Ev Even Turing Sho Shoul uld So Sometimes No Not Be Be Ab Able - - PowerPoint PPT Presentation

Aalborg, Denmark | NordSec 2019 Stephan Wiefling, Nils Gruschka, Luigi Lo Iacono

Ev Even Turing Sho Shoul uld So Sometimes No Not Be Be Ab Able To To Te Tell: Mi Mimicking Hu Humanoid Us Usage Be Behav avior

• r fo

for Ex Expl ploratory St Stud udies of

• f On

Online e Ser ervices es

Stephan Wiefling1, Nils Gruschka2, Luigi Lo Iacono1

1 TH Köln – University of Applied Sciences 2 University of Oslo

Aalborg, Denmark | NordSec 2019 Stephan Wiefling, Nils Gruschka, Luigi Lo Iacono

Mo Motiva tivatio tion

Aalborg, Denmark | NordSec 2019 Stephan Wiefling, Nils Gruschka, Luigi Lo Iacono

Mo Motiva tivatio tion

§ Algorithms impact our society § Technical aspects hidden behind user interfaces § Data availability needed for reliable research

Aalborg, Denmark | NordSec 2019 Stephan Wiefling, Nils Gruschka, Luigi Lo Iacono

Mo Motiva tivatio tion

§ Most online services are black boxes § Lack of transparency hinders research § Reverse engineering needed

?

Aalborg, Denmark | NordSec 2019 Stephan Wiefling, Nils Gruschka, Luigi Lo Iacono

Re Reve verse en engi gineer eering is is co complicat cated…

Aalborg, Denmark | NordSec 2019 Stephan Wiefling, Nils Gruschka, Luigi Lo Iacono

Re Reve verse en engi gineer eering is is co complicat cated…

§ No unique path to conduct such an analysis § Services implement countermeasures

Aalborg, Denmark | NordSec 2019 Stephan Wiefling, Nils Gruschka, Luigi Lo Iacono

Re Reve verse en engi gineer eering is is co complicat cated…

§ No unique path to conduct such an analysis § Services implement countermeasures àCamouflage measures needed

Aalborg, Denmark | NordSec 2019 Stephan Wiefling, Nils Gruschka, Luigi Lo Iacono

HOSIT

Aalborg, Denmark | NordSec 2019 Stephan Wiefling, Nils Gruschka, Luigi Lo Iacono

Humanoid Online Service Inspection Tool

HOSIT

Aalborg, Denmark | NordSec 2019 Stephan Wiefling, Nils Gruschka, Luigi Lo Iacono

Ov Over erview ew

1.

• 1. Tool

Tool

• 2. Proof of Concept
• 3. Conclusion

Aalborg, Denmark | NordSec 2019 Stephan Wiefling, Nils Gruschka, Luigi Lo Iacono

In Insp spectio ion To Tool

§ Simulates human-like browsing behavior

• n online services

§ All actions have to be predefined by the researchers § Reliable and reproducible research § Based on Puppeteer API

HOSIT

Aalborg, Denmark | NordSec 2019 Stephan Wiefling, Nils Gruschka, Luigi Lo Iacono

In Insp spectio ion To Tool

Virtual Identities Training Procedures Inspection Procedures

Study Conductor

Aalborg, Denmark | NordSec 2019 Stephan Wiefling, Nils Gruschka, Luigi Lo Iacono

Virtual Identities Training Procedures Inspection Procedures

Study Conductor

Vi Virtua ual Identities

§ Define properties § Typing, clicking behavior § Interests § …

Aalborg, Denmark | NordSec 2019 Stephan Wiefling, Nils Gruschka, Luigi Lo Iacono

Virtual Identities Training Procedures Inspection Procedures

Study Conductor

Tr Training Pr Procedures

§ New accounts are considered suspicious § Need to create valid behavior first § Takes time

Aalborg, Denmark | NordSec 2019 Stephan Wiefling, Nils Gruschka, Luigi Lo Iacono

Virtual Identities Training Procedures Inspection Procedures

Study Conductor

Tr Training Pr Procedures

§ Define activities to be performed on online service § and other online services (tracking) § Executed multiple times

