Authentication aura : a cooperative and distributed approach to user authentication on mobile devices

Hocking, Christopher George

January 2015

As information technology pervades our lives we have increasingly come to rely on these evermore sophisticated and ubiquitous items of equipment. Portability and the desire to be connected around the clock has driven the rapid growth in adoption of mobile devices that enable us to talk, message, tweet and inform at will, whilst providing a means to shop and administer bank accounts. These high value, high risk, desirable devices are increasingly the target of theft and improvement in their protection is actively sought by Governments and security agencies. Although forms of security are in place they are compromised by human reluctance and inability to administer them effectively. With typical users operating across multiple devices, including traditional desktop PCs, laptops, tablets and smartphones, they can regularly find themselves having a variety of devices open concurrently. Even if the most basic security is in place, there is a resultant need to repeatedly authenticate, representing a potential source of hindrance and frustration. This thesis explores the need for a novel approach to user authentication, which will reduce the authentication burden whilst providing a secure yet adaptive security mechanism; a so called Authentication Aura. It proposes that the latent security potential contained in surrounding devices and possessions in everyday life can be leveraged to augment security, and provides a framework for a distributed and cooperative approach. An experiment was performed to ascertain the technological infrastructure, devices and inert objects that surround individuals throughout the day. Using twenty volunteers, over a fourteen-day period a dataset of 1.57 million recorded observations was gathered, which confirmed that between 6am and 12pm a significant device or possession is in near proximity 97.84% of the time. Using the data provided by the experiment as the basis for a simulation of the framework, it suggests a reduction of up to 80.36% in the daily number of required authentications for a user operating a device once every 30 minutes, with a 10 minute screen lock in place. Examining the influence of location alone indicated a reduction of 50.74% in user interventions lowering the average from 32 to 15.76, the addition of the surroundings reducing this further to 13.00. The analysis also investigated how a user’s own authentication status could be used to negate the need to repeatedly manually authenticate and it was found that it delayed the process for up to 90 minutes for an individual user. Ultimately, it confirms that during device activation it is possible to remove the need to authenticate with the Authentication Aura providing sufficient assurance.

005.25

Multi-Vector Portable Intrusion Detection System

Moyers, Benjamin

18 August 2009

This research describes an intrusion detection system designed to fulfill the need for increased mobile device security. The Battery-Sensing Intrusion Protection System (B-SIPS) [1] initially took a non-conventional approach to intrusion detection by recognizing attacks based on anomalous Instantaneous Current (IC) drainage. An extension of B-SIPS, the Multi-Vector Portable Intrusion Detection System (MVP-IDS) validates the idea of recognizing attacks based on anomalous IC drain by correlating the detected anomalies with wireless attack traffic from both the Wi-Fi and Bluetooth mediums. To effectively monitor the Wi-Fi and Bluetooth mediums for malicious packet streams, the Snort-Based Wi-Fi and Bluetooth Attack Detection and Signature System (BADSS) modules were introduced. MVP-IDS illustrates that IC anomalies, representing attacks, can be correlated with wireless attack traffic through a collaborative and multi-module approach. Furthermore, MVP-IDS not only correlates wireless attacks, but mitigates them and defends its clients using an administrative response mechanism. This research also provides insight into the ramifications of battery exhaustion Denial of Service (DoS) attacks on battery-powered mobile devices. Several IEEE 802.11 Wi-Fi, IEEE 802.15.1 Bluetooth, and blended attacks are studied to understand their effects on device battery lifetimes. In the worst case, DoS attacks against mobile devices were found to accelerate battery depletion as much as 18.5%. However, if the MVP-IDS version of the B-SIPS client was allowed to run in the background during a BlueSYN flood attack, it could mitigate the attack and preserve as much as 16% of a mobile device's battery lifetime as compared with an unprotected device. / Master of Science

Intrusion Detection

Bluetooth Security

Wireless Security

Mobile Device Security

Experimental Analysis on the Feasibility of Voice Based Symmetric Key Generation for Embedded Devices

