Cynthia Kuo

Know your enemy: the risk of unauthorized access in smartphones by insiders

Smartphones store large amounts of sensitive data, such as SMS messages, photos, or email. In this paper, we report the results of a study investigating users concerns about unauthorized data access on their smartphones (22 interviewed and 724 surveyed subjects). We found that users are generally concerned about insiders (e.g., friends) accessing their data on smartphones. Furthermore, we present the first evidence that the insider threat is a real problem impacting smartphone users. In particular, 12% of subjects reported a negative experience with unauthorized access. We also found that younger users are at higher risk of experiencing unauthorized access. Based on our results, we propose a stronger adversarial model that incorporates the insider threat. To better reflect users concerns and risks, a stronger adversarial model must be considered during the design and evaluation of data protection systems and authentication methods for smartphones.

Short paper: smartphones: not smart enough?

Todays mobile devices are packed with sensors that are capable of gathering rich contextual information, such as location, wireless device signatures, ambient noise, and photographs. This paper exhorts the security community to re-design authentication mechanisms for users on mobile devices. Instead of relying on one simplistic, worst-case threat model, we should use contextual information to develop more nuanced models that assess the risk level of the users current environment. This would allow us to decrease or eliminate the level of user interaction required to authenticate in some situations, improving usability without any effective impact on security. Ideally, authentication mechanisms will scale up or down to match users own mental threat models of their environments. We sketch out several scenarios demonstrating how contextual information can be used to assess risks and adapt authentication mechanisms. This is a research-rich area, and we outline future research directions for developing and evaluating dynamic security mechanisms using contextual information.

Towards designing better map interfaces for the mobile: experiences from example

Creating user friendly map interfaces for the mobile platform presents several challenges that are uniquely different from those of their desktop counterparts. High resolution, photo realistic maps can now be displayed on mobile phones. While these graphics are visually pleasing, they do impact the users cognitive load. Further, small displays and limited interaction capabilities often make mobile map-based systems difficult to design and frustrating to use. In this paper, we discuss lessons learnt from designing and implementing mobile map interfaces through two examples: tourist maps and traffic maps. In particular, we discuss the rendering, user interaction, and system adaptations required for these mobile map interfaces.

SAFE: Secure authentication with Face and Eyes

Face authentication is commonly offered as an alternative to passwords for device unlock. However, available face authentication systems are vulnerable to simple spoofing attacks. We demonstrate the impact of image quality on spoofing, using low resolution photo representative of those commonly posted online. We also show that videos and slideshows of images at different angles, and crude 3D avatars are effective. To defend against these vulnerabilities, we propose a face authentication system that includes a secrecy challenge. We present SAFE (Secure Authentication with Face and Eyes1), an improved face authentication method that uses a commodity gaze tracker to input a secret. During authentication, the user must not only show her face but also gaze at a secret icon that moves across the screen. Using a novel method for estimating the noise level in the gaze tracking data, SAFE adapts the systems parameters to enable secure, hands-free authentication.

MARS: a muscle activity recognition system enabling self-configuring musculoskeletal sensor networks

Poor posture and incorrect muscle usage are a leading cause of many injuries in sports and fitness. For this reason, non-invasive, fine-grained sensing and monitoring of human motion and muscles is important for mitigating injury and improving fitness efficacy. Current sensing systems either depend on invasive techniques or unscalable approaches whose accuracy is highly dependent on body sensor placement. As a result these systems are not suitable for use in active sports or fitness training where sensing needs to be scalable, accurate and un-inhibitive to the activity being performed. We present MARS, a system that detects both body motion and individual muscle group activity during physical human activity by only using unobtrusive, non-invasive inertial sensors. MARS not only accurately senses and recreates human motion down to the muscles, but also allows for fast personalized system setup by determining the individual identities of the instrumented muscles, obtained with minimal system training. In a real world human study conducted to evaluate MARS, the system achieves greater than 95% accuracy in identifying muscle groups.

Designing user studies for security applications: a case study with wireless network configuration

Spontaneous interactions between end users and devices are generally secured by human actions. Evaluating whether end users are able to perform these actions correctly can be challenging. Basic, textbook-style user study methods make assumptions that may not hold for security applications. In this piece, we outline five major user study assumptions. Using 802.11 network configuration as a case study, we also show how to adapt existing user study methods for evaluating security applications. We model how security experts might approach the configuration of their own home networks. Next, we combine several methods to design a study that pinpoints where end users encounter difficulties during configuration. Finally, we discuss the findings from our user study.

Usable mobile security

We make the case for usable mobile security by outlining why usable security in mobile devices is important and why it is hard to achieve. We describe a number of current problems in mobile devices that need usable and secure solutions. Finally, we discuss the characteristics of mobile devices that can actually help in designing usable solutions to mobile security problems.

MARS: a muscle activity recognition system using inertial sensors

We present MARS, a muscle activity recognition system that uses inertial sensors to capture the vibrations of active mus-cles. Specifically, we show how accelerometer data capturing these vibrations in the quadriceps, hamstrings and calf muscles of the human leg, can be leveraged to create muscle vibration signatures. We finally show that these vibration signatures can be used to distinguish these muscles from each other with greater than 85% precision and recall.

Poster abstract: MARS: A muscle activity recognition system using inertial sensors

We present MARS, a muscle activity recognition system that uses inertial sensors to capture the vibrations of active mus-cles. Specifically, we show how accelerometer data capturing these vibrations in the quadriceps, hamstrings and calf muscles of the human leg, can be leveraged to create muscle vibration signatures. We finally show that these vibration signatures can be used to distinguish these muscles from each other with greater than 85% precision and recall.