BibTeX for papers by David Kotz; for complete/updated list see https://www.cs.dartmouth.edu/~kotz/research/papers.html @InProceedings{zegeye:icnet25, author = {Wondimu K. Zegeye and Ravindra Mangar and Jingyu Qian and Vinton Morris and Mounib Khanafer and Kevin Kornegay and Timothy J. Pierson and David Kotz}, title = {Comparing smart-home devices that use the Matter protocol}, booktitle = {Proceedings of the International Workshop on Intelligent Communication Network Technologies (ICNET'25)}, year = 2025, month = {January}, publisher = {IEEE}, copyright = {IEEE}, URL = {https://www.cs.dartmouth.edu/~kotz/research/zegeye-icnet25/index.html}, note = {Accepted for publication}, abstract = {This paper analyzes Google Home, Apple HomeKit, Samsung SmartThings, and Amazon Alexa platforms, focusing on their integration with the Matter protocol. Matter is a connectivity standard developed by the Connectivity Standards Alliance (CSA) for the smart-home industry. By examining key features and qualitative metrics, this study aims to provide valuable insights for consumers and industry professionals in making informed decisions about smart-home devices. We conducted (from May to August 2024) a comparative analysis to explore how Google Home Nest, Apple Homepod Mini, Samsung SmartThings station, and Amazon Echo Dot platforms leverage the power of Matter to provide seamless and integrated smart-home experiences.}, } @InProceedings{arguello:battery, author = {Cesar Arguello and Beatrice Perez and Timothy J. Pierson and David Kotz}, title = {Detecting Battery Cells with Harmonic Radar}, booktitle = {Proceedings of the ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec)}, year = 2024, month = {May}, pages = {231--236}, publisher = {ACM}, copyright = {ACM}, DOI = {10.1145/3643833.3656137}, URL = {https://www.cs.dartmouth.edu/~kotz/research/arguello-battery/index.html}, abstract = {Harmonic radar systems have been shown to be an effective method for detecting the presence of electronic devices, even if the devices are powered off. Prior work has focused on detecting specific non-linear electrical components (such as transistors and diodes) that are present in any electronic device. In this paper we show that harmonic radar is also capable of detecting the presence of batteries. We tested a proof-of-concept system on Alkaline, NiMH, Li-ion, and Li-metal batteries. With the exception of Li-metal coin cells, the prototype harmonic radar detected the presence of batteries in our experiments with 100\% accuracy.}, } @InProceedings{he:ci-survey, author = { Weijia He and Nathan Reitinger and Atheer Almogbil and Yi-Shyuan Chiang and Timothy J. Pierson and David Kotz }, title = {Contextualizing Interpersonal Data Sharing in Smart Homes}, booktitle = {Proceedings of the Privacy Enhancing Technologies Symposium (PETS)}, year = 2024, month = {July}, volume = 2024, number = 2, pages = {295--312}, copyright = {Creative Commons Attribution 4.0}, DOI = {10.56553/popets-2024-0051}, URL = {https://www.cs.dartmouth.edu/~kotz/research/he-ci-survey/index.html}, abstract = { A key feature of smart home devices is monitoring the environment and recording data. These devices provide security via motion-detection video alerts, cost-savings via thermostat usage history, and peace of mind via functions like auto-locking doors or water leak detectors. At the same time, the sharing of this information in interpersonal relationships---though necessary---is currently accomplished on an all-or-nothing basis. This can easily lead to oversharing in a multi-user environment. Although prior work has studied people's perceptions of information sharing with vendors or ISPs, the sharing of household data among users who interact personally is less well understood. Interpersonal situations make data sharing much more context-based and, thus, more complicated. In this paper, we use themes from the theory of contextual integrity in an online survey (n{$=$}1,992) to study how people perceive data sharing with others in smart homes and inform future designs and research. Our results show that data recipients in a smart home can be reduced to three major groups, and data types matter more than device types. We also found that the types of access control desired by users can vary from scenario to scenario. Depending on whom they are sharing data with and about what data, participants expressed varying levels of comfort when presented with different types of access control (e.g., explicit approval versus time-limited access). Taken together, this provides strong evidence that a more dynamic access control system is needed, and we can design it in a more usable way.}, } @InProceedings{jois:sigcse, author = {Tushar Jois and Tina Pavlovich and Brigid McCarron and David Kotz and Timothy Pierson}, title = {Smart Use of Smart Devices in Your Home: A Smart Home Security and Privacy Workshop for the General Public}, booktitle = {Proceedings of the ACM Technical Symposium on Computer Science Education (SIGCSE)}, year = 2024, month = {March}, pages = {611--617}, publisher = {ACM}, copyright = {ACM}, DOI = {10.1145/3626252.3630925}, URL = {https://www.cs.dartmouth.edu/~kotz/research/jois-sigcse/index.html}, abstract = {With 'smart' technology becoming more prevalent in homes, computing is increasingly embedded into everyday life. The benefits are well-advertised, but the risks associated with these technologies are not as clearly articulated. We aim to address this gap by educating community members on some of these risks, and providing actionable advice to mitigate risks. To this end, we describe our efforts to design and implement a hands-on workshop for the public on smart-home security and privacy. \par Our workshop curriculum centers on the smart-home device lifecycle: obtaining, installing, using, and removing devices in a home. For each phase of the lifecycle, we present possible vulnerabilities along with preventative measures relevant to a general audience. We integrate a hands-on activity for participants to put best-practices into action throughout the presentation. \par We ran our designed workshop at a science museum in June 2023, and used participant surveys to evaluate the effectiveness of our curriculum. Prior to the workshop, 38.8\% of survey responses did not meet learning objectives, 22.4\% partially met them, and 38.8\% fully met them. After the workshop, only 9.2\% of responses did not meet learning objectives, while 29.6\% partially met them and 61.2\% fully met them. Our experience shows that consumer-focused workshops can aid in bridging information gaps and are a promising form of outreach.}, } @InProceedings{khanafer:discovery, author = {Mounib Khanafer and Logan Kostick and Chixiang Wang and Wondimu Zegeye and Weijia He and Berkay Kaplan and Nurzaman Ahmed and Kevin Kornegay and David Kotz and Timothy Pierson}, title = {Device Discovery in the Smart Home Environment}, booktitle = {Proceedings of the IEEE/ACM Workshop on the Internet of Safe Things (SafeThings)}, year = 2024, month = {May}, pages = {298--304}, publisher = {IEEE}, copyright = {IEEE}, DOI = {10.1109/SPW63631.2024.10705647}, URL = {https://www.cs.dartmouth.edu/~kotz/research/khanafer-discovery/index.html}, abstract = {With the availability of Internet of Things (IoT) devices offering varied services, smart home environments have seen widespread adoption in the last two decades. Protecting privacy in these environments becomes an important problem because IoT devices may collect information about the home's occupants without their knowledge or consent. Furthermore, a large number of devices in the home, each collecting small amounts of data, may, in aggregate, reveal non-obvious attributes about the home occupants. A first step towards addressing privacy is discovering what devices are present in the home. In this paper, we formally define device discovery in smart homes and identify the features that constitute discovery in that environment. Then, we propose an evaluative rubric that rates smart home technology initiatives on their device discovery capabilities and use it to evaluate four commonly deployed technologies. We find none cover all device discovery aspects. We conclude by proposing a combined technology solution that provides comprehensive device discovery tailored to smart homes.}, } @Article{mangar:framework, author = {Ravindra Mangar and Timothy J. Pierson and David Kotz}, title = {A framework for evaluating the security and privacy of smart-home devices, and its application to common platforms}, journal = {IEEE Pervasive Computing}, year = 2024, month = {July}, volume = 23, number = 3, pages = {7--19}, publisher = {IEEE}, copyright = {the authors}, DOI = {10.1109/MPRV.2024.3421668}, URL = {https://www.cs.dartmouth.edu/~kotz/research/mangar-framework/index.html}, abstract = {In this article, we outline the challenges associated with the widespread adoption of smart devices in homes. These challenges are primarily driven by scale and device heterogeneity: a home may soon include dozens or hundreds of devices, across many device types, and may include multiple residents and other stakeholders. We develop a framework for reasoning about these challenges based on the deployment, operation, and decommissioning life cycle stages of smart devices within a smart home. We evaluate the challenges in each stage using the well-known CIA triad---Confidentiality, Integrity, and Availability. In addition, we highlight open research questions at each stage. Further, we evaluate solutions from Apple and Google using our framework and find notable shortcomings in these products. Finally, we sketch some preliminary thoughts on a solution for the smart home of the near future.}, } @InProceedings{mangar:testbed, author = {Ravindra Mangar and Jingyu Qian and Wondimu Zegeye and Mounib Khanafer and Abdulrahman AlRabah and Ben Civjan and Shalni Sundram and Sam Yuan and Carl Gunter and Kevin Kornegay and Timothy J. Pierson and David Kotz}, title = {Designing and Evaluating a Testbed for the Matter Protocol: Insights into User Experience}, booktitle = {Proceedings of the NDSS Workshop on Security and Privacy in Standardized IoT (SDIoTSec)}, year = 2024, month = {February}, publisher = {NDSS}, copyright = {the authors}, DOI = {10.14722/sdiotsec.2024.23012}, URL = {https://www.cs.dartmouth.edu/~kotz/research/mangar-testbed/index.html}, note = {Distinguished Paper Award}, abstract = {As the integration of smart devices into our daily environment accelerates, the vision of a fully integrated smart home is becoming more achievable through standards such as the Matter protocol. In response, this research paper explores the use of Matter in addressing the heterogeneity and interoperability problems of smart homes. We built a testbed and introduce a network utility device, designed to sniff network traffic and provide a wireless access point within IoT networks. This paper also presents experience of students using the testbed in an academic scenario.}, } @Article{pierson:inspector, author = {Timothy J. Pierson and Cesar Arguello and Beatrice Perez and Wondimu Zegeye and Kevin Kornegay and Carl Gunter and David Kotz}, title = {We need a ``building inspector for IoT'' when smart homes are sold}, journal = {IEEE Security \& Privacy}, year = 2024, month = {Nov-Dec.}, volume = 22, number = 6, pages = {75--84}, publisher = {IEEE}, copyright = {Open access}, DOI = {10.1109/MSEC.2024.3386467}, URL = {https://www.cs.dartmouth.edu/~kotz/research/pierson-inspector/index.html}, abstract = {Internet of Things (IoT) devices left behind when a home is sold create security and privacy concerns for both prior and new residents. We envision a specialized ``building inspector for IoT'' to help securely facilitate transfer of the home.}, } @Article{wang:insideout, author = {Chixiang Wang and Weijia He and Timothy Pierson and David Kotz}, title = {Moat: Adaptive Inside/Outside Detection System for Smart Homes}, journal = {Proceedings of the ACM on Interactive, Mobile, Wearable and Ubiquitous Technologies (IMWUT)}, year = 2024, month = {September}, volume = 8, number = 4, articleno = 157, numpages = 31, publisher = {ACM}, copyright = {ACM}, DOI = {10.1145/3699751}, URL = {https://www.cs.dartmouth.edu/~kotz/research/wang-insideout/index.html}, abstract = {Smart-home technology is now pervasive, demanding increased attention to the security of the devices and the privacy of the home's residents. To assist residents in making security and privacy decisions - e.g., whether to allow a new device to connect to the network, or whether to be alarmed when an unknown device is discovered - it helps to know whether the device is inside the home, or outside. \par In this paper we present MOAT, a system that leverages Wi-Fi sniffers to analyze the physical properties of a device's wireless transmissions to infer whether that device is located inside or outside of a home. MOAT can adaptively self-update to accommodate changes in the home indoor environment to ensure robust long-term performance. Notably, MOAT does not require prior knowledge of the home's layout or cooperation from target devices, and is easy to install and configure. \par We evaluated MOAT in four different homes with 21 diverse commercial smart devices and achieved an overall balanced accuracy rate of up to 95.6\%. Our novel periodic adaptation technique allowed our approach to maintain high accuracy even after rearranging furniture in the home. MOAT is a practical and efficient first step for monitoring and managing devices in a smart home. }, } @InProceedings{wang:onboarding, author = {Chixiang Wang and Liam Cassidy and Weijia He and Timothy J. Pierson and David Kotz}, title = {Challenges and opportunities in onboarding smart-home devices}, booktitle = {Proceedings of the International Workshop on Mobile Computing Systems and Applications (HotMobile)}, year = 2024, month = {February}, pages = {60--65}, publisher = {ACM}, copyright = {ACM}, DOI = {10.1145/3638550.3641137}, URL = {https://www.cs.dartmouth.edu/~kotz/research/wang-onboarding/index.html}, abstract = {Smart-home devices have become integral to daily routines, but their onboarding procedures - setting up a newly acquired smart device into operational mode - remain understudied. The heterogeneity of smart-home devices and their onboarding procedure can easily overwhelm users when they scale up their smart-home system. While Matter, the new IoT standard, aims to unify the smart-home ecosystem, it is still evolving, resulting in mixed compliance among devices. In this paper, we study the complexity of device onboarding from users' perspectives. We thus performed cognitive walkthroughs on 12 commercially available smart-home devices, documenting the commonality and distinctions of the onboarding process across these devices. We found that onboarding smart home devices can often be tedious and confusing. Users must devote significant time to creating an account, searching for the target device, and providing Wi-Fi credentials for each device they install. Matter-compatible devices are supposedly easier to manage, as they can be registered through one single hub independent of the vendor. Unfortunately, we found such a statement is not always true. Some devices still need their own companion apps and accounts to fully function. Based on our observations, we give recommendations about how to support a more user-friendly onboarding process.