-
Reduce to the MACs -- Privacy Friendly Generic Probe Requests
Authors:
Johanna Ansohn McDougall,
Alessandro Brighente,
Anne Kunstmann,
Niklas Zapatka,
Hannes Federrath
Abstract:
Since the introduction of active discovery in Wi-Fi networks, users can be tracked via their probe requests. Although manufacturers typically try to conceal Media Access Control (MAC) addresses using MAC address randomisation, probe requests still contain Information Elements (IEs) that facilitate device identification. This paper introduces generic probe requests: By removing all unnecessary information from IEs, the requests become indistinguishable from one another, letting single devices disappear in the largest possible anonymity set. Conducting a comprehensive evaluation, we demonstrate that a large IE set contained within undirected probe requests does not necessarily imply fast connection establishment. Furthermore, we show that minimising IEs to nothing but Supported Rates would enable 82.55% of the devices to share the same anonymity set. Our contributions provide a significant advancement in the pursuit of robust privacy solutions for wireless networks, paving the way for more user anonymity and less surveillance in wireless communication ecosystems.
Submitted 15 May, 2024;
originally announced May 2024.
-
LoVe is in the Air -- Location Verification of ADS-B Signals using Distributed Public Sensors
Authors:
Johanna Ansohn McDougall,
Alessandro Brighente,
Willi Großmann,
Ben Ansohn McDougall,
Joshua Stock,
Hannes Federrath
Abstract:
The Automatic Dependent Surveillance-Broadcast (ADS-B) message scheme was designed without any authentication or encryption of messages in place. It is therefore easily possible to attack it, e.g., by injecting spoofed messages or modifying the transmitted Global Navigation Satellite System (GNSS) coordinates. In order to verify the integrity of the received information, various methods have been suggested, such as multilateration, the use of Kalman filters, group certification, and many others. However, solutions based on modifications of the standard may be difficult and too slow to be implemented due to legal and regulatory issues. A vantage far less explored is the location verification using public sensor data. In this paper, we propose LoVe, a lightweight message verification approach that uses a geospatial indexing scheme to evaluate the trustworthiness of publicly deployed sensors and the ADS-B messages they receive. With LoVe, new messages can be evaluated with respect to the plausibility of their reported coordinates in a location privacy-preserving manner, while using a data-driven and lightweight approach. By testing our approach on two open datasets, we show that LoVe achieves very low false positive rates (between 0 and 0.00106) and very low false negative rates (between 0.00065 and 0.00334) while providing a real-time compatible approach that scales well even with a large sensor set. Compared to currently existing approaches, LoVe neither requires a large number of sensors, nor for messages to be recorded by as many sensors as possible simultaneously in order to verify location claims. Furthermore, it can be directly applied to currently deployed systems thus being backward compatible.
Submitted 29 August, 2023;
originally announced August 2023.
-
The Applicability of Federated Learning to Official Statistics
Authors:
Joshua Stock,
Oliver Hauke,
Julius Weißmann,
Hannes Federrath
Abstract:
This work investigates the potential of Federated Learning (FL) for official statistics and shows how well the performance of FL models can keep up with centralized learning methods. FL is particularly interesting for official statistics because its utilization can safeguard the privacy of data holders, thus facilitating access to a broader range of data. By simulating three different use cases, important insights on the applicability of the technology are gained. The use cases are based on a medical insurance data set, a fine dust pollution data set and a mobile radio coverage data set - all of which are from domains close to official statistics. We provide a detailed analysis of the results, including a comparison of centralized and FL algorithm performances for each simulation. In all three use cases, we were able to train models via FL which reach a performance very close to the centralized model benchmarks. Our key observations and their implications for transferring the simulations into practice are summarized. We arrive at the conclusion that FL has the potential to emerge as a pivotal technology in future use cases of official statistics.
Submitted 29 September, 2023; v1 submitted 28 July, 2023;
originally announced July 2023.
-
Probing for Passwords -- Privacy Implications of SSIDs in Probe Requests
Authors:
Johanna Ansohn McDougall,
Christian Burkert,
Daniel Demmler,
Monina Schwarz,
Vincent Hubbe,
Hannes Federrath
Abstract:
Probe requests help mobile devices discover active Wi-Fi networks. They often contain a multitude of data that can be used to identify and track devices and thereby their users. The past years have been a cat-and-mouse game of improving fingerprinting and introducing countermeasures against fingerprinting. This paper analyses the content of probe requests sent by mobile devices and operating systems in a field experiment. In it, we discover that users (probably by accident) input a wealth of data into the SSID field and find passwords, e-mail addresses, names and holiday locations. With these findings we underline that probe requests should be considered sensitive data and be well protected. To preserve user privacy, we suggest and evaluate a privacy-friendly hash-based construction of probe requests and improved user controls.
