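NTHU CS ISLAB (National Tsing Hua University, Institute of Computer Science and Information Engineering, Information Security Laboratory)

Preserving Location Privacy in Wireless LANs
Tao Jiang, Helen J. Wang, Yih-Chun Hu
MobiSys’07
Speaker: Fang
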
Outline
1. Introduction
2. Attacker Model
3. Privacy Entropy
4. Achieving Location Privacy
5. Operational Model
6. Concluding Remarks

1. Introduction
Pervasive deployment of Wi-Fi hotspots
  – Taipei, London, Singapore, …
Wireless medium, broadcast nature
  – Much easier to compromise privacy
  – Infer a user’s physical location
Precise positioning of a mobile node is possible
This paper treats the problem of location privacy

1. Introduction
Basic approach to location privacy
  – Obfuscate privacy-compromising information
  – 5 sources: Time, Location, Sender identity, Receiver identity, Content
Content: encryption; Receiver ID: MIX-net
Broadcast nature inevitably exposes the first three
  – Sender ID: Pseudonym
  – Time: Opportunistic Silent Period
  – Location: Reducing the Location Precision

1. Introduction
Analyze the achieved location privacy using the metric of privacy entropy
Location privacy vs. wireless service provisioning and location-based services
  – Need not reveal identity to receive wireless service
  – Anonymous billing
  – Calculate its own current location
  – Choice of privacy

2. Attacker Model
Silent attackers
  – Sniffers, listen and localize mobile users
  – Strongest when they are densely scattered
  – Substantial resources
  – Government, competing service provider
Exposed attackers
  – Network providers
  – Active exposed attackers
      Dynamically adjust their base station’s transmission power
  – Passive exposed attackers
      Do not change base station behavior

3. Privacy Entropy
The higher the privacy entropy is, the more uncertain attackers will be of their user location inference
U: set of all mobile users
λ: observation of the attacker at some location L
P: probability distribution

3. Privacy Entropy
Define the privacy entropy of this observation λ
As the number of bits of additional information
  – Attacker needs to definitively identify the user u observed with λ at location L
Later, show this in a realistic mobile system

4. Achieving Location Privacy
Obfuscate three sources
  – Sender ID: Pseudonym (4.1)
  – Time of transmission: Opportunistic silent period (4.2)
  – Location and signal strength: Location precision (4.3)
Focus description on a protocol built around a WLAN
Can generalize to other types of wireless network

4.1 Pseudonym
To prevent an attacker from using user identity for tracking
  – Use frequently changing pseudonyms for communications
  – In MAC and IP address are user identity
Address collision problem
  – Only 48 bits in a MAC address
  – Randomly chosen addresses have a high probability of collision in networks

4.1 Pseudonym
Address collision problem solution
  – MAC addresses are assigned by access points

4.1 Pseudonym
IP address selection
  – Same as MAC address
Disruption problem
  – Changing the MAC and IP address may cause disruption when the user associates with a new AP
Disruption problem solution
  – Only allow address changes just before the start of a new association
  – Do not change addresses during inter-AP handoff

4.1 Pseudonym
Privacy entropy H is $\log_2(N)$
  – Without any additional information
  – N: total number of users in the network
But attackers can attempt to correlate different pseudonyms with the same user
  – By accumulating the location information in the network
  – Solution: use silent period

4.2 Opportunistic Silent Period
Silent period
  – User does not send any wireless transmission
  – Mix in with other possible nodes
  – Effectiveness depends heavily on user density
Forced silent period can disrupt communications
  – Solution: Introduce the opportunistic silent period
Opportunistic Silent Period
  – Takes place during the idle time of communication
  – Uses that time to change pseudonyms
  – Mitigates the impact of silent period on communication

4.2 Opportunistic Silent Period
Shows that opportunistic silent periods are quite suitable for WLANs

Methodology for Choosing a Silent Period
Input
  – Mobility pattern within a service area
  – Mobility pattern: Compute the privacy entropy
In training phase
  – Represents how likely a user was in $L_i$ $\Delta t$ time ago, given it is observed at $L_{ob}$

Methodology for Choosing a Silent Period
In the test phase
  – Use $p_i(\Delta t)$ to compute the privacy entropy
  – The probability that i is linked to the new pseudonym among these candidates is
  – Where $p_i$, $(L_i, L_{ob})$ is the probability distribution used for privacy entropy

Methodology for Choosing a Silent Period
Consider the worst case scenario
Our goal
  – Choose a silent period
  – That maximizes the privacy entropy
Silent period must be randomized
  – Silent period: $T_d + T_r$
  – $T_d$: deterministic
  – $T_r$: drawn from a uniform distribution between 0 and $T_r^{max}$
  – $T_{min} = T_d$ and $T_{max} = T_d + T_r^{max}$
  – Upper bound of the best possible privacy

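
Added example (not from the paper or these slides): a toy version of the training/test computation above. It assumes that the linking probability missing from the slide is the normalized $p_i(\Delta t)$, i.e. $P_i = p_i / \sum_j p_j$, and that privacy entropy is the Shannon entropy of that distribution; the traces, cell numbering and function names are constructed for illustration.

```python
import math
from collections import Counter, defaultdict

# Constructed traces: cell index of each node at successive 30 s samples.
TRACES = [
    [0, 1, 2, 3, 4, 5],
    [0, 1, 2, 3, 3, 4],
    [5, 4, 3, 2, 1, 0],
    [2, 2, 3, 3, 4, 4],
]

def privacy_entropy(weights):
    """Shannon entropy in bits of the normalized candidate weights."""
    total = sum(weights)
    if total <= 0:
        return 0.0
    probs = [w / total for w in weights if w > 0]
    return -sum(p * math.log2(p) for p in probs)

def train(traces, dt):
    """Training phase: estimate how likely a node observed at L_ob was at L_i
    dt samples earlier, for every (L_ob, L_i) pair seen in the traces."""
    counts = defaultdict(Counter)
    for trace in traces:
        for t in range(dt, len(trace)):
            counts[trace[t]][trace[t - dt]] += 1
    return {ob: {li: n / sum(prev.values()) for li, n in prev.items()}
            for ob, prev in counts.items()}

def link_entropy(traces, l_ob, candidates):
    """Test phase: candidates is [(L_i, dt_i)], one entry per old pseudonym that
    went silent at cell L_i, dt_i samples before a new pseudonym appeared at
    l_ob. Assumption: P_i = p_i(dt_i) / sum_j p_j(dt_j)."""
    models = {dt: train(traces, dt) for dt in {dt for _, dt in candidates}}
    weights = [models[dt].get(l_ob, {}).get(li, 0.0) for li, dt in candidates]
    return privacy_entropy(weights)

if __name__ == "__main__":
    print(privacy_entropy([1] * 8))                            # no side information
    print(link_entropy(TRACES, 3, [(1, 2), (2, 2), (5, 2)]))   # mobility-aware attacker
    print(link_entropy(TRACES, 3, [(2, 2)]))                   # lone candidate
```

With three candidates the mobility-aware attacker faces less than the $\log_2(3)$ bits a uniform guess would give, and a lone candidate in the silent window yields no privacy at all, which is why effectiveness depends on user density.
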
Case Study on Bus Mobility Data
Use the mobility data of Seattle bus system
  – 5-day training set, 8-hour test set
  – 30 second interval
  – Square sections 300 feet on each side
  – 5 mph
  – 8 equally-sized directions
  – Chose a communication schedule for each bus
  – Communication time for each session chosen from a uniform distribution with a mean of 10 mins

Case Study on Bus Mobility Data
Achieves maximum entropy 5.38, with $T_d$ = 19 mins 20 s, $T_r$ = 4 mins
Privacy entropy is monotonically increasing with increasing $T_r$

Case Study on Bus Mobility Data
To minimize the silent periods while retaining good location privacy
$T_r^{max}$ = 12 mins, $T_d$ = 19 mins 20 s

4.3 Location Precision
Reducing the location precision of a localization scheme can offer better privacy
  – Presence of the mobile users is blended in with more users in the larger area
Transmit power control (TPC)
  – Use it to minimize the number of APs in range
Assume
  – APs do not dynamically adjust their transmit power
  – Exposed passive attackers

4.3 Location Precision
TPC challenge
  – The only information available is received signal strength (RSS)
  – Unpredictability
  – Asymmetric

Asymmetric and Variations of Wireless Channels
Our goal
  – Determine the relationship between the two directions of a channel
  – Use the path loss in one direction to infer the loss in the other direction

Asymmetric and Variations of Wireless Channels
This strong correlation suggests that RSSI-based silent TPC can be quite successful

Asymmetric and Variations of Wireless Channels
Define the path loss margin (PLM)
  – Magnitude of the max difference between path loss in opposite directions
Experiment result
  – Indoor: 11.3 dB
  – Outdoor: 10.5 dB
  – For simplicity, 10 dB

Silent TPC Design
Our goal
  – Intelligently adjust the transmit power to reduce the number of APs in range

Effectiveness of the Silent TPC
Experiment environment
  – Microsoft Office 3rd floor
  – 6 APs using b
  – 356 spots uniformly cover the entire floor
  – A laptop with customized wireless card
At each spot
  – First passively listen to all the channels used by the APs
  – Record the RSS from each AP
  – Adjust the card’s transmit power using TPC scheme

Effectiveness of the Silent TPC
How often a mobile station is able to adjust
  – 73% of the spots have RSS difference more than 20 dB and can use TPC to improve privacy

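
Added example (a sketch, not the paper's TPC algorithm): one way the 10 dB PLM can turn passive RSS readings into a transmit power, and one reading of why a station needs more than 2 × PLM = 20 dB between its two strongest APs before it can drop the second one. The AP transmit power, AP sensitivity, card power range, function names and all RSS values are assumptions constructed for illustration.

```python
PLM_DB = 10.0                 # path loss margin chosen on the slides
AP_TX_DBM = 20.0              # assumption: fixed, known AP transmit power
AP_SENSITIVITY_DBM = -90.0    # assumption: weakest signal an AP can decode
CARD_MIN_DBM, CARD_MAX_DBM = -10.0, 20.0   # assumption: card's power range

def aps_in_range(rss_dbm, tx_dbm):
    """APs that might hear a frame sent at tx_dbm, taking the uplink loss at
    its most favourable value (measured downlink loss minus PLM)."""
    return sorted(ap for ap, rss in rss_dbm.items()
                  if tx_dbm - ((AP_TX_DBM - rss) - PLM_DB) >= AP_SENSITIVITY_DBM)

def silent_tpc(rss_dbm):
    """rss_dbm maps AP name -> RSS in dBm, measured while only listening.
    Returns (tx_power_dbm, target_ap)."""
    target = max(rss_dbm, key=rss_dbm.get)        # strongest AP heard
    downlink_loss = AP_TX_DBM - rss_dbm[target]
    # The uplink may be up to PLM worse than the downlink: budget for it so
    # the target AP is still guaranteed to decode the frame.
    needed = AP_SENSITIVITY_DBM + downlink_loss + PLM_DB
    tx = min(max(needed, CARD_MIN_DBM), CARD_MAX_DBM)
    return tx, target

# Constructed measurements at two spots (dBm).
WIDE_GAP = {"AP1": -55.0, "AP2": -80.0, "AP3": -85.0}   # 25 dB between top two
NARROW_GAP = {"AP1": -55.0, "AP2": -70.0}               # 15 dB between top two

if __name__ == "__main__":
    for spot in (WIDE_GAP, NARROW_GAP):
        tx, target = silent_tpc(spot)
        print(target, tx,
              "before:", aps_in_range(spot, CARD_MAX_DBM),
              "after:", aps_in_range(spot, tx))
```
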
Effectiveness of the Silent TPC
Effectiveness of our TPC

Effectiveness of the Silent TPC
Result shows that
  – Before TPC: AP1 and AP2 are in range
  – After TPC: only AP1 in range
  – Before TPC
      3% of the spots have only one AP in range
      11% of the spots have two APs in range
  – After TPC
      36% of the spots have only one AP in range
      23% of the spots have two APs in range

Privacy Gain with Our Solutions
Silent attackers
  – Transmission radius r is 10 m at minimum transmit power
  – In order for a node to be heard by three attackers
  – Attacker density ρ must be such that $\rho \pi r^2 \ge 3$, ρ ≥ sniffer/m²
  – Our experiment is one AP every 500 m²

Privacy Gain with Our Solutions
Active exposed attackers
  – The user could potentially detect such attackers
  – In-depth investigation on approaches against such attackers is future work
Passive exposed attackers
  – Mix area
      Maximum area that is covered by just this AP
  – 34 spots whose signals can be heard by only the target AP
  – Mix area of target AP = 352 m²
  – Users in mix area are distinguishable for attackers

Privacy Gain with Our Solutions
  – Assume attackers using RADAR with 3 APs
  – Location precision achieved is a circle with area 28 m²
  – Mix area is increased 12 times (352/28) by applying TPC
Maximum privacy entropy that our system can provide is 11.1 bits
  – 7.4 bits from silent period
  – 3.7 bits from transmit power control

5. Operational Model
Mobile node operation
Service provider operation

5.1 Mobile Node
Goal: allow each user to configure her privacy requirements as policies
Location privacy requires the participation of the whole mobile system including all applications

5.1 Mobile Node
During a silent period
  – User-initiated communications are rejected

5.1 Mobile Node
Even non-privacy-sensitive users obtain new MAC addresses to increase the entropy for privacy-sensitive users.
Not disrupting the communication of non-privacy-sensitive users

5.2 Service Providers
Access points need to provide a DHCP-like service
Providing the length of silent period to their users
Need to obtain the mobility patterns of their users and choose the silent period

6. Concluding Remarks
Approach in achieving location privacy
  – Have mobile stations frequently change their pseudonyms
  – To pause opportunistically for a silent period
  – To perform silent TPC to reduce the location precision
Can offer up to 11-bit entropy protection for location privacy
Future work
  – Investigate the tradeoff between privacy and service quality
  – Study the interplay of our silent TPC and wireless card rate control

Thanks!