Preserving Location Privacy in Wireless LANs (PowerPoint presentation transcript)

1
Preserving Location Privacy in Wireless LANs
  • Presented by
  • Alvin Yonggang Yun
  • April 9, 2008

CSCI 388 - Wireless and Mobile Security
2
Authors
  • Tao Jiang University of Maryland
  • Helen J. Wang Microsoft Research
  • Yih-Chun Hu University of Illinois
  • Presented at MobiSys '07,
  • June 11-13, 2007,
  • San Juan, Puerto Rico, USA

3
Do you care if someone knows where you are?
4
Someone does care about location privacy
5
220,000 Cell Towers Can Find You
6
Location-based Services
  • Location-based networking (always connected,
    continuous services)
  • Location-based fitness assistant and shopping
    assistant
7
Location and Location Privacy
  • Location information can be obtained through
    direct communication with the respective entity
    or through indirect means such as observation and
    inference.
  • Location privacy (as a right): the claim of
    individuals, groups and institutions to determine
    for themselves when, how and to what extent
    location information about them is communicated
    to others.
  • Location privacy (as a capability): the ability
    to prevent other parties from learning one's
    current or past location.

8
Problem
  • The broadcast nature of wireless networks and the
    widespread deployment of Wi-Fi hotspots make it
    easy to remotely locate a user by observing
    wireless signals.
  • Location information can be used by malicious
    individuals for blackmail, stalking, and other
    privacy violations.

9
  • Balance: location privacy vs. location-based
    services
  • What's new? Adjustable privacy level (measured by
    entropy); more detail below
10
Paper Overview
  • So, how to improve location privacy?
  • Obfuscate 3 types of privacy-compromising
    information
  • Sender identity
  • Time of transmission
  • Signal strength

11
Paper Overview
  • Why? Because there are 5 types of leakage of
    location information in the course of wireless
    communications:
  • Sender node identity
  • Time of transmission
  • Location (signal strength)
  • Receiver node identity -- addressed by MIX-nets or
    Crowds
  • Content -- addressed by encryption

12
FOCUS
  • Anonymize the user or node identity with
    frequently changing pseudonyms (MAC addresses in
    this paper)
  • Unlink different pseudonyms of the same user with
    silent periods (an optimal-length model)
  • Reduce the transmission range through transmit
    power control

13
Design Overview
  • Driven by real-system implementation and field
    experiments along with analysis and simulations
  • The privacy level can be chosen by the user, for
    both privacy-sensitive and non-privacy-sensitive
    users.
  • Evaluate system based on real-life mobility data
    and wireless LAN coverage

14
Research Background
  • Y.-C. Hu and H. J. Wang. Location privacy in
    wireless networks. In Proceedings of the ACM
    SIGCOMM Asia Workshop, Beijing, 2005. (This paper
    is an extension and improvement of that work.)
  • M. Gruteser and D. Grunwald. Enhancing location
    privacy in wireless LAN through disposable
    interface identifiers: a quantitative analysis.
    In WMASH '03.
  • L. Huang, K. Matsuura, H. Yamane, and K. Sezaki.
    Enhancing wireless location privacy using silent
    period.
  • C. Shannon. A mathematical theory of
    communication. Bell System Technical Journal,
    27:379-423, 623-656, 1948. (Entropy is used as
    the metric of privacy level.)

15
Related Work
  • Location technologies (RF-based)
  • Application-level location privacy
  • Network-level location privacy
  • RF fingerprinting

16
Related Work: Location technologies
  • Only RF-based localization systems are considered
  • Achievable location accuracy:
  • Indoor --- under 1 meter 50% of the time
  • Outdoor --- 15-30 meters median error
  • Two phases:
  • Training phase: war-driving to collect a large
    amount of signal data (the radio map)
  • Positioning phase: compare observed signals to
    the radio map

17
Related Work: Application-Level Location Privacy
  • Anonymous usage of location-based services
    through spatial and temporal cloaking
  • Protocols and APIs designed with the privacy
    issues of transferring location information to
    external services in mind
  • Target: location information provided by
    applications
  • This paper instead targets the privacy of
    location information that can be inferred from
    the wireless transmissions of network users

18
Related Work: Network-Level Location Privacy
  • Frequently changing user pseudonyms; blind
    signatures for anonymous communication
  • Silent periods
  • Pseudo-randomly chosen channel (assumes the AP
    operator is trusted)

19
Related Work: Network-Level Location Privacy (prior
work vs. this paper)
  • Frequently changing user pseudonyms with blind
    signatures for anonymous communication vs.
    sender identity hidden by changing the MAC
    address
  • Silent periods vs. opportunistic silent periods
  • Pseudo-randomly chosen channel vs. reduced
    transmission power (fewer APs in range) -- works
    even when the AP cannot be trusted

20
Anonymous Communication
  • Bob and the server want to prevent outsiders from
    learning that they are communicating:
    unlinkability
  • Bob wants to prevent the server from learning
    Bob's identity: sender (source) anonymity

21
Related Work: Network-Level Location Privacy
  • Definitions
  • Silent period: the time during which
    privacy-sensitive users intentionally do not
    transmit, in order to reduce the effectiveness of
    correlation based on users' mobility patterns
  • Opportunistic silent period: this paper's
    methodology for calculating the optimal silent
    period

22
Related Work: Network-Level Location Privacy
  • Again
  • Obfuscate 3 types of privacy-compromising
    information
  • Sender identity
  • Time of transmission
  • Signal strength

23
Related Work: RF Fingerprinting
  • Requires a high-speed, high-resolution
    analog-to-digital converter; expensive to deploy
  • Can be defeated by intentionally adding strong
    noise
  • The paper does not address this; it is important
    future work

24
Attacker Model
  • Silent attackers: sniffers that do not emit any
    signals; they only listen and localize mobile
    users
  • Exposed attackers: network providers. Are they
    trustworthy? What about accidental leaks?
  • Active attackers: adjust base station transmit
    power
  • Passive attackers: make no change to the base
    station

25
Measure of Privacy
  • How well can we preserve location privacy?
  • We need to quantify it
  • Privacy entropy

Given an attacker and the set of all mobile users
U, consider the attacker's observation about the
user at some location L. Given that observation,
the attacker computes a probability distribution P
over users. Entropy is the number of bits of
additional information the attacker needs to
definitively identify the user. If the probability
assigned to one user is 1, the attacker already has
enough information to identify the user (entropy
0).
26
Ways to go
  • Pseudonym for sender identity
  • Opportunistic Silent Period for transmission time
  • Transmit power control for signal strength

27
Pseudonym
  • Anonymity is a prerequisite for location privacy
  • The user must use frequently changing pseudonyms
    for communications
  • Candidate pseudonyms: MAC address, IP address

28
How to choose pseudonym?
  • Important: avoid address collisions
  • Let the AP assign MAC addresses to users/clients
  • A well-known Join Address is used as the source
    address of the request, to avoid MAC conflicts
  • MAC addresses are taken from a MAC address pool
  • Nonce: a cryptographic nonce, a 128-bit string
    used only once, distinguishes multiple
    simultaneous requests

29
How to choose pseudonym?
  • Why not change the IP address?
  • Changing the MAC is enough; we do not need to
    extract and obfuscate application-layer user
    identities
  • Sources cannot easily communicate with the AP
    while the IP changes (trusted anonymous bulletin
    boards with cryptographic mechanisms are used)

30
When to change pseudonym?
  • Opportunistic silent period
  • Address changes are ONLY allowed just before the
    start of a new association (between client and
    AP)
  • H(N)
  • An attacker can attempt to correlate different
    pseudonyms of the same user. A silent period
    reduces such correlations.

31
Opportunistic Silent Period
  • During a silent period, a user does not send any
    wireless transmissions
  • The effectiveness of silent periods depends
    heavily on user density (higher density gives
    better privacy)
  • Forced silent periods can disrupt communications.
    An opportunistic silent period minimizes
    disruption by taking place during idle time
    between communications

32
Opportunistic Silent Period
  • Trace data shows opportunistic silent periods are
    quite suitable for WLANs

[Figure: CDF of session duration from the Dartmouth
campus-wide WLAN trace]
[Figure: CDF of duration between sessions from the
Dartmouth campus-wide WLAN trace]
33
Methodology for choosing a Silent Period
  • The efficacy of a silent period depends on user
    density
  • Mobility pattern data consists of <time,
    pseudonym, location> tuples
  • Compute the probability that user i is linked to
    the new pseudonym, among the candidate users
  • This distribution Pi is the one used for the
    privacy entropy

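The privacy-entropy metric of slide 25 and the candidate-set construction of slide 33, worked through in one added example (not code from the paper). The mobility model is a deliberate simplification and an assumption of this example: every user went silent at the same instant at a known last-seen position, a user is a candidate for the new pseudonym if it could have reached the new location within the silent period at a maximum speed, and the attacker's distribution over candidates is uniform. The paper derives its Pi from real mobility traces; the formula for the entropy itself is the standard Shannon one used on the slide.

```python
"""Privacy entropy of a pseudonym change after a silent period.

Added illustration; the reachability model and the uniform attacker
distribution are assumptions of this example, not the paper's model.
"""
import math

# Constructed sample: last-seen positions (metres) of four users who all
# went silent at the same time.  u1 is the user who actually moved.
LAST_SEEN = {"u1": (0.0, 0.0), "u2": (0.0, 60.0),
             "u3": (300.0, 0.0), "u4": (0.0, 1000.0)}
NEW_LOCATION = (0.0, 0.0)  # where the new pseudonym first appears
MAX_SPEED = 1.5            # m/s, assumed walking speed bound


def privacy_entropy(probs):
    """Shannon entropy in bits of the attacker's distribution over users.
    Zero means the attacker already knows who the new pseudonym is."""
    return -sum(p * math.log2(p) for p in probs if p > 0)


def candidate_users(last_seen, new_loc, silent_s, max_speed=MAX_SPEED):
    """Users that could have travelled from their last-seen position to
    new_loc within silent_s seconds (the attacker's candidate set)."""
    x, y = new_loc
    reach = max_speed * silent_s
    return [u for u, (ux, uy) in last_seen.items()
            if math.hypot(ux - x, uy - y) <= reach]


def linkage_distribution(last_seen, new_loc, silent_s, max_speed=MAX_SPEED):
    """P_i: probability that candidate i is the new pseudonym's owner.
    Assumption: uniform over candidates (the paper weights by mobility data)."""
    cands = candidate_users(last_seen, new_loc, silent_s, max_speed)
    return {u: 1.0 / len(cands) for u in cands}


def entropy_after_silence(last_seen, new_loc, silent_s, max_speed=MAX_SPEED):
    """Privacy entropy obtained by staying silent for silent_s seconds."""
    return privacy_entropy(linkage_distribution(last_seen, new_loc,
                                                silent_s, max_speed).values())


def required_silent_period(last_seen, new_loc, target_bits, max_speed=MAX_SPEED):
    """Smallest silent period (seconds) that yields at least target_bits of
    entropy under this model, or None if no silence length achieves it.
    Entropy is a step function of time: the k-th closest user becomes a
    candidate once silent_s >= distance_k / max_speed."""
    x, y = new_loc
    arrival = sorted(math.hypot(ux - x, uy - y) / max_speed
                     for ux, uy in last_seen.values())
    for k, t in enumerate(arrival, start=1):
        if math.log2(k) >= target_bits:
            return t
    return None


if __name__ == "__main__":
    for t in (30, 100, 300, 700):
        print(f"silent {t:4d}s -> {entropy_after_silence(LAST_SEEN, NEW_LOCATION, t):.2f} bits")
    print("silence needed for 1 bit:", required_silent_period(LAST_SEEN, NEW_LOCATION, 1.0))
```

With the constructed positions the entropy climbs from 0 bits (30 s, only the real user is reachable) through 1 bit (100 s) to 2 bits (700 s) and then stays flat: once every user is a candidate, a longer silent period buys no more privacy but still costs service time, which is the trade-off the optimal silent period of the following slides is about.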
34
Maximize privacy entropy
  • Previous work shows the silent periods must be
    randomized (no detail in this paper)
  • Random silent period = Td + Tr
  • Td: deterministic silent period (from previous
    work)
  • Tr: uniformly random between 0 and Tr(max)
  • So does a larger Tr(max) offer better possible
    privacy?
  • Not necessarily

35
Case Study
  • Mobility data from the Seattle bus system
  • 5-day training set and 8-hour test set

36
Case Study
  • Mobility data from the Seattle bus system
  • 5-day training set and 8-hour test set

37
Maximize privacy entropy
  • Choose Tr(max) close to, but not greater than,
    12 minutes

38
  • Balance: location privacy vs. service quality
  • The optimal silent period is an upper bound on
    the necessary silent period
39
Control Signal Strength
  • Reduce location precision: the precision depends
    on the number of APs within the user's
    communication range
  • Transmit power control (TPC): minimize the number
    of APs in range while ensuring at least one AP
    for connectivity (assumes APs do not adjust their
    own transmit power)
  • TPC scheme: hold transmit power at the lowest
    productive level, which also minimizes the
    interference imposed on others

40
RSS-based Silent TPC
  • The mobile station must perform TPC silently
    (without transmitting probes)
  • The only information available to the mobile
    station is the received signal strength (RSS)
    from APs within range
  • Challenging because of reflection, scattering,
    multipath fading and absorption of radio waves

41
Asymmetry and Variations of Channels
  • Goal: determine the relationship between the two
    directions of a channel and use the path loss in
    one direction to infer the loss in the other
    direction
  • Two measured scenarios:
  • the corner of an office
  • an open outdoor space

42
Asymmetry of 802.11 channels
  • RSSI readings in the two directions are strongly
    correlated

43
Path loss margin (PLM)
  • Definition: PLM is the magnitude of the maximum
    difference between the path losses in opposite
    directions that results from environmental
    influences and wireless channel asymmetry

44
PLM calculation
45
PLM calculation
46
PLM calculation
  • From the experimental results on path asymmetry
    and variation above, the measured margins are:
  • 11.3 dB indoor
  • 10.5 dB outdoor
  • So the paper uses PLM = 10 dB

47
Silent TPC Design
  • Design goal: adjust the transmit power of the
    mobile station (not of the AP) to reduce the
    number of APs in range, using only the path loss
    observed in the opposite direction, from the
    in-range APs to the mobile station
  • The minimum signal strength reaching the AP must
    still be greater than RS

48
TPC vs RSSI
Transmit power is controlled through configuration
parameters exposed by the Atheros drivers
49
Silent TPC Scheme
  • The TPC scheme can only exclude an AP when the
    received signal strengths of the two APs differ
    by at least 20 dB

50
Effectiveness of Silent TPC
  • More than 73% of the measured spots (356 in
    total) have an RSS difference of more than 20 dB
    between APs, so TPC can improve privacy there

51
APs in range before and after TPC
52
Operational Model
[Figure: alert message and user-interface privacy
mode]
53
Operational Model
54
Contributions
  • A solution that better preserves location privacy
  • The solution can also be applied to cellular
    networks
  • Frequently change pseudonyms (MAC addresses)
  • Pause opportunistically for a silent period
  • Perform silent TPC to reduce the location
    precision available to an observer

55
Future work
  • The system sacrifices service quality, so it is
    not good for real-time applications
  • The silent TPC scheme reduces the
    signal-to-noise ratio received at the AP, and
    therefore reduces the transmission data rate
  • Interaction with wireless card rate control

56
My thoughts
  • The MAC address selection model is vulnerable to
    man-in-the-middle attacks and DoS attacks
  • Tr(max) should differ across various
    scenarios/conditions; TPC is hard to implement in
    reality
  • The TPC scheme has a 20 dB limit, a big concern
    for better AP deployment
  • Not all wireless drivers support TPC

57
(No Transcript)