axes)

Browsers allow gyroscope access too

Problem: how do we look into higher frequencies?

Speech range

  • Adult male: 85 - 180 Hz
  • Adult female: 165 - 255 Hz

We can sense high frequency signals

Due to aliasing

The result of recording tones between 120 and 160 Hz on a Nexus 7 device

Speech analysis using a single gyroscope

  • Gender identification
  • Speaker identification
  • Isolated word recognition

We can successfully identify gender


  • Nexus 4: 84% (DTW)
  • Galaxy S III: 82% (SVM)

Random guess probability is 50%

A good chance to identify the speaker


Nexus 4:

  • Mixed female/male: 50% (DTW)
  • Female speakers: 45% (DTW)
  • Male speakers: 65% (DTW)

Random guess probability is 20% for one gender and 10% for a mixed set

Isolated words recognition

Speaker independent

Nexus 4:

  • Mixed female/male: 17% (DTW)
  • Female speakers: 26% (DTW)
  • Male speakers: 23% (DTW)

Random guess probability is 9%

Isolated words recognition

Speaker dependent

65% (DTW)

Random guess probability is 9%

How can we leverage eavesdropping simultaneously on two devices?

Defenses

Software Defenses


  • Low-pass filter the raw samples
  • 0-20 Hz range should be enough for browser based applications (according to WebKit)
  • Access to high sampling rate should require a special permission
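
The aliasing effect and the low-pass defense described above, as an added example that is not part of the original slides: a 140 Hz tone sampled at the 200 Hz Android rate folds down to 60 Hz, and a 20 Hz low-pass filter removes that component while leaving a 10 Hz motion signal intact. The 101-tap Hamming-windowed sinc filter and the sine-wave inputs are assumptions constructed for illustration.

```python
import math

FS = 200.0  # Android software sampling rate from the slides (Hz)

def alias_frequency(f_tone, fs=FS):
    """Frequency at which a tone shows up after sampling at fs (folding)."""
    f = f_tone % fs
    return min(f, fs - f)

def sample_tone(f_tone, n, fs=FS):
    """Constructed input: n samples of a unit sine at f_tone."""
    return [math.sin(2 * math.pi * f_tone * k / fs) for k in range(n)]

def power_at(samples, f, fs=FS):
    """Normalised power of `samples` at frequency f (single-bin DFT)."""
    re = sum(s * math.cos(2 * math.pi * f * k / fs) for k, s in enumerate(samples))
    im = sum(s * math.sin(2 * math.pi * f * k / fs) for k, s in enumerate(samples))
    return (re * re + im * im) / len(samples) ** 2

def lowpass_fir(cutoff, taps=101, fs=FS):
    """Hamming-windowed sinc low-pass coefficients with unity DC gain (assumed design)."""
    mid = (taps - 1) / 2
    h = []
    for i in range(taps):
        x = i - mid
        if x == 0:
            ideal = 2 * cutoff / fs
        else:
            ideal = math.sin(2 * math.pi * cutoff * x / fs) / (math.pi * x)
        h.append(ideal * (0.54 - 0.46 * math.cos(2 * math.pi * i / (taps - 1))))
    total = sum(h)
    return [c / total for c in h]

def apply_fir(samples, h):
    """Valid-part convolution (drops the filter's warm-up samples)."""
    return [sum(h[j] * samples[i - j] for j in range(len(h)))
            for i in range(len(h) - 1, len(samples))]

def attenuation_db(f_tone, cutoff=20.0, n=1000):
    """Power change in dB at the alias of f_tone after the low-pass filter."""
    raw = sample_tone(f_tone, n)
    f_alias = alias_frequency(f_tone)
    filtered = apply_fir(raw, lowpass_fir(cutoff))
    return 10 * math.log10(max(power_at(filtered, f_alias), 1e-30) / power_at(raw, f_alias))
```

`attenuation_db(140)` reports how strongly the filter suppresses the aliased tone, and `attenuation_db(10)` shows that the motion band a browser application needs is preserved.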

Hardware Defenses


  • Hardware filtering of sensor signals
    (Not subject to configuration)
  • Acoustic masking
    (won't help against vibration of the surface)

Additional use: Hot-word recognition

  • Low power consumption
  • Limited dictionary (even one word is good enough)
[AccelWord: Energy Efficient Hotword Detection through Accelerometer (Zhang et al.)]

PowerSpy

Location Tracking using Mobile Device Power Analysis

Yan Michalevsky(1), Gabi Nakibly(2), Aaron Schulman(1),
Gunaa Arumugam Veerapandian(1) and Dan Boneh(1)

(1) Stanford University, (2) National Research and Simulation Center, Rafael Ltd.

Accessing Location Requires Permissions

Even coarse location based on cellular network information

Reading Voltage and Current Requires NO Permissions

/sys/class/power_supply/battery/voltage_now
/sys/class/power_supply/battery/current_now

Nexus 4, Nexus 5, HTC Desire, iPhone 6...
Sampling rate on the order of 100 Hz

Power Meter Reveals Location

A seemingly innocent application can read the power meter

Signal Strength Depends on Location and Environment

Signal Strength is Stable Across Days

06/23/2014 06/24/2014

$Power = f(Signal\ Strength)$

  • More power used upon transmission under low SNR
  • Signal amplification, error correction on the receive part
  • Verified experimentally in Bartendr [Schulman et al. '10]

Power Profile is Consistent Across Devices

Two phones of same model, same route

Different models, same route

What can we achieve with that?

Goal 1: Route Distinguishability

  • Determine the route taken by the user from a given set
  • Learn past locations
  • Application: advertisement, etc.

Goal 2: Real-Time Tracking

along a known (or assumed) route

Perform tracking of the user's current location on a given route

Goal 3: New Route Inference

Learn the route using previously measured power profiles of many short road segments

Distinguishing Routes

Each power profile is a time-series

Classifier based on time series comparison using
Dynamic Time Warping (DTW) [Sakoe and Chiba 1978]

Dynamic Time Warping

Euclidean distance

DTW distance

DTW Alignment

Data Processing

  • DC offset removal and normalization
    • Compensate for background applications introducing a constant offset
    • Compensate for gain differences
  • Smoothing: Moving Average filter (obtain general trends)
  • Downsampling (important for computation reduction)

Evaluation

Goal 1: We can Distinguish between Routes

Unique Routes   # Ref. Profiles/Route   # Test Routes   Success %   Random Guess %
8               10                      55              85          13
17              5                       119             71          6
17              4                       136             68          6
21              3                       157             61          5
25              2                       182             53          4
29              1                       211             40          3

Real-Time Tracking

  • A window of received samples is a subsequence of the reference power profile
  • Using Subsequence-DTW determine the offset of the subsequence
  • Infer location from reference profile

Goal 2: We can Track Along a Route

[Figures: tracking error over time; error histogram]

And compensate for obvious errors...

Improved tracking using Optimal Subsequence Bijection (OSB) [Latecki et al. '07]

Tracking using OSB

Goal 3: New Route Inference based on Road Segments

  • Points on map represented by nodes
  • Connecting road segments represented by edges
  • Probabilistic graphical model of location

New Route Inference based on Road Segments: The Area Map

Route Inference based on Road Segments

Evaluation metric based on Levenshtein Distance

$d = 0.125$

$d = 0.25$

$d = 0.43$

Future Work

  • Build a big dataset of power profiles for US routes
  • Improved route inference (Hidden Markov Model, Viterbi...)

Future Warning!

  • HTML5 provides a battery API that enables receiving notifications about changes in battery level.
  • The derivative of the battery level is a very coarse power consumption profile.
  • Keep power measurement coarse!

Defenses

Non-Defenses

  • Adding noise
  • Limiting power sampling rate (1 Hz)
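
Why added noise fails as a defense, shown with the Data Processing steps and the DTW classifier from the earlier slides. This is an added example, not the authors' code; the route profiles, noise level, offset, gain and time stretch are constructed values, and a mitigation can be evaluated by checking whether `accuracy` actually drops toward the random-guess rate.

```python
import math, random

def preprocess(profile, window=5, step=5):
    """DC offset removal, normalization, moving average, downsampling."""
    mean = sum(profile) / len(profile)
    centered = [p - mean for p in profile]
    scale = math.sqrt(sum(c * c for c in centered) / len(centered)) or 1.0
    normed = [c / scale for c in centered]
    smooth = [sum(normed[i:i + window]) / window
              for i in range(len(normed) - window + 1)]
    return smooth[::step]

def dtw_distance(a, b):
    """Classic O(len(a)*len(b)) dynamic time warping distance."""
    inf = float("inf")
    prev = [0.0] + [inf] * len(b)
    for x in a:
        cur = [inf]
        for j, y in enumerate(b, 1):
            cur.append(abs(x - y) + min(prev[j], prev[j - 1], cur[j - 1]))
        prev = cur
    return prev[-1]

def classify(profile, references):
    """Return the label of the reference profile nearest in DTW distance."""
    p = preprocess(profile)
    return min(references, key=lambda name: dtw_distance(p, preprocess(references[name])))

def make_route(seed, n=300):
    """Constructed stand-in for a route's power profile: a smooth random curve."""
    rng = random.Random(seed)
    knots = [rng.uniform(0.5, 2.0) for _ in range(n // 30 + 2)]
    return [knots[i // 30] + (knots[i // 30 + 1] - knots[i // 30]) * (i % 30) / 30
            for i in range(n)]

def noisy_drive(route, seed, noise=0.3, offset=0.8, gain=1.5, stretch=1.2):
    """Same route driven slower, with added noise, constant offset and gain."""
    rng = random.Random(seed)
    n = int(len(route) * stretch)
    return [gain * route[int(i / stretch)] + offset + rng.gauss(0, noise)
            for i in range(n)]

REFERENCES = {f"route_{k}": make_route(k) for k in range(4)}  # constructed data

def accuracy(noise):
    """Fraction of noisy test drives still matched to the correct route."""
    hits = sum(classify(noisy_drive(r, 100 + i, noise=noise), REFERENCES) == name
               for i, (name, r) in enumerate(REFERENCES.items()))
    return hits / len(REFERENCES)
```

Normalization cancels the constant offset and gain, smoothing averages out the injected noise, and DTW absorbs the speed difference, so the noise has to be large relative to the signal before matching degrades.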

Defenses

  • Secure hardware design
    • Exclude TX/RX chain from power measurement
  • Power consumption as a coarse location indicator
  • Provide abstractions, not raw data [Jana et al. '13]

Conclusion

  • Sensors can have unintended consequences
  • Power meter access should be restricted
  • Permissions needed to address sensor access

Thank you for attending


Questions?

yanm2@cs.stanford.edu
www.stanford.edu/~yanm2

Phone Call Profile

A phone call can be easily distinguished and removed from a power profile