A&S Graduate Studies
[PAST EVENT] Qing Yang, Computer Science - Oral Preliminary Exam
Abstract
Smartphone users face increasing security and privacy risks. Power
consumption has become a key issue for smartphone security and
privacy protection. It creates two problems: power-based security
attack, and energy efficiency of privacy protection. In this
dissertation we propose to exploit power for smartphone security,
as well as to optimize energy consumption for smartphone privacy.
First, we show that public USB charging stations pose a
significant privacy risk to smartphone users even when no data
communication exists between the station and the user?s mobile
device. We present a side-channel attack that allows a charging
station to identify which webpages are loaded while the smartphone
is charging. To evaluate this side-channel, we collected power
traces of Alexa top 50 websites on multiple smartphones under
several conditions, including: varied battery charging level,
browser cache enabled/disabled, taps/no taps on the screen, WiFi/
LTE, TLS encryption enabled/disabled, different amounts of time
elapsed between collection of training and testing data, and
various hosting locations of the website being visited. The
results of our evaluation show that the attack is highly
successful: in many settings, we were able to achieve over 90%
accuracy on webpage identification. On the other hand, our
experiments also show that this side-channel is sensitive to some
of the aforementioned conditions.
Second, we introduce a new attack that allows a malicious charging
station to identify which website is being visited by a smartphone
user via Tor network. Our attack solely depends on power
measurements performed while the user is charging her smartphone
and does not require the adversary to observe any network traffic
or to transfer data through the USB port. We evaluated the attack
by training a machine learning model on power traces from 50
regular webpages and 50 Tor hidden services. We considered
realistic constraints such as different Tor circuits types and
battery charging levels. In our experiments, we were able to
correctly identify webpages visited using the official mobile Tor
browser with accuracy of up to 85.7% when the battery was fully
charged, and up to 46% when the battery level was between 30% and
50%. Surprisingly, our results show that hidden services can be
identified with higher accuracies than regular webpages.
Third, we propose a memory- and energy-efficient garbled circuit
evaluation (MEG) mechanism on smartphones by transmitting the
circuit data in bursts for secured two-party computation. We
evaluated MEG using different burst sizes and compared the
evaluation results with existing circuit evaluation methods. The
preliminary evaluation results show that the energy consumption of
MEG is less than the current pipelining schemes and close to that
of the no-pipelining method. MEG also significantly reduces the
evaluation time compared to the basic pipelining.
Bio
Qing Yang is a Ph.D candidate in Computer Science at William & Mary. His research interests include mobile security and
privacy protection. Before joining William & Mary, Qing Yang earned a B.S. in Computer Science and an M.E. in Computer Engineering.