Kamineni, Surya Bharat

05 June 2017

In this thesis, we present results of an experimental study in order to generate a secure cryptographic key from the user’s voice which is to be shared between two mobile devices. We identified two security threats related to this problem, discussed the challenges to design the key generation/sharing mechanism, and proposed a new protocol based on bloom filters that overcomes the two main attacks by the intruder. One is when the attacker places its device in the close vicinity of the location where the user attempts to generate/share the key in order to derive the key from eavesdropping on communication messages. The second is when the attacker visually observes the experiment being performed and it tries to replicate the same experiment to reproduce the key. We present several results that demonstrate the practicality of our proposed technique in the context of communications between smart-phone

Key generation from voice

Mobile device security

Key sharing

Computer Sciences

Towards Seamless and Secure Mobile Authentication

January 2014

abstract: With the rise of mobile technology, the personal lives and sensitive information of everyday citizens are carried about without a thought to the risks involved. Despite this high possibility of harm, many fail to use simple security to protect themselves because they feel the benefits of securing their devices do not outweigh the cost to usability. The main issue is that beyond initial authentication, sessions are maintained using optional timeout mechanisms where a session will end if a user is inactive for a period of time. This interruption-based form of continuous authentication requires constant user intervention leading to frustration, which discourages its use. No solution currently exists that provides an implementation beyond the insecure and low usability of simple timeout and re-authentication. This work identifies the flaws of current mobile authentication techniques and provides a new solution that is not limiting to the user, has a system for secure, active continuous authentication, and increases the usability and security over current methods. / Dissertation/Thesis / Masters Thesis Computer Science 2014

Computer science

continuous mobile authentication

evaluation framework

mobile computing

mobile device security

physical smart key

usable security

Empirical Assessment of Mobile Device Users’ Information Security Behavior towards Data Breach: Leveraging Protection Motivation Theory

Giwah, Anthony Duke

01 January 2019

User information security behavior has been an area of growing demand in information systems (IS) research. Unfortunately, most of the previous research done in user information security behavior have been in broad contexts, therefore creating a gap in the literature of similar research that focuses on specific emerging technologies and trends. With the growing reliance on mobile devices to increase the flexibility, speed and efficiency in how we work, communicate, shop, seek information and entertain ourselves, it is obvious that these devices have become data warehouses and platform for data in transit. This study was an empirical and quantitative study that gathered data leveraging a web-survey. Prior to conducting the survey for the main data collection, a Delphi study and pilot study were conducted. Convenience sampling was the category of nonprobability sampling design used to gather data. The 7-Point Likert Scale was used on all survey items. Pre-analysis data screening was conducted prior to data analysis. The Partial Least Square Structural Equation Modeling (PLS-SEM) was used to analyze the data gathered from a total of 390 responses received. The results of this study showed that perceived threat severity has a negative effect on protection motivation, while perceived threat susceptibility has a positive effect on protection motivation. Contrarily, the results from this study did not show that perceived response cost influences protection motivation. Response efficacy and mobile self-efficacy had a significant positive influence on protection motivation. Mobile device security usage showed to be significantly influenced positively by protection motivation. This study brings additional insight and theoretical implications to the existing literature. The findings reveal the PMT’s capacity to predict user behavior based on threat and coping appraisals within the context of mobile device security usage. Additionally, the extension of the PMT for the research model of this study implies that mobile devices users also can take recommended responses to protect their devices from security threats.

data breach

mobile device security

mobile device user

protection motivation theory

user information security behavior

Computer Sciences

Investigations and Development in the Area of Automated Security Evaluation of Android Devices with Focus on Bluetooth