Aalborg, Denmark | NordSec 2019 Stephan Wiefling, Nils Gruschka, Luigi Lo Iacono

Virtual Identities Training Procedures Inspection Procedures

Study Conductor

Tr Training Pr Procedures

§ Let the service learn “normal” behavior § Get tracked on other websites by the service § Desired result: § Get labeled as “normal” user

Aalborg, Denmark | NordSec 2019 Stephan Wiefling, Nils Gruschka, Luigi Lo Iacono

Virtual Identities Training Procedures Inspection Procedures

Study Conductor

In Insp spectio ion Pr Procedures

§ Create unusual behavior at online service § Analyze services’ reaction to unusual behavior

Aalborg, Denmark | NordSec 2019 Stephan Wiefling, Nils Gruschka, Luigi Lo Iacono

In Insp spectio ion To Tool

Log API

HOSIT Framework

Human User Imitation API Virtual Identities Training Procedures Inspection Procedures

Study Conductor

Aalborg, Denmark | NordSec 2019 Stephan Wiefling, Nils Gruschka, Luigi Lo Iacono

In Insp spectio ion To Tool

Log API

HOSIT Framework

Human User Imitation API Virtual Identities Training Procedures Inspection Procedures

Study Conductor

§ Executes the actions § Adds human-imitating behavior to function calls § Properties of virtual identity

Aalborg, Denmark | NordSec 2019 Stephan Wiefling, Nils Gruschka, Luigi Lo Iacono

In Insp spectio ion To Tool

Log API

HOSIT Framework

Human User Imitation API Virtual Identities Training Procedures Inspection Procedures

Study Conductor

§ Logs all actions with screenshots § Reproducibility

Aalborg, Denmark | NordSec 2019 Stephan Wiefling, Nils Gruschka, Luigi Lo Iacono

In Insp spectio ion To Tool

Log API Virtual Identities Training Procedures Inspection Procedures

HOSIT Framework Inspected Service

Human User Imitation API

Study Conductor

Aalborg, Denmark | NordSec 2019 Stephan Wiefling, Nils Gruschka, Luigi Lo Iacono

Why do we need another browser automation tool?

Aalborg, Denmark | NordSec 2019 Stephan Wiefling, Nils Gruschka, Luigi Lo Iacono

Cl Click Be Behavio ior

Pu Puppeteer 0. 0.13. 13.0 HO HOSIT IT

* Komandur et al.: Relation between mouse button click duration and muscle contraction time. In: EMBC '08. (Aug 2008)

*

Aalborg, Denmark | NordSec 2019 Stephan Wiefling, Nils Gruschka, Luigi Lo Iacono

Typ Typing Sp Speed

Pu Puppeteer 0. 0.13. 13.0 HO HOSIT IT t t Constant delay Randomized variations*

* Drury, C.G., Hoffmann, E.R.: A model for movement time on data-entry keyboards. Ergonomics 35(2) (Feb 1992)

Aalborg, Denmark | NordSec 2019 Stephan Wiefling, Nils Gruschka, Luigi Lo Iacono

Bo Bot De Detection Pr Prote tectio tion

Pu Puppeteer 0. 0.13. 13.0 HO HOSIT IT

Aalborg, Denmark | NordSec 2019 Stephan Wiefling, Nils Gruschka, Luigi Lo Iacono

Br Browsin ing Be Behavio ior Cha Chang nges

Pe Persona A Pe Persona B

Aalborg, Denmark | NordSec 2019 Stephan Wiefling, Nils Gruschka, Luigi Lo Iacono

Mo More Fu Func nctions

• ns

§ Common workflows integrated § Search query generator § CAPTCHA solving § Scrolling § Select tabs

Aalborg, Denmark | NordSec 2019 Stephan Wiefling, Nils Gruschka, Luigi Lo Iacono

Ex Examp mple Sc Scrip ipt

§ Opens a search engine § Clicks on image search § Types random search query covered in the media § Scrolls to bottom of results

Aalborg, Denmark | NordSec 2019 Stephan Wiefling, Nils Gruschka, Luigi Lo Iacono

Ex Examp mple Sc Scrip ipt

§ Video recorded at October 22nd, 2019

Aalborg, Denmark | NordSec 2019 Stephan Wiefling, Nils Gruschka, Luigi Lo Iacono

Ov Over erview ew

• 1. Tool

2.

