THaW Project

In the Trustworthy Health and Wellness (THaW) project, which was a broad project involving multiple universities, my group was focused mostly wearable and portable devices for use in health monitoring and management, with an emphasis on the security and privacy issues that arise with these devices and their apps. We considered wearable, mobile, or home-based technologies being used by patients or clinical staff, and addressed issues of data integrity and authenticity, person identification and authentication, and usability.

What follows is a summary of THaW research by David Kotz and his students and postdocs. For more information about the THaW project, and a broader description of its contributions and publications (not just those including David Kotz and his students), see the THaW website and the annotated bibliography of all THaW work (through 2020) at [landwehr:thaw-tr].

Secure introductions: Wanda, SNAP, CloseTalker

Nearly every setting is increasingly populated with wireless and mobile devices -- whether appliances in a home, medical devices in a health clinic, sensors in an industrial setting, or devices in an office or school. There are three fundamental operations when bringing a new device into any of these settings: (1) to configure the device to join the wireless local-area network, (2) to partner the device with other nearby devices so they can work together, and (3) to configure the device so it connects to the relevant individual or organizational account in the cloud. The challenge is to accomplish all three goals simply, securely, and consistent with user intent. Tim Pierson's PhD thesis focused on simple and secure means for a person to introduce two Wi-Fi devices, and to securely transfer information between them, resulting in systems called Wanda, SNAP, and CloseTalker. [pierson:thesis]. Each is described below.

SNAP -- SiNgle Antenna Proximity -- allows a single-antenna Wi-Fi device to quickly determine proximity with another Wi-Fi device. Our technique leverages the repeating nature Wi-Fi's preamble and the behavior of a signal in a transmitting antenna's near-field region to detect proximity with high probability; SNAP never falsely declares proximity at ranges longer than 14 cm. [pierson:snap, pierson:snap-poster, pierson:snap-patent, pierson:s3, pierson:thesis].

CloseTalker allows simple, secure, ad hoc communication between devices in close physical proximity, while jamming the signal so it is unintelligible to any receivers more than a few centimeters away. CloseTalker exploits Wi-Fi MIMO antennas and the fundamental physics of radio to establish secure communication between devices that have never previously met. We demonstrate that CloseTalker is able to facilitate secure in-band communication between devices in close physical proximity (about 5 cm), even though they have never met nor shared a key [pierson:closetalker, pierson:closetalker-patent, pierson:closetalker-patent2, pierson:thesis].

Secure introductions: VibeRing

In another approach for secure introductions, VibeRing automatically and transparently shares a secret between a user and a handheld smart device. VibeRing uses an out-of-band communication channel -- vibration, generated by a custom smartRing -- to share a secret with a compatible IoT device. Through a user study with 12 participants we show that in the best case we can exchange 85.9% messages successfully [sen:vibering-poster, sen:vibering, sen:vibering-j].

Secure introductions: LightTouch

In another approach for secure introductions, LightTouch uses standard RF methods (like Bluetooth) for communicating the data to display, securely bootstrapped with a key shared via a brightness channel between the low cost, low power, ambient light sensor of a wearable and the screen of the display. A screen touch gesture is adopted by users to ensure the modulation of screen brightness can be accurately and securely captured by the ambient light sensor. Wireless coordination with the processor driving the display establishes a shared secret based on the brightness channel information. We further propose novel on-screen localization and correlation algorithms to improve security and reliability. Through experiments we demonstrate that LightTouch is compatible with current display and wearable designs, easy-to-use (5-6 seconds), reliable for connecting multiple displays in various ambient light conditions (98% success connection ratio), and secure against impersonation attacks [liang:lighttouch-patent, liang:jlighttouch, liang:lighttouch, liang:healthtech14.

Secure I/O: BASTION-SGX and VIA

BASTION-SGX presents work towards realizing architectural support for Bluetooth Trusted I/O on SGX-enabled platforms, with the goal of providing I/O data protection that does not rely on system software security. The paper describes our proof-of-concept work that extends existing over-the-air Bluetooth security all the way to an SGX enclave by securing user data between the Bluetooth Controller and an SGX enclave [peters:bastionsgx, peters:thesis].

VIA presents a method for detecting anomalous behavior in Bluetooth traffic, as observed by the central host -- with the goal of detecting malicious behavior by peripheral devices, or perhaps imposter peripherals that are spoofing legitimate peripherals; see Chapter 4 in Travis Peters' thesis [peters:thesis] and a WiSec'21 paper derived from that chapter [peters:via].

Authentication: CSAW

Seamless Authentication using Wristbands (SAW) is an authentication method for desktop computers that addresses the lack of 'intentionality' in prior proximity-based methods. In SAW, a user wears a wristband that acts as the user's identity token; to authenticate to a desktop, the user provides a low-effort input by tapping a key on the keyboard multiple times or wiggling the mouse with the wristband hand. This input to the desktop conveys that someone wishes to log in to the desktop, and SAW verifies the user who wishes to log in by confirming the user's proximity and correlating the received keyboard or mouse inputs with the user's wrist movement, as measured by the wristband [mare:saw, mare:thesis]. These ideas are patented and are available for license from Dartmouth [mare:saw-patent].

We then extended SAW to CSAW: Continuous Smartphone Authentication using Wristbands. In CSAW, users wear a wristband (a smartwatch or a fitness band) with built-in motion sensors, and by comparing the wristband's motion with the phone's motion, CSAW continuously produces a score indicating its confidence that the person holding (and using) the phone is the person wearing the wristband. This score provides the foundation for a wide range of authentication decisions (e.g., unlocking phone, deauthentication, or limiting phone access). CSAW was able to conduct initial authentication with over 99% accuracy and continuous authentication with over 96.5% accuracy [mare:csaw19, molina-markham:patent9961547, mare:thesis].

We also explored a ring-based alternative to SAW. In AuthoRing an eligible desktop-computer user wears a digital ring with accelerometers and wireless communication capability. When input is detected at the mouse or keyboard, the computer's AuthoRing system correlates hand-motion data received from the ring with the input data from the computer's window manager, and detects imposter attacks when these data are insufficiently correlated. We implemented the AuthoRing system and evaluated its security, efficiency, and usability; we found that imposter attacks can be effectively detected and the required operations happen quickly with negligible delays experienced by the user [liang:wearsys17].

Finally, related to CSAW, we also explored methods for continuous smartphone authentication based on the user's patterns of use of that smartphone [wang:auth].

Authentication: Vocal Resonance

For many wearable devices, it is critical to identify the wearer, allowing sensor data to be properly labeled or personalized behavior to be properly achieved. We proposed the use of vocal resonance, that is, the sound of the person's voice as it travels through the person's body -- a method we anticipate would be suitable for devices worn on the head, neck, or chest. In this regard, we go well beyond the simple challenge of speaker recognition: we want to know who is wearing the device. Our DNN method achieved balanced accuracy 0.914 for identification and 0.961 for verification by using an LSTM-based deep-learning model, while our efficient GMM method achieved balanced accuracy 0.875 for identification and 0.942 for verification [liu:vocalresonance, liu:mobisys17, liu:wearsys17].

Close encounters and contact tracing: SPICE, ENACT

We developed SPICE, a crowdsourcing system that extends the capabilities of location-based applications and allows users to connect and exchange information with users in spatial and temporal proximity. We define this incident of spatio-temporal proximity as a close encounter. Typically, location-based application users store their information on a server, and trust the server to provide access only to authorized users, not misuse the data or disclose their location history. Our system, called SPICE, addresses these privacy issues by leveraging Wi-Fi access points to connect users and encrypt their information before it is exchanged, so only users in close encounters have access to the information. We present the design of the system and describe the challenges in implementing the protocol in a real-world application [prasad:spice, prasad:thesis].

In ENACT we explore the concept of close encounters in the context of privacy-preserving contact tracing, in which a person infected with a contagious disease could alert others to whom they may have spread the virus. We designed a smartphone-based system that allows people infected with a contagious virus to send alerts to other users who may have been exposed to the same virus due to a close encounter. We addressed three challenges: finding devices in close encounters with minimal changes to existing infrastructure, ensuring authenticity of alerts, and protecting privacy of all users [prasad:enact, prasad:thesis].