Submitted 6 July, 2022; v1 submitted 8 June, 2022;
originally announced June 2022.
-
PrivacyDates: A Framework for More Privacy-Preserving Timestamp Data Types
Authors:
Christian Burkert,
Jonathan Balack,
Hannes Federrath
Abstract:
Case studies of application software data models indicate that timestamps are excessively used in connection with user activity. This contradicts the principle of data minimisation which demands a limitation to data necessary for a given purpose. Prior work has also identified common purposes of timestamps that can be realised by more privacy-preserving alternatives like counters and dates with purpose-oriented precision. In this paper, we follow up by demonstrating the real-world applicability of those alternatives. We design and implement three timestamp alternatives for the popular web development framework Django and evaluate their practicality by replacing conventional timestamps in the project management application Taiga. We find that our alternatives could be adopted without impairing the functionality of Taiga.
Submitted 7 June, 2022; v1 submitted 27 May, 2022;
originally announced May 2022.
-
Lessons Learned: Defending Against Property Inference Attacks
Authors:
Joshua Stock,
Jens Wettlaufer,
Daniel Demmler,
Hannes Federrath
Abstract:
This work investigates and evaluates multiple defense strategies against property inference attacks (PIAs), a privacy attack against machine learning models. Given a trained machine learning model, PIAs aim to extract statistical properties of its underlying training data, e.g., reveal the ratio of men and women in a medical training data set. While for other privacy attacks like membership inference, a lot of research on defense mechanisms has been published, this is the first work focusing on defending against PIAs. With the primary goal of developing a generic mitigation strategy against white-box PIAs, we propose the novel approach property unlearning. Extensive experiments with property unlearning show that while it is very effective when defending target models against specific adversaries, property unlearning is not able to generalize, i.e., protect against a whole class of PIAs. To investigate the reasons behind this limitation, we present the results of experiments with the explainable AI tool LIME. They show how state-of-the-art property inference adversaries with the same objective focus on different parts of the target model. We further elaborate on this with a follow-up experiment, in which we use the visualization technique t-SNE to exhibit how severely statistical training data properties are manifested in machine learning models. Based on this, we develop the conjecture that post-training techniques like property unlearning might not suffice to provide the desirable generic protection against PIAs. As an alternative, we investigate the effects of simpler training data preprocessing methods like adding Gaussian noise to images of a training data set on the success rate of PIAs. We conclude with a discussion of the different defense approaches, summarize the lessons learned and provide directions for future work.
Submitted 9 October, 2023; v1 submitted 18 May, 2022;
originally announced May 2022.
-
A Structured Analysis of Information Security Incidents in the Maritime Sector
Authors:
Monina Schwarz,
Matthias Marx,
Hannes Federrath
Abstract:
Cyber attacks in the maritime sector can have a major impact on world economy. However, the severity of this threat can be underestimated because many attacks remain unknown or unnoticed. We present an overview about publicly known cyber incidents in the maritime sector from the past 20 years. In total, we found 90 publicly reported attacks and 15 proof of concepts. Furthermore, we interviewed five IT security experts from the maritime sector. The interviews put the results of our research in perspective and confirm that our view is comprehensive. However, the interviewees highlight that there is a high dark figure of unreported incidents and argue that threat information sharing may potentially be helpful for attack prevention. From these results, we extract threats for players in the maritime sector.
Submitted 13 December, 2021;
originally announced December 2021.
-
Operating Tor Relays at Universities: Experiences and Considerations
Authors:
Christoph Döpmann,
Matthias Marx,
Hannes Federrath,
Florian Tschorsch
Abstract:
In today's digital society, the Tor network has become an indispensable tool for individuals to protect their privacy on the Internet. Operated by volunteers, relay servers constitute the core component of Tor and are used to geographically escape surveillance. It is therefore essential to have a large, yet diverse set of relays. In this work, we analyze the contribution of educational institutions to the Tor network and report on our experience of operating exit relays at a university. Taking Germany as an example (but arguing that the global situation is similar), we carry out a quantitative study and find that universities contribute negligible amounts of relays and bandwidth. Since many universities all over the world have excellent conditions that render them perfect places to host Tor (exit) relays, we encourage other interested people and institutions to join. To this end, we discuss and resolve common concerns and provide lessons learned.
Submitted 9 June, 2021; v1 submitted 8 June, 2021;
originally announced June 2021.