• 2. Pr

Proof f of

• f Co

Concept ept

• 3. Conclusion

Aalborg, Denmark | NordSec 2019 Stephan Wiefling, Nils Gruschka, Luigi Lo Iacono

Pr Proof f of

• f Co

Conc ncept pt

§ Study on Risk-based Authentication* § Required human-like behavior from clients

* Wiefling et al.: Is This Really You? An Empirical Study on Risk-Based Authentication Applied in the Wild. In: IFIP SEC ’19. (Jun 2019)

Aalborg, Denmark | NordSec 2019 Stephan Wiefling, Nils Gruschka, Luigi Lo Iacono

Username Password

Risk estimation Low Medium High Risk: IP address User agent ...

Aalborg, Denmark | NordSec 2019 Stephan Wiefling, Nils Gruschka, Luigi Lo Iacono

Username Password

IP: Aalborg, DK Chrome Windows 10 ...

Aalborg, Denmark | NordSec 2019 Stephan Wiefling, Nils Gruschka, Luigi Lo Iacono

„Same device as always“

Risk estimation Low risk

Username Password

IP: Aalborg, DK Chrome Windows 10 ...

Aalborg, Denmark | NordSec 2019 Stephan Wiefling, Nils Gruschka, Luigi Lo Iacono

IP: Ber Berlin, n, DE Chrome An Andro roid 8 8.1 .1 ...

Username Password

Aalborg, Denmark | NordSec 2019 Stephan Wiefling, Nils Gruschka, Luigi Lo Iacono

„There‘s something different here“

Risk estimation Medium risk Additional Authentication IP: Ber Berlin, n, DE Chrome An Andro roid 8 8.1 .1 ...

Username Password

Aalborg, Denmark | NordSec 2019 Stephan Wiefling, Nils Gruschka, Luigi Lo Iacono

„There‘s something different here“

Risk estimation Medium risk Additional Authentication Proof for additional authentication IP: Ber Berlin, n, DE Chrome An Andro roid 8 8.1 .1 ...

Username Password

Aalborg, Denmark | NordSec 2019 Stephan Wiefling, Nils Gruschka, Luigi Lo Iacono

IP: Ne New York, US* Ph PhantomJS Li Linux ...

Username Password

* Known spam IP address

Aalborg, Denmark | NordSec 2019 Stephan Wiefling, Nils Gruschka, Luigi Lo Iacono

„Very likely a hacker“

Risk estimation High risk

Username Password

* Known spam IP address

IP: Ne New York, US* Ph PhantomJS Li Linux ...

Aalborg, Denmark | NordSec 2019 Stephan Wiefling, Nils Gruschka, Luigi Lo Iacono

Ris Risk-ba based Au Authentic icatio ion

§ Recommended by NIST digital identity guidelines* § Used by large online services § However: Procedures not disclosed à Black-box testing eight popular online services

* Grassi et al.: Digital identity guidelines. Tech. Rep. NIST SP 800-63b (2017)

Aalborg, Denmark | NordSec 2019 Stephan Wiefling, Nils Gruschka, Luigi Lo Iacono

Pr Proof f of

• f Co

Conc ncept pt*

§ Trained services with human-like behavior § Triggered RBA with behavior

* Wiefling et al.: Is This Really You? An Empirical Study on Risk-Based Authentication Applied in the Wild. In: IFIP SEC ’19. (Jun 2019)

Aalborg, Denmark | NordSec 2019 Stephan Wiefling, Nils Gruschka, Luigi Lo Iacono

Aalborg, Denmark | NordSec 2019 Stephan Wiefling, Nils Gruschka, Luigi Lo Iacono

?

Aalborg, Denmark | NordSec 2019 Stephan Wiefling, Nils Gruschka, Luigi Lo Iacono

Lo Login IP IP ad addre ress Us User Ag Agent ... ...

?

Aalborg, Denmark | NordSec 2019 Stephan Wiefling, Nils Gruschka, Luigi Lo Iacono

Login Lo Login IP IP ad addre ress Us User Ag Agent ... ...

