BibTeX for papers by David Kotz; for complete/updated list see https://www.cs.dartmouth.edu/~kotz/research/papers.html @Misc{pierson:snap-patent, author = {Timothy J. Pierson and Ronald Peterson and David F. Kotz}, title = {{System and method for proximity detection with single-antenna device}}, howpublished = {U.S. Patent 11,871,233; International Patent Application WO2019210201A1}, year = 2024, month = {January}, day = 9, URL = {https://www.cs.dartmouth.edu/~kotz/research/pierson-snap-patent/index.html}, note = {Priority date 2018-04-27; Filed 2019-04-26; Published 2021-07-29, Issued 2024-01-09}, abstract = {A single-antenna device includes a single antenna, at least one processor, and at least one memory. The single-antenna device is operable to receive a signal including at least one frame. Each of said frame includes a repeating portion. The single-antenna device determines a difference of phase and amplitude of the repeating portion and further determines whether the signal is transmitted from a trusted source based at least in part on the difference of phase and amplitude of the repeating portion.}, } @Misc{pierson:closetalker-patent2, author = {Timothy J. Pierson and Ronald Peterson and David Kotz}, title = {{Apparatuses, Methods, and Software For Secure Short-Range Wireless Communication}}, howpublished = {U.S. Patent 11,894,920}, year = 2024, month = {February}, day = 6, URL = {https://www.cs.dartmouth.edu/~kotz/research/pierson-closetalker-patent2/index.html}, note = {Priority date 2017-09-06; WO Filed 2018-09-06, US Filed 2020-02-26, Continuation of 11,153,026; Issued 2024-02-06}, abstract = {Apparatuses that provide for secure wireless communications between wireless devices under cover of one or more jamming signals. Each such apparatus includes at least one data antenna and at least one jamming antenna. 
During secure-communications operations, the apparatus transmits a data signal containing desired data via the at least one data antenna while also at least partially simultaneously transmitting a jamming signal via the at least one jamming antenna. When a target antenna of a target device is in close proximity to the data antenna and is closer to the data antenna than to the jamming antenna, the target device can successfully receive the desired data contained in the data signal because the data signal is sufficiently stronger than the jamming signal within a finite secure-communications envelope due to the Inverse Square Law of signal propagation. Various related methods and machine-executable instructions are also disclosed.}, } @Misc{pierson:wanda-patent2, author = {Timothy J. Pierson and Xiaohui Liang and Ronald Peterson and David Kotz}, title = {{Apparatus for securely configuring a target device}}, howpublished = {U.S. Patent 11,683,071}, year = 2023, month = {June}, day = 20, URL = {https://www.cs.dartmouth.edu/~kotz/research/pierson-wanda-patent2/index.html}, note = {Continuation of U.S. Patent 10,574,298. Priority date 2015-06-23; Filed 2020-01-20; Allowed 2023-02-10; Issued 2023-06-20}, abstract = {Apparatus and method securely transfer first data from a source device to a target device. A wireless signal having (a) a higher speed channel conveying second data and (b) a lower speed channel conveying the first data is transmitted. The lower speed channel is formed by selectively transmitting the wireless signal from one of a first and second antennae of the source device based upon the first data. 