Privacy-preserving data sharing

In related work in the Amulet project, we explored the use of attribute-based access control and hash-chaining techniques to allow privacy-preserving data sharing... allowing the mHealth data subject to decide with whom, and when, their mHealth data will be shared [greene:sharehealth, greene:thesis]. This cloud-based data-sharing platform was meant to receive data securely from mHealth devices, and we developed an efficient crypographic protocol for mHealth devices to communicate through a smartphone and into the cloud [harmon:thesis].

In related work in the Amanuensis project, we expanded on that idea to support end-to-end data provenance, allowing data from mHealth devices to be secured at the source (the mHealth device), into cloud storage, through data-processing steps that may aggregate or transform the data, and limit access to authorized parties... wherein those data 'consumers' can validate the provenance of the resulting information through blockchain and trusted-hardware mechanisms [hardin:thesis].

Agenda/challenge papers

As part of our THaW research we took four opportunities to convey a broader sense of the state of the art, and the challenges ahead, in security and privacy for mobile health, healthcare information systems, cloud technology, and the emerging Internet of Things [kotz:agenda, kotz:frontiers, reza:nocloud, kotz:safethings].

Education

In a THaW team effort we developed an educational module in which high-school students were introduced to mHealth, security, privacy, and computing careers, through a short hands-on experience with FitBit exercise trackers. [carrigan:fitbit].

People

The following people were co-authors on one or more of the papers cited here: José Camacho, Joseph Carrigan, Cory Cornelius, Kevin Fu, Carl Gunter, David Kotz, Santosh Kumar, Reshma Lal, Carl Landwehr, Xiaohui Liang, Rui Liu, Shrirang Mare, Varun Mishra, Andrés Molina-Markham, Pradeep Pappachan, Travis Peters, Ron Peterson, Timothy Pierson, Aarathi Prasad, Reza Rawassizadeh, Avi Rubin, Sougata Sen, Srikanth Varadarajan, Bingyue Wang, Jonathan Weiner, and Tianlong Yun.

Funding and acknowledgements

THaW was primarily funded by the US National Science Foundation (Secure and Trustworthy Computing, SaTC) under award 1329686. Some projects or authors had additional sources of funding, noted in the acknowledgement section of individual papers.

The views and conclusions contained on this site and in its documents are those of the authors and should not be interpreted as necessarily representing the official position or policies, either expressed or implied, of the sponsor(s). Any mention of specific companies or products does not imply any endorsement by the authors or by the sponsor(s).

Papers (tagged 'thaw')

This list includes only those including David Kotz as co-author or thesis advisor. For a complete list of THaW papers, see the THaW website.

Papers are listed in reverse-chronological order; click an entry to pop up the abstract. For full information and pdf, please click Details link. Follow updates with RSS.

2024:

Timothy J. Pierson, Ronald Peterson, and David F. Kotz. Apparatuses, methods, and software for secure short-range wireless communication. U.S. Patent 11,894,920, February 6, 2024. Continuation of 11,153,026. Priority date 2017-09-06 to US17/477,718; WO filed 2018-09-06, US filed 2020-02-26; published 2022-01-06 as US20220006557A1; issued 2024-02-06. [Details]

Apparatuses that provide for secure wireless communications between wireless devices under cover of one or more jamming signals. Each such apparatus includes at least one data antenna and at least one jamming antenna. During secure-communications operations, the apparatus transmits a data signal containing desired data via the at least one data antenna while also at least partially simultaneously transmitting a jamming signal via the at least one jamming antenna. When a target antenna of a target device is in close proximity to the data antenna and is closer to the data antenna than to the jamming antenna, the target device can successfully receive the desired data contained in the data signal because the data signal is sufficiently stronger than the jamming signal within a finite secure-communications envelope due to the Inverse Square Law of signal propagation. Various related methods and machine-executable instructions are also disclosed.

Timothy J. Pierson, Ronald Peterson, and David F. Kotz. System and method for proximity detection with single-antenna device. U.S. Patent 11,871,233; International Patent Application WO2019210201A1, January 9, 2024. Priority date 2018-04-27 to US17/050,764; filed 2019-04-26; published 2021-07-29 as US20210235273A1; issued 2024-01-09. [Details]

A single-antenna device includes a single antenna, at least one processor, and at least one memory. The single-antenna device is operable to receive a signal including at least one frame. Each of said frame includes a repeating portion. The single-antenna device determines a difference of phase and amplitude of the repeating portion and further determines whether the signal is transmitted from a trusted source based at least in part on the difference of phase and amplitude of the repeating portion.

2023:

Timothy J. Pierson, Xiaohui Liang, Ronald Peterson, and David Kotz. Apparatus for securely configuring a target device. U.S. Patent 11,683,071, June 20, 2023. Continuation of U.S. Patent 10,574,298. Priority date 2015-06-23 to US16/747,451; filed 2020-01-20; published 2020-05-28 as US20200169295A1allowed 2023-02-10; issued 2023-06-20. [Details]

Apparatus and method securely transfer first data from a source device to a target device. A wireless signal having (a) a higher speed channel conveying second data and (b) a lower speed channel conveying the first data is transmitted. The lower speed channel is formed by selectively transmitting the wireless signal from one of a first and second antennae of the source device based upon the first data. The first and second antenna are positioned a fixed distance apart and the target device uses a received signal strength indication (RSSI) of the first signal to decode the lower speed channel and receive the first data.

Shrirang Mare, David Kotz, and Ronald Peterson. Effortless authentication for desktop computers using wrist wearable tokens. U.S. Patent 11,574,039, February 7, 2023. Priority date 2018-07-20 to US17/261,691; world application filed 2019-07-19; US filed 2021-01-20; published 2021-08-26 as US20210264012A1; issued 2023-02-07. [Details]

A system and method for authenticating users of a digital device includes an authentication device attached to an authorized user. The authentication device includes one or more motion sensors and acts as a user identity token. To authenticate with a digital device, the user performs one or more interactions with the digital device using the hand associated with the authentication device. The digital device correlates the inputs received due to the interactions with the user's hand and/or wrist movement, as measured by the authentication device. Access to the digital device is allowed if the inputs and movements are correlated.

2022:

Taylor Hardin. Information Provenance for Mobile Health Data. PhD thesis, May 2022. [Details]

Mobile health (mHealth) apps and devices are increasingly popular for health research, clinical treatment and personal wellness, as they offer the ability to continuously monitor aspects of individuals' health as they go about their everyday activities. Many believe that combining the data produced by these mHealth apps and devices may give healthcare-related service providers and researchers a more holistic view of an individual's health, increase the quality of service, and reduce operating costs. For such mHealth data to be considered useful though, data consumers need to be assured that the authenticity and the integrity of the data has remained intact — especially for data that may have been created through a series of aggregations and transformations on many input data sets. In other words, information provenance should be one of the main focuses for any system that wishes to facilitate the sharing of sensitive mHealth data. Creating such a trusted and secure data sharing ecosystem for mHealth apps and devices is difficult, however, as they are implemented with different technologies and managed by different organizations. Furthermore, many mHealth devices use ultra-low-power micro-controllers, which lack the kinds of sophisticated Memory Management Units (MMUs) required to sufficiently isolate sensitive application code and data.

In this thesis, we present an end-to-end solution for providing information provenance for mHealth data, which begins by securing mHealth data at its source: the mHealth device. To this end, we devise a memory-isolation method that combines compiler-inserted code and Memory Protection Unit (MPU) hardware to protect application code and data on ultra-low-power micro-controllers. Then we address the security of mHealth data outside of the source (e.g., data that has been uploaded to smartphone or remote-server) with our health-data system, Amanuensis, which uses Blockchain and Trusted Execution Environment (TEE) technologies to provide confidential, yet verifiable, data storage and computation for mHealth data. Finally, we look at identity privacy and data freshness issues introduced by the use of blockchain and TEEs. Namely, we present a privacy-preserving solution for blockchain transactions, and a freshness solution for data access-control lists retrieved from the blockchain.

