SLIDE 1

Exploiting Social Navigation

MEITAL BEN SINAI, NIMROD PARTUSH, SHIR YADID, ERAN YAHAV

Technion, Israel

SLIDE 2

Outline

  • Intro
  • Goals & Motivation
  • Attacks (+Demos \(^o^)/)
  • Defense
  • Summary & Conclusions

Exploiting Social Navigation - Black Hat Asia 2015 - Meital Ben Sinai, Nimrod Partush, Shir Yadid, Eran Yahav

SLIDE 3

Intro

  • Navigation (like most content) is becoming social
  • Waze has over 50 Million Users
  • The data is being crowdsourced
  • But the crowd is oblivious to consequences
  • What kind of attacks can be applied in this context?

  • Can the crowdsourcing process be exploited?
  • How to mitigate?

SLIDE 4

How did this happen?

  • while driving out of congested Jerusalem with Waze on, on a Thursday afternoon.

As a joke, called and told my adviser

He took it too seriously..

Enter undergrads*!

SLIDE 6

Research Goal

  • Successfully apply a Sybil Attack to a social navigation system

  • And explore what can be gained

“In a Sybil attack the attacker subverts the reputation system of a peer-to-peer network by creating a large number of pseudonymous identities, using them to gain a disproportionately large influence”

SLIDE 7

Motivation

SLIDE 8

Attacks

SLIDE 9

Attack #1: Creating False Congestion & Affecting Routing

  • (Insert Demo Here)

SLIDE 10

Navigation

SLIDE 11

Successful Attack

SLIDE 12

Navigation has Changed!

SLIDE 13

Spoof Attack: Responses

  • "These students may be in an "excellence program" but obviously they, and more so the academic adviser, have lost their moral compass which is far more important for providing direction than Waze. Even if the project was done as a prank or as an academic exercise, the results are no different than physically going out and blocking a major roadway, something that presumably would not be tolerated by the legal system. And to then go and brag about it? Why are they not swiftly being investigated by the police.."

SLIDE 14

Spoof Attack: Disclosure

  • We notified Waze of the attack 2 months before publishing
  • We saw a change in the registration process roughly 6 months after publishing (+8 months)
  • 6 months later, the attack seemed to have been patched
  • At least in the small setting of our experiment

SLIDE 15

Spoof Attack: Implications

  • National
      • Render the system useless
      • Waste time & fuel (& pollution) of users
  • Private Financial
      • Congest (free) roads near toll roads
      • Make people drive by my restaurant\sign
      • Create congestion near the competition
  • Criminal
      • Lead a target down an attacker controlled path
  • Personal
      • Clear roads to save time
      • Get people out (or in?) of your neighborhood

SLIDE 16

Attack #2: Tracking Users

  • (Insert Demo Here)

SLIDE 31

Privacy Attack: Implications

  • 2-way street
  • Track location from identity
  • Spy on people
  • Know if a target is near you
  • Infer identity from location
  • Infer persons of interest from location
  • Attack can be focused
  • R\W
  • Tracking is read, Spoofing is write

SLIDE 32

Mitigating Attacks

  • Tracking attack: Waze allows you to opt out of the ‘Live map’
  • But this is not the default option
  • Spoofing attack: Can be mitigated by using carrier information
  • Waze started doing this after the attack became public
  • Read more in the white paper!

SLIDE 33

Summary

  • A Sybil attack on Social navigation is possible
  • We demonstrated a spoofing & tracking attack
  • Attacks require no RE-ing, use the Waze mechanism against itself

  • Tracked thousands of users
  • Successfully created false congestion reports
  • Reproducible
  • Routing affected
  • Vast implications
  • Suggested mitigation
  • Adapted by Waze (??)

SLIDE 34

Conclusions

  • Users should beware of blindly trusting social applications
  • Even in reliable applications such as Waze
  • Applications with millions of users can and should put more effort into security

  • Undergrads* can be useful

SLIDE 35

Questions?