The first and second antennae are positioned a fixed distance apart and the target device uses a received signal strength indication (RSSI) of the first signal to decode the lower speed channel and receive the first data.}, } @Misc{mare:saw-patent, author = {Shrirang Mare and David Kotz and Ronald Peterson}, title = {{Effortless authentication for desktop computers using wrist wearable tokens}}, howpublished = {U.S. Patent 11,574,039}, year = 2023, month = {February}, day = 7, URL = {https://www.cs.dartmouth.edu/~kotz/research/mare-saw-patent/index.html}, note = {Priority date 2018-07-20; International application Filed 2019-07-19; National stage Filed 2021-01-20; Issued 2023-02-07}, abstract = {A system and method for authenticating users of a digital device includes an authentication device attached to an authorized user. The authentication device includes one or more motion sensors and acts as a user identity token. To authenticate with a digital device, the user performs one or more interactions with the digital device using the hand associated with the authentication device. The digital device correlates the inputs received due to the interactions with the user's hand and/or wrist movement, as measured by the authentication device. Access to the digital device is allowed if the inputs and movements are correlated.}, } @PhdThesis{hardin:thesis, author = {Taylor Hardin}, title = {{Information Provenance for Mobile Health Data}}, school = {Dartmouth Computer Science}, year = 2022, month = {May}, copyright = {the author}, address = {Hanover, NH}, URL = {https://www.cs.dartmouth.edu/~kotz/research/hardin-thesis/index.html}, abstract = { Mobile health (mHealth) apps and devices are increasingly popular for health research, clinical treatment and personal wellness, as they offer the ability to continuously monitor aspects of individuals' health as they go about their everyday activities. 
Many believe that combining the data produced by these mHealth apps and devices may give healthcare-related service providers and researchers a more holistic view of an individual's health, increase the quality of service, and reduce operating costs. For such mHealth data to be considered useful, though, data consumers need to be assured that the authenticity and the integrity of the data have remained intact --- especially for data that may have been created through a series of aggregations and transformations on many input data sets. In other words, \emph{information provenance} should be one of the main focuses for any system that wishes to facilitate the sharing of sensitive mHealth data. Creating such a trusted and secure data sharing ecosystem for mHealth apps and devices is difficult, however, as they are implemented with different technologies and managed by different organizations. Furthermore, many mHealth devices use ultra-low-power micro-controllers, which lack the kinds of sophisticated Memory Management Units (MMUs) required to sufficiently isolate sensitive application code and data. \par In this thesis, we present an end-to-end solution for providing information provenance for mHealth data, which begins by securing mHealth data at its source: the mHealth device. To this end, we devise a memory-isolation method that combines compiler-inserted code and Memory Protection Unit (MPU) hardware to protect application code and data on ultra-low-power micro-controllers. Then we address the security of mHealth data outside of the source (e.g., data that has been uploaded to a smartphone or remote server) with our health-data system, Amanuensis, which uses Blockchain and Trusted Execution Environment (TEE) technologies to provide confidential, yet verifiable, data storage and computation for mHealth data. Finally, we look at identity privacy and data freshness issues introduced by the use of blockchain and TEEs. 
Namely, we present a privacy-preserving solution for blockchain transactions, and a freshness solution for data access-control lists retrieved from the blockchain. }, } @InProceedings{peters:via, author = {Travis Peters and Timothy J. Pierson and Sougata Sen and Jos{\'{e}} Camacho and David Kotz}, title = {{Recurring Verification of Interaction Authenticity Within Bluetooth Networks}}, booktitle = {{Proceedings of the ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec 2021)}}, year = 2021, month = {June}, pages = {192--203}, publisher = {ACM}, copyright = {ACM}, DOI = {10.1145/3448300.3468287}, URL = {https://www.cs.dartmouth.edu/~kotz/research/peters-via/index.html}, abstract = {Although user authentication has been well explored, device-to-device authentication -- specifically in Bluetooth networks -- has not seen the same attention. We propose Verification of Interaction Authenticity (VIA) -- a recurring authentication scheme based on evaluating characteristics of the communications (interactions) between devices. We adapt techniques from wireless traffic analysis and intrusion detection systems to develop behavioral models that capture typical, authentic device interactions (behavior); these models enable recurring verification of device behavior. To evaluate our approach we produced a new dataset consisting of more than 300 Bluetooth network traces collected from 20 Bluetooth-enabled smart-health and smart-home devices. 