-
PEEPLL: Privacy-Enhanced Event Pseudonymisation with Limited Linkability
Authors:
Ephraim Zimmer,
Christian Burkert,
Tom Petersen,
Hannes Federrath
Abstract:
Pseudonymisation provides the means to reduce the privacy impact of monitoring, auditing, intrusion detection, and data collection in general on individual subjects. Its application on data records, especially in an environment with additional constraints, like re-identification in the course of incident response, implies assumptions and privacy issues, which contradict the achievement of the desirable privacy level. Proceeding from two real-world scenarios, where personal and identifying data needs to be processed, we identify requirements as well as a system model for pseudonymisation and explicitly state the sustained privacy threats, even when pseudonymisation is applied. With this system and threat model, we derive privacy protection goals together with possible technical realisations, which are implemented and integrated into our event pseudonymisation framework PEEPLL for the context of event processing, like monitoring and auditing of user, process, and network activities. Our framework provides privacy-friendly linkability in order to maintain the possibility for automatic event correlation and evaluation, while at the same time reduces the privacy impact on individuals. Additionally, the pseudonymisation framework is evaluated in order to provide some restrained insights on the impact of assigned paradigms and all necessary new mechanisms on the performance of monitoring and auditing. With this framework, privacy provided by event pseudonymisation can be enhanced by a more rigorous commitment to the concept of personal data minimisation, especially in the context of regulatory requirements like the European General Data Protection Regulation.
Submitted 12 December, 2019;
originally announced December 2019.
-
Accelerating QUIC's Connection Establishment on High-Latency Access Networks
Authors:
Erik Sy,
Tobias Mueller,
Moritz Moennich,
Hannes Federrath
Abstract:
A significant amount of connection establishments on the web require a prior domain name resolution by the client. Especially on high-latency access networks, these DNS lookups cause a significant delay on the client's connection establishment with a server. To reduce the overhead of QUIC's connection establishment with prior DNS lookup on these networks, we propose a novel QuicSocks proxy. Basically, the client delegates the domain name resolution towards the QuicSocks proxy. Our results indicate that colocating our proxy with real-world ISP-provided DNS resolvers provides great performance gains. For example, 10% of our 474 sample nodes distributed across ISPs in Germany would save at least 30ms per QUIC connection establishment. The design of our proposal aims to be readily deployable on the Internet by avoiding IP address spoofing, anticipating Network Address Translators and using the standard DNS and QUIC protocols. In summary, our proposal fosters a faster establishment of QUIC connections for clients on high-latency access networks.
Submitted 2 July, 2019;
originally announced July 2019.
-
Enhanced Performance and Privacy for TLS over TCP Fast Open
Authors:
Erik Sy,
Tobias Mueller,
Christian Burkert,
Hannes Federrath,
Mathias Fischer
Abstract:
Small TCP flows make up the majority of web flows. For them, the TCP three-way handshake induces significant delay overhead. The TCP Fast Open (TFO) protocol can significantly decrease this delay via zero round-trip time (0-RTT) handshakes for all TCP handshakes that follow a full initial handshake to the same host. However, this comes at the cost of privacy limitations and also has some performance limitations. In this paper, we investigate the TFO deployment on popular websites and browsers. We found that a client revisiting a web site for the first time fails to use an abbreviated TFO handshake in 40% of all cases due to web server load-balancing using multiple IP addresses. Our analysis further reveals significant privacy problems of the protocol design and implementation. Network-based attackers and online trackers can exploit TFO to track the online activities of users. As a countermeasure, we introduce a novel protocol called TCP Fast Open Privacy (FOP). TCP FOP prevents tracking by network attackers and impedes third-party tracking, while still allowing 0-RTT handshakes as in TFO. As a proof-of-concept, we have implemented the proposed protocol for the Linux kernel and a TLS library. Our measurements indicate that TCP FOP outperforms TLS over TFO when websites are served from multiple IP addresses.
Submitted 12 November, 2019; v1 submitted 9 May, 2019;
originally announced May 2019.
-
QUICker connection establishment with out-of-band validation tokens
Authors:
Erik Sy,
Christian Burkert,
Tobias Mueller,
Hannes Federrath,
Mathias Fischer
Abstract:
QUIC is a secure transport protocol that improves the performance of HTTPS. An initial QUIC handshake that enforces a strict validation of the client's source address requires two round-trips. In this work, we extend QUIC's address validation mechanism by an out-of-band validation token to save one round-trip time during the initial handshake. The proposed token allows sharing an address validation between the QUIC server and trusted entities issuing these tokens. This saves a round-trip time for the address validation. Furthermore, we propose distribution mechanisms for these tokens using DNS resolvers and QUIC connections to other hostnames. Our proposal can save up to 50% of the delay overhead of an initial QUIC handshake. Furthermore, our analytical results indicate that 363.6ms in total can be saved for all connections required to retrieve an average website, if a round-trip time of 90ms is assumed.
Submitted 3 May, 2019; v1 submitted 12 April, 2019;
originally announced April 2019.