2021:

Sougata Sen and David Kotz. VibeRing: Using vibrations from a smart ring as an out-of-band channel for sharing secret keys. Journal of Pervasive and Mobile Computing. December 2021. [Details]

Many Internet of Things (IoT) devices are capable of sensing their environment, communicating with other devices, and actuating on their environment. Some of these IoT devices, herein known as “smartThings”, collect meaningful information from raw data when they are in use and in physical contact with their user (e.g., a blood-glucose monitor); the smartThing’s wireless connectivity allows it to transfer that data to its user’s trusted device, such as a smartphone. However, an adversary could impersonate the user and bootstrap a communication channel with the smartThing while the smartThing is being used by an oblivious legitimate user.

To address this problem, in this paper, we investigate the use of vibration, generated by a smartRing, as an out-of-band communication channel to unobtrusively share a secret with a smartThing. This exchanged secret can be used to bootstrap a secure wireless channel over which the smartphone (or another trusted device) and the smartThing can communicate. We present the design, implementation, and evaluation of this system, which we call VibeRing. We describe the hardware and software details of the smartThing and smartRing. Through a user study we demonstrate that it is possible to share a secret with various objects quickly, accurately and securely as compared to several existing techniques. Overall, we successfully exchange a secret between a smartRing and various smartThings, at least 85.9% of the time. We show that VibeRing can perform this exchange at 12.5 bits/second at a bit error rate of less than 2.5%. We also show that VibeRing is robust to the smartThing’s constituent material as well as the holding style. Finally, we demonstrate that a nearby adversary cannot decode or modify the message exchanged between the trusted devices.

Timothy J. Pierson, Ronald Peterson, and David F. Kotz. Apparatuses, methods, and software for secure short-range wireless communication. U.S. Patent 11,153,026, October 19, 2021. Priority date 2017-09-06 to US16/642,160; WO filed 2018-09-06, US filed 2020-02-26; published 2020-11-12 as US20200358550A1; US amendment filed 2021-01-29; issued 2021-10-19. [Details]

Travis Peters, Timothy J. Pierson, Sougata Sen, José Camacho, and David Kotz. Recurring Verification of Interaction Authenticity Within Bluetooth Networks. Proceedings of the ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec 2021). June 2021. [Details]

Although user authentication has been well explored, device-to-device authentication – specifically in Bluetooth networks – has not seen the same attention. We propose Verification of Interaction Authenticity (VIA) – a recurring authentication scheme based on evaluating characteristics of the communications (interactions) between devices. We adapt techniques from wireless traffic analysis and intrusion detection systems to develop behavioral models that capture typical, authentic device interactions (behavior); these models enable recurring verification of device behavior. To evaluate our approach we produced a new dataset consisting of more than 300 Bluetooth network traces collected from 20 Bluetooth-enabled smart-health and smart-home devices. In our evaluation, we found that devices can be correctly verified at a variety of granularities, achieving an F1-score of 0.86 or better in most cases.

David Kotz and Guoliang Xing. Introduction to the Special Issue on the Wearable Technologies for Smart Health, Part 2. ACM Transactions on Healthcare. January 2021. [Details]

Wearable health-tracking consumer products are gaining popularity, including smart watches, fitness trackers, smart clothing, and head-mounted devices. These wearable devices promise new opportunities for the study of health-related behavior, for tracking of chronic conditions, and for innovative interventions in support of health and wellness. Next-generation wearable technologies have the potential to transform today's hospital-centered healthcare practices into proactive, individualized care. Although it seems new technologies enter the marketplace every week, there is still a great need for research on the development of sensors, sensor-data analytics, wearable interaction modalities, and more.

In this special issue, we sought to assemble a set of articles addressing novel computational research related to any aspect of the design or use of wearables in medicine and health, including wearable hardware design, AI and data analytics algorithms, human-device interaction, security/privacy, and novel applications. Here, in Part 2 of a two-part collection of articles on this topic, we are pleased to share four articles about the use of wearables for skill assessment, activity recognition, mood recognition, and deep learning.

2020:

Carl Landwehr and David Kotz. THaW publications. Technical Report, December 2020. [Details]

In 2013, the National Science Foundation's Secure and Trustworthy Cyberspace program awarded a Frontier grant to a consortium of four institutions, led by Dartmouth College, to enable trustworthy cybersystems for health and wellness. As of this writing, the Trustworthy Health and Wellness (THaW) project's bibliography includes more than 130 significant publications produced with support from the THaW grant; these publications document the progress made on many fronts by the THaW research team. The collection includes dissertations, theses, journal papers, conference papers, workshop contributions and more. The bibliography is organized as a Zotero library, which provides ready access to citation materials and abstracts and associates each work with a URL where it may be found, cluster (category), several content tags, and a brief annotation summarizing the work's contribution. For more information about THaW, visit thaw.org.

David Kotz and Guoliang Xing. Introduction to the Special Issue on the Wearable Technologies for Smart Health, Part 1. ACM Transactions on Healthcare. October 2020. [Details]

Wearable health-tracking consumer products are gaining popularity, including smartwatches, fitness trackers, smart clothing, and head-mounted devices. These wearable devices promise new opportunities for the study of health-related behavior, for tracking of chronic conditions, and for innovative interventions in support of health and wellness. Next-generation wearable technologies have the potential to transform today’s hospital- centered healthcare practices into proactive, individualized care. Although it seems new technologies enter the marketplace every week, there is still a great need for research on the development of sensors, sensor-data analytics, wearable interaction modalities, and more.

In this special issue, we sought to assemble a set of articles addressing novel computational research related to any aspect of the design or use of wearables in medicine and health, including wearable hardware design, AI and data analytics algorithms, human-device interaction, security/privacy, and novel applications. Here, in Part 1 of a two-part collection of articles on this topic, we are pleased to share seven articles about the use of wearables for emotion sensing, physiotherapy, virtual reality, automated meal detection, a human data model, and a survey of physical-activity tracking.

Sougata Sen and David Kotz. VibeRing: Using vibrations from a smart ring as an out-of-band channel for sharing secret keys. Proceedings of the International Conference on the Internet of Things (IoT). October 2020. [Details]

With the rapid growth in the number of IoT devices that have wireless communication capabilities, and sensitive information collection capabilities, it is becoming increasingly necessary to ensure that these devices communicate securely with only authorized devices. A major requirement of this secure communication is to ensure that both the devices share a secret, which can be used for secure pairing and encrypted communication. Manually imparting this secret to these devices becomes an unnecessary overhead, especially when the device interaction is transient. In this paper, we empirically investigate the possibility of using an out-of-band communication channel -- vibration, generated by a custom smart ring, to share a secret with a smart IoT device. This exchanged secret can be used to bootstrap a secure wireless channel over which the devices can communicate. We believe that in future IoT devices can use such a technique to seamlessly connect with authorized devices with minimal user interaction overhead. In this paper, we specifically investigate (a) the feasibility of using vibration generated by a custom wearable for communication, (b) the effect of various parameters on this communication channel, and (c) the possibility of information manipulation by an adversary or information leakage to an adversary. For this investigation, we conducted a controlled study as well as a user study with 12 participants. In the controlled study, we could successfully share messages through vibrations with a bit error rate of less than 2.5%. Additionally, through the user study we demonstrate that it is possible to share messages with various types of objects accurately, quickly and securely as compared to several existing techniques. Overall, we find that in the best case we can exchange 85.9% messages successfully with a smart device.

Travis Peters. Trustworthy Wireless Personal Area Networks. PhD thesis, August 2020. Available as Dartmouth Computer Science Technical Report TR2020-878. [Details]

In the Internet of Things (IoT), everyday objects are equipped with the ability to compute and communicate. These smart things have invaded the lives of everyday people, being constantly carried or worn on our bodies, and entering into our homes, our healthcare, and beyond. This has given rise to wireless networks of smart, connected, always-on, personal things that are constantly around us, and have unfettered access to our most personal data as well as all of the other devices that we own and encounter throughout our day. It should, therefore, come as no surprise that our personal devices and data are frequent targets of ever-present threats. Securing these devices and networks, however, is challenging. In this dissertation, we outline three critical problems in the context of Wireless Personal Area Networks (WPANs) and present our solutions to these problems.