In our evaluation, we found that devices can be correctly verified at a variety of granularities, achieving an F1-score of 0.86 or better in most cases.}, } @Article{sen:vibering-j, author = {Sougata Sen and David Kotz}, title = {{VibeRing: Using vibrations from a smart ring as an out-of-band channel for sharing secret keys}}, journal = {Journal of Pervasive and Mobile Computing}, year = 2021, month = {December}, volume = 78, articleno = 101505, numpages = 16, publisher = {Elsevier}, copyright = {Elsevier}, DOI = {10.1016/j.pmcj.2021.101505}, URL = {https://www.cs.dartmouth.edu/~kotz/research/sen-vibering-j/index.html}, abstract = {Many Internet of Things (IoT) devices are capable of sensing their environment, communicating with other devices, and actuating on their environment. Some of these IoT devices, herein known as ``smartThings'', collect meaningful information from raw data when they are in use and in physical contact with their user (e.g., a blood-glucose monitor); the smartThing's wireless connectivity allows it to transfer that data to its user's trusted device, such as a smartphone. However, an adversary could impersonate the user and bootstrap a communication channel with the smartThing while the smartThing is being used by an oblivious legitimate user. \par To address this problem, in this paper, we investigate the use of \emph{vibration}, generated by a smartRing, as an out-of-band communication channel to unobtrusively share a secret with a smartThing. This exchanged secret can be used to bootstrap a secure wireless channel over which the smartphone (or another trusted device) and the smartThing can communicate. We present the design, implementation, and evaluation of this system, which we call \emph{VibeRing}. We describe the hardware and software details of the smartThing and smartRing. 
Through a user study we demonstrate that it is possible to share a secret with various objects quickly, accurately and securely as compared to several existing techniques. Overall, we successfully exchange a secret between a smartRing and various smartThings, at least 85.9\% of the time. We show that \emph{VibeRing} can perform this exchange at 12.5 bits/second at a bit error rate of less than 2.5\%. We also show that \emph{VibeRing} is robust to the smartThing's constituent material as well as the holding style. Finally, we demonstrate that a nearby adversary cannot decode or modify the message exchanged between the trusted devices. }, } @Misc{pierson:closetalker-patent, author = {Timothy J. Pierson and Ronald Peterson and David Kotz}, title = {{Apparatuses, Methods, and Software For Secure Short-Range Wireless Communication}}, howpublished = {U.S. Patent 11,153,026}, year = 2021, month = {October}, day = 19, URL = {https://www.cs.dartmouth.edu/~kotz/research/pierson-closetalker-patent/index.html}, note = {Priority date 2017-09-06; WO Filed 2018-09-06, US Filed 2020-02-26, US amendment filed 2021-01-29; Issued 2021-10-19}, abstract = {Apparatuses that provide for secure wireless communications between wireless devices under cover of one or more jamming signals. Each such apparatus includes at least one data antenna and at least one jamming antenna. During secure-communications operations, the apparatus transmits a data signal containing desired data via the at least one data antenna while also at least partially simultaneously transmitting a jamming signal via the at least one jamming antenna. 
When a target antenna of a target device is in close proximity to the data antenna and is closer to the data antenna than to the jamming antenna, the target device can successfully receive the desired data contained in the data signal because the data signal is sufficiently stronger than the jamming signal within a finite secure-communications envelope due to the Inverse Square Law of signal propagation. Various related methods and machine-executable instructions are also disclosed.}, } @TechReport{landwehr:thaw-tr, author = {Carl Landwehr and David Kotz}, title = {{THaW publications}}, institution = {Dartmouth Computer Science}, year = 2020, month = {December}, number = {TR2020-904}, copyright = {the authors}, URL = {https://www.cs.dartmouth.edu/~kotz/research/landwehr-thaw-tr/index.html}, abstract = {In 2013, the National Science Foundation's Secure and Trustworthy Cyberspace program awarded a Frontier grant to a consortium of four institutions, led by Dartmouth College, to enable trustworthy cybersystems for health and wellness. As of this writing, the Trustworthy Health and Wellness (THaW) project's bibliography includes more than 130 significant publications produced with support from the THaW grant; these publications document the progress made on many fronts by the THaW research team. The collection includes dissertations, theses, journal papers, conference papers, workshop contributions and more. The bibliography is organized as a Zotero library, which provides ready access to citation materials and abstracts and associates each work with a URL where it may be found, cluster (category), several content tags, and a brief annotation summarizing the work's contribution. 
