SLIDE 1
Power to peep-all: Inference Attacks by Malicious Batteries on Mobile Devices
Pavel Lifshits, Roni Forte , Yedid Hoshen, Matt Halpern, Manuel Philipose, Mohit Tiwari, and Mark Silberstein
Power to peep-all: Inference Attacks by Malicious Batteries on - - PowerPoint PPT Presentation
Power to peep-all: Inference Attacks by Malicious Batteries on - - PowerPoint PPT Presentation
Power to peep-all: Inference Attacks by Malicious Batteries on Mobile Devices Pavel Lifshits, Roni Forte , Yedid Hoshen, Matt Halpern, Manuel Philipose, Mohit Tiwari, and Mark Silberstein Speaker: Pavel Lifshits SMART BATTERY
SLIDE 2
SLIDE 3
SLIDE 4
SLIDE 5
SMART BATTERY
- Programmability
- Sensors: current, voltage, temperature
Why? Safety overheating, over/under voltage Extend battery life Performance
SLIDE 6
SMART BATTERY - PROGRAMMABILITY Software defined battery (SOSP ‘15)
By Microsoft & Tesla
Smart battery System
See spec. http://sbs-forum.org/specs/
SLIDE 7
INSIDE SMARTPHONE BATTERY Btemp NFC antenna BSI (battery size/status/system indicator)
SLIDE 8
INSIDE SMARTPHONE BATTERY Your phone batteries are getting smarter!
SLIDE 9
Do the smart batteries create a new privacy threat?
SLIDE 10
Do the smart batteries create a new privacy threat?
SLIDE 11
IF THE ATTACKER GETS ON YOUR BATTERY
- Browsing History
SLIDE 12
IF THE ATTACKER GETS ON YOUR BATTERY
- Browsing History
- Applications
SLIDE 13
IF THE ATTACKER GETS ON YOUR BATTERY
- Browsing History
- Applications
- Typing
SLIDE 14
IF THE ATTACKER GETS ON YOUR BATTERY
- Browsing History
- Applications
- Typing
- Photo shot
SLIDE 15
IF THE ATTACKER GETS ON YOUR BATTERY
- Browsing History
- Applications
- Typing
- Photo shot
- Communication profile –Phone calls
SLIDE 16
AGENDA
- General scheme for malicious battery attacks
- Examples:
Keystroke inference Combination of multiple attacks
- Data exfiltration mechanism via browser
SLIDE 17
METHODOLOGY
SLIDE 18
METHODOLOGY
SLIDE 19
METHODOLOGY
SLIDE 20
METHODOLOGY
SLIDE 21
App-specific Classifier
Known Event?
Classifier
Label
Novelty Detector
Ignore Classify Device Active?
Activity Detector
Ignore
APP SPECIFIC PIPELINE
SLIDE 22
App-specific Classifier
Known Webpage?
Webpage Classifier
Webpage
Novelty Detector
Ignore Classify Webpage Device Active?
Activity Detector
Ignore
BROWSING HISTORY ATTACK PIPELINE
SLIDE 23
App-specific Classifier
Known Webpage?
Webpage Classifier
Webpage
Novelty Detector
Ignore Classify Webpage Device Active?
Activity Detector
Ignore
BROWSING HISTORY ATTACK PIPELINE
SLIDE 24
CONSTRAINT - FIT INSIDE THE BATTERY
Power requirements - <70 mA phone at rest
- Computational complexity
- Signal sample rate
Storage
SLIDE 25
CONSTRAINT - FIT INSIDE THE BATTERY
Power requirements - <70 mA phone at rest
- Computational complexity
- Signal sample rate
Storage
SLIDE 26
KEYSTROKE INFERENCE
SLIDE 27
KEYSTROKE INFERENCE
000000000000000000000001110110000001110001110011110111000111000000000000000000000000000000000000000000000000000000000000
SLIDE 28
KEYSTROKE INFERENCE 'C'
Convolutional Neural Network
SLIDE 29
KEYSTROKE INFERENCE 'C'
Convolutional Neural Network
SLIDE 30
KEYSTROKE INFERENCE - RESULTS
SLIDE 31
COMBINATION OF ATTACKS Top 1 – 18% Top 2 – 30% Top 3 – 40% Top 5 – 50%
SLIDE 32
EXFILTRATION
Wifi / Bluetooth Manipulate voltage
App Battery Status API
SLIDE 33
EXFILTRATION
Victim
SLIDE 34
EXFILTRATION
Attacker Malicious Battery Victim
SLIDE 35
SEE PAPER FOR -
- Attacks – (Sections 6 & 7)
- Web fingerprinting (open-world, Alexa top 100%)
- Keystroke
- Camera
- Incoming calls
- Robustness analysis -
(Section 8)
- Network conditions
- Sample rate
- Browsers
- Phones
- Users
- Why Power channel leaks data? (Section 10)
- Defenses & Mitigation (Section 11)
SLIDE 36
THEORETICAL?!
SLIDE 37
THEORETICAL?!
SLIDE 38
THEORETICAL?!
SLIDE 39
QUESTIONS?
Mark Silberstein, mark@ee.technion.ac.il Pavel Lifshits, pavell@ef.technion.ac.il