First, I present our Trusted I/O solution (BASTION-SGX) for protecting sensitive user data transferred between wirelessly connected (Bluetooth) devices. This work shows how in-transit data can be protected from privileged threats, such as a compromised OS, on commodity systems. I present insights into the Bluetooth architecture, Intel’s Software Guard Extensions (SGX), and how a Trusted I/O solution can be engineered on commodity devices equipped with SGX.

Second, I present our work on AMULET and how we successfully built a wearable health hub that can run multiple health applications, provide strong security properties, and operate on a single charge for weeks or even months at a time. I present the design and evaluation of our highly efficient event-driven programming model, the design of our low-power operating system, and developer tools for profiling ultra-low-power applications at compile time.

Third, I present a new approach (VIA) that helps devices at the center of WPANs (e.g., smartphones) to verify the authenticity of interactions with other devices. This work builds on past work in anomaly detection techniques and shows how these techniques can be applied to Bluetooth network traffic. Specifically, we show how to create normality models based on fine- and course-grained insights from network traffic, which can be used to verify the authenticity of future interactions.

Xiaohui Liang, Ronald Peterson, and David Kotz. Securely Connecting Wearables to Ambient Displays with User Intent. IEEE Transactions on Dependable and Secure Computing. July 2020. [Details]

Wearables are often small and have limited user interfaces, hence they often wirelessly interface with a personal smartphone or a personal computer to relay information from the wearable for display. In this paper, we envision a new method LightTouch by which a wearable can establish a secure connection to an ambient display, such as a television or computer monitor, based on the user's intention to connect to the display. Such connections must be secure to prevent impersonation attacks, must work with unmodified display hardware, and must be easy to establish. LightTouch uses standard RF methods for communicating the data to display, securely bootstrapped with a key shared via a brightness channel between the low cost, low power, ambient light sensor of a wearable and the screen of the display. A screen touch gesture is adopted by users to ensure the modulation of screen brightness can be accurately and securely captured by the ambient light sensor. We further propose novel on-screen localization and correlation algorithms to improve security and reliability. Through experiments we demonstrate that LightTouch is compatible with current display and wearable designs, easy-to-use (5-6 seconds), reliable for connecting displays (98 percent success connection ratio), and secure against impersonation attacks.

Xiaohui Liang, Tianlong Yun, Ronald Peterson, and David Kotz. Secure System For Coupling Wearable Devices To Computerized Devices with Displays. U.S. Patent 10,581,606, March 3, 2020. Priority date 2014-08-18, Filed 2015-08-18; Issued 2020-03-03. [Details]

A system has a first electronic device with optical sensor, digital radio transceiver, and processor with firmware; this device is typically portable or wearable. The system also has a computerized device with a display, a second digital radio transceiver, and a second processor with firmware. The first and computerized devices are configured to set up a digital radio link when in radio range. The second processor uses a spot on the display to optically transmit a digital message including a secret such as an encryption key or subkey and/or an authentication code adapted for authenticating an encrypting the radio link. The first device receives the digital message via its optical sensor, and uses the digital message to validate and establish encryption on the radio link. In embodiments, the system determines a location of the first device on the display and positions the transmission spot at the determined location.

Timothy J. Pierson, Xiaohui Liang, Ronald Peterson, and David Kotz. Apparatus for securely configuring a target device and associated methods. U.S. Patent 10,574,298, February 25, 2020. Priority date 2015-06-23 to US15/739,122; filed 2016-06-23; published 2018-07-05 as US20180191403A1; issued 2020-02-25. [Details]

2019:

Timothy J. Pierson, Travis Peters, Ronald Peterson, and David Kotz. Proximity Detection with Single-Antenna IoT Devices. Proceedings of the ACM International Conference on Mobile Computing and Networking (MobiCom). October 2019. [Details]

Providing secure communications between wireless devices that encounter each other on an ad-hoc basis is a challenge that has not yet been fully addressed. In these cases, close physical proximity among devices that have never shared a secret key is sometimes used as a basis of trust; devices in close proximity are deemed trustworthy while more distant devices are viewed as potential adversaries. Because radio waves are invisible, however, a user may believe a wireless device is communicating with a nearby device when in fact the user’s device is communicating with a distant adversary. Researchers have previously proposed methods for multi-antenna devices to ascertain physical proximity with other devices, but devices with a single antenna, such as those commonly used in the Internet of Things, cannot take advantage of these techniques.

We present theoretical and practical evaluation of a method called SNAP -- SiNgle Antenna Proximity -- that allows a single-antenna Wi-Fi device to quickly determine proximity with another Wi-Fi device. Our proximity detection technique leverages the repeating nature Wi-Fi’s preamble and the behavior of a signal in a transmitting antenna’s near-field region to detect proximity with high probability; SNAP never falsely declares proximity at ranges longer than 14 cm.

Sougata Sen, Varun Mishra, and David Kotz. Using vibrations from a SmartRing as an out-of-band channel for sharing secret keys. Adjunct Proceedings of the ACM International Joint Conference on Pervasive and Ubiquitous Computing (UbiComp). September 2019. [Details]

With the rapid growth in the number of Internet of Things (IoT) devices with wireless communication capabilities, and sensitive information collection capabilities, it is becoming increasingly necessary to ensure that these devices communicate securely with only authorized devices. A major requirement of this secure communication is to ensure that both the devices share a secret, which can be used for secure pairing and encrypted communication. Manually imparting this secret to these devices becomes an unnecessary overhead, especially when the device interaction is transient. In this work, we empirically investigate the possibility of using an out-of-band communication channel -- vibration, generated by a custom smartRing -- to share a secret with a compatible IoT device. Through a user study with 12 participants we show that in the best case we can exchange 85.9% messages successfully. Our technique demonstrates the possibility of sharing messages accurately, quickly and securely as compared to several existing techniques.

Timothy J. Pierson, Travis Peters, Ronald Peterson, and David Kotz. CloseTalker: Secure, Short-Range Ad Hoc Wireless Communication. Proceedings of the ACM International Conference on Mobile Systems, Applications, and Services (MobiSys). June 2019. [Details]

Secure communication is difficult to arrange between devices that have not previously shared a secret. Previous solutions to the problem are susceptible to man-in-the-middle attacks, require additional hardware for out-of-band communication, or require an extensive public-key infrastructure. Furthermore, as the number of wireless devices explodes with the advent of the Internet of Things, it will be impractical to manually configure each device to communicate with its neighbors.

Our system, CloseTalker, allows simple, secure, ad hoc communication between devices in close physical proximity, while jamming the signal so it is unintelligible to any receivers more than a few centimeters away. CloseTalker does not require any specialized hardware or sensors in the devices, does not require complex algorithms or cryptography libraries, occurs only when intended by the user, and can transmit a short burst of data or an address and key that can be used to establish long-term or long-range communications at full bandwidth.

In this paper we present a theoretical and practical evaluation of CloseTalker, which exploits Wi-Fi MIMO antennas and the fundamental physics of radio to establish secure communication between devices that have never previously met. We demonstrate that CloseTalker is able to facilitate secure in-band communication between devices in close physical proximity (about 5 cm), even though they have never met nor shared a key.

Emily Greene, Patrick Proctor, and David Kotz. Secure Sharing of mHealth Data Streams through Cryptographically-Enforced Access Control. Journal of Smart Health. April 2019. [Details]

Owners of mobile-health apps and devices often want to share their mHealth data with others, such as physicians, therapists, coaches, and caregivers. For privacy reasons, however, they typically want to share a limited subset of their information with each recipient according to their preferences. In this paper, we introduce ShareHealth, a scalable, usable, and practical system that allows mHealth-data owners to specify access-control policies and to cryptographically enforce those policies so that only parties with the proper corresponding permissions are able to decrypt data. The design and prototype implementation of this system make three contributions: (1) they apply cryptographically-enforced access-control measures to stream-based (specifically mHealth) data, (2) they recognize the temporal nature of mHealth data streams and support revocation of access to part or all of a data stream, and (3) they depart from the vendor- and device-specific silos of mHealth data by implementing a secure end-to-end system that can be applied to data collected from a variety of mHealth apps and devices.