For more information about THaW, visit thaw.org.}, } @Article{liang:jlighttouch, author = {Xiaohui Liang and Ronald Peterson and David Kotz}, title = {{Securely Connecting Wearables to Ambient Displays with User Intent}}, journal = {IEEE Transactions on Dependable and Secure Computing}, year = 2020, month = {July}, volume = 17, number = 4, pages = {676--690}, publisher = {IEEE}, copyright = {IEEE}, DOI = {10.1109/TDSC.2018.2840979}, URL = {https://www.cs.dartmouth.edu/~kotz/research/liang-jlighttouch/index.html}, abstract = {Wearables are often small and have limited user interfaces, hence they often wirelessly interface with a personal smartphone or a personal computer to relay information from the wearable for display. In this paper, we envision a new method LightTouch by which a wearable can establish a secure connection to an ambient display, such as a television or computer monitor, based on the user's intention to connect to the display. Such connections must be secure to prevent impersonation attacks, must work with unmodified display hardware, and must be easy to establish. LightTouch uses standard RF methods for communicating the data to display, securely bootstrapped with a key shared via a brightness channel between the low cost, low power, ambient light sensor of a wearable and the screen of the display. A screen touch gesture is adopted by users to ensure the modulation of screen brightness can be accurately and securely captured by the ambient light sensor. We further propose novel on-screen localization and correlation algorithms to improve security and reliability. 
Through experiments we demonstrate that LightTouch is compatible with current display and wearable designs, easy-to-use (5-6 seconds), reliable for connecting displays (98 percent success connection ratio), and secure against impersonation attacks.}, } @InProceedings{sen:vibering, author = {Sougata Sen and David Kotz}, title = {{VibeRing: Using vibrations from a smart ring as an out-of-band channel for sharing secret keys}}, booktitle = {{Proceedings of the International Conference on the Internet of Things (IoT)}}, year = 2020, month = {October}, articleno = 13, numpages = 8, publisher = {ACM}, copyright = {ACM}, ISBN13 = 9781450387583, DOI = {10.1145/3410992.3410995}, URL = {https://www.cs.dartmouth.edu/~kotz/research/sen-vibering/index.html}, abstract = {With the rapid growth in the number of IoT devices that have wireless communication capabilities, and sensitive information collection capabilities, it is becoming increasingly necessary to ensure that these devices communicate securely with only authorized devices. A major requirement of this secure communication is to ensure that both the devices share a \emph{secret}, which can be used for secure pairing and encrypted communication. Manually imparting this secret to these devices becomes an unnecessary overhead, especially when the device interaction is transient. In this paper, we empirically investigate the possibility of using an out-of-band communication channel -- vibration, generated by a custom smart ring -- to share a secret with a smart IoT device. This exchanged secret can be used to bootstrap a secure wireless channel over which the devices can communicate. We believe that in the future, IoT devices can use such a technique to seamlessly connect with authorized devices with minimal user interaction overhead. 
In this paper, we specifically investigate (a) the feasibility of using vibration generated by a custom wearable for communication, (b) the effect of various parameters on this communication channel, and (c) the possibility of information manipulation by an adversary or information leakage to an adversary. For this investigation, we conducted a controlled study as well as a user study with 12 participants. In the controlled study, we could successfully share messages through vibrations with a bit error rate of less than 2.5\%. Additionally, through the user study we demonstrate that it is possible to share messages with various types of objects accurately, quickly and securely as compared to several existing techniques. Overall, we find that in the best case we can exchange 85.9\% of messages successfully with a smart device.}, } @PhdThesis{peters:thesis, author = {Travis Peters}, title = {{Trustworthy Wireless Personal Area Networks}}, school = {Dartmouth Computer Science}, year = 2020, month = {August}, copyright = {the author}, address = {Hanover, NH}, URL = {https://www.cs.dartmouth.edu/~kotz/research/peters-thesis/index.html}, note = {Available as Dartmouth Computer Science Technical Report TR2020-878}, abstract = {\par In the Internet of Things (IoT), everyday objects are equipped with the ability to compute and communicate. These smart things have invaded the lives of everyday people, being constantly carried or worn on our bodies, and entering into our homes, our healthcare, and beyond. This has given rise to wireless networks of smart, connected, always-on, personal things that are constantly around us, and have unfettered access to our most personal data as well as all of the other devices that we own and encounter throughout our day. It should, therefore, come as no surprise that our personal devices and data are frequent targets of ever-present threats. Securing these devices and networks, however, is challenging. 