1 TH Köln Chrome ...

?

Aalborg, Denmark | NordSec 2019 Stephan Wiefling, Nils Gruschka, Luigi Lo Iacono

Login Lo Login IP IP ad addre ress Us User Ag Agent ... ...

1 TH Köln Chrome ... 2 TH Köln Chrome ...

?

Aalborg, Denmark | NordSec 2019 Stephan Wiefling, Nils Gruschka, Luigi Lo Iacono

Login Lo Login IP IP ad addre ress Us User Ag Agent ... ...

1 TH Köln Chrome ... 2 TH Köln Chrome ... 3 TH Köln Chrome ...

?

Aalborg, Denmark | NordSec 2019 Stephan Wiefling, Nils Gruschka, Luigi Lo Iacono

Login Lo Login IP IP ad addre ress Us User Ag Agent ... ...

1 TH Köln Chrome ... 2 TH Köln Chrome ... 3 TH Köln Chrome ... ... ... ... .... 20 TH Köln Chrome ...

?

Aalborg, Denmark | NordSec 2019 Stephan Wiefling, Nils Gruschka, Luigi Lo Iacono

</>

Lo Login IP IP ad addre ress Us User Ag Agent ... ...

1 TH Köln Chrome ... 2 TH Köln Chrome ... 3 TH Köln Chrome ... ... ... ... .... 20 TH Köln Chrome ...

?

Aalborg, Denmark | NordSec 2019 Stephan Wiefling, Nils Gruschka, Luigi Lo Iacono

Login Lo Login IP IP ad addre ress Us User Ag Agent ... ...

1 TH Köln Chrome ... 2 TH Köln Chrome ... 3 TH Köln Chrome ... ... ... ... .... 20 TH Köln Chrome ... 21 Ot Other Co Country Chrome ...

</>

?

Aalborg, Denmark | NordSec 2019 Stephan Wiefling, Nils Gruschka, Luigi Lo Iacono

Login Lo Login IP IP ad addre ress Us User Ag Agent ... ...

1 TH Köln Chrome ... 2 TH Köln Chrome ... 3 TH Köln Chrome ... ... ... ... .... 20 TH Köln Chrome ... 21 Ot Other Co Country Chrome ...

</>

?

• r ?

,

Aalborg, Denmark | NordSec 2019 Stephan Wiefling, Nils Gruschka, Luigi Lo Iacono

Identities 28x

Aalborg, Denmark | NordSec 2019 Stephan Wiefling, Nils Gruschka, Luigi Lo Iacono

HOSIT

Log

RBA Testing Human User Imitation

Identities 28x

Aalborg, Denmark | NordSec 2019 Stephan Wiefling, Nils Gruschka, Luigi Lo Iacono

Inspected Services HOSIT

Log

RBA Testing Human User Imitation

Identities 28x 224 User Accounts

Aalborg, Denmark | NordSec 2019 Stephan Wiefling, Nils Gruschka, Luigi Lo Iacono

Pr Proof f of

• f Co

Conc ncept pt*

* Wiefling et al.: Is This Really You? An Empirical Study on Risk-Based Authentication Applied in the Wild. In: IFIP SEC ’19. (Jun 2019)

HOSIT

Log

Te Human User Imitation

Identities 28x

§ Results: § Internal features used for RBA § Estimation of services’ RBA procedures § Would not have been possible without HOSIT

Aalborg, Denmark | NordSec 2019 Stephan Wiefling, Nils Gruschka, Luigi Lo Iacono

Ov Over erview ew

• 1. Tool
• 2. Proof of Concept

3.

• 3. Co

Conclus usio ion

Aalborg, Denmark | NordSec 2019 Stephan Wiefling, Nils Gruschka, Luigi Lo Iacono

Co Conc nclusion

§ HOSIT available as open source software* § Can be used for own studies of online services § Responsible service access for researchers?

* https://git.io/hosit

Aalborg, Denmark | NordSec 2019 Stephan Wiefling, Nils Gruschka, Luigi Lo Iacono

Th Thank yo you

stephan.wiefling@th-koeln.de @swiefling riskbasedauthentication.org/hosit das.th-koeln.de