}, } @Misc{perez:scanner-patent, author = {Beatrice Perez and Timothy Pierson and Gregory Mazzaro and David Kotz}, title = {Harmonic Radar Scanner for Electronics}, howpublished = {Patent Application 18/749,826, published as US2024/0426974}, year = 2024, month = {December}, day = 26, URL = {https://www.cs.dartmouth.edu/~kotz/research/perez-scanner-patent/index.html}, note = {Priority date 6/21/23; filed 6/21/24; published 12/26/24}, abstract = {In an embodiment, a harmonic radar system for detecting an electronic device includes a signal generator that generates one or more transmit radio frequency (RF) signals, a transmitting antenna for sending the transmit RF signals into an environment, a receiving antenna for receiving signals re-radiated by the electronic device in the environment in response to the transmit RF signals, and a spectrum analyzer for identifying a harmonic frequency of the transmit RF signals in the filtered signals. \par In another embodiment, a harmonic radar system for detecting an electronic device including a signal generator that generates a transmit radio frequency (RF) signal, a coupler for receiving the transmit RF signal, an antenna for (i) transmitting the transmit RF signal from the coupler into an environment including the electronic device and (ii) receiving signals re-radiated by the electronic device in response to the transmit RF signals and sending them to the coupler, and a spectrum analyzer for identifying a harmonic frequency of the transmit RF signals in the received signals. \par A method of using a harmonic radar system for detecting an electronic device includes generating a transmit radio frequency (RF) signal, transmitting the transmit RF signal into an environment including the electronic device, receiving a signal re-radiated by the electronic device in response to the transmit RF signal, removing environmental and system-generated noise from received signal, and identifying a harmonic frequency of the transmit RF signal in the received signal.}, } @Misc{pierson:snap-patent, author = {Timothy J. Pierson and Ronald Peterson and David F. Kotz}, title = {System and method for proximity detection with single-antenna device}, howpublished = {U.S. Patent 11,871,233; International Patent Application WO2019210201A1}, year = 2024, month = {January}, day = 9, URL = {https://www.cs.dartmouth.edu/~kotz/research/pierson-snap-patent/index.html}, note = {Priority date 2018-04-27; Filed 2019-04-26; Published 2021-07-29, Issued 2024-01-09}, abstract = {A single-antenna device includes a single antenna, at least one processor, and at least one memory. The single-antenna device is operable to receive a signal including at least one frame. Each of said frame includes a repeating portion. The single-antenna device determines a difference of phase and amplitude of the repeating portion and further determines whether the signal is transmitted from a trusted source based at least in part on the difference of phase and amplitude of the repeating portion.}, } @Misc{pierson:closetalker-patent2, author = {Timothy J. Pierson and Ronald Peterson and David Kotz}, title = {Apparatuses, Methods, and Software For Secure Short-Range Wireless Communication}, howpublished = {U.S. Patent 11,894,920}, year = 2024, month = {February}, day = 6, URL = {https://www.cs.dartmouth.edu/~kotz/research/pierson-closetalker-patent2/index.html}, note = {Priority date 2017-09-06; WO Filed 2018-09-06, US Filed 2020-02-26, Continuation of 11,153,026; Issued 2024-02-06}, abstract = {Apparatuses that provide for secure wireless communications between wireless devices under cover of one or more jamming signals. Each such apparatus includes at least one data antenna and at least one jamming antenna. During secure-communications operations, the apparatus transmits a data signal containing desired data via the at least one data antenna while also at least partially simultaneously transmitting a jamming signal via the at least one jamming antenna. When a target antenna of a target device is in close proximity to the data antenna and is closer to the data antenna than to the jamming antenna, the target device can successfully receive the desired data contained in the data signal because the data signal is sufficiently stronger than the jamming signal within a finite secure-communications envelope due to the Inverse Square Law of signal propagation. Various related methods and machine-executable instructions are also disclosed.}, } @InProceedings{perez:identification, author = {Beatrice Perez and Timothy J. Pierson and Gregory Mazzaro and David Kotz}, title = {Identification and Classification of Electronic Devices Using Harmonic Radar}, booktitle = {Proceedings of the Distributed Computing in Smart Systems and the Internet of Things (DCOSS-IoT)}, year = 2023, month = {June}, pages = {248--255}, publisher = {IEEE}, copyright = {IEEE}, DOI = {10.1109/DCOSS-IoT58021.2023.00050}, URL = {https://www.cs.dartmouth.edu/~kotz/research/perez-identification/index.html}, abstract = { Smart home electronic devices invisibly collect, process, and exchange information with each other and with remote services, often without a home occupants' knowledge or consent. These devices may be mobile or fixed and may have wireless or wired network connections. Detecting and identifying all devices present in a home is a necessary first step to control the flow of data, but there exists no universal mechanism to detect and identify all electronic devices in a space. In this paper we present ICED (Identification and Classification of Electronic Devices), a system that can (i) identify devices from a known set of devices, and (ii) detect the presence of previously unseen devices. ICED, based on harmonic radar technology, collects measurements at the first harmonic of the radar's transmit frequency. We find that the harmonic response contains enough information to infer the type of device. It works when the device has no wireless network interface, is powered off, or attempts to evade detection. We evaluate performance on a collection of 17 devices and find that by transmitting a range of frequencies we correctly identify known devices with 97.6\% accuracy and identify previously unseen devices as `unknown' with 69.0\% balanced accuracy.}, } @InProceedings{perez:range, author = {Beatrice Perez and Cesar Arguello and Timothy J. Pierson and Gregory Mazzaro and David Kotz}, title = {Evaluating the practical range of harmonic radar to detect smart electronics}, booktitle = {Proceedings of the IEEE Military Communications Conference (MILCOM)}, year = 2023, month = {October}, pages = {528--535}, publisher = {IEEE}, copyright = {IEEE}, DOI = {10.1109/MILCOM58377.2023.10356371}, URL = {https://www.cs.dartmouth.edu/~kotz/research/perez-range/index.html}, abstract = {Prior research has found that harmonic radar systems are able to detect the presence of electronic devices, even if the devices are powered off. These systems could be a powerful tool to help mitigate privacy invasions. For example, in a rental property devices such as cameras or microphones may be surreptitiously placed by a landlord to monitor renters without their knowledge or consent. A mobile harmonic radar system may be able to quickly scan the property and locate all electronic devices. The effective range of these systems for detecting consumer-grade electronics, however, has not been quantified. We address that shortcoming in this paper and evaluate a prototype harmonic radar system. We find the system, a variation of what has been proposed in the literature, is able to reliably detect some devices at a range of about two meters. We discuss the effect of hardware on the range of detection and propose an algorithm for automated detection.}, } @Misc{pierson:wanda-patent2, author = {Timothy J. Pierson and Xiaohui Liang and Ronald Peterson and David Kotz}, title = {Apparatus for securely configuring a target device}, howpublished = {U.S. Patent 11,683,071}, year = 2023, month = {June}, day = 20, URL = {https://www.cs.dartmouth.edu/~kotz/research/pierson-wanda-patent2/index.html}, note = {Continuation of U.S. Patent 10,574,298. Priority date 2015-06-23; Filed 2020-01-20; Allowed 2023-02-10; Issued 2023-06-20}, abstract = {Apparatus and method securely transfer first data from a source device to a target device. A wireless signal having (a) a higher speed channel conveying second data and (b) a lower speed channel conveying the first data is transmitted. The lower speed channel is formed by selectively transmitting the wireless signal from one of a first and second antennae of the source device based upon the first data. The first and second antenna are positioned a fixed distance apart and the target device uses a received signal strength indication (RSSI) of the first signal to decode the lower speed channel and receive the first data.}, } @Misc{mare:saw-patent, author = {Shrirang Mare and David Kotz and Ronald Peterson}, title = {Effortless authentication for desktop computers using wrist wearable tokens}, howpublished = {U.S. Patent 11,574,039}, year = 2023, month = {February}, day = 7, URL = {https://www.cs.dartmouth.edu/~kotz/research/mare-saw-patent/index.html}, note = {Priority date 2018-07-20; International application Filed 2019-07-19; National stage Filed 2021-01-20; Issued 2023-02-07}, abstract = {A system and method for authenticating users of a digital device includes an authentication device attached to an authorized user. The authentication device includes one or more motion sensors and acts as a user identity token. To authenticate with a digital device, the user performs one or more interactions with the digital device using the hand associated with the authentication device. The digital device correlates the inputs received due to the interactions with the user's hand and/or wrist movement, as measured by the authentication device. Access to the digital device is allowed if the inputs and movements are correlated.}, } @PhdThesis{hardin:thesis, author = {Taylor Hardin}, title = {Information Provenance for Mobile Health Data}, school = {Dartmouth Computer Science}, year = 2022, month = {May}, copyright = {the author}, address = {Hanover, NH}, URL = {https://www.cs.dartmouth.edu/~kotz/research/hardin-thesis/index.html}, abstract = { Mobile health (mHealth) apps and devices are increasingly popular for health research, clinical treatment and personal wellness, as they offer the ability to continuously monitor aspects of individuals' health as they go about their everyday activities. Many believe that combining the data produced by these mHealth apps and devices may give healthcare-related service providers and researchers a more holistic view of an individual's health, increase the quality of service, and reduce operating costs. For such mHealth data to be considered useful though, data consumers need to be assured that the authenticity and the integrity of the data has remained intact --- especially for data that may have been created through a series of aggregations and transformations on many input data sets. In other words, \emph{information provenance} should be one of the main focuses for any system that wishes to facilitate the sharing of sensitive mHealth data. Creating such a trusted and secure data sharing ecosystem for mHealth apps and devices is difficult, however, as they are implemented with different technologies and managed by different organizations. Furthermore, many mHealth devices use ultra-low-power micro-controllers, which lack the kinds of sophisticated Memory Management Units (MMUs) required to sufficiently isolate sensitive application code and data. \par In this thesis, we present an end-to-end solution for providing information provenance for mHealth data, which begins by securing mHealth data at its source: the mHealth device. To this end, we devise a memory-isolation method that combines compiler-inserted code and Memory Protection Unit (MPU) hardware to protect application code and data on ultra-low-power micro-controllers. Then we address the security of mHealth data outside of the source (e.g., data that has been uploaded to smartphone or remote-server) with our health-data system, Amanuensis, which uses Blockchain and Trusted Execution Environment (TEE) technologies to provide confidential, yet verifiable, data storage and computation for mHealth data. Finally, we look at identity privacy and data freshness issues introduced by the use of blockchain and TEEs. Namely, we present a privacy-preserving solution for blockchain transactions, and a freshness solution for data access-control lists retrieved from the blockchain. }, } @MastersThesis{malik:thesis, author = {Namya Malik}, title = {SPLICEcube Architecture: An Extensible Wi-Fi Monitoring Architecture for Smart-Home Networks}, school = {Dartmouth Computer Science}, year = 2022, month = {May}, copyright = {the author}, address = {Hanover, NH}, URL = {https://www.cs.dartmouth.edu/~kotz/research/malik-thesis/index.html}, abstract = { The vision of smart homes is rapidly becoming a reality, as the Internet of Things and other smart devices are deployed widely. Although smart devices offer convenience, they also create a significant management problem for home residents. With a large number and variety of devices in the home, residents may find it difficult to monitor, or even locate, devices. A central controller that brings all the home's smart devices under secure management and a unified interface would help homeowners and residents track and manage their devices.