In this dissertation, we outline three critical problems in the context of Wireless Personal Area Networks (WPANs) and present our solutions to these problems. \par First, I present our Trusted I/O solution (BASTION-SGX) for protecting sensitive user data transferred between wirelessly connected (Bluetooth) devices. This work shows how in-transit data can be protected from privileged threats, such as a compromised OS, on commodity systems. I present insights into the Bluetooth architecture, Intel's Software Guard Extensions (SGX), and how a Trusted I/O solution can be engineered on commodity devices equipped with SGX. \par Second, I present our work on AMULET and how we successfully built a wearable health hub that can run multiple health applications, provide strong security properties, and operate on a single charge for weeks or even months at a time. I present the design and evaluation of our highly efficient event-driven programming model, the design of our low-power operating system, and developer tools for profiling ultra-low-power applications at compile time. \par Third, I present a new approach (VIA) that helps devices at the center of WPANs (e.g., smartphones) to verify the authenticity of interactions with other devices. This work builds on past work in anomaly detection techniques and shows how these techniques can be applied to Bluetooth network traffic. Specifically, we show how to create normality models based on fine- and coarse-grained insights from network traffic, which can be used to verify the authenticity of future interactions. }, } @Misc{pierson:wanda-patent, author = {Timothy J. Pierson and Xiaohui Liang and Ronald Peterson and David Kotz}, title = {{Apparatus for Securely Configuring A Target Device and Associated Methods}}, howpublished = {U.S. 
Patent 10,574,298}, year = 2020, month = {February}, day = 25, URL = {https://www.cs.dartmouth.edu/~kotz/research/pierson-wanda-patent/index.html}, note = {Priority date 2015-06-23; Filed 2016-06-23; Issued 2020-02-25}, abstract = {Apparatus and method securely transfer first data from a source device to a target device. A wireless signal having (a) a higher speed channel conveying second data and (b) a lower speed channel conveying the first data is transmitted. The lower speed channel is formed by selectively transmitting the wireless signal from one of a first and second antennae of the source device based upon the first data. The first and second antennae are positioned a fixed distance apart and the target device uses a received signal strength indication (RSSI) of the first signal to decode the lower speed channel and receive the first data.}, } @Misc{liang:lighttouch-patent, author = {Xiaohui Liang and Tianlong Yun and Ron Peterson and David Kotz}, title = {{Secure System For Coupling Wearable Devices To Computerized Devices with Displays}}, howpublished = {U.S. Patent 10,581,606}, year = 2020, month = {March}, day = 3, URL = {https://www.cs.dartmouth.edu/~kotz/research/liang-lighttouch-patent/index.html}, note = {Priority date 2014-08-18, Filed 2015-08-18; Issued 2020-03-03.}, abstract = {A system has a first electronic device with optical sensor, digital radio transceiver, and processor with firmware; this device is typically portable or wearable. The system also has a computerized device with a display, a second digital radio transceiver, and a second processor with firmware. The first and computerized devices are configured to set up a digital radio link when in radio range. The second processor uses a spot on the display to optically transmit a digital message including a secret such as an encryption key or subkey and/or an authentication code adapted for authenticating and encrypting the radio link. 
