Advisory Committee Chair

Nitesh Saxena

Advisory Committee Members

Jeremy Blackburn

Tzipora Halevi

Vir Virander Phoha

Yuliang Zheng

Document Type

Dissertation

Date of Award

2019

Degree Name by School

Doctor of Philosophy (PhD) College of Arts and Sciences

Abstract

Mobile devices (e.g., smartphones) have already become ubiquitous, and wearable technology (e.g., embodied in smartwatches or bracelets) is gaining popularity in many commercial, medical and personal domains of day-to-day life. Many security schemes, particularly authentication paradigms, have been designed and deployed on general-purpose mobile devices, and many have started using wearable devices as well. The use of these devices, on one hand, improves user experience, while, on the other hand, it opens up security and privacy vulnerabilities. In this dissertation work, we explore new authentication and privacy paradigms, from both offensive and defensive perspectives, in and using mobile and wearable computing. In particular, we first investigate the security vulnerabilities of using mobile and wearable devices that an attacker can exploit to learn sensitive information about the user (e.g., PINs, passwords, messages or emails), thereby raising the threat to the user's privacy. In response to such a privacy threat, we design practical, yet intuitive, defense mechanisms. We also introduce secure and usable Two-Factor Authentication (2FA) systems by utilizing a wrist-worn wearable device (e.g., a smartwatch) that can address the security-usability issues associated with existing 2FA systems. Further, we conduct a security analysis of a prominent Zero-Effort Deauthentication (ZED) system intended for a local machine and design a secure ZED system for a remote scenario, specifically the web. In sum, this dissertation work comprises three parts: (1) investigating privacy threats arising from the use of mobile and wearable computing, and designing defenses against them, (2) designing secure, yet minimal-effort, 2FA systems using a wearable device, and (3) investigating a ZED system intended for a local machine, and extending the ZED system to a remote web scenario.
In the first part, we present the design, implementation, and evaluation of our defense, based on system-generated and user-oblivious sensory noise, against the privacy threat arising from the motion sensors embedded in mobile devices. We also introduce a potentially serious privacy threat of insider attacks arising from unattended wearable devices, which enable an attacker to pull and learn various sensitive information from the phone (such as messages, photos or emails) and push sensitive commands to the phone (such as making phone calls, sending text messages and taking pictures). To thwart this insider threat of unattended wearables, we provide a viable fix based on a simple notion of active audio proximity. In the second part, we introduce our minimal-effort 2FA schemes that address the security-usability issues associated with existing 2FA systems. Specifically, we present the design, implementation, and evaluation of a 2FA scheme based on the notion of active audio proximity. We also present another minimal-effort 2FA scheme based on the wrist gesture captured by a wrist-worn wearable device while the user types the password, which may further improve usability compared to the audio-based 2FA scheme. In the third part, we investigate a prominent local ZED system and highlight fundamental flaws in the design of ZED schemes that an adversary can exploit to develop an effective and opportunistic attack strategy to defeat the scheme. Given the severity of opportunistic attacks against the ZED scheme, we propose a defense mechanism based on the notion of sound masking and evaluate its performance and security. We also present the design, implementation, and evaluation of a novel ZED system for the web scenario utilizing a wearable device that is secure against opportunistic observation attacks as well as other browser-based vulnerabilities such as password database leakage and session hijacking.