Shrirang Mare, Reza Rawassizadeh, Ronald Peterson, and David Kotz. Continuous Smartphone Authentication using Wristbands. Proceedings of the Workshop on Usable Security (USEC). February 2019. [Details]

Many users find current smartphone authentication methods (PINs, swipe patterns) to be burdensome, leading them to weaken or disable the authentication. Although some phones support methods to ease the burden (such as fingerprint readers), these methods require active participation by the user and do not verify the user’s identity after the phone is unlocked. We propose CSAW, a continuous smartphone authentication method that leverages wristbands to verify that the phone is in the hands of its owner. In CSAW, users wear a wristband (a smartwatch or a fitness band) with built-in motion sensors, and by comparing the wristband’s motion with the phone’s motion, CSAW continuously produces a score indicating its confidence that the person holding (and using) the phone is the person wearing the wristband. This score provides the foundation for a wide range of authentication decisions (e.g., unlocking phone, deauthentication, or limiting phone access). Through two user studies (N=27,11) we evaluated CSAW’s accuracy, usability, and security. Our experimental evaluation demonstrates that CSAW was able to conduct initial authentication with over 99% accuracy and continuous authentication with over 96.5% accuracy.

2018:

Timothy J. Pierson, Travis Peters, Ronald Peterson, and David Kotz. Poster: Proximity Detection with Single-Antenna IoT Devices. Proceedings of the ACM International Conference on Mobile Computing and Networking (MobiCom). October 2018. [Details]

Close physical proximity among wireless devices that have never shared a secret key is sometimes used as a basis of trust. In these cases, devices in close proximity are deemed trustworthy while more distant devices are viewed as potential adversaries. Because radio waves are invisible, however, a user may believe a wireless device is communicating with a nearby device when in fact the user’s device is communicating with a distant adversary. Researchers have previously proposed methods for multi-antenna devices to ascertain physical proximity with other devices, but devices with a single antenna, such as those commonly used in the Internet of Things, cannot take advantage of these techniques. We investigate a method for a single-antenna Wi-Fi device to quickly determine proximity with another Wi-Fi device. Our approach leverages the repeating nature Wi-Fi’s preamble and the characteristics of a transmitting antenna’s near field to detect proximity with high probability. Our method never falsely declares proximity at ranges longer than 14 cm.

Shrirang Mare, Reza Rawassizadeh, Ronald Peterson, and David Kotz. SAW: Wristband-based authentication for desktop computers. Proceedings of the ACM on Interactive, Mobile, Wearable and Ubiquitous Technologies (IMWUT) (Ubicomp). September 2018. [Details]

Token-based proximity authentication methods that authenticate users based on physical proximity are effortless, but lack explicit user intentionality, which may result in accidental logins. For example, a user may get logged in when she is near a computer or just passing by, even if she does not intend to use that computer. Lack of user intentionality in proximity-based methods makes them less suitable for multi-user shared computer environments, despite their desired usability benefits over passwords.

We present an authentication method for desktops called Seamless Authentication using Wristbands (SAW), which addresses the lack of intentionality limitation of proximity-based methods. SAW uses a low-effort user input step for explicitly conveying user intentionality, while keeping the overall usability of the method better than password-based methods. In SAW, a user wears a wristband that acts as the user’s identity token, and to authenticate to a desktop, the user provides a low-effort input by tapping a key on the keyboard multiple times or wiggling the mouse with the wristband hand. This input to the desktop conveys that someone wishes to log in to the desktop, and SAW verifies the user who wishes to log in by confirming the user’s proximity and correlating the received keyboard or mouse inputs with the user’s wrist movement, as measured by the wristband. In our feasibility user study (n=17), SAW proved quick to authenticate (within two seconds), with a low false-negative rate of 2.5% and worst-case false-positive rate of 1.8%. In our user perception study (n=16), a majority of the participants rated it as more usable than passwords.

Travis Peters, Reshma Lal, Srikanth Varadarajan, Pradeep Pappachan, and David Kotz. BASTION-SGX: Bluetooth and Architectural Support for Trusted I/O on SGX. Proceedings of the International Workshop on Hardware and Architectural Support for Security and Privacy (HASP). June 2018. [Details]

This paper presents work towards realizing architectural support for Bluetooth Trusted I/O on SGX-enabled platforms, with the goal of providing I/O data protection that does not rely on system software security. Indeed, we are primarily concerned with protecting I/O from all software adversaries, including privileged software. In this paper we describe the challenges in designing and implementing Trusted I/O at the architectural level for Bluetooth. We propose solutions to these challenges. In addition, we describe our proof-of-concept work that extends existing over-the-air Bluetooth security all the way to an SGX enclave by securing user data between the Bluetooth Controller and an SGX enclave.

Timothy J. Pierson. Secure Short-range Communications. PhD thesis, June 2018. Available as Dartmouth Computer Science Technical Report TR2018-845. [Details]

Analysts predict billions of everyday objects will soon become “smart” after designers add wireless communication capabilities. Collectively known as the Internet of Things (IoT), these newly communication-enabled devices are envisioned to collect and share data among themselves, with new devices entering and exiting a particular environment frequently. People and the devices they wear or carry may soon encounter dozens, possibly hundreds, of devices each day. Many of these devices will be encountered for the first time. Additionally, some of the information the devices share may have privacy or security implications. Furthermore, many of these devices will have limited or non-existent user interfaces, making manual configuration cumbersome. This situation suggests that devices that have never met, nor shared a secret, but that are in the same physical area, must have a way to securely communicate that requires minimal manual intervention. In this dissertation we present novel approaches to solve these short-range communication issues. Our techniques are simple to use, secure, and consistent with user intent. We first present a technique called Wanda that uses radio strength as a communication channel to securely impart information onto nearby devices. We focus on using Wanda to introduce new devices into an environment, but Wanda could be used to impart any type of information onto wireless devices, regardless of device type or manufacturer. Next we describe SNAP, a method for a single-antenna wireless device to determine when it is in close physical proximity to another wireless device. Because radio waves are invisible, a user may believe transmissions are coming from a nearby device when in fact the transmissions are coming from a distant adversary attempting to trick the user into accepting a malicious payload. Our approach significantly raises the bar for an adversary attempting such a trick. Finally, we present a solution called JamFi that exploits MIMO antennas and the Inverse-Square Law to securely transfer data between nearby devices while denying more distant adversaries the ability to recover the data. We find JamFi is able to facilitate reliable and secure communication between two devices in close physical proximity, even though they have never met nor shared a key.

Andrés D. Molina-Markham, Shrirang Mare, Ronald Peterson, Jr., and David Kotz. Continuous seamless mobile device authentication using a separate electronic wearable apparatus. U.S. Patent 9,961,547, May 1, 2018. Priority date 2016-09-30 to US15/281,694; filed 2016-09-30; published 2018-05-01 US9961547B1; issued 2018-05-01. [Details]

A technique performs a security operation. The technique includes receiving first activity data from a mobile device, the first activity data identifying activity by a user that is currently using the mobile device. The technique further includes receiving second activity data from an electronic wearable apparatus, the second activity data identifying physical activity by a wearer that is currently wearing the electronic wearable apparatus. The technique further includes, based on the first activity data received from the mobile device and the second activity data received from the electronic wearable apparatus, performing an assessment operation that provides an assessment result indicating whether the user that is currently using the mobile device and the wearer that is currently wearing the electronic wearable apparatus are the same person. With such a technique, authentication may be continuous but without burdening the user to repeatedly re-enter a password.

