Florian Schaub

Pseudonym Schemes in Vehicular Networks: A Survey

Safety-critical applications in cooperative vehicular networks require authentication of nodes and messages. Yet, privacy of individual vehicles and drivers must be maintained. Pseudonymity can satisfy both security and privacy requirements. Thus, a large body of work emerged in recent years, proposing pseudonym solutions tailored to vehicular networks. In this survey, we detail the challenges and requirements for such pseudonym mechanisms, propose an abstract pseudonym lifecycle, and give an extensive overview and categorization of the state of the art in this research area. Specifically, this survey covers pseudonym schemes based on public key and identity-based cryptography, group signatures and symmetric authentication. We compare the different approaches, give an overview of the current state of standardization, and identify open research challenges.

A VANET-based emergency vehicle warning system

One often cited use case for vehicular networks are applications that relate to emergency vehicles. In addition to the traditional siren, they could use radio communication to warn other vehicles or to preempt traffic lights. Such an application can reduce accident risks during emergency response trips and also help save valuable time. We outline a comprehensive design of such an emergency vehicle warning system that makes full use of inter-vehicle communication, but also encompasses roadside infrastructure like traffic lights. In our system, other vehicles are not simply warned of an approaching emergency vehicle; they also receive detailed route information. Based on this information, timely and appropriate reaction of other drivers is possible. A prototype of our system has been tested in a traffic environment including emergency vehicles and traffic lights. To identify requirements and evaluate our system, we also conducted a detailed analysis of videos from emergency response trips and an expert survey among members of a local emergency response organization.

Password entry usability and shoulder surfing susceptibility on different smartphone platforms

Virtual keyboards of different smartphone platforms seem quite similar at first glance, but the transformation from a physical to a virtual keyboard on a small-scale display results in user experience variations that cause significant differences in usability as well as shoulder surfing susceptibility, i.e., the risk of a bystander observing what is being typed. In our work, we investigate the impact of both aspects on the security of text-based password entry on mobile devices. In a between subjects study with 80 participants, we analyzed usability and shoulder surfing susceptibility of password entry on different mobile platforms (iOS, Android, Windows Phone, Symbian, MeeGo). Our results show significant differences in the usability of password entry (required password entry time, typing accuracy) and susceptibility to shoulder surfing. Our results provide insights for security-aware design of on-screen keyboards and for password composition strategies tailored to entry on smartphones.

Exploring the design space of graphical passwords on smartphones

Smartphones have emerged as a likely application area for graphical passwords, because they are easier to input on touchscreens than text passwords. Extensive research on graphical passwords and the capabilities of modern smartphones result in a complex design space for graphical password schemes on smartphones. We analyze and describe this design space in detail. In the process, we identify and highlight interrelations between usability and security characteristics, available design features, and smartphone capabilities. We further show the expressiveness and utility of the design space in the development of graphical passwords schemes by implementing five different existing graphical password schemes on one smartphone platform. We performed usability and shoulder surfing experiments with the implemented schemes to validate identified relations in the design space. From our results, we derive a number of helpful insights and guidelines for the design of graphical passwords.

Privacy Requirements in Vehicular Communication Systems

A primary goal of vehicular communication systems is the enhancement of traffic safety by equipping vehicles with wireless communication units to facilitate cooperative awareness. Privacy issues arise from the frequent broadcasting of real-time positioning information. Thus privacy protection becomes a key factor for enabling widespread deployment. At the same time, stakeholders demand accountability due to the safety-critical nature of many applications. Earlier works on privacy requirements for vehicular networks often discussed them as a part of security. Therefore many aspects of privacy requirements have been overlooked. In this paper, we identify a structured and comprehensive set of privacy-related requirements for vehicular communication systems, andanalyze the complex inter-relations among them. Our results enable system designers to better understand privacy issues in vehicular networks and properly address privacy requirements during the system design process. We further show that our requirements set facilitates the comparison and evaluation of different privacy approaches for vehicular communication systems.