\par We envision a solution called the SPLICEcube whose goal is to detect smart devices, locate them in three dimensions within the home, securely monitor their network traffic, and keep an inventory of devices and important device information throughout the device's lifecycle. The SPLICEcube system consists of the following components: 1) a main \emph{cube}, which is a centralized hub that incorporates and expands on the functionality of the home router, 2) a \emph{database} that holds network data, and 3) a set of support \emph{cubelets} that can be used to extend the range of the network and assist in gathering network data.\par To deliver this vision of identifying, securing, and managing smart devices, we introduce an architecture that facilitates intelligent research applications (such as network anomaly detection, intrusion detection, device localization, and device firmware updates) to be integrated into the SPLICEcube. In this thesis, we design a general-purpose Wi-Fi architecture that underpins the SPLICEcube. The architecture specifically showcases the functionality of the cubelets (Wi-Fi frame detection, Wi-Fi frame parsing, and transmission to cube), the functionality of the cube (routing, reception from cubelets, information storage, data disposal, and research application integration), and the functionality of the database (network data storage). We build and evaluate a prototype implementation to demonstrate our approach is \emph{scalable} to accommodate new devices and \emph{extensible} to support different applications. Specifically, we demonstrate a successful proof-of-concept use of the SPLICEcube architecture by integrating a security research application: an "Inside-Outside detection" system that classifies an observed Wi-Fi device as being inside or outside the home.}, } @Misc{vandenbussche:thesis, author = {Adam Vandenbussche}, title = {TorSH: Obfuscating consumer Internet-of-Things traffic with a collaborative smart-home router network}, school = {Dartmouth Computer Science}, year = 2022, month = {June}, copyright = {the author}, address = {Hanover, NH}, URL = {https://www.cs.dartmouth.edu/~kotz/research/vandenbussche-thesis/index.html}, note = {Undergraduate Thesis}, abstract = {When consumers install Internet-connected "smart devices" in their homes, metadata arising from the communications between these devices and their cloud-based service providers enables adversaries privy to this traffic to profile users, even when adequate encryption is used. Internet service providers (ISPs) are one potential adversary privy to users' incoming and outgoing Internet traffic and either currently use this insight to assemble and sell consumer advertising profiles or may in the future do so. With existing defenses against such profiling falling short of meeting user preferences and abilities, there is a need for a novel solution that empowers consumers to defend themselves against profiling by ISP-like actors and that is more in tune with their wishes. In this thesis, we present The Onion Router for Smart Homes (TorSH), a network of smart-home routers working collaboratively to defend smart-device traffic from analysis by ISP-like adversaries. We demonstrate that TorSH succeeds in deterring such profiling while preserving smart-device experiences and without encumbering latency-sensitive, non-smart-device experiences like web browsing.}, } @InProceedings{mazzaro:preliminary, author = {Gregory Mazzaro and Kyle Gallagher and Kelly Sherbondy and Alex Bouvy and Beatrice Perez and Timothy Pierson and David Kotz}, title = {Harmonic response vs. target orientation: a preliminary study of the effect of polarization on nonlinear junction detection}, booktitle = {Proceedings of the SPIE Radar Sensor Technology XXVI}, year = 2022, month = {May}, day = 27, volume = 12108, articleno = 1210803, numpages = 21, publisher = {Society of Photo-Optical Instrumentation Engineers}, copyright = {SPIE}, DOI = {10.1117/12.2617881}, URL = {https://www.cs.dartmouth.edu/~kotz/research/mazzaro-preliminary/index.html}, abstract = {When an electromagnetically-nonlinear radar target is illuminated by a high-power stepped-frequency probe, a sequence of harmonics is unintentionally emitted by that target. Detection of the target is accomplished by receiving stimulated emissions somewhere in the sequence, while ranging is accomplished by processing amplitude and phase recorded at multiple harmonics across the sequence. The strength of the harmonics reflected from an electronic target depends greatly upon the orientation of that target (or equivalently, the orientation of the radar antennas). Data collected on handheld wireless devices reveals the harmonic angular-dependence of commercially-available electronics. Data collected on nonlinearly-terminated printed circuit boards implies the origin of this dependency. The results of this work suggest that electronic targets may be classified and ultimately identified by their unique harmonic-response-vs.-angle patterns.}, } @Article{spangler:privacy, author = { Spangler, Hillary B. and Driesse, Tiffany M. and Lynch, David H. and Liang, Xiaohui and Roth, Robert M. and Kotz, David and Fortuna, Karen and Batsis, John A. }, title = {Privacy Concerns of Older Adults Using Voice Assistant Systems}, journal = {Journal of the American Geriatrics Society}, year = 2022, month = {August}, day = 26, volume = 70, number = 12, pages = {3643--3647}, publisher = {Wiley}, copyright = {The American Geriatrics Society}, DOI = {10.1111/jgs.18009}, URL = {https://www.cs.dartmouth.edu/~kotz/research/spangler-privacy/index.html}, abstract = {Voice assistant systems (VAS) are software platforms that complete various tasks using voice commands. It is necessary to understand the juxtaposition of younger and older adults' VAS privacy concerns as younger adults may have different concerns impacting VAS acceptance. Therefore, we examined the differences in VAS related privacy concerns across the lifespan. }, } @InProceedings{peters:via, author = {Travis Peters and Timothy J. Pierson and Sougata Sen and Jos{\'{e}} Camacho and David Kotz}, title = {Recurring Verification of Interaction Authenticity Within Bluetooth Networks}, booktitle = {Proceedings of the ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec 2021)}, year = 2021, month = {June}, pages = {192--203}, publisher = {ACM}, copyright = {ACM}, DOI = {10.1145/3448300.3468287}, URL = {https://www.cs.dartmouth.edu/~kotz/research/peters-via/index.html}, abstract = {Although user authentication has been well explored, device-to-device authentication -- specifically in Bluetooth networks -- has not seen the same attention. We propose Verification of Interaction Authenticity (VIA) -- a recurring authentication scheme based on evaluating characteristics of the communications (interactions) between devices. We adapt techniques from wireless traffic analysis and intrusion detection systems to develop behavioral models that capture typical, authentic device interactions (behavior); these models enable recurring verification of device behavior. To evaluate our approach we produced a new dataset consisting of more than 300 Bluetooth network traces collected from 20 Bluetooth-enabled smart-health and smart-home devices. In our evaluation, we found that devices can be correctly verified at a variety of granularities, achieving an F1-score of 0.86 or better in most cases.}, } @Article{sen:vibering-j, author = {Sougata Sen and David Kotz}, title = {VibeRing: Using vibrations from a smart ring as an out-of-band channel for sharing secret keys}, journal = {Journal of Pervasive and Mobile Computing}, year = 2021, month = {December}, volume = 78, articleno = 101505, numpages = 16, publisher = {Elsevier}, copyright = {Elsevier}, DOI = {10.1016/j.pmcj.2021.101505}, URL = {https://www.cs.dartmouth.edu/~kotz/research/sen-vibering-j/index.html}, abstract = {Many Internet of Things (IoT) devices are capable of sensing their environment, communicating with other devices, and actuating on their environment. Some of these IoT devices, herein known as ``smartThings'', collect meaningful information from raw data when they are in use and in physical contact with their user (e.g., a blood-glucose monitor); the smartThing's wireless connectivity allows it to transfer that data to its user's trusted device, such as a smartphone. However, an adversary could impersonate the user and bootstrap a communication channel with the smartThing while the smartThing is being used by an oblivious legitimate user. \par To address this problem, in this paper, we investigate the use of \emph{vibration}, generated by a smartRing, as an out-of-band communication channel to unobtrusively share a secret with a smartThing. This exchanged secret can be used to bootstrap a secure wireless channel over which the smartphone (or another trusted device) and the smartThing can communicate. We present the design, implementation, and evaluation of this system, which we call \emph{VibeRing}. We describe the hardware and software details of the smartThing and smartRing. Through a user study we demonstrate that it is possible to share a secret with various objects quickly, accurately and securely as compared to several existing techniques. Overall, we successfully exchange a secret between a smartRing and various smartThings, at least 85.9\% of the time. We show that \emph{VibeRing} can perform this exchange at 12.5 bits/second at a bit error rate of less than 2.5\%. We also show that \emph{VibeRing} is robust to the smartThing's constituent material as well as the holding style. Finally, we demonstrate that a nearby adversary cannot decode or modify the message exchanged between the trusted devices. }, } @Misc{gralla:inside-outside, author = {Paul Gralla}, title = {An inside vs. outside classification system for Wi-Fi IoT devices}, school = {Dartmouth Computer Science}, year = 2021, month = {June}, copyright = {the author}, address = {Hanover, NH}, URL = {https://www.cs.dartmouth.edu/~kotz/research/gralla-inside-outside/index.html}, note = {Undergraduate Thesis}, abstract = {We are entering an era in which Smart Devices are increasingly integrated into our daily lives. Everyday objects are gaining computational power to interact with their environments and communicate with each other and the world via the Internet. While the integration of such devices offers many potential benefits to their users, it also gives rise to a unique set of challenges. One of those challenges is to detect whether a device belongs to one's own ecosystem, or to a neighbor -- or represents an unexpected adversary. An important part of determining whether a device is friend or adversary is to detect whether a device's location is within the physical boundaries of one's space (e.g. office, classroom, home). In this thesis we propose a system that is able to decide with 82\% accuracy whether the location of an IoT device is inside or outside of a defined space based on a small number of transmitted Wi- Fi frames. The classification is achieved by leveraging a machine-learning classifier trained and tested on RSSI data of Wi-Fi transmissions recorded by three or more observers. In an initialization phase the classifier is trained by the user on Wi-Fi transmissions of a variety of locations, inside (and outside). The system can be built with off-the-shelf Wi-Fi observing devices that do not require any special hardware modifications. With the exception of the training period, the system can accurately classify the indoor/outdoor state of target devices without any cooperation from the user or from the target devices.}, } @Misc{pierson:closetalker-patent, author = {Timothy J. Pierson and Ronald Peterson and David Kotz}, title = {Apparatuses, Methods, and Software For Secure Short-Range Wireless Communication}, howpublished = {U.S. Patent 11,153,026}, year = 2021, month = {October}, day = 19, URL = {https://www.cs.dartmouth.edu/~kotz/research/pierson-closetalker-patent/index.html}, note = {Priority date 2017-09-06; WO Filed 2018-09-06, US Filed 2020-02-26, US amendment filed 2021-01-29; Issued 2021-10-19}, abstract = {Apparatuses that provide for secure wireless communications between wireless devices under cover of one or more jamming signals. Each such apparatus includes at least one data antenna and at least one jamming antenna. During secure-communications operations, the apparatus transmits a data signal containing desired data via the at least one data antenna while also at least partially simultaneously transmitting a jamming signal via the at least one jamming antenna. When a target antenna of a target device is in close proximity to the data antenna and is closer to the data antenna than to the jamming antenna, the target device can successfully receive the desired data contained in the data signal because the data signal is sufficiently stronger than the jamming signal within a finite secure-communications envelope due to the Inverse Square Law of signal propagation. Various related methods and machine-executable instructions are also disclosed.}, } @Article{liang:jlighttouch, author = {Xiaohui Liang and Ronald Peterson and David Kotz}, title = {Securely Connecting Wearables to Ambient Displays with User Intent}, journal = {IEEE Transactions on Dependable and Secure Computing}, year = 2020, month = {July}, volume = 17, number = 4, pages = {676--690}, publisher = {IEEE}, copyright = {IEEE}, DOI = {10.1109/TDSC.2018.2840979}, URL = {https://www.cs.dartmouth.edu/~kotz/research/liang-jlighttouch/index.html}, abstract = {Wearables are often small and have limited user interfaces, hence they often wirelessly interface with a personal smartphone or a personal computer to relay information from the wearable for display. In this paper, we envision a new method LightTouch by which a wearable can establish a secure connection to an ambient display, such as a television or computer monitor, based on the user's intention to connect to the display. Such connections must be secure to prevent impersonation attacks, must work with unmodified display hardware, and must be easy to establish. LightTouch uses standard RF methods for communicating the data to display, securely bootstrapped with a key shared via a brightness channel between the low cost, low power, ambient light sensor of a wearable and the screen of the display. A screen touch gesture is adopted by users to ensure the modulation of screen brightness can be accurately and securely captured by the ambient light sensor. We further propose novel on-screen localization and correlation algorithms to improve security and reliability. Through experiments we demonstrate that LightTouch is compatible with current display and wearable designs, easy-to-use (5-6 seconds), reliable for connecting displays (98 percent success connection ratio), and secure against impersonation attacks.