DOI: 10.1145/2991079.2991090
Research article (ACSAC conference proceedings)

Location-enhanced authentication using the IoT: because you cannot be in two places at once

Published: 05 December 2016

    Abstract

    User location can act as an additional factor of authentication in scenarios where physical presence is required, such as when making in-person purchases or unlocking a vehicle. This paper proposes a novel approach for estimating user location and modeling user movement using the Internet of Things (IoT). Our goal is to utilize its scale and diversity to estimate location more robustly than solutions based on smartphones alone, and to stop adversaries from using compromised user credentials (e.g., stolen keys, passwords, etc.) when sufficient evidence physically locates them elsewhere. To locate users, we leverage the increasing number of IoT devices carried and used by them and the smart environments that observe these devices. We also exploit the ability of many IoT devices to "sense" the user. To demonstrate our approach, we build a system called Icelus. Our experiments with it show that it exhibits a smaller false-rejection rate than smartphone-based location-based authentication (LBA) and that it rejects attackers with few errors (i.e., false acceptances).


Published In

    ACSAC '16: Proceedings of the 32nd Annual Conference on Computer Security Applications
    December 2016, 614 pages
    ISBN: 9781450347716
    DOI: 10.1145/2991079

    Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

    Sponsors

    • ACSA: Applied Computing Security Assoc

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Publication History

    Published: 05 December 2016


    Author Tags

    1. authentication
    2. internet of things
    3. location-based services
    4. trust

    Qualifiers

    • Research-article

    Conference

ACSAC '16: 2016 Annual Computer Security Applications Conference
    Sponsor: ACSA
    December 5 - 8, 2016
    Los Angeles, California, USA

    Acceptance Rates

    Overall Acceptance Rate 104 of 497 submissions, 21%

    Cited By

• (2024) A Closer Look at Access Control in Multi-User Voice Systems. IEEE Access, 12:40933-40946. DOI 10.1109/ACCESS.2024.3379141. Online publication date: 2024
    • (2023) Design of Physical Layer secure communication for real wireless propagation environment. 2023 2nd International Conference on Sensing, Measurement, Communication and Internet of Things Technologies (SMC-IoT), pages 106-111. DOI 10.1109/SMC-IoT62253.2023.00027. Online publication date: 29-Dec-2023
    • (2023) Cracking Physical Layer Artificial Noise Secure Transmission by Bit-flipping. 2023 2nd International Conference on Computing, Communication, Perception and Quantum Technology (CCPQT), pages 229-234. DOI 10.1109/CCPQT60491.2023.00045. Online publication date: 4-Aug-2023
    • (2022) Risk-Based Authentication. Handbook of Research on Mathematical Modeling for Smart Healthcare Systems, pages 154-179. DOI 10.4018/978-1-6684-4580-8.ch009. Online publication date: 24-Jun-2022
    • (2022) EventChain. Proceedings of the 23rd ACM/IFIP International Middleware Conference, pages 174-187. DOI 10.1145/3528535.3565243. Online publication date: 7-Nov-2022
    • (2022) LocID: A Secure and Usable Location-Based Smartphone Unlocking Scheme Using Wi-Fi Signals and Light Intensity. IEEE Internet of Things Journal, 9(23):24357-24372. DOI 10.1109/JIOT.2022.3189358. Online publication date: 1-Dec-2022
    • (2021) Towards usable and secure location-based smartphone authentication. Proceedings of the Seventeenth USENIX Conference on Usable Privacy and Security, pages 1-15. DOI 10.5555/3563572.3563573. Online publication date: 9-Aug-2021
    • (2021) Secure Path: Block-Chaining IoT Information for Continuous Authentication in Smart Spaces. IoT, 2(2):326-340. DOI 10.3390/iot2020017. Online publication date: 18-May-2021
    • (2021) A Survey on Recent Advanced Research of CPS Security. Applied Sciences, 11(9):3751. DOI 10.3390/app11093751. Online publication date: 21-Apr-2021
    • (2020) Location Proof Systems for Smart Internet of Things: Requirements, Taxonomy, and Comparative Analysis. Electronics, 9(11):1776. DOI 10.3390/electronics9111776. Online publication date: 26-Oct-2020