V-Tokens for Conditional Pseudonymity in VANETs

Privacy is an important requirement in vehicle networks, because vehicles broadcast detailed location information. Also of importance is accountability due to safety critical applications. Conditional pseudonymity, i.e., usage of resolvable pseudonyms, is a common approach to address both. Often, resolvability of pseudonyms is achieved by authorities maintaining pseudonym- identity mappings. However, these mappings are privacy sensitive and require strong protection to prevent abuse or leakage. We present a new approach that does not rely on pseudonym-identity mappings to be stored by any party. Resolution information is directly embedded in pseudonyms and can only be accessed when multiple authorities cooperate. Our privacy-preserving pseudonym issuance protocol ensures that pseudonyms contain valid resolution information but prevents issuing authorities from creating pseudonym-identity mappings.

Modeling in-network aggregation in VANETs

The multitude of applications envisioned for vehicular ad hoc networks requires efficient communication and dissemination mechanisms to prevent network congestion. In-network data aggregation promises to reduce bandwidth requirements and enable scalability in large vehicular networks. However, most existing aggregation schemes are tailored to specific applications and types of data. Proper comparative evaluation of different aggregation schemes is difficult. Yet, comparability is essential to properly measure accuracy, performance, and efficiency. We outline a modeling approach for VANET aggregation schemes to achieve objective comparability. Our modeling approach consists of three models, which provide different perspectives on an aggregation scheme. The generalized architecture model facilitates categorization of aggregation schemes. The aggregation information flow model supports analysis of where information is aggregated by a scheme. The aggregation state graph models how knowledge about the road network and its environment is represented by a scheme. Furthermore, it facilitates error estimation with respect to the ground truth. We apply each modeling approach to existing aggregation schemes from the literature and highlight strengths, as well as weaknesses, that can be used as a starting point for designing a more generic aggregation scheme.

Channel switch and quiet attack: New DoS attacks exploiting the 802.11 standard

Network communication using unprotected air as a medium leads to unique challenges ensuring confidentiality, integrity and availability. While newer amendments of IEEE 802.11 provide acceptable confidentiality and integrity, availability is still questionable despite broad usage of Wi-Fi technologies for tasks where availability is critical. We will present new security weaknesses that we have identified in the 802.11 standard and especially the 802.11h amendment. Our results are underlined by an extensive analysis of attacks addressing the quiet information element and channel switch announcement in management frames. For some stations a complete DoS effect can be achieved with a single packet for more than one minute. This shows that the newly identified attacks are more efficient than earlier approaches like a deauthentication attack. Tests were performed with a large variety of network interface cards, mobile devices, and operating systems.

Territorial privacy in ubiquitous computing

Smartphones define a trend towards increasing combination and integration of sensing capabilities with almost ubiquitous inter-connectivity. Resulting location-based services and context-aware applications will benefit users by adapting better to the user application needs. However, there is a lack of effective means for controlling privacy in such systems which will likely increase further with future ubiquitous computing systems. Territorial privacy is a concept that moves away from the information-centric view in traditional systems to a context-centric approach. In this paper, we define and model territorial privacy in the context of ubiquitous computing. We further discuss potential observers and disturbers in our model and provide an overview on how territorial privacy can be controlled in different environments, ranging from personal to public.

Device Names in the Wild: Investigating Privacy Risks of Zero Configuration Networking

Zero configuration networking aims to support users in seamlessly connecting devices and services. However, in public networks associated service announcements pose substantial privacy risks. A major issue is the inclusion of identifying information in device names, often automatically set or suggested by devices upon initial configuration. Focusing on mDNS, we assess this issue by studying its actual extent, awareness about the problem, and potential consequences for privacy. We collected a one-week dataset of mDNS announcements in a semi-public Wi-Fi network at a university. Of 2,957 unique device names, 59% contained real names of users, with 17.6% containing first and last name. An online survey (n=137) revealed that 29% of the participants did not know the current device name of their smartphone, but that the vast majority considered periodic announcement of their full names worrisome. We further discuss specific potential privacy threats and attack scenarios stemming from mDNS device names.