-
Enhanced Performance for the encrypted Web through TLS Resumption across Hostnames
Authors:
Erik Sy,
Moritz Moennich,
Tobias Mueller,
Hannes Federrath,
Mathias Fischer
Abstract:
TLS can resume previous connections via abbreviated resumption handshakes that significantly decrease the delay and save expensive cryptographic operations. For that, cryptographic TLS state from previous connections is reused. TLS version 1.3 recommends to avoid resumption handshakes, and thus the reuse of cryptographic state, when connecting to a different hostname. In this work, we reassess this recommendation, as we find that sharing cryptographic TLS state across hostnames is a common practice on the web. We propose a TLS extension that allows the server to inform the client about TLS state sharing with other hostnames. This information enables the client to efficiently resume TLS sessions across hostnames. Our evaluation indicates that our TLS extension provides huge performance gains for the web. For example, about 58.7% of the 20.24 full TLS handshakes that are required to retrieve an average website on the web can be converted to resumed connection establishments. This yields to a reduction of 44% of the CPU time consumed for TLS connection establishments. Furthermore, our TLS extension accelerates the connection establishment with an average website by up to 30.6% for TLS 1.3. Thus, our proposal significantly reduces the (energy) costs and the delay overhead in the encrypted web.
Submitted 7 February, 2019;
originally announced February 2019.
-
Tracking Users across the Web via TLS Session Resumption
Authors:
Erik Sy,
Christian Burkert,
Hannes Federrath,
Mathias Fischer
Abstract:
User tracking on the Internet can come in various forms, e.g., via cookies or by fingerprinting web browsers. A technique that got less attention so far is user tracking based on TLS and specifically based on the TLS session resumption mechanism. To the best of our knowledge, we are the first that investigate the applicability of TLS session resumption for user tracking. For that, we evaluated the configuration of 48 popular browsers and one million of the most popular websites. Moreover, we present a so-called prolongation attack, which allows extending the tracking period beyond the lifetime of the session resumption mechanism. To show that under the observed browser configurations tracking via TLS session resumptions is feasible, we also looked into DNS data to understand the longest consecutive tracking period for a user by a particular website. Our results indicate that with the standard setting of the session resumption lifetime in many current browsers, the average user can be tracked for up to eight days. With a session resumption lifetime of seven days, as recommended upper limit in the draft for TLS version 1.3, 65% of all users in our dataset can be tracked permanently.
Submitted 16 October, 2018;
originally announced October 2018.
-
Integrating Privacy-Enhancing Technologies into the Internet Infrastructure
Authors:
David Harborth,
Dominik Herrmann,
Stefan Köpsell,
Sebastian Pape,
Christian Roth,
Hannes Federrath,
Dogan Kesdogan,
Kai Rannenberg
Abstract:
The AN.ON-Next project aims to integrate privacy-enhancing technologies into the internet's infrastructure and establish them in the consumer mass market.
The technologies in focus include a basis protection at internet service provider level, an improved overlay network-based protection and a concept for privacy protection in the emerging 5G mobile network. A crucial success factor will be the viable adjustment and development of standards, business models and pricing strategies for those new technologies.
Submitted 20 November, 2017;
originally announced November 2017.
-
Evaluating the Security of a DNS Query Obfuscation Scheme for Private Web Surfing
Authors:
Dominik Herrmann,
Max Maaß,
Hannes Federrath
Abstract:
The Domain Name System (DNS) does not provide query privacy. Query obfuscation schemes have been proposed to overcome this limitation, but, so far, they have not been evaluated in a realistic setting. In this paper we evaluate the security of a random set range query scheme in a real-world web surfing scenario. We demonstrate that the scheme does not sufficiently obfuscate characteristic query patterns, which can be used by an adversary to determine the visited websites. We also illustrate how to thwart the attack and discuss practical challenges. Our results suggest that previously published evaluations of range queries may give a false sense of the attainable security, because they do not account for any interdependencies between queries.
Submitted 21 March, 2016;
originally announced March 2016.
-
IPv6 Prefix Alteration: An Opportunity to Improve Online Privacy
Authors:
Dominik Herrmann,
Christine Arndt,
Hannes Federrath
Abstract:
This paper is focused on privacy issues related to the prefix part of IPv6 addresses. Long-lived prefixes may introduce additional tracking opportunities for communication partners and third parties. We outline a number of prefix alteration schemes that may be deployed to maintain the unlinkability of users' activities. While none of the schemes will solve all privacy problems on the Internet on their own, we argue that the development of practical prefix alteration techniques constitutes a worthwhile avenue to pursue: They would allow Internet Service Providers to increase the attainable privacy level well above the status quo in today's IPv4 networks.
Submitted 20 November, 2012;
originally announced November 2012.