Protecting Location-Data Against Inference Attacks Using Pre-Defined Personas

Chini Foroushan, Amir Hossein

January 2011

Usage of locational data is getting more popular day by day. Location-aware application, context aware application and Ubiquities applications are some of the major categories of applications which are based on locational data. One of the most concerning issues regarding such applications is how to protect user’s privacy against malicious attackers. Failing in this task would result in a total failure for the project, considering how privacy concerns are getting more and more important for the end users. In this project, we will propose a theoretical solution for protecting user privacy in location-based application against inference attacks. Our solution is based on categorizing target users into pre-defined groups (a. k. a. Personas) and utilizing their common characteristics in order to synthesize access control rules for the collected data.

Location-based application

User Privacy

Inference Attacks

Access Control

Engineering and Technology

Teknik och teknologier

Side-Channel Attacks on Encrypted 5G/4G Voice Calls

Shaan Shekhar (18463575)

01 May 2024

<p dir="ltr">5G/4G voice calls are encrypted for the purpose of confidentiality, secrecy and privacy. Although protected by well-examined security measures we unveil several vulnerabilities previously unreported in the 5G/4G voice calls that unintentionally leak 5G/4G call state information despite encryption protection and device proof of concept attacks in this thesis. Unlike existing attacks, these new attacks are significantly more threatening because they are completely contactless without requiring any malware, access or compromise on the victim's phones, the 5G/4G network and the other call party. Instead, the attacker only needs to deploy a radio sniffer to eavesdrop on 5G/4G communication and infer confidential call information.</p><p dir="ltr">Interestingly, such confidentiality breaches are technically feasible due to recent 5G/4G call enhancement technologies standardized in the 3GPP specifications and adopted by mobile network operators. While effective in enhancing 5G/4G call quality and efficiency, they, unfortunately, expose extra call information, which can be exploited to infer call states and launch side-channel attacks precisely. Another major contributor to this attack is the IVR technology, which uses a computer-operated telephone system to help companies answer customer calls. In this thesis, we focus on snooping Pay-over-the-Phone transactions done over IVR calls and optionally inferring the company involved in the transaction. The attacks exploit technologies designed to enhance the call quality and efficiency and develop several attack modules to (1) detect voice calls over encrypted 5G/4G traffic, (2) infer the use of IVR over limited call information leaked in the air, and (3) spy on sensitive payment transactions in real-time. We have implemented this proof-of-concept attack using an SDR-based sniffer only. We have validated its effectiveness and assessed damages in various experiments with 5G operators in the US. Lastly, we have discussed the lessons learned from the attacks and the future work that can be done to improve the efficiency of the attacks and make them more threatening.</p>

System and network security

Voice Call Security

Phone Call Security

Side Channel Attacks

Inference Attacks