Holmquist, Robin

January 2023

Bluetooth is a technology that has been implemented in over 5 billion devices and therefore has a considerable impact. It is the dominant technology for shortrange wireless communication. Modern society relies heavily on information technology (IT), and this has introduced a significant threat to society and companies in the form of hackers whether they be state-sponsored, political activists, or part of organized crime. This has introduced the need for companies and organizations that strive to make devices more secure, as well as standards that can be used for evaluating how secure a device is. Common Criteria (CC) is an internationally recognized set of guidelines and standards that can be used for security evaluation. There is a growing demand for enhanced efficiency in the field of security evaluation, especially considering the move to agile methodologies in information and communication technology (ICT) product development. Historically, security evaluation has been tailored to each individual product. The current trends in the certification and global ICT evaluation industry indicate a move in the direction of a greater reliance on predefined test cases. In this thesis, I describe how I designed, developed, and evaluated a toolkit that automates the evaluation of Android devices concerning a selection of security requirements that concern Bluetooth from the Mobile Device Fundamentals Protection Profile in CC. This involved a literature study, examination of the Bluetooth Core Specification, software development, and evaluation of the toolkit. My results from evaluating the toolkit found that it only reports non-compliance with a security requirement if the target of evaluation (TOE) is non-compliant. Additionally, every time the toolkit reported compliance with a security requirement, manual evaluation verified that the TOE truly complied with the security requirement. Finally, during the development phase, I discovered a vulnerability that had not been discovered during manual evaluation. It has been confirmed by the developer to be a vulnerability and a patch is currently being developed. My evaluation indicates that the toolkit I have developed is reliable and that it could therefore be used in the security industry. By finding a vulnerability by using automation, I have shown that automation could potentially be a useful approach for vulnerability research. Similarly to fuzzing, automation can be used to expose a system to behavior that it does not expect and therefore potentially reveal vulnerabilities. / Bluetooth är en teknologi som har implementerats i över 5 miljarder enheter och har därför stor inverkan. Det är den dominerande teknologin för trädlös kommunikation med kort räckvidd. Det moderna samhället är starkt beroende av informationsteknologi (IT), och detta har introducerat ett betydande hot mot samhället och företag i form av hackare oavsett om de är statligt sponsrade, politiska aktivister, eller en del av organiserad brottslighet. Detta har introducerat ett behov av företag och organisationer som strävar efter att göra enheter säkrare, såväl som standarder som kan användas för att utvärdera hur säker en enhet är. Common Criteria (CC) är en internationellt erkänd uppsättning riktlinjer och standarder som kan användas för säkerhetsutvärdering. Det finns en växande efterfrågan på ökad effektivitet inom området för säkerhetsutvärdering, särskilt med tanke på övergången till agila metoder för produktutveckling inom information- och kommunikations-teknologi. Historiskt sett har säkerhetsutvärdering skräddarsytts för varje enskild produkt. De nuvarande trenderna i certifieringsindustrin och globala ICT-utvärderingsindustrin indikerar en förflyttning i riktning mot ett mer frekvent användande av fördefinierade testfall. I denna uppsats beskriver jag hur jag designade, utvecklade och utvärderade ett verktyg som automatiserar utvärderingen av Android-enheter gällande ett urval av säkerhetskrav som rör Bluetooth från Mobile Device Fundamentals Protection Profile i CC. Detta innebar en litteraturstudie, granskning av Bluetooth Core Specification, mjukvaruutveckling och utvärdering av verktyget. Mina resultat från utvärderingen av verktyget visade att den bara rapporterar bristande efterlevnad med ett säkerhetskrav om målet för utvärdering (TOE) inte efterlever säkerhetskravet i fråga. Dessutom, varje gång verktyget rapporterade överensstämmelse med ett säkerhetskrav, verifierade manuell utvärdering att TOE:n verkligen efterlevde säkerhetskravet i fråga. Slutligen, under utvecklingsfasen upptäckte jag en sårbarhet som inte upptäckts under manuell utvärdering. Sårbarhet har bekräftats av utvecklaren och en patch håller på att utvecklas. Min utvärdering visar att det verktyg som jag har utvecklat är tillförlitlig och att den därför skulle kunna användas i säkerhetsbranschen. Genom att hitta en sårbarhet genom automatisering har jag visat att automatisering skulle kunna vara en användbar metod för sårbarhetsforskning. På samma sätt som fuzzing kan automatisering används för att utsätta ett system för beteenden som det inte förväntar sig och därför potentiellt avslöja sårbarheter.

Bluetooth

Android

Common Criteria

Automated dynamic security evaluation

Mobile device security

Bluetooth

Android

Common Criteria

S¨akerhet f¨or mobila enheter

Computer and Information Sciences

Data- och informationsvetenskap