The first device receives the digital message via its optical sensor, and uses the digital message to validate and establish encryption on the radio link. In embodiments, the system determines a location of the first device on the display and positions the transmission spot at the determined location.}, } @Article{greene:sharehealth, author = {Emily Greene and Patrick Proctor and David Kotz}, title = {{Secure Sharing of mHealth Data Streams through Cryptographically-Enforced Access Control}}, journal = {Journal of Smart Health}, year = 2019, month = {April}, volume = 12, pages = {49--65}, publisher = {Elsevier}, copyright = {Elsevier}, DOI = {10.1016/j.smhl.2018.01.003}, URL = {https://www.cs.dartmouth.edu/~kotz/research/greene-sharehealth/index.html}, abstract = {Owners of mobile-health apps and devices often want to share their mHealth data with others, such as physicians, therapists, coaches, and caregivers. For privacy reasons, however, they typically want to share a limited subset of their information with each recipient according to their preferences. In this paper, we introduce ShareHealth, a scalable, usable, and practical system that allows mHealth-data owners to specify access-control policies and to cryptographically enforce those policies so that only parties with the proper corresponding permissions are able to decrypt data. 
The design and prototype implementation of this system make three contributions: (1) they apply cryptographically-enforced access-control measures to stream-based (specifically mHealth) data, (2) they recognize the temporal nature of mHealth data streams and support revocation of access to part or all of a data stream, and (3) they depart from the vendor- and device-specific silos of mHealth data by implementing a secure end-to-end system that can be applied to data collected from a variety of mHealth apps and devices.}, } @InProceedings{mare:csaw19, author = {Shrirang Mare and Reza Rawassizadeh and Ronald Peterson and David Kotz}, title = {{Continuous Smartphone Authentication using Wristbands}}, booktitle = {{Proceedings of the Workshop on Usable Security (USEC)}}, year = 2019, month = {February}, numpages = 12, publisher = {Internet Society}, copyright = {the authors}, DOI = {10.14722/usec.2019.23013}, URL = {https://www.cs.dartmouth.edu/~kotz/research/mare-csaw19/index.html}, abstract = {Many users find current smartphone authentication methods (PINs, swipe patterns) to be burdensome, leading them to weaken or disable the authentication. Although some phones support methods to ease the burden (such as fingerprint readers), these methods require active participation by the user and do not verify the user's identity after the phone is unlocked. We propose CSAW, a continuous smartphone authentication method that leverages wristbands to verify that the phone is in the hands of its owner. In CSAW, users wear a wristband (a smartwatch or a fitness band) with built-in motion sensors, and by comparing the wristband's motion with the phone's motion, CSAW continuously produces a score indicating its confidence that the person holding (and using) the phone is the person wearing the wristband. This score provides the foundation for a wide range of authentication decisions (e.g., unlocking phone, deauthentication, or limiting phone access). 
Through two user studies (N{$=$}27,11) we evaluated CSAW's accuracy, usability, and security. Our experimental evaluation demonstrates that CSAW was able to conduct initial authentication with over 99\% accuracy and continuous authentication with over 96.5\% accuracy.}, } @InProceedings{pierson:closetalker, author = {Timothy J. Pierson and Travis Peters and Ronald Peterson and David Kotz}, title = {{CloseTalker: secure, short-range ad hoc wireless communication}}, booktitle = {{Proceedings of the ACM International Conference on Mobile Systems, Applications, and Services (MobiSys)}}, year = 2019, month = {June}, pages = {340--352}, publisher = {ACM}, copyright = {ACM}, DOI = {10.1145/3307334.3326100}, URL = {https://www.cs.dartmouth.edu/~kotz/research/pierson-closetalker/index.html}, abstract = {Secure communication is difficult to arrange between devices that have not previously shared a secret. Previous solutions to the problem are susceptible to man-in-the-middle attacks, require additional hardware for out-of-band communication, or require an extensive public-key infrastructure. Furthermore, as the number of wireless devices explodes with the advent of the Internet of Things, it will be impractical to manually configure each device to communicate with its neighbors. \par Our system, CloseTalker, allows simple, secure, ad hoc communication between devices in close physical proximity, while jamming the signal so it is unintelligible to any receivers more than a few centimeters away. CloseTalker does not require any specialized hardware or sensors in the devices, does not require complex algorithms or cryptography libraries, occurs only when intended by the user, and can transmit a short burst of data or an address and key that can be used to establish long-term or long-range communications at full bandwidth. 