}, } @InProceedings{sen:vibering, author = {Sougata Sen and David Kotz}, title = {VibeRing: Using vibrations from a smart ring as an out-of-band channel for sharing secret keys}, booktitle = {Proceedings of the International Conference on the Internet of Things (IoT)}, year = 2020, month = {October}, articleno = 13, numpages = 8, publisher = {ACM}, copyright = {ACM}, ISBN13 = 9781450387583, DOI = {10.1145/3410992.3410995}, URL = {https://www.cs.dartmouth.edu/~kotz/research/sen-vibering/index.html}, abstract = {With the rapid growth in the number of IoT devices that have wireless communication capabilities, and sensitive information collection capabilities, it is becoming increasingly necessary to ensure that these devices communicate securely with only authorized devices. A major requirement of this secure communication is to ensure that both the devices share a \emph{secret}, which can be used for secure pairing and encrypted communication. Manually imparting this secret to these devices becomes an unnecessary overhead, especially when the device interaction is transient. In this paper, we empirically investigate the possibility of using an out-of-band communication channel -- vibration, generated by a custom smart ring, to share a secret with a smart IoT device. This exchanged secret can be used to bootstrap a secure wireless channel over which the devices can communicate. We believe that in future IoT devices can use such a technique to seamlessly connect with authorized devices with minimal user interaction overhead. In this paper, we specifically investigate (a) the feasibility of using vibration generated by a custom wearable for communication, (b) the effect of various parameters on this communication channel, and (c) the possibility of information manipulation by an adversary or information leakage to an adversary. For this investigation, we conducted a controlled study as well as a user study with 12 participants. In the controlled study, we could successfully share messages through vibrations with a bit error rate of less than 2.5\%. Additionally, through the user study we demonstrate that it is possible to share messages with various types of objects accurately, quickly and securely as compared to several existing techniques. Overall, we find that in the best case we can exchange 85.9\% messages successfully with a smart device.}, } @PhdThesis{peters:thesis, author = {Travis Peters}, title = {Trustworthy Wireless Personal Area Networks}, school = {Dartmouth Computer Science}, year = 2020, month = {August}, copyright = {the author}, address = {Hanover, NH}, URL = {https://www.cs.dartmouth.edu/~kotz/research/peters-thesis/index.html}, note = {Available as Dartmouth Computer Science Technical Report TR2020-878}, abstract = {\par In the Internet of Things (IoT), everyday objects are equipped with the ability to compute and communicate. These smart things have invaded the lives of everyday people, being constantly carried or worn on our bodies, and entering into our homes, our healthcare, and beyond. This has given rise to wireless networks of smart, connected, always-on, personal things that are constantly around us, and have unfettered access to our most personal data as well as all of the other devices that we own and encounter throughout our day. It should, therefore, come as no surprise that our personal devices and data are frequent targets of ever-present threats. Securing these devices and networks, however, is challenging. In this dissertation, we outline three critical problems in the context of Wireless Personal Area Networks (WPANs) and present our solutions to these problems. \par First, I present our Trusted I/O solution (BASTION-SGX) for protecting sensitive user data transferred between wirelessly connected (Bluetooth) devices. This work shows how in-transit data can be protected from privileged threats, such as a compromised OS, on commodity systems. I present insights into the Bluetooth architecture, Intel's Software Guard Extensions (SGX), and how a Trusted I/O solution can be engineered on commodity devices equipped with SGX. \par Second, I present our work on AMULET and how we successfully built a wearable health hub that can run multiple health applications, provide strong security properties, and operate on a single charge for weeks or even months at a time. I present the design and evaluation of our highly efficient event-driven programming model, the design of our low-power operating system, and developer tools for profiling ultra-low-power applications at compile time. \par Third, I present a new approach (VIA) that helps devices at the center of WPANs (e.g., smartphones) to verify the authenticity of interactions with other devices. This work builds on past work in anomaly detection techniques and shows how these techniques can be applied to Bluetooth network traffic. Specifically, we show how to create normality models based on fine- and course-grained insights from network traffic, which can be used to verify the authenticity of future interactions. }, } @Misc{pierson:wanda-patent, author = {Timothy J. Pierson and Xiaohui Liang and Ronald Peterson and David Kotz}, title = {Apparatus for Securely Configuring A Target Device and Associated Methods}, howpublished = {U.S. Patent 10,574,298}, year = 2020, month = {February}, day = 25, URL = {https://www.cs.dartmouth.edu/~kotz/research/pierson-wanda-patent/index.html}, note = {Priority date 2015-06-23; Filed 2016-06-23; Issued 2020-02-25}, abstract = {Apparatus and method securely transfer first data from a source device to a target device. A wireless signal having (a) a higher speed channel conveying second data and (b) a lower speed channel conveying the first data is transmitted. The lower speed channel is formed by selectively transmitting the wireless signal from one of a first and second antennae of the source device based upon the first data. The first and second antenna are positioned a fixed distance apart and the target device uses a received signal strength indication (RSSI) of the first signal to decode the lower speed channel and receive the first data.}, } @Misc{liang:lighttouch-patent, author = {Xiaohui Liang and Tianlong Yun and Ron Peterson and David Kotz}, title = {Secure System For Coupling Wearable Devices To Computerized Devices with Displays}, howpublished = {U.S. Patent 10,581,606}, year = 2020, month = {March}, day = 3, URL = {https://www.cs.dartmouth.edu/~kotz/research/liang-lighttouch-patent/index.html}, note = {Priority date 2014-08-18, Filed 2015-08-18; Issued 2020-03-03.}, abstract = {A system has a first electronic device with optical sensor, digital radio transceiver, and processor with firmware; this device is typically portable or wearable. The system also has a computerized device with a display, a second digital radio transceiver, and a second processor with firmware. The first and computerized devices are configured to set up a digital radio link when in radio range. The second processor uses a spot on the display to optically transmit a digital message including a secret such as an encryption key or subkey and/or an authentication code adapted for authenticating an encrypting the radio link. The first device receives the digital message via its optical sensor, and uses the digital message to validate and establish encryption on the radio link. In embodiments, the system determines a location of the first device on the display and positions the transmission spot at the determined location.}, } @Article{greene:sharehealth, author = {Emily Greene and Patrick Proctor and David Kotz}, title = {Secure Sharing of mHealth Data Streams through Cryptographically-Enforced Access Control}, journal = {Journal of Smart Health}, year = 2019, month = {April}, volume = 12, pages = {49--65}, publisher = {Elsevier}, copyright = {Elsevier}, DOI = {10.1016/j.smhl.2018.01.003}, URL = {https://www.cs.dartmouth.edu/~kotz/research/greene-sharehealth/index.html}, abstract = {Owners of mobile-health apps and devices often want to share their mHealth data with others, such as physicians, therapists, coaches, and caregivers. For privacy reasons, however, they typically want to share a limited subset of their information with each recipient according to their preferences. In this paper, we introduce ShareHealth, a scalable, usable, and practical system that allows mHealth-data owners to specify access-control policies and to cryptographically enforce those policies so that only parties with the proper corresponding permissions are able to decrypt data. The design and prototype implementation of this system make three contributions: (1) they apply cryptographically-enforced access-control measures to stream-based (specifically mHealth) data, (2) they recognize the temporal nature of mHealth data streams and support revocation of access to part or all of a data stream, and (3) they depart from the vendor- and device-specific silos of mHealth data by implementing a secure end-to-end system that can be applied to data collected from a variety of mHealth apps and devices.}, } @InProceedings{mare:csaw19, author = {Shrirang Mare and Reza Rawassizadeh and Ronald Peterson and David Kotz}, title = {Continuous Smartphone Authentication using Wristbands}, booktitle = {Proceedings of the Workshop on Usable Security (USEC)}, year = 2019, month = {February}, numpages = 12, publisher = {Internet Society}, copyright = {the authors}, DOI = {10.14722/usec.2019.23013}, URL = {https://www.cs.dartmouth.edu/~kotz/research/mare-csaw19/index.html}, abstract = {Many users find current smartphone authentication methods (PINs, swipe patterns) to be burdensome, leading them to weaken or disable the authentication. Although some phones support methods to ease the burden (such as fingerprint readers), these methods require active participation by the user and do not verify the user's identity after the phone is unlocked. We propose CSAW, a continuous smartphone authentication method that leverages wristbands to verify that the phone is in the hands of its owner. In CSAW, users wear a wristband (a smartwatch or a fitness band) with built-in motion sensors, and by comparing the wristband's motion with the phone's motion, CSAW continuously produces a score indicating its confidence that the person holding (and using) the phone is the person wearing the wristband. This score provides the foundation for a wide range of authentication decisions (e.g., unlocking phone, deauthentication, or limiting phone access). Through two user studies (N{$=$}27,11) we evaluated CSAW's accuracy, usability, and security. Our experimental evaluation demonstrates that CSAW was able to conduct initial authentication with over 99\% accuracy and continuous authentication with over 96.5\% accuracy.}, } @InProceedings{pierson:closetalker, author = {Timothy J. Pierson and Travis Peters and Ronald Peterson and David Kotz}, title = {CloseTalker: secure, short-range ad hoc wireless communication}, booktitle = {Proceedings of the ACM International Conference on Mobile Systems, Applications, and Services (MobiSys)}, year = 2019, month = {June}, pages = {340--352}, publisher = {ACM}, copyright = {ACM}, DOI = {10.1145/3307334.3326100}, URL = {https://www.cs.dartmouth.edu/~kotz/research/pierson-closetalker/index.html}, abstract = {Secure communication is difficult to arrange between devices that have not previously shared a secret. Previous solutions to the problem are susceptible to man-in-the-middle attacks, require additional hardware for out-of-band communication, or require an extensive public-key infrastructure. Furthermore, as the number of wireless devices explodes with the advent of the Internet of Things, it will be impractical to manually configure each device to communicate with its neighbors. \par Our system, CloseTalker, allows simple, secure, ad hoc communication between devices in close physical proximity, while jamming the signal so it is unintelligible to any receivers more than a few centimeters away. CloseTalker does not require any specialized hardware or sensors in the devices, does not require complex algorithms or cryptography libraries, occurs only when intended by the user, and can transmit a short burst of data or an address and key that can be used to establish long-term or long-range communications at full bandwidth. \par In this paper we present a theoretical and practical evaluation of CloseTalker, which exploits Wi-Fi MIMO antennas and the fundamental physics of radio to establish secure communication between devices that have never previously met. We demonstrate that CloseTalker is able to facilitate secure in-band communication between devices in close physical proximity (about 5 cm), even though they have never met nor shared a key.}, } @InProceedings{pierson:snap, author = {Timothy J. Pierson and Travis Peters and Ronald Peterson and David Kotz}, title = {Proximity Detection with Single-Antenna IoT Devices}, booktitle = {Proceedings of the ACM International Conference on Mobile Computing and Networking (MobiCom)}, year = 2019, month = {October}, articleno = 21, numpages = 15, publisher = {ACM}, copyright = {ACM}, DOI = {10.1145/3300061.3300120}, URL = {https://www.cs.dartmouth.edu/~kotz/research/pierson-snap/index.html}, abstract = {Providing secure communications between wireless devices that encounter each other on an ad-hoc basis is a challenge that has not yet been fully addressed. In these cases, close physical proximity among devices that have never shared a secret key is sometimes used as a basis of trust; devices in close proximity are deemed trustworthy while more distant devices are viewed as potential adversaries. Because radio waves are invisible, however, a user may believe a wireless device is communicating with a nearby device when in fact the user's device is communicating with a distant adversary. Researchers have previously proposed methods for multi-antenna devices to ascertain physical proximity with other devices, but devices with a single antenna, such as those commonly used in the Internet of Things, cannot take advantage of these techniques. \par We present theoretical and practical evaluation of a method called SNAP -- SiNgle Antenna Proximity -- that allows a single-antenna Wi-Fi device to quickly determine proximity with another Wi-Fi device. Our proximity detection technique leverages the repeating nature Wi-Fi's preamble and the behavior of a signal in a transmitting antenna's near-field region to detect proximity with high probability; SNAP never falsely declares proximity at ranges longer than 14 cm.