Rui Liu, Cory Cornelius, Reza Rawassizadeh, Ronald Peterson, and David Kotz. Vocal Resonance: Using Internal Body Voice for Wearable Authentication. Proceedings of the ACM on Interactive, Mobile, Wearable and Ubiquitous Technologies (IMWUT) (UbiComp). March 2018. [Details]

We observe the advent of body-area networks of pervasive wearable devices, whether for health monitoring, personal assistance, entertainment, or home automation. For many devices, it is critical to identify the wearer, allowing sensor data to be properly labeled or personalized behavior to be properly achieved. In this paper we propose the use of vocal resonance, that is, the sound of the person’s voice as it travels through the person’s body -- a method we anticipate would be suitable for devices worn on the head, neck, or chest. In this regard, we go well beyond the simple challenge of speaker recognition: we want to know who is wearing the device. We explore two machine-learning approaches that analyze voice samples from a small throat-mounted microphone and allow the device to determine whether (a) the speaker is indeed the expected person, and (b) the microphone-enabled device is physically on the speaker’s body. We collected data from 29 subjects, demonstrate the feasibility of a prototype, and show that our DNN method achieved balanced accuracy 0.914 for identification and 0.961 for verification by using an LSTM-based deep-learning model, while our efficient GMM method achieved balanced accuracy 0.875 for identification and 0.942 for verification.

Reza Rawassizadeh, Timothy J. Pierson, Ronald Peterson, and David Kotz. NoCloud: Exploring Network Disconnection through On-Device Data Analysis. IEEE Pervasive Computing. March 2018. [Details]

Application developers often advocate uploading data to the cloud for analysis or storage, primarily due to concerns about the limited computational capability of ubiquitous devices. Today, however, many such devices can still effectively operate and execute complex algorithms without reliance on the cloud. The authors recommend prioritizing on-device analysis over uploading the data to another host, and if on-device analysis is not possible, favoring local network services over a cloud service.

Joseph Carrigan, David Kotz, and Aviel Rubin. STEM Outreach Activity with Fitbit Wearable Devices. Technical Report, February 2018. [Details]

This document provides a toolkit for an STEM outreach activity based on Fitbit wearable fitness devices. The activity is targeted toward high-school students. This document provides guidance preparing for and executing the activity and measuring outcomes. This document contains templates that can be used as is or altered to suit your specific needs.

2017:

David Kotz and Travis Peters. Challenges to ensuring human safety throughout the life-cycle of Smart Environments. Proceedings of the ACM Workshop on the Internet of Safe Things (SafeThings). November 2017. [Details]

The homes, offices, and vehicles of tomorrow will be embedded with numerous “Smart Things,” networked with each other and with the Internet. Many of these Things are embedded in the physical infrastructure, and like the infrastructure they are designed to last for decades -- far longer than is normal with today’s electronic devices. What happens then, when an occupant moves out or transfers ownership of her Smart Environment? This paper outlines the critical challenges required for the safe long-term operation of Smart Environments. How does an occupant identify and decommission all the Things in an environment before she moves out? How does a new occupant discover, identify, validate, and configure all the Things in the environment he adopts? When a person moves from smart home to smart office to smart hotel, how is a new environment vetted for safety and security, how are personal settings migrated, and how are they securely deleted on departure? When the original vendor of a Thing (or the service behind it) disappears, how can that Thing (and its data, and its configuration) be transferred to a new service provider? What interface can enable lay people to manage these complex challenges, and be assured of their privacy, security, and safety? We present a list of key research questions to address these important challenges.

Aarathi Prasad, Xiaohui Liang, and David Kotz. SPICE: Secure Proximity-based Infrastructure for Close Encounters. Proceedings of the ACM Workshop on Mobile Crowdsensing Systems and Applications (CrowdSense). November 2017. [Details]

We present a crowdsourcing system that extends the capabilities of location-based applications and allows users to connect and exchange information with users in spatial and temporal proximity. We define this incident of spatio-temporal proximity as a close encounter. Typically, location-based application users store their information on a server, and trust the server to provide access only to authorized users, not misuse the data or disclose their location history. Our system, called SPICE, addresses these privacy issues by leveraging Wi-Fi access points to connect users and encrypt their information before it is exchanged, so only users in close encounters have access to the information. We present the design of the system and describe the challenges in implementing the protocol in a real-world application.

Timothy J. Pierson, Reza Rawassizadeh, Ronald Peterson, and David Kotz. Secure Information Transfer Between Nearby Wireless Devices. Proceedings of the ACM Workshop on Wireless of the Students, by the Students, and for the Students (S3). October 2017. [Details]

Securely transferring data between two devices that have never previously met nor shared a secret is a difficult task. Previous solutions to the problem are susceptible to well-known attacks or may require extensive infrastructure that may not be suitable for wireless devices such as Internet of Things sensors that do not have advanced computational capabilities.

We propose a new approach: using jamming to thwart adversaries located more than a few centimeters away, while still allowing devices in close physical proximity to securely share data. To accomplish this secure data transfer we exploit MIMO antennas and the Inverse-Square Law.

Emily Greene. ShareABEL: Secure Sharing of mHealth Data through Cryptographically-Enforced Access Control. Technical Report, July 2017. [Details]

Owners of mobile-health apps and devices often want to share their mHealth data with others, such as physicians, therapists, coaches, and caregivers. For privacy reasons, however, they typically want to share a limited subset of their information with each recipient according to their preferences. In this paper, we introduce ShareABEL, a scalable, usable, and practical system that allows mHealth-data owners to specify access-control policies and to cryptographically enforce those policies so that only parties with the proper corresponding permissions are able to decrypt data. The design (and prototype implementation) of this system makes three contributions: (1) it applies cryptographically-enforced access-control measures to wearable healthcare data, which pose different challenges than Electronic Medical Records (EMRs), (2) it recognizes the temporal nature of mHealth data streams and supports revocation of access to part or all of a data stream, and (3) it departs from the vendor- and device-specific silos of mHealth data by implementing a secure end-to-end system that can be applied to data collected from a variety of mHealth apps and devices.

David Kotz. Challenges and Opportunities in Wearable Systems. Proceedings of the Workshop on Wearable Systems and Applications (WearSys). June 2017. [Details]

Wearable systems offer great promise in application domains as varied as healthcare, eldercare, augmented work, education, athletics, entertainment, parenting, travel, and personal productivity. In this keynote lecture I outline some of these opportunities and identify some of the many challenges we face in developing wearable technology that realize those opportunities. Notably, I anticipate wearable technology raising significant security risks and privacy issues--challenges we must address as we design and develop wearable devices, systems, and applications if we hope to see this technology widely accepted and adopted. Strong (and usable) security mechanisms are essential for safety-critical applications; meaningful privacy protections are essential for systems that accompany us through our private and public life. By raising these concerns today, I seek to ensure the wearable systems of tomorrow will have strong and usable security and privacy properties.

Xiaohui Liang and David Kotz. AuthoRing: Wearable User-presence Authentication. Proceedings of the ACM Workshop on Wearable Systems and Applications (WearSys). June 2017. [Details]

A common log-in process at computers involves the entry of username and password; log out depends on the user to remember to log out, or a timeout to expire the user session. Once logged in, user sessions may be vulnerable to imposter attacks in which an impostor steps up to the user’s unattended computer and inherits the user’s access privilege. We propose a ring-based authentication system called “AuthoRing”, which restricts the imposter attackers from generating new inputs at the computer’s mouse and keyboard. During the log-in process, an eligible AuthoRing user wears a digital ring with accelerometers and wireless communication capability. When input is detected at the mouse or keyboard, the computer’s AuthoRing system correlates hand-motion data received from the ring with the input data from the computer’s window manager, and detects imposter attacks when these data are insufficiently correlated. We implemented the AuthoRing system and evaluated its security, efficiency, and usability; we found that imposter attacks can be effectively detected and the required operations happen quickly with negligible delays experienced by the user.

Rui Liu, Cory Cornelius, Reza Rawassizadeh, Ron Peterson, and David Kotz. Poster: Vocal Resonance as a Passive Biometric. Proceedings of the ACM International Conference on Mobile Systems, Applications, and Services (MobiSys). June 2017. [Details]

We present a novel, unobtrusive biometric measurement that can support user identification in wearable body-mounted devices: vocal resonance, that is, the sound of the person’s voice as it travels through the person’s body.

