Wenyuan Xu

DolphinAttack: Inaudible Voice Commands

Speech recognition (SR) systems such as Siri or Google Now have become an increasingly popular human-computer interaction method, and have turned various systems into voice controllable systems (VCS). Prior work on attacking VCS shows that the hidden voice commands that are incomprehensible to people can control the systems. Hidden voice commands, though hidden, are nonetheless audible. In this work, we design a totally inaudible attack, DolphinAttack, that modulates voice commands on ultrasonic carriers (e.g., f > 20 kHz) to achieve inaudibility. By leveraging the nonlinearity of the microphone circuits, the modulated low-frequency audio commands can be successfully demodulated, recovered, and more importantly interpreted by the speech recognition systems. We validated DolphinAttack on popular speech recognition systems, including Siri, Google Now, Samsung S Voice, Huawei HiVoice, Cortana and Alexa. By injecting a sequence of inaudible voice commands, we show a few proof-of-concept attacks, which include activating Siri to initiate a FaceTime call on iPhone, activating Google Now to switch the phone to the airplane mode, and even manipulating the navigation system in an Audi automobile. We propose hardware and software defense solutions, and suggest to re-design voice controllable systems to be resilient to inaudible voice command attacks.

On Code Execution Tracking via Power Side-Channel

With the proliferation of Internet of Things, there is a growing interest in embedded system attacks, e.g., key extraction attacks and firmware modification attacks. Code execution tracking, as the first step to locate vulnerable instruction pieces for key extraction attacks and to conduct control-flow integrity checking against firmware modification attacks, is therefore of great value. Because embedded systems, especially legacy embedded systems, have limited resources and may not support software or hardware update, it is important to design low-cost code execution tracking methods that require as little system modification as possible. In this work, we propose a non-intrusive code execution tracking solution via power-side channel, wherein we represent the code execution and its power consumption with a revised hidden Markov model and recover the most likely executed instruction sequence with a revised Viterbi algorithm. By observing the power consumption of the microcontroller unit during execution, we are able to recover the program execution flow with a high accuracy and detect abnormal code execution behavior even when only a single instruction is modified.

Pido: Predictive Delay Optimization for Intertidal Wireless Sensor Networks

Intertidal habitats are among the harshest environments on the planet, and have emerged as a model system for exploring the ecological impacts of global climate change. Deploying reliable instrumentation to measure environmental conditions such as temperature is challenging in this environment. The application of wireless sensor networks (WSNs) shows considerable promise as a means of optimizing continuous data collection, but poor link quality and unstable connections between nodes, caused by harsh physical environmental conditions, bring about a delay problem. In this paper, we model and analyze the components of delays in an intertidal wireless sensor network system (IT-WSN). We show that, by properly selecting routing pathways, it is feasible to improve delay. To this end, we propose a Predictive Delay Optimization (Pido) framework, which provides a new metric for routing path selection. Pido incorporates delay introduced by both link quality and node conditions, and designs a classifier to predict future conditions of nodes, i.e., the likely time of aerial exposure at low tide in this case. We evaluate the performance of Pido in both a real IT-WSN system and a large-scale simulation, the result demonstrates that Pido decreases up to 73% of delays on average with limited overhead.

LESS: Link Estimation with Sparse Sampling in Intertidal WSNs

Deploying wireless sensor networks (WSN) in the intertidal area is an effective approach for environmental monitoring. To sustain reliable data delivery in such a dynamic environment, a link quality estimation mechanism is crucial. However, our observations in two real WSN systems deployed in the intertidal areas reveal that link update in routing protocols often suffers from energy and bandwidth waste due to the frequent link quality measurement and updates. In this paper, we carefully investigate the network dynamics using real-world sensor network data and find it feasible to achieve accurate estimation of link quality using sparse sampling. We design and implement a compressive-sensing-based link quality estimation protocol, LESS, which incorporates both spatial and temporal characteristics of the system to aid the link update in routing protocols. We evaluate LESS in both real WSN systems and a large-scale simulation, and the results show that LESS can reduce energy and bandwidth consumption by up to 50% while still achieving more than 90% link quality estimation accuracy.

iCare: Automatic and User-friendly Child Identification on Smartphones

With the proliferation of smartphones, children often use the same smartphones of their parents to play games or surf Internet, and can potentially access kid-unfriendly content from the Internet jungle. It is critical to employ parent patrol mechanisms such that children are limited to child-friendly contents only. A successful parent patrol strategy has to be user-friendly and privacy-aware. The apps that require explicit actions from parents may not be effective when parents forget to enable them, and the ones that use built-in cameras to detect children may impose privacy violations. In this paper, we propose iCare, which can identify child users automatically and seamlessly as users operate smartphones. In particular, iCare investigates the intrinsic differences of screen-touch patterns between child and adult users. We discover that users touch behaviors depend on a users age. Thus, iCare records the touch behaviors and extracts hand-geometry and finger dexterity features that capture the age information. We conducted experiments on 31 people including 17 elementary school kids (3 to 11 years old) and 14 adults (22 to 60). Results show that iCare can achieve 84% accuracy for child identification using only a single swipe on the screen, and the accuracy becomes 97% with 8 consecutive swipes.