}, } @InProceedings{sen:vibering-poster, author = {Sougata Sen and Varun Mishra and David Kotz}, title = {Using vibrations from a SmartRing as an out-of-band channel for sharing secret keys}, booktitle = {Adjunct Proceedings of the ACM International Joint Conference on Pervasive and Ubiquitous Computing (UbiComp)}, year = 2019, month = {September}, pages = {198--201}, publisher = {ACM}, copyright = {the authors}, DOI = {10.1145/3341162.3343818}, URL = {https://www.cs.dartmouth.edu/~kotz/research/sen-vibering-poster/index.html}, abstract = {With the rapid growth in the number of Internet of Things (IoT) devices with wireless communication capabilities, and sensitive information collection capabilities, it is becoming increasingly necessary to ensure that these devices communicate securely with only authorized devices. A major requirement of this secure communication is to ensure that both the devices share a secret, which can be used for secure pairing and encrypted communication. Manually imparting this secret to these devices becomes an unnecessary overhead, especially when the device interaction is transient. In this work, we empirically investigate the possibility of using an out-of-band communication channel -- vibration, generated by a custom smartRing -- to share a secret with a compatible IoT device. Through a user study with 12 participants we show that in the best case we can exchange 85.9\% messages successfully. Our technique demonstrates the possibility of sharing messages accurately, quickly and securely as compared to several existing techniques.}, } @InProceedings{hardin:mpu, author = {Taylor Hardin and Ryan Scott and Patrick Proctor and Josiah Hester and Jacob Sorber and David Kotz}, title = {Application Memory Isolation on Ultra-Low-Power MCUs}, booktitle = {Proceedings of the USENIX Annual Technical Conference (USENIX ATC)}, year = 2018, month = {July}, pages = {127--132}, publisher = {USENIX Association}, copyright = {the authors}, URL = {https://www.cs.dartmouth.edu/~kotz/research/hardin-mpu/index.html}, abstract = {The proliferation of applications that handle sensitive user data on wearable platforms generates a critical need for embedded systems that offer strong security without sacrificing flexibility and long battery life. To secure sensitive information, such as health data, ultra-low-power wearables must isolate applications from each other and protect the underlying system from errant or malicious application code. These platforms typically use microcontrollers that lack sophisticated Memory Management Units (MMU). Some include a Memory Protection Unit (MPU), but current MPUs are inadequate to the task, leading platform developers to software-based memory-protection solutions. In this paper, we present our memory isolation technique, which leverages compiler inserted code and MPU-hardware support to achieve better runtime performance than software-only counterparts.}, } @Article{liu:vocalresonance, author = {Rui Liu and Cory Cornelius and Reza Rawassizadeh and Ron Peterson and David Kotz}, title = {Vocal Resonance: Using Internal Body Voice for Wearable Authentication}, journal = {Proceedings of the ACM on Interactive, Mobile, Wearable and Ubiquitous Technologies (IMWUT) (UbiComp)}, year = 2018, month = {March}, volume = 2, number = 1, articleno = 19, numpages = 23, publisher = {ACM}, copyright = {ACM}, DOI = {10.1145/3191751}, URL = {https://www.cs.dartmouth.edu/~kotz/research/liu-vocalresonance/index.html}, abstract = {We observe the advent of body-area networks of pervasive wearable devices, whether for health monitoring, personal assistance, entertainment, or home automation. For many devices, it is critical to identify the wearer, allowing sensor data to be properly labeled or personalized behavior to be properly achieved. In this paper we propose the use of vocal resonance, that is, the sound of the person's voice as it travels through the person's body -- a method we anticipate would be suitable for devices worn on the head, neck, or chest. In this regard, we go well beyond the simple challenge of speaker recognition: we want to know who is wearing the device. We explore two machine-learning approaches that analyze voice samples from a small throat-mounted microphone and allow the device to determine whether (a) the speaker is indeed the expected person, and (b) the microphone-enabled device is physically on the speaker's body. We collected data from 29 subjects, demonstrate the feasibility of a prototype, and show that our DNN method achieved balanced accuracy 0.914 for identification and 0.961 for verification by using an LSTM-based deep-learning model, while our efficient GMM method achieved balanced accuracy 0.875 for identification and 0.942 for verification.}, } @Article{mare:saw, author = {Shrirang Mare and Reza Rawassizadeh and Ronald Peterson and David Kotz}, title = {SAW: Wristband-based authentication for desktop computers}, journal = {Proceedings of the ACM on Interactive, Mobile, Wearable and Ubiquitous Technologies (IMWUT) (Ubicomp)}, year = 2018, month = {September}, volume = 2, number = 3, articleno = 125, numpages = 29, publisher = {ACM}, copyright = {ACM}, DOI = {10.1145/3264935}, URL = {https://www.cs.dartmouth.edu/~kotz/research/mare-saw/index.html}, abstract = {Token-based proximity authentication methods that authenticate users based on physical proximity are effortless, but lack explicit user intentionality, which may result in accidental logins. For example, a user may get logged in when she is near a computer or just passing by, even if she does not intend to use that computer. Lack of user intentionality in proximity-based methods makes them less suitable for multi-user shared computer environments, despite their desired usability benefits over passwords. \par We present an authentication method for desktops called Seamless Authentication using Wristbands (SAW), which addresses the lack of intentionality limitation of proximity-based methods. SAW uses a low-effort user input step for explicitly conveying user intentionality, while keeping the overall usability of the method better than password-based methods. In SAW, a user wears a wristband that acts as the user's identity token, and to authenticate to a desktop, the user provides a low-effort input by tapping a key on the keyboard multiple times or wiggling the mouse with the wristband hand. This input to the desktop conveys that someone wishes to log in to the desktop, and SAW verifies the user who wishes to log in by confirming the user's proximity and correlating the received keyboard or mouse inputs with the user's wrist movement, as measured by the wristband. In our feasibility user study (n{$=$}17), SAW proved quick to authenticate (within two seconds), with a low false-negative rate of 2.5\% and worst-case false-positive rate of 1.8\%. In our user perception study (n{$=$}16), a majority of the participants rated it as more usable than passwords.}, } @InProceedings{pierson:snap-poster, author = {Timothy J. Pierson and Travis Peters and Ronald Peterson and David Kotz}, title = {Poster: Proximity Detection with Single-Antenna IoT Devices}, booktitle = {Proceedings of the ACM International Conference on Mobile Computing and Networking (MobiCom)}, year = 2018, month = {October}, pages = {663--665}, publisher = {ACM}, copyright = {ACM}, DOI = {10.1145/3241539.3267751}, URL = {https://www.cs.dartmouth.edu/~kotz/research/pierson-snap-poster/index.html}, abstract = {Close physical proximity among wireless devices that have never shared a secret key is sometimes used as a basis of trust. In these cases, devices in close proximity are deemed trustworthy while more distant devices are viewed as potential adversaries. Because radio waves are invisible, however, a user may believe a wireless device is communicating with a nearby device when in fact the user's device is communicating with a distant adversary. Researchers have previously proposed methods for multi-antenna devices to ascertain physical proximity with other devices, but devices with a single antenna, such as those commonly used in the Internet of Things, cannot take advantage of these techniques. We investigate a method for a single-antenna Wi-Fi device to quickly determine proximity with another Wi-Fi device. Our approach leverages the repeating nature Wi-Fi's preamble and the characteristics of a transmitting antenna's near field to detect proximity with high probability. Our method never falsely declares proximity at ranges longer than 14 cm.}, } @Article{reza:nocloud, author = {Reza Rawassizadeh and Timothy Pierson and Ronald Peterson and David Kotz}, title = {NoCloud: Experimenting with Network Disconnection by Design}, journal = {IEEE Pervasive Computing}, year = 2018, month = {January}, volume = 17, number = 1, pages = {64--74}, publisher = {IEEE}, copyright = {IEEE}, DOI = {10.1109/MPRV.2018.011591063}, URL = {https://www.cs.dartmouth.edu/~kotz/research/reza-nocloud/index.html}, abstract = {Application developers often advocate uploading data to the cloud for analysis or storage, primarily due to concerns about the limited computational capability of ubiquitous devices. Today, however, many such devices can still effectively operate and execute complex algorithms without reliance on the cloud. The authors recommend prioritizing on-device analysis over uploading the data to another host, and if on-device analysis is not possible, favoring local network services over a cloud service.}, } @PhdThesis{pierson:thesis, author = {Timothy J. Pierson}, title = {Secure Short-range Communications}, school = {Dartmouth Computer Science}, year = 2018, month = {June}, copyright = {Timothy J. Peterson}, address = {Hanover, NH}, URL = {https://www.cs.dartmouth.edu/~kotz/research/pierson-thesis/index.html}, note = {Available as Dartmouth Computer Science Technical Report TR2018-845}, abstract = {Analysts predict billions of everyday objects will soon become ``smart'' after designers add wireless communication capabilities. Collectively known as the Internet of Things (IoT), these newly communication-enabled devices are envisioned to collect and share data among themselves, with new devices entering and exiting a particular environment frequently. People and the devices they wear or carry may soon encounter dozens, possibly hundreds, of devices each day. Many of these devices will be encountered for the first time. Additionally, some of the information the devices share may have privacy or security implications. Furthermore, many of these devices will have limited or non-existent user interfaces, making manual configuration cumbersome. This situation suggests that devices that have never met, nor shared a secret, but that are in the same physical area, must have a way to securely communicate that requires minimal manual intervention. In this dissertation we present novel approaches to solve these short-range communication issues. Our techniques are simple to use, secure, and consistent with user intent. We first present a technique called Wanda that uses radio strength as a communication channel to securely impart information onto nearby devices. We focus on using Wanda to introduce new devices into an environment, but Wanda could be used to impart any type of information onto wireless devices, regardless of device type or manufacturer. Next we describe SNAP, a method for a single-antenna wireless device to determine when it is in close physical proximity to another wireless device. Because radio waves are invisible, a user may believe transmissions are coming from a nearby device when in fact the transmissions are coming from a distant adversary attempting to trick the user into accepting a malicious payload. Our approach significantly raises the bar for an adversary attempting such a trick. Finally, we present a solution called JamFi that exploits MIMO antennas and the Inverse-Square Law to securely transfer data between nearby devices while denying more distant adversaries the ability to recover the data. We find JamFi is able to facilitate reliable and secure communication between two devices in close physical proximity, even though they have never met nor shared a key.}, } @Misc{kotz:patent9936877, author = {David Kotz and Ryan Halter and Cory Cornelius and Jacob Sorber and Minho Shin and Ronald Peterson and Shrirang Mare and Aarathi Prasad and Joseph Skinner and Andr{\'{e}}s Molina-Markham}, title = {Wearable computing device for secure control of physiological sensors and medical devices, with secure storage of medical records, and bioimpedance biometric}, howpublished = {U.S. Patent 9,936,877; International Patent Application WO2013096954A1}, year = 2018, month = {April}, day = 10, URL = {https://www.cs.dartmouth.edu/~kotz/research/kotz-patent9936877/index.html}, note = {This patent adds claims to its predecessor; Priority date 2011-12-23; Filed 2017-02-07; Issued 2018-04-10}, abstract = {A wearable master electronic device (Amulet) has a processor with memory, the processor coupled to a body-area network (BAN) radio and uplink radio. The device has firmware for BAN communications with wearable nodes to receive data, and in an embodiment, send configuration data. The device has firmware for using the uplink radio to download apps and configurations, and upload data to a server. An embodiment has accelerometers in Amulet and wearable node, and firmware for using accelerometer readings to determine if node and Amulet are worn by the same subject. Other embodiments use pulse sensors or microphones in the Amulet and node to both identify a subject and verify the Amulet and node are worn by the same subject. Another embodiment uses a bioimpedance sensor to identify the subject. The wearable node may be an insulin pump, chemotherapy pump, TENS unit, cardiac monitor, or other device.}, } @Misc{molina-markham:patent9961547, author = {Andr{\'{e}}s D. Molina-Markham and Shrirang Mare and Ronald Peterson and David Kotz}, title = {Continuous seamless mobile device authentication using a separate electronic wearable apparatus}, howpublished = {U.S. Patent 9,961,547}, year = 2018, month = {May}, day = 1, URL = {https://www.cs.dartmouth.edu/~kotz/research/molina-markham-patent9961547/index.html}, note = {Priority date 2016-09-30, Filed 2016-09-30; Issued 2018-05-01}, abstract = {A technique performs a security operation. The technique includes receiving first activity data from a mobile device, the first activity data identifying activity by a user that is currently using the mobile device. The technique further includes receiving second activity data from an electronic wearable apparatus, the second activity data identifying physical activity by a wearer that is currently wearing the electronic wearable apparatus. The technique further includes, based on the first activity data received from the mobile device and the second activity data received from the electronic wearable apparatus, performing an assessment operation that provides an assessment result indicating whether the user that is currently using the mobile device and the wearer that is currently wearing the electronic wearable apparatus are the same person. With such a technique, authentication may be continuous but without burdening the user to repeatedly re-enter a password.