Rui Liu, Reza Rawassizadeh, and David Kotz. Toward Accurate and Efficient Feature Selection for Speaker Recognition on Wearables. Proceedings of the ACM Workshop on Wearable Systems and Applications (WearSys). June 2017. [Details]

Due to the user-interface limitations of wearable devices, voice-based interfaces are becoming more common; speaker recognition may then address the authentication requirements of wearable applications. Wearable devices have small form factor, limited energy budget and limited computational capacity. In this paper, we examine the challenge of computing speaker recognition on small wearable platforms, and specifically, reducing resource use (energy use, response time) by trimming the input through careful feature selections. For our experiments, we analyze four different feature-selection algorithms and three different feature sets for speaker identification and speaker verification. Our results show that Principal Component Analysis (PCA) with frequency-domain features had the highest accuracy, Pearson Correlation (PC) with time-domain features had the lowest energy use, and recursive feature elimination (RFE) with frequency-domain features had the least latency. Our results can guide developers to choose feature sets and configurations for speaker-authentication algorithms on wearable platforms.

Aarathi Prasad and David Kotz. ENACT: Encounter-based Architecture for Contact Tracing. Proceedings of the ACM Workshop on Physical Analytics (WPA). June 2017. [Details]

Location-based sharing services allow people to connect with others who are near them, or with whom they shared a past encounter. Suppose it were also possible to connect with people who were at the same location but at a different time -- we define this scenario as a close encounter, i.e., an incident of spatial and temporal proximity. By detecting close encounters, a person infected with a contagious disease could alert others to whom they may have spread the virus. We designed a smartphone-based system that allows people infected with a contagious virus to send alerts to other users who may have been exposed to the same virus due to a close encounter. We address three challenges: finding devices in close encounters with minimal changes to existing infrastructure, ensuring authenticity of alerts, and protecting privacy of all users. Finally, we also consider the challenges of a real-world deployment.

Xiaohui Liang, Tianlong Yun, Ronald Peterson, and David Kotz. LightTouch: Securely Connecting Wearables to Ambient Displays with User Intent. Proceedings of the IEEE Conference on Computer Communications (INFOCOM). May 2017. [Details]

Wearables are small and have limited user interfaces, so they often wirelessly interface with a personal smartphone/computer to relay information from the wearable for display or other interactions. In this paper, we envision a new method, LightTouch, by which a wearable can establish a secure connection to an ambient display, such as a television or a computer monitor, while ensuring the user’s intention to connect to the display. LightTouch uses standard RF methods (like Bluetooth) for communicating the data to display, securely bootstrapped via the visible-light communication (the brightness channel) from the display to the low-cost, low-power, ambient light sensor of a wearable. A screen ‘touch’ gesture is adopted by users to ensure that the modulation of screen brightness can be securely captured by the ambient light sensor with minimized noise. Wireless coordination with the processor driving the display establishes a shared secret based on the brightness channel information. We further propose novel on-screen localization and correlation algorithms to improve security and reliability. Through experiments and a preliminary user study we demonstrate that LightTouch is compatible with current display and wearable designs, is easy to use (about 6 seconds to connect), is reliable (up to 98% success connection ratio), and is secure against attacks.

David B. Harmon. Cryptographic transfer of sensor data from the Amulet to a smartphone. Technical Report, May 2017. [Details]

The authenticity, confidentiality, and integrity of data streams from wearable healthcare devices are critical to patients, researchers, physicians, and others who depend on this data to measure the effectiveness of treatment plans and clinical trials. Many forms of mHealth data are highly sensitive; in the hands of unintended parties such data may reveal indicators of a patient’s disorder, disability, or identity. Furthermore, if a malicious party tampers with the data, it can affect the diagnosis or treatment of patients, or the results of a research study. Although existing network protocols leverage encryption for confidentiality and integrity, network-level encryption does not provide end-to-end security from the device, through the smartphone and database, to downstream data consumers. In this thesis we provide a new open protocol that provides end-to-end authentication, confidentiality, and integrity for healthcare data in such a pipeline.

We present and evaluate a prototype implementation to demonstrate this protocol’s feasibility on low-power wearable devices, and present a case for the system’s ability to meet critical security properties under a specific adversary model and trust assumptions.

2016:

David Kotz, Carl A. Gunter, Santosh Kumar, and Jonathan P. Weiner. Privacy and Security in Mobile Health: A Research Agenda. Computer. June 2016. [Details]

Mobile health technology has great potential to increase healthcare quality, expand access to services, reduce costs, and improve personal wellness and public health. However, mHealth also raises significant privacy and security challenges.

Timothy J. Pierson, Xiaohui Liang, Ronald Peterson, and David Kotz. Demo: Wanda, securely introducing mobile devices. Proceedings of the International Conference on Mobile Systems, Applications, and Services (MobiSys). June 2016. [Details]

Nearly every setting is increasingly populated with wireless and mobile devices -- whether appliances in a home, medical devices in a health clinic, sensors in an industrial setting, or devices in an office or school. There are three fundamental operations when bringing a new device into any of these settings: (1) to configure the device to join the wireless local-area network, (2) to partner the device with other nearby devices so they can work together, and (3) to configure the device so it connects to the relevant individual or organizational account in the cloud. The challenge is to accomplish all three goals simply, securely, and consistent with user intent. We developed Wanda -- a ‘magic wand’ that accomplishes all three of the above goals -- and will demonstrate a prototype implementation.

Shrirang Mare. Seamless Authentication for Ubiquitous Devices. PhD thesis, May 2016. Available as Dartmouth Computer Science Technical Report TR2016-793. [Details]

User authentication is an integral part of our lives; we authenticate ourselves to personal computers and a variety of other things several times a day. Authentication is burdensome. When we wish to access to a computer or a resource, it is an additional task that we need to perform -- an interruption in our workflow. In this dissertation, we study people’s authentication behavior and attempt to make authentication to desktops and smartphones less burdensome for users.

First, we present the findings of a user study we conducted to understand people’s authentication behavior: things they authenticate to, how and when they authenticate, authentication errors they encounter and why, and their opinions about authentication. In our study, participants performed about 39 authentications per day on average; the majority of these authentications were to personal computers (desktop, laptop, smartphone, tablet) and with passwords, but the number of authentications to other things (e.g., car, door) was not insignificant. We saw a high failure rate for desktop and laptop authentication among our participants, affirming the need for a more usable authentication method. Overall, we found that authentication was a noticeable part of all our participants’ lives and burdensome for many participants, but they accepted it as cost of security, devising their own ways to cope with it.

Second, we propose a new approach to authentication, called bilateral authentication, that leverages wrist-wearable technology to enable seamless authentication for things that people use with their hands, while wearing a smart wristband. In bilateral authentication two entities (e.g., user’s wristband and the user’s phone) share their knowledge (e.g., about user’s interaction with the phone) to verify the user’s identity. Using this approach, we developed a seamless authentication method for desktops and smartphones. Our authentication method offers quick and effortless authentication, continuous user verification while the desktop (or smartphone) is in use, and automatic deauthentication after use. We evaluated our authentication method through four in-lab user studies, evaluating the method’s usability and security from the system and the user’s perspective. Based on the evaluation, our authentication method shows promise for reducing users’ authentication burden for desktops and smartphones.

Aarathi Prasad. Privacy-preserving controls for sharing mHealth data. PhD thesis, May 2016. Available as Dartmouth Computer Science Technical Report TR2016-794. [Details]

Mobile devices allow people to collect and share health and health-related information with recipients such as health providers, family and friends, employers and insurance companies, to obtain health, emotional or financial benefits. People may consider certain health information sensitive and prefer to disclose only what is necessary. In this dissertation, we present our findings about factors that affect people’s sharing behavior, describe scenarios in which people may wish to collect and share their personal health-related information with others, but may be hesitant to disclose the information if necessary controls are not available to protect their privacy, and propose frameworks to provide the desired privacy controls. We introduce the concept of close encounters that allow users to share data with other people who may have been in spatio-temporal proximity. We developed two smartphone-based systems that leverage stationary sensors and beacons to determine whether users are in spatio-temporal proximity. The first system, ENACT, allows patients diagnosed with a contagious airborne disease to alert others retrospectively about their possible exposure to airborne virus. The second system, SPICE, allows users to collect sensor information, retrospectively, from others with whom they shared a close encounter. We present design and implementation of the two systems, analyse their security and privacy guarantees, and evaluate the systems on various performance metrics. Finally, we evaluate how Bluetooth beacons and Wi-Fi access points can be used in support of these systems for close encounters, and present our experiences and findings from a deployment study on Dartmouth campus.