DeWiCam: Detecting Hidden Wireless Cameras via Smartphones

Wireless cameras are widely deployed in surveillance systems for security guarding. However, the privacy concerns associated with unauthorized videotaping, are drawing an increasing attention recently. Existing detection methods for unauthorized wireless cameras are either limited by their detection accuracy or requiring dedicated devices. In this paper, we propose DeWiCam, a lightweight and effective detection mechanism using smartphones. The basic idea of DeWiCam is to utilize the intrinsic traffic patterns of flows from wireless cameras. Compared with traditional traffic pattern analysis, DeWiCam is more challenging because it cannot access the encrypted information in the data packets. Yet, DeWiCam overcomes the difficulty and can detect nearby wireless cameras reliably. To further identify whether a camera is in an interested room, we propose a human-assisted identification model. We implement DeWiCam on the Android platform and evaluate it with extensive experiments on 20 cameras. The evaluation results show that DeWiCam can detect cameras with an accuracy of 99% within 2.7 s.

HlcAuth: Key-free and Secure Communications via Home-Limited Channel

Nowadays most IoT devices in smart homes rely on radio frequency channels for communication, making them exposed to various attacks. Existing methods using encryption keys may be inapplicable on these resource-constrained devices that cannot afford the computationally expensive encryption operations. Thus, in this paper we design a key-free communication method for such devices. In particular, we introduce the Home-limited Channel (HLC) that can be accessed only within a house yet inaccessible for an outside-house attacker. Utilizing HLCs, we propose a challenge-response mechanism to authenticate the communications inside a house. The advantages of the HlcAuth protocol are low cost, lightweight as well as key-free, and requiring no human intervention. We show that HlcAuth can defeat replay attacks, message-forgery attacks, and man-in-the-middle (MiTM) attacks, among others. HlcAuth achieves 100% true positive rate (TPR) within 4.2m for in-house devices while 0% false positive rate (FPR) for outside attackers.

FBSleuth: Fake Base Station Forensics via Radio Frequency Fingerprinting

Fake base station (FBS) crime is a type of wireless communication crime that has appeared recently. The key to enforcing the laws on regulating FBS based crime is not only to arrest but also to convict criminals effectively. Much work on FBS discovering, localization, and tracking can assist the arresting, but the problem of collecting evidence accurately to support a proper conviction has not been addressed yet. To fill in the gap of enforcing the laws on FBS crimes, we design FBSleuth, an FBS crime forensics framework utilizing radio frequency (RF) fingerprints, e.g., the unique characteristics of the FBS transmitters embedded in the electromagnetic signals. Essentially, such fingerprints stem from the imperfections in hardware manufacturing and thus represent a consistent bond between an individual FBS device and its committed crime. We model the RF fingerprint from the subtle variance of the modulation errors, instantaneous frequency, and phases of the RF signals. Our validation of FBSleuth on six FBSes from four cities over more than 5 months shows that FBSleuth can achieve over 99% precision, 96.4% recall, and 97.94% F1 score in a dynamic wild environment.

User Presence Inference via Encrypted Traffic of Wireless Camera in Smart Homes

Wireless cameras are widely deployed in smart homes for security guarding, baby monitoring, fall detection, and so on. Those security cameras, which are supposed to protect users, however, may in turn leak a user’s personal privacy. In this paper, we reveal that attackers are able to infer whether users are at home or not, that is, the user presence, by eavesdropping the traffic of wireless cameras from distance. We propose HomeSpy , a system that infers user presence by inspecting the intrinsic pattern of the wireless camera traffic. To infer the user presence, HomeSpy first eavesdrops the wireless traffic around the target house and detects the existence of wireless cameras with a Long Short-Term Memory (LSTM) network. Then, HomeSpy infers the user presence using the bitrate variation of the wireless camera traffic based on a cumulative sum control chart (CUSUM) algorithm. We implement HomeSpy on the Android platform and validate it on 20 cameras. The evaluation results show that HomeSpy can achieve a successful attack rate of 97.2%.

A robust backup routing protocol for neighbor area network in the smart grid

To satisfy requirements from various applications in the smart grid, transmitting data robustly and reliably has become one of the most crucial tasks. However, existing routing protocols like CTP, LEACH, HWMP cannot be directly applied to the smart grid system. In this paper, we propose RH-HWMP, which provides robust data transmission for the neighbor area network (NAN) in the smart grid. The main idea of RH-HWMP is to utilize a greedy path selection algorithm to select backup paths with minimum fault dependence based on the reliability history of links. Once the first priority path fails, the node switches to the backup path immediately, which can efficiently improve robustness and fault tolerance of the network. We simulate RH-HWMP with NS-3, and the results demonstrate that RH-HWMP can improve the robustness of the network with limited overhead compared with traditional routing protocol HWMP.