}, } @InProceedings{hardin:mobisys17, author = {Taylor Hardin and Josiah Hester and Patrick Proctor and Jacob Sorber and David Kotz}, title = {Poster: Memory Protection in Ultra-Low-Power Multi-Application Wearables}, booktitle = {Proceedings of the ACM International Conference on Mobile Systems, Applications, and Services (MobiSys)}, year = 2017, month = {June}, pages = 170, publisher = {ACM}, copyright = {ACM}, DOI = {10.1145/3081333.3089314}, URL = {https://www.cs.dartmouth.edu/~kotz/research/hardin-mobisys17/index.html}, abstract = {Ultra-low-power microcontrollers have historically not offered MPUs; only recently have MPUs become more prevalent, but many lack the functionality for sufficient memory management and protection. Thus, those who develop multi-application, multi-tenant platforms isolate applications using compile-time or run-time software sandboxing (e.g., AmuletOS), imposing limits on application developers and adding time/space overhead to running applications. We have developed methods, however, to leverage the limited MPUs and thereby reduce overhead cost by narrowing the use of software-based approaches.}, } @InProceedings{kotz:safethings, author = {David Kotz and Travis Peters}, title = {Challenges to ensuring human safety throughout the life-cycle of Smart Environments}, booktitle = {Proceedings of the ACM Workshop on the Internet of Safe Things (SafeThings)}, year = 2017, month = {November}, pages = {1--7}, publisher = {ACM}, copyright = {ACM}, DOI = {10.1145/3137003.3137012}, URL = {https://www.cs.dartmouth.edu/~kotz/research/kotz-safethings/index.html}, abstract = {The homes, offices, and vehicles of tomorrow will be embedded with numerous ``Smart Things,'' networked with each other and with the Internet. Many of these Things are embedded in the physical infrastructure, and like the infrastructure they are designed to last for decades -- far longer than is normal with today's electronic devices. What happens then, when an occupant moves out or transfers ownership of her Smart Environment? This paper outlines the critical challenges required for the safe long-term operation of Smart Environments. How does an occupant identify and decommission all the Things in an environment before she moves out? How does a new occupant discover, identify, validate, and configure all the Things in the environment he adopts? When a person moves from smart home to smart office to smart hotel, how is a new environment vetted for safety and security, how are personal settings migrated, and how are they securely deleted on departure? When the original vendor of a Thing (or the service behind it) disappears, how can that Thing (and its data, and its configuration) be transferred to a new service provider? What interface can enable lay people to manage these complex challenges, and be assured of their privacy, security, and safety? We present a list of key research questions to address these important challenges.}, } @InProceedings{liang:lighttouch, author = {Xiaohui Liang and Tianlong Yun and Ronald Peterson and David Kotz}, title = {LightTouch: Securely Connecting Wearables to Ambient Displays with User Intent}, booktitle = {Proceedings of the IEEE International Conference on Computer Communications (INFOCOM)}, year = 2017, month = {May}, pages = {1--9}, publisher = {IEEE}, copyright = {IEEE}, DOI = {10.1109/INFOCOM.2017.8057210}, URL = {https://www.cs.dartmouth.edu/~kotz/research/liang-lighttouch/index.html}, abstract = {Wearables are small and have limited user interfaces, so they often wirelessly interface with a personal smartphone/computer to relay information from the wearable for display or other interactions. In this paper, we envision a new method, LightTouch, by which a wearable can establish a secure connection to an ambient display, such as a television or a computer monitor, while ensuring the user's intention to connect to the display. LightTouch uses standard RF methods (like Bluetooth) for communicating the data to display, securely bootstrapped via the visible-light communication (the brightness channel) from the display to the low-cost, low-power, ambient light sensor of a wearable. A screen `touch' gesture is adopted by users to ensure that the modulation of screen brightness can be securely captured by the ambient light sensor with minimized noise. Wireless coordination with the processor driving the display establishes a shared secret based on the brightness channel information. We further propose novel on-screen localization and correlation algorithms to improve security and reliability. Through experiments and a preliminary user study we demonstrate that LightTouch is compatible with current display and wearable designs, is easy to use (about 6 seconds to connect), is reliable (up to 98\% success connection ratio), and is secure against attacks.}, } @InProceedings{liang:wearsys17, author = {Xiaohui Liang and David Kotz}, title = {AuthoRing: Wearable User-presence Authentication}, booktitle = {Proceedings of the ACM Workshop on Wearable Systems and Applications (WearSys)}, year = 2017, month = {June}, pages = {5--10}, publisher = {ACM}, copyright = {ACM}, DOI = {10.1145/3089351.3089357}, URL = {https://www.cs.dartmouth.edu/~kotz/research/liang-wearsys17/index.html}, abstract = {A common log-in process at computers involves the entry of username and password; log out depends on the user to remember to log out, or a timeout to expire the user session. Once logged in, user sessions may be vulnerable to imposter attacks in which an impostor steps up to the user's unattended computer and inherits the user's access privilege. We propose a ring-based authentication system called ``AuthoRing'', which restricts the imposter attackers from generating new inputs at the computer's mouse and keyboard. During the log-in process, an eligible AuthoRing user wears a digital ring with accelerometers and wireless communication capability. When input is detected at the mouse or keyboard, the computer's AuthoRing system correlates hand-motion data received from the ring with the input data from the computer's window manager, and detects imposter attacks when these data are insufficiently correlated. We implemented the AuthoRing system and evaluated its security, efficiency, and usability; we found that imposter attacks can be effectively detected and the required operations happen quickly with negligible delays experienced by the user.}, } @InProceedings{liu:mobisys17, author = {Rui Liu and Cory Cornelius and Reza Rawassizadeh and Ron Peterson and David Kotz}, title = {Poster: Vocal Resonance as a Passive Biometric}, booktitle = {Proceedings of the ACM International Conference on Mobile Systems, Applications, and Services (MobiSys)}, year = 2017, month = {June}, pages = 160, publisher = {ACM}, copyright = {ACM}, DOI = {10.1145/3081333.3089304}, URL = {https://www.cs.dartmouth.edu/~kotz/research/liu-mobisys17/index.html}, abstract = {We present a novel, unobtrusive biometric measurement that can support user identification in wearable body-mounted devices: \emph{vocal resonance}, that is, the sound of the person's voice as it travels through the person's body.}, } @InProceedings{pierson:s3, author = {Timothy J. Pierson and Ronald Peterson and David Kotz}, title = {Secure Information Transfer Between Nearby Wireless Devices}, booktitle = {Proceedings of the Mobicom S3 workshop}, year = 2017, month = {October}, pages = {11--13}, publisher = {ACM}, copyright = {ACM}, DOI = {10.1145/3131348.3131355}, URL = {https://www.cs.dartmouth.edu/~kotz/research/pierson-s3/index.html}, abstract = {Securely transferring data between two devices that have never previously met nor shared a secret is a difficult task. Previous solutions to the problem are susceptible to well-known attacks or may require extensive infrastructure that may not be suitable for wireless devices such as Internet of Things sensors that do not have advanced computational capabilities. \par We propose a new approach: using jamming to thwart adversaries located more than a few centimeters away, while still allowing devices in close physical proximity to securely share data. To accomplish this secure data transfer we exploit MIMO antennas and the Inverse-Square Law.}, } @Article{rawassizadeh:datasets, author = {Reza Rawassizadeh and David Kotz}, title = {Datasets for Mobile, Wearable and IoT Research}, journal = {GetMobile: Mobile Computing and Communications}, year = 2017, month = {April}, volume = 20, number = 4, pages = {5--7}, publisher = {ACM}, copyright = {ACM}, DOI = {10.1145/3081016.3081018}, URL = {https://www.cs.dartmouth.edu/~kotz/research/rawassizadeh-datasets/index.html}, abstract = {The advent of affordable devices with sensors and communication capabilities has led to the proliferation of computing paradigms, such as the Internet of Things (IoT), mobile devices, and wearable technologies. For the sake of simplicity, we use the umbrella term ``small devices'' for these technologies. At the same time, in the past decade, the increasing availability of large datasets has shifted scientists' attention toward data science, and defined new trends in computation. Even some scientists call it an evolutionary shift that has changed the pace of scientific progress, i.e., the ``fourth paradigm''.}, } @TechReport{greene:thesis, author = {Emily Greene}, title = {ShareABEL: Secure Sharing of mHealth Data through Cryptographically-Enforced Access Control}, institution = {Dartmouth College, Computer Science}, year = 2017, month = {July}, number = {TR2017-827}, copyright = {the author}, address = {Hanover, NH}, URL = {https://www.cs.dartmouth.edu/~kotz/research/greene-thesis/index.html}, abstract = {Owners of mobile-health apps and devices often want to share their mHealth data with others, such as physicians, therapists, coaches, and caregivers. For privacy reasons, however, they typically want to share a limited subset of their information with each recipient according to their preferences. In this paper, we introduce ShareABEL, a scalable, usable, and practical system that allows mHealth-data owners to specify access-control policies and to cryptographically enforce those policies so that only parties with the proper corresponding permissions are able to decrypt data. The design (and prototype implementation) of this system makes three contributions: (1) it applies cryptographically-enforced access-control measures to wearable healthcare data, which pose different challenges than Electronic Medical Records (EMRs), (2) it recognizes the temporal nature of mHealth data streams and supports revocation of access to part or all of a data stream, and (3) it departs from the vendor- and device-specific silos of mHealth data by implementing a secure end-to-end system that can be applied to data collected from a variety of mHealth apps and devices.}, } @Misc{mare:patent9832206, author = {Shrirang Mare and Andr{\'{e}}s Molina-Markham and Ronald Peterson and David Kotz}, title = {System, Method and Authorization Device for Biometric Access Control to Digital Devices}, howpublished = {U.S. Patent 9,832,206; International Patent Application WO2014153528A2}, year = 2017, month = {November}, day = 28, URL = {https://www.cs.dartmouth.edu/~kotz/research/mare-patent9832206/index.html}, note = {Priority date 2013-03-21; Filed 2014-03-21; Issued 2017-11-28}, abstract = {A system and method for authenticating and continuously verifying authorized users of a digital device includes an authentication device attached to an arm or wrist of authorized users. The authentication device has an accelerometer, digital radio, a processor configured to provide identity information over the radio, and to transmit motion data. The motion data is received by the digital device and the identity transmitted is verified as an identity associated with an authorized user. Input at a touchscreen, touchpad, mouse, trackball, or keyboard of the digital device is detected, and correlated with the motion data. Access to the digital device is allowed if the detected input and the detected motion data correlate, and disallowed otherwise.}, } @Misc{kotz:patent9595187, author = {David Kotz and Ryan Halter and Cory Cornelius and Jacob Sorber and Minho Shin and Ronald Peterson and Shrirang Mare and Aarathi Prasad and Joseph Skinner and Andr{\'{e}}s Molina-Markham}, title = {Wearable computing device for secure control of physiological sensors and medical devices, with secure storage of medical records, and bioimpedance biometric}, howpublished = {U.S. Patent 9,595,187; International Patent Application WO2013096954A1}, year = 2017, month = {March}, day = 14, URL = {https://www.cs.dartmouth.edu/~kotz/research/kotz-patent9595187/index.html}, note = {Priority date 2011-12-23; Filed 2012-12-24; Issued 2017-03-14}, abstract = {A wearable master electronic device (Amulet) has a processor with memory, the processor coupled to a body-area network (BAN) radio and uplink radio. The device has firmware for BAN communications with wearable nodes to receive data, and in an embodiment, send configuration data. The device has firmware for using the uplink radio to download apps and configurations, and upload data to a server. An embodiment has accelerometers in Amulet and wearable node, and firmware for using accelerometer readings to determine if node and Amulet are worn by the same subject. Other embodiments use pulse sensors or microphones in the Amulet and node to both identify a subject and verify the Amulet and node are worn by the same subject. Another embodiment uses a bioimpedance sensor to identify the subject. The wearable node may be an insulin pump, chemotherapy pump, TENS unit, cardiac monitor, or other device.