Timothy J. Pierson, Xiaohui Liang, Ronald Peterson, and David Kotz. Wanda: securely introducing mobile devices. Proceedings of the IEEE Conference on Computer Communications (INFOCOM). April 2016. [Details]

Nearly every setting is increasingly populated with wireless and mobile devices -- whether appliances in a home, medical devices in a health clinic, sensors in an industrial setting, or devices in an office or school. There are three fundamental operations when bringing a new device into any of these settings: (1) to configure the device to join the wireless local-area network, (2) to partner the device with other nearby devices so they can work together, and (3) to configure the device so it connects to the relevant individual or organizational account in the cloud. The challenge is to accomplish all three goals simply, securely, and consistent with user intent. We present a novel approach we call Wanda -- a ‘magic wand’ that accomplishes all three of the above goals -- and evaluate a prototype implementation.

Bingyue Wang. Learning Device Usage in Context: A Continuous and Hierarchical Smartphone Authentication Scheme. Technical Report, March 2016. [Details]

Popular smartphone authentication schemes, such as PIN-based or biometrics-based authentication methods, require only an initial login at the start of a usage session to authorize the user to use all the apps on the phone during the entire session. Those schemes fail to provide continuous protection of the smartphone after the initial login. They also fail to meet the hierarchy of security requirements for different apps under different contexts. In this study, we propose a continuous and hierarchical authentication scheme. We believe that a user’s app-usage patterns depend on his location context. As such, our scheme relies on app-usage patterns in different location context to continuously establish the log probability density (LPD) of the authenticity of the current user. Based on different LPD thresholds corresponding to different security requirements, the current user either has a LPD higher than the threshold, which grants him continuous access to the phone or the app, or he has a LPD lower than the threshold, which locks him out of the phone or the app immediately. We test our scheme on 4,600 subjects from the Device Analyzer Dataset. We found that our scheme could correctly identify the authenticity of the majority of the subjects. However, app-usage patterns with or without location context yielded similar performances, indicating that user contexts did not contribute further information to establish user behavioral patterns. Based on our scheme, we propose a hypothetical Android app which would provide continuous and hierarchical authentication for the smartphone users.

Timothy J. Pierson, Xiaohui Liang, Ronald Peterson, and David Kotz. Wanda: securely introducing mobile devices (Extended version). Technical Report, February 2016. Expanded version of the INFOCOM 2016 paper by the same title. [Details]

Nearly every setting is increasingly populated with wireless and mobile devices -- whether appliances in a home, medical devices in a health clinic, sensors in an industrial setting, or devices in an office or school. There are three fundamental operations when bringing a new device into any of these settings: (1) to configure the device to join the wireless local-area network, (2) to partner the device with other nearby devices so they can work together, and (3) to configure the device so it connects to the relevant individual or organizational account in the cloud. The challenge is to accomplish all three goals simply, securely, and consistent with user intent. We present a novel approach we call Wanda -- a ‘magic wand’ that accomplishes all three of the above goals -- and evaluate a prototype implementation. This Tech Report contains supplemental information to our INFOCOM 2016 paper titled, “Wanda: securely introducing mobile devices.” Much of the additional information is in Section II, III, and VI.

2015:

David Kotz, Kevin Fu, Carl Gunter, and Avi Rubin. Security for Mobile and Cloud Frontiers in Healthcare. Communications of the ACM. August 2015. [Details]

Designers and developers of healthcare information technologies must address preexisting security vulnerabilities and undiagnosed future threats.

2014:

Xiaohui Liang and David Kotz. Securely Connecting Wearable Health Devices to External Displays. Proceedings of the USENIX Summit on Health Information Technologies (HealthTech). August 2014. No paper -- workshop presentation only. [Details]

Wearable health technology is becoming a hot commodity as it has the potential to help both patients and clinicians continuously monitor vital signs and symptoms. One popular type of wearable devices are worn on human wrist and are equipped with sensors to passively perform sensing tasks. Their constrained user interface, however, is ineffective to display the sensory data for users. We envision connecting a wrist-worn device to a display device, such as a television, so the user is able to view the sensory data. Such connections must be secure to prevent the sensory data from being eavesdropped by other devices, must be made only when the user intends, and must be easy even when a new display is encountered (such as in a medical clinic, or a hotel room). In this presentation, we will discuss the secure wearable/display connection problem by revisiting existing methods and hardware designs of wrist-worn devices and display devices. We then present possible solutions that leverage the built-in hardware components of wrist-worn devices to implement, secure, intentional, easy connections to ambient display devices.

Aarathi Prasad, Xiaohui Liang, and David Kotz. Poster: Balancing Disclosure and Utility of Personal Information. Proceedings of the International Conference on Mobile Systems, Applications, and Services (MobiSys). June 2014. [Details]

The ubiquity of smartphones and mobile and wearable devices allow people to collect information about their health, wellness and lifestyle and share with others. If it is not clear what they need to share to receive benefits, subjects (people whose information is collected) might share too much, thus disclosing unnecessary private information. On the other hand, concerned about disclosing personal information, subjects might share less than what the recipient needs and lose the opportunity to enjoy the benefits. This balance of disclosure and utility is important when the subject wants to receive some benefits, but is concerned about disclosing private information.

We address this problem of balancing disclosure and utility of personal information collected by mobile technologies. We believe subjects can decide how best to share their information if they are aware of the benefits and risks of sharing. We developed ShareBuddy, a privacy-aware architecture that allows recipients to request information and specify the benefits the subjects will receive for sharing each piece of requested information; the architecture displays these benefits and warns subjects about the risks of sharing. We describe the ShareBuddy architecture in this poster.

2013:

David Kotz, Michael Bailey, Roy Campbell, Steve Checkoway, Kevin Fu, Carl Gunter, Peter Honeyman, Eric Johnson, Darren Lacey, Carl Landwehr, Lisa Marsch, Klara Nahrstedt, Avi Rubin, and Jonathan Weiner. Five trends in healthcare IT – and their implications for security. Blog post on thaw.org, July 17, 2013. [Details]

In the previous post we described the current landscape for healthcare information technology. In this post, we note how healthcare information systems increasingly face daunting security challenges due to five economic and technological trends. First, the locus of care is shifting, as the healthcare system seeks more efficient and less-expensive ways to care for patients, particularly outpatients with chronic conditions. Second, strong economic incentives are pushing health providers to innovate by rewarding providers for keeping their patient population healthy, rather than paying only to fix patients when they are ill. Third, the treatment of chronic conditions and the implementation of prevention plans entail more continuous patient monitoring, outside of the clinical setting. Fourth, mobile consumer devices (smartphones and tablets) are quickly being adopted for health & wellness applications, both by caregivers and patients, in addition to their many other uses – making it difficult to protect sensitive health-related data and functions from the risks posed by a general-purpose Internet device. Finally, significant emerging threats are targeting healthcare information systems, while new regulations strive to protect medical integrity and patient privacy.

David Kotz, Michael Bailey, Roy Campbell, Steve Checkoway, Kevin Fu, Carl Gunter, Peter Honeyman, Eric Johnson, Darren Lacey, Carl Landwehr, Lisa Marsch, Klara Nahrstedt, Avi Rubin, and Jonathan Weiner. The healthcare IT landscape. Blog post on thaw.org, July 10, 2013. [Details]

The dynamic healthcare ecosystem and rapid technology evolution lead to new challenges in securing tomorrow’s healthcare information infrastructure.

THaW: Trustworthy Health and Wellness (2013-2020)

Summary