}, } @InProceedings{pierson:wanda-demo, author = {Timothy J. Pierson and Xiaohui Liang and Ronald Peterson and David Kotz}, title = {Demo: Wanda, securely introducing mobile devices}, booktitle = {Proceedings of the International Conference on Mobile Systems, Applications, and Services (MobiSys)}, year = 2016, month = {June}, pages = 113, publisher = {ACM}, copyright = {ACM}, DOI = {10.1145/2938559.2938581}, URL = {https://www.cs.dartmouth.edu/~kotz/research/pierson-wanda-demo/index.html}, abstract = {Nearly every setting is increasingly populated with wireless and mobile devices -- whether appliances in a home, medical devices in a health clinic, sensors in an industrial setting, or devices in an office or school. There are three fundamental operations when bringing a new device into any of these settings: (1) to configure the device to join the wireless local-area network, (2) to partner the device with other nearby devices so they can work together, and (3) to configure the device so it connects to the relevant individual or organizational account in the cloud. The challenge is to accomplish all three goals simply, securely, and consistent with user intent. We developed Wanda -- a `magic wand' that accomplishes all three of the above goals -- and will demonstrate a prototype implementation.}, } @TechReport{pierson:wanda-tr, author = {Timothy J. Pierson and Xiaohui Liang and Ronald Peterson and David Kotz}, title = {Wanda: securely introducing mobile devices -- Extended version}, institution = {Dartmouth Computer Science}, year = 2016, month = {February}, number = {TR2016-789}, copyright = {the authors}, URL = {https://www.cs.dartmouth.edu/~kotz/research/pierson-wanda-tr/index.html}, note = {Expanded version of the INFOCOM 2016 paper by the same title.}, abstract = {Nearly every setting is increasingly populated with wireless and mobile devices -- whether appliances in a home, medical devices in a health clinic, sensors in an industrial setting, or devices in an office or school. There are three fundamental operations when bringing a new device into any of these settings: (1) to configure the device to join the wireless local-area network, (2) to partner the device with other nearby devices so they can work together, and (3) to configure the device so it connects to the relevant individual or organizational account in the cloud. The challenge is to accomplish all three goals simply, securely, and consistent with user intent. We present a novel approach we call Wanda -- a `magic wand' that accomplishes all three of the above goals -- and evaluate a prototype implementation. This Tech Report contains supplemental information to our INFOCOM 2016 paper titled, ``Wanda: securely introducing mobile devices.'' Much of the additional information is in Section II, III, and VI.}, } @InProceedings{pierson:wanda, author = {Timothy J. Pierson and Xiaohui Liang and Ronald Peterson and David Kotz}, title = {Wanda: securely introducing mobile devices}, booktitle = {Proceedings of the IEEE International Conference on Computer Communications (INFOCOM)}, year = 2016, month = {April}, pages = {1--9}, publisher = {IEEE}, copyright = {IEEE}, DOI = {10.1109/INFOCOM.2016.7524366}, URL = {https://www.cs.dartmouth.edu/~kotz/research/pierson-wanda/index.html}, abstract = {Nearly every setting is increasingly populated with wireless and mobile devices -- whether appliances in a home, medical devices in a health clinic, sensors in an industrial setting, or devices in an office or school. There are three fundamental operations when bringing a new device into any of these settings: (1) to configure the device to join the wireless local-area network, (2) to partner the device with other nearby devices so they can work together, and (3) to configure the device so it connects to the relevant individual or organizational account in the cloud. The challenge is to accomplish all three goals \emph{simply}, securely, and consistent with user intent. We present a novel approach we call Wanda -- a `magic wand' that accomplishes all three of the above goals -- and evaluate a prototype implementation.}, } @PhdThesis{mare:thesis, author = {Shrirang Mare}, title = {Seamless Authentication for Ubiquitous Devices}, school = {Dartmouth College Computer Science}, year = 2016, month = {May}, copyright = {Shrirang Mare}, address = {Hanover, NH}, URL = {https://www.cs.dartmouth.edu/~kotz/research/mare-thesis/index.html}, note = {Available as Dartmouth Computer Science Technical Report TR2016-793.}, abstract = {User authentication is an integral part of our lives; we authenticate ourselves to personal computers and a variety of other things several times a day. Authentication is burdensome. When we wish to access to a computer or a resource, it is an additional task that we need to perform -- an interruption in our workflow. In this dissertation, we study people's authentication behavior and attempt to make authentication to desktops and smartphones less burdensome for users. \par First, we present the findings of a user study we conducted to understand people's authentication behavior: things they authenticate to, how and when they authenticate, authentication errors they encounter and why, and their opinions about authentication. In our study, participants performed about 39 authentications per day on average; the majority of these authentications were to personal computers (desktop, laptop, smartphone, tablet) and with passwords, but the number of authentications to other things (e.g., car, door) was not insignificant. We saw a high failure rate for desktop and laptop authentication among our participants, affirming the need for a more usable authentication method. Overall, we found that authentication was a noticeable part of all our participants' lives and burdensome for many participants, but they accepted it as cost of security, devising their own ways to cope with it. \par Second, we propose a new approach to authentication, called bilateral authentication, that leverages wrist-wearable technology to enable seamless authentication for things that people use with their hands, while wearing a smart wristband. In bilateral authentication two entities (e.g., user's wristband and the user's phone) share their knowledge (e.g., about user's interaction with the phone) to verify the user's identity. Using this approach, we developed a seamless authentication method for desktops and smartphones. Our authentication method offers quick and effortless authentication, continuous user verification while the desktop (or smartphone) is in use, and automatic deauthentication after use. We evaluated our authentication method through four in-lab user studies, evaluating the method's usability and security from the system and the user's perspective. Based on the evaluation, our authentication method shows promise for reducing users' authentication burden for desktops and smartphones.}, } @PhdThesis{prasad:thesis, author = {Aarathi Prasad}, title = {Privacy-preserving controls for sharing mHealth data}, school = {Dartmouth College Computer Science}, year = 2016, month = {May}, copyright = {Aarathi Prasad}, address = {Hanover, NH}, URL = {https://www.cs.dartmouth.edu/~kotz/research/prasad-thesis/index.html}, note = {Available as Dartmouth Computer Science Technical Report TR2016-794.}, abstract = {Mobile devices allow people to collect and share health and health-related information with recipients such as health providers, family and friends, employers and insurance companies, to obtain health, emotional or financial benefits. People may consider certain health information sensitive and prefer to disclose only what is necessary. In this dissertation, we present our findings about factors that affect people's sharing behavior, describe scenarios in which people may wish to collect and share their personal health-related information with others, but may be hesitant to disclose the information if necessary controls are not available to protect their privacy, and propose frameworks to provide the desired privacy controls. We introduce the concept of close encounters that allow users to share data with other people who may have been in spatio-temporal proximity. We developed two smartphone-based systems that leverage stationary sensors and beacons to determine whether users are in spatio-temporal proximity. The first system, ENACT, allows patients diagnosed with a contagious airborne disease to alert others retrospectively about their possible exposure to airborne virus. The second system, SPICE, allows users to collect sensor information, retrospectively, from others with whom they shared a close encounter. We present design and implementation of the two systems, analyse their security and privacy guarantees, and evaluate the systems on various performance metrics. Finally, we evaluate how Bluetooth beacons and Wi-Fi access points can be used in support of these systems for close encounters, and present our experiences and findings from a deployment study on Dartmouth campus.}, } @TechReport{cornelius:voice-tr, author = {Cory Cornelius and Zachary Marois and Jacob Sorber and Ron Peterson and Shrirang Mare and David Kotz}, title = {Vocal resonance as a biometric for pervasive wearable devices}, institution = {Dartmouth Computer Science}, year = 2014, month = {February}, number = {TR2014-747}, copyright = {the authors}, URL = {https://www.cs.dartmouth.edu/~kotz/research/cornelius-voice-tr/index.html}, abstract = {We anticipate the advent of body-area networks of pervasive wearable devices, whether for health monitoring, personal assistance, entertainment, or home automation. In our vision, the user can simply wear the desired set of devices, and they ``just work''; no configuration is needed, and yet they discover each other, recognize that they are on the same body, configure a secure communications channel, and identify the user to which they are attached. This paper addresses a method to achieve the latter, that is, for a wearable device to identify the wearer, allowing sensor data to be properly labeled or personalized behavior to be properly achieved. We use vocal resonance, that is, the sound of the person's voice as it travels through the person's body. By collecting voice samples from a small wearable microphone, our method allows the device to determine whether (a) the speaker is indeed the expected person, and (b) the microphone device is physically on the speaker's body. We collected data from 25 subjects, demonstrate the feasibility of a prototype, and show that our method works with 77\% accuracy when a threshold is chosen a priori.}, } @InProceedings{cornelius:wearable, author = {Cory Cornelius and Ronald Peterson and Joseph Skinner and Ryan Halter and David Kotz}, title = {A wearable system that knows who wears it}, booktitle = {Proceedings of the International Conference on Mobile Systems, Applications, and Services (MobiSys)}, year = 2014, month = {June}, pages = {55--67}, publisher = {ACM}, copyright = {ACM}, DOI = {10.1145/2594368.2594369}, URL = {https://www.cs.dartmouth.edu/~kotz/research/cornelius-wearable/index.html}, abstract = {Body-area networks of pervasive wearable devices are increasingly used for health monitoring, personal assistance, entertainment, and home automation. In an ideal world, a user would simply wear their desired set of devices with no configuration necessary: the devices would discover each other, recognize that they are on the same person, construct a secure communications channel, and recognize the user to which they are attached. In this paper we address a portion of this vision by offering a wearable system that unobtrusively recognizes the person wearing it. Because it can recognize the user, our system can properly label sensor data or personalize interactions. \par Our recognition method uses bioimpedance, a measurement of how tissue responds when exposed to an electrical current. By collecting bioimpedance samples using a small wearable device we designed, our system can determine that (a)the wearer is indeed the expected person and (b) the device is physically on the wearer's body. Our recognition method works with 98\% balanced-accuracy under a cross-validation of a day's worth of bioimpedance samples from a cohort of 8 volunteer subjects. We also demonstrate that our system continues to recognize a subset of these subjects even several months later. Finally, we measure the energy requirements of our system as implemented on a Nexus S smart phone and custom-designed module for the Shimmer sensing platform.}, } @InProceedings{liang:healthtech14, author = {Xiaohui Liang and David Kotz}, title = {Securely Connecting Wearable Health Devices to External Displays}, booktitle = {Proceedings of the USENIX Summit on Health Information Technologies}, year = 2014, month = {August}, publisher = {USENIX Association}, copyright = {the authors}, URL = {https://www.cs.dartmouth.edu/~kotz/research/liang-healthtech14/index.html}, note = {No paper -- workshop presentation only}, abstract = {Wearable health technology is becoming a hot commodity as it has the potential to help both patients and clinicians continuously monitor vital signs and symptoms. One popular type of wearable devices are worn on human wrist and are equipped with sensors to passively perform sensing tasks. Their constrained user interface, however, is ineffective to display the sensory data for users. We envision connecting a wrist-worn device to a display device, such as a television, so the user is able to view the sensory data. Such connections must be secure to prevent the sensory data from being eavesdropped by other devices, must be made only when the user intends, and must be easy even when a new display is encountered (such as in a medical clinic, or a hotel room). In this presentation, we will discuss the secure wearable/display connection problem by revisiting existing methods and hardware designs of wrist-worn devices and display devices. We then present possible solutions that leverage the built-in hardware components of wrist-worn devices to implement, secure, intentional, easy connections to ambient display devices.}, } @TechReport{mare:zebra-tr, author = {Shrirang Mare and Andr{\'{e}}s Molina-Markham and Cory Cornelius and Ronald Peterson and David Kotz}, title = {ZEBRA: Zero-Effort Bilateral Recurring Authentication (Companion report)}, institution = {Dartmouth Computer Science}, year = 2014, month = {May}, number = {TR2014-748}, copyright = {the authors}, URL = {https://www.cs.dartmouth.edu/~kotz/research/mare-zebra-tr/index.html}, note = {This project has been renamed CSAW.}, abstract = {We describe and evaluate Zero-Effort Bilateral Recurring Authentication (ZEBRA) in our paper that appears in IEEE Symposium on Security and Privacy, May 2014. In this report we provide a more detailed comparative evaluation of ZEBRA against other related authentication schemes. The abstract of the paper follows. Common authentication methods based on passwords, tokens, or fingerprints perform one-time authentication and rely on users to log out from the computer terminal when they leave. Users often do not log out, however, which is a security risk. The most common solution, inactivity timeouts, inevitably fail security (too long a timeout) or usability (too short a timeout) goals. One solution is to authenticate users continuously while they are using the terminal and automatically log them out when they leave. Several solutions are based on user proximity, but these are not sufficient: they only confirm whether the user is nearby but not whether the user is actually using the terminal. Proposed solutions based on behavioral biometric authentication (e.g., keystroke dynamics) may not be reliable, as a recent study suggests. To address this problem we propose ZEBRA. In ZEBRA, a user wears a bracelet (with a built-in accelerometer, gyroscope, and radio) on her dominant wrist. When the user interacts with a computer terminal, the bracelet records the wrist movement, processes it, and sends it to the terminal. The terminal compares the wrist movement with the inputs it receives from the user (via keyboard and mouse), and confirms the continued presence of the user only if they correlate. Because the bracelet is on the same hand that provides inputs to the terminal, the accelerometer and gyroscope data and input events received by the terminal should correlate because their source is the same -- the user's hand movement. In our experiments ZEBRA performed continuous authentication with 85\% accuracy in verifying the correct user and identified all adversaries within 11 s. For a different threshold that trades security for usability, ZEBRA correctly verified 90\% of users and identified all adversaries within 50 s.}, } @InProceedings{mare:zebra14, author = {Shrirang Mare and Andr{\'{e}}s Molina-Markham and Cory Cornelius and Ronald Peterson and David Kotz}, title = {ZEBRA: Zero-Effort Bilateral Recurring Authentication}, booktitle = {Proceedings of the IEEE Symposium on Security \& Privacy}, year = 2014, month = {May}, pages = {705--720}, publisher = {IEEE}, copyright = {the authors}, DOI = {10.1109/SP.2014.51}, URL = {https://www.cs.dartmouth.edu/~kotz/research/mare-zebra14/index.html}, note = {This project has been renamed CSAW.}, abstract = {Common authentication methods based on passwords, tokens, or fingerprints perform one-time authentication and rely on users to log out from the computer terminal when they leave. Users often do not log out, however, which is a security risk. The most common solution, inactivity timeouts, inevitably fail security (too long a timeout) or usability (too short a timeout) goals. One solution is to authenticate users continuously while they are using the terminal and automatically log them out when they leave. Several solutions are based on user proximity, but these are not sufficient: they only confirm whether the user is nearby but not whether the user is actually using the terminal. Proposed solutions based on behavioral biometric authentication (e.g., keystroke dynamics) may not be reliable, as a recent study suggests. \par To address this problem we propose ZEBRA. In ZEBRA, a user wears a bracelet (with a built-in accelerometer, gyroscope, and radio) on her dominant wrist. When the user interacts with a computer terminal, the bracelet records the wrist movement, processes it, and sends it to the terminal. The terminal compares the wrist movement with the inputs it receives from the user (via keyboard and mouse), and confirms the continued presence of the user only if they correlate. Because the bracelet is on the same hand that provides inputs to the terminal, the accelerometer and gyroscope data and input events received by the terminal should correlate because their source is the same -- the user's hand movement. In our experiments ZEBRA performed continuous authentication with 85\% accuracy in verifying the correct user and identified all adversaries within 11 s. For a different threshold that trades security for usability, ZEBRA correctly verified 90\% of users and identified all adversaries within 50 s.}, } @InProceedings{cornelius:biometrics-poster, author = {Cory Cornelius and Zachary Marois and Jacob Sorber and Ron Peterson and Shrirang Mare and David Kotz}, title = {Passive Biometrics for Pervasive Wearable Devices (Poster paper)}, booktitle = {Proceedings of the Workshop on Mobile Computing Systems and Applications (HotMobile)}, year = 2012, month = {February}, numpages = 1, publisher = {ACM}, copyright = {the authors}, URL = {https://www.cs.dartmouth.edu/~kotz/research/cornelius-biometrics-poster/index.html}, abstract = {Wearable devices -- like the FitBit, MOTOACTV, and Jawbone UP -- are increasingly becoming more pervasive whether for monitoring health and fitness, personal assistance, or home automation. While pervasive wearable devices have long been researched, we are now beginning to see the fruits of this research in the form of commercial offerings. Today, many of these commercial wearable devices are closed systems that do not interoperate with other devices a person might carry. We believe, however, these commercial offerings signal the coming of wireless body-area networks that will connect these pervasive wearable devices and leverage existing devices a user already owns (e.g., a smartphone). Such wireless body-area networks will allow devices to specialize and utilize the capabilities of other devices in the network. A sensor, for example, might harness the internet connectivity of a smartphone to store its data in the cloud. Utilized in this way, devices will become cheaper because they will only require the components necessary for their speciality, and they will also become more pervasive because they can easily be shared between users. \par In order for such a vision to be successful, these devices will need to seamlessly interoperate with no interaction required of the user. As difficult as it is for users to manage their wireless area networks, it will be even more difficult for a user to manage their wireless body-area network in a truly pervasive world. As such, we believe these wearable devices should form a wireless body-area network that is passive in nature. This means that these pervasive wearable devices will require no configuration, yet they will be able form a wireless body-area network by (1) discovering their peers, (2) recognizing they are attached to the same body, (3) securing their communications, and (4) identifying to whom they are attached. While we are interested in all aspects of these passive wireless body-area networks, we focus on the last requirement: identifying who is wearing a device.}, } @InProceedings{cornelius:impedance, author = {Cory Cornelius and Jacob Sorber and Ronald Peterson and Joe Skinner and Ryan Halter and David Kotz}, title = {Who wears me? Bioimpedance as a passive biometric}, booktitle = {Proceedings of the USENIX Workshop on Health Security and Privacy}, year = 2012, month = {August}, numpages = 10, publisher = {USENIX Association}, copyright = {the authors}, URL = {https://www.cs.dartmouth.edu/~kotz/research/cornelius-impedance/index.html}, abstract = {Mobile and wearable systems for monitoring health are becoming common. If such an mHealth system knows the identity of its wearer, the system can properly label and store data collected by the system. Existing recognition schemes for such mobile applications and pervasive devices are not particularly usable -- they require \emph{active} engagement with the person (e.g., the input of passwords), or they are too easy to fool (e.g., they depend on the presence of a device that is easily stolen or lost). \par We present a wearable sensor to passively recognize people. Our sensor uses the unique electrical properties of a person's body to recognize their identity. More specifically, the sensor uses \emph{bioimpedance} -- a measure of how the body's tissues oppose a tiny applied alternating current -- and learns how a person's body uniquely responds to alternating current of different frequencies. In this paper we demonstrate the feasibility of our system by showing its effectiveness at accurately recognizing people in a household 90\% of the time.}, } @Article{cornelius:j-same-body, author = {Cory Cornelius and David Kotz}, title = {Recognizing whether sensors are on the same body}, journal = {Journal of Pervasive and Mobile Computing}, year = 2012, month = {December}, volume = 8, number = 6, pages = {822--836}, publisher = {Elsevier}, copyright = {Elsevier}, DOI = {10.1016/j.pmcj.2012.06.005}, URL = {https://www.cs.dartmouth.edu/~kotz/research/cornelius-j-same-body/index.html}, abstract = {In an open mobile health (mHealth) sensing system, users will be able to seamlessly pair sensors with their cellphone and expect the system to just work. This ubiquity of sensors, however, creates the potential for users to accidentally wear sensors that are not paired with their own cellphone. Our method probabilistically detects this situation by finding correlations between embedded accelerometers in the cellphone and sensor. We evaluate our method over a dataset of seven individuals with sensors in various positions on their body and experimentally show that our method is capable of achieving an accuracy of 85\%.}, } @MastersThesis{prasad:msthesis, author = {Aarathi Prasad}, title = {Exposing Privacy Concerns in mHealth Data Sharing}, school = {Dartmouth College Computer Science}, year = 2012, month = {February}, copyright = {Aarathi Prasad}, address = {Hanover, NH}, URL = {https://www.cs.dartmouth.edu/~kotz/research/prasad-msthesis/index.html}, note = {Available as Technical Report TR2012-711}, abstract = {Mobile health (mHealth) has become important in the field of healthcare information technology, as patients begin to use mobile devices to record their daily activities and vital signs. These devices can record personal health information even outside the hospital setting, while the patients are at home or at their workplace. However, the devices might record sensitive information that might not be relevant for medical purposes and in some cases may be misused. Patients need expressive privacy controls so that they can trade potential health benefits of the technology with the privacy risks. To provide such privacy controls, it is important to understand what patients feel are the benefits and risks associated with the technology and what controls they want over the information. \par We conducted focus groups to understand the privacy concerns that patients have when they use mHealth devices. We conducted a user study to understand how willing patients are to share their personal health information that was collected using an mHealth device. To the best of our knowledge, ours is the first study that explores users' privacy concerns by giving them the opportunity to actually share the information collected about them using mHealth devices. We found that patients tend to share more information with third parties than the public and prefer to keep certain information from their family and friends. Finally, based on these discoveries, we propose some guidelines to developing defaults for sharing settings in mHealth systems.}, } @InProceedings{cornelius:same-body, author = {Cory Cornelius and David Kotz}, title = {Recognizing whether sensors are on the same body}, booktitle = {Proceedings of the International Conference on Pervasive Computing (Pervasive)}, series = {Lecture Notes in Computer Science}, year = 2011, month = {June}, volume = 6696, pages = {332--349}, publisher = {Springer-Verlag}, copyright = {Springer-Verlag}, DOI = {10.1007/978-3-642-21726-5_21}, URL = {https://www.cs.dartmouth.edu/~kotz/research/cornelius-same-body/index.html}, abstract = {As personal health sensors become ubiquitous, we also expect them to become interoperable. That is, instead of closed, end-to-end personal health sensing systems, we envision standardized sensors wirelessly communicating their data to a device many people already carry today, the cellphone. In an open personal health sensing system, users will be able to seamlessly pair off-the-shelf sensors with their cellphone and expect the system to \emph{just work}. However, this ubiquity of sensors creates the potential for users to accidentally wear sensors that are not necessarily paired with their own cellphone. A husband, for example, might mistakenly wear a heart-rate sensor that is actually paired with his wife's cellphone. As long as the heart-rate sensor is within communication range, the wife's cellphone will be receiving heart-rate data about her husband, data that is incorrectly entered into her own health record. \par We provide a method to probabilistically detect this situation. Because accelerometers are relatively cheap and require little power, we imagine that the cellphone and each sensor will have a companion accelerometer embedded with the sensor itself. We extract standard features from these companion accelerometers, and use a pair-wise statistic -- coherence, a measurement of how well two signals are related in the frequency domain -- to determine how well features correlate for different locations on the body. We then use these feature coherences to train a classifier to recognize whether a pair of sensors -- or a sensor and a cellphone -- are on the same body. We evaluate our method over a dataset of several individuals walking around with sensors in various positions on their body and experimentally show that our method is capable of achieving an accuracies over 80\%.}, } @InProceedings{cornelius:healthsec10, author = {Cory Cornelius and David Kotz}, title = {On Usable Authentication for Wireless Body Area Networks}, booktitle = {Proceedings of the USENIX Workshop on Health Security (HealthSec)}, year = 2010, month = {August}, numpages = 2, publisher = {USENIX Association}, copyright = {the authors}, URL = {https://www.cs.dartmouth.edu/~kotz/research/cornelius-healthsec10/index.html}, note = {Position paper}, abstract = {We examine a specific security problem in wireless body area networks (WBANs), what we call the \emph{one body authentication problem}. That is, how can we ensure that the wireless sensors in a WBAN are collecting data about one individual and not several individuals. We explore existing solutions to this problem and provide some analysis why these solutions are inadequate. Finally, we provide some direction towards a promising solution to the problem and how it can be used to create a usably secure WBAN.}, }