\par In this paper we present a theoretical and practical evaluation of CloseTalker, which exploits Wi-Fi MIMO antennas and the fundamental physics of radio to establish secure communication between devices that have never previously met. We demonstrate that CloseTalker is able to facilitate secure in-band communication between devices in close physical proximity (about 5 cm), even though they have never met nor shared a key.}, } @InProceedings{pierson:snap, author = {Timothy J. Pierson and Travis Peters and Ronald Peterson and David Kotz}, title = {{Proximity Detection with Single-Antenna IoT Devices}}, booktitle = {{Proceedings of the ACM International Conference on Mobile Computing and Networking (MobiCom)}}, year = 2019, month = {October}, articleno = 21, numpages = 15, publisher = {ACM}, copyright = {ACM}, DOI = {10.1145/3300061.3300120}, URL = {https://www.cs.dartmouth.edu/~kotz/research/pierson-snap/index.html}, abstract = {Providing secure communications between wireless devices that encounter each other on an ad-hoc basis is a challenge that has not yet been fully addressed. In these cases, close physical proximity among devices that have never shared a secret key is sometimes used as a basis of trust; devices in close proximity are deemed trustworthy while more distant devices are viewed as potential adversaries. Because radio waves are invisible, however, a user may believe a wireless device is communicating with a nearby device when in fact the user's device is communicating with a distant adversary. Researchers have previously proposed methods for multi-antenna devices to ascertain physical proximity with other devices, but devices with a single antenna, such as those commonly used in the Internet of Things, cannot take advantage of these techniques. 
\par We present a theoretical and practical evaluation of a method called SNAP -- SiNgle Antenna Proximity -- that allows a single-antenna Wi-Fi device to quickly determine proximity with another Wi-Fi device. Our proximity detection technique leverages the repeating nature of Wi-Fi's preamble and the behavior of a signal in a transmitting antenna's near-field region to detect proximity with high probability; SNAP never falsely declares proximity at ranges longer than 14 cm.}, } @InProceedings{sen:vibering-poster, author = {Sougata Sen and Varun Mishra and David Kotz}, title = {{Using vibrations from a SmartRing as an out-of-band channel for sharing secret keys}}, booktitle = {{Adjunct Proceedings of the ACM International Joint Conference on Pervasive and Ubiquitous Computing (UbiComp)}}, year = 2019, month = {September}, pages = {198--201}, publisher = {ACM}, copyright = {the authors}, DOI = {10.1145/3341162.3343818}, URL = {https://www.cs.dartmouth.edu/~kotz/research/sen-vibering-poster/index.html}, abstract = {With the rapid growth in the number of Internet of Things (IoT) devices with wireless communication capabilities, and sensitive information collection capabilities, it is becoming increasingly necessary to ensure that these devices communicate securely with only authorized devices. A major requirement of this secure communication is to ensure that both the devices share a secret, which can be used for secure pairing and encrypted communication. Manually imparting this secret to these devices becomes an unnecessary overhead, especially when the device interaction is transient. In this work, we empirically investigate the possibility of using an out-of-band communication channel -- vibration, generated by a custom smartRing -- to share a secret with a compatible IoT device. Through a user study with 12 participants we show that in the best case we can exchange 85.9\% of messages successfully. 
Our technique demonstrates the possibility of sharing messages accurately, quickly and securely as compared to several existing techniques.}, } @TechReport{carrigan:fitbit, author = {Joseph Carrigan and David Kotz and Aviel Rubin}, title = {{STEM Outreach Activity with Fitbit Wearable Devices}}, institution = {Dartmouth College and Johns Hopkins University}, year = 2018, month = {February}, number = {TR2018-839}, copyright = {the authors}, URL = {https://www.cs.dartmouth.edu/~kotz/research/carrigan-fitbit/index.html}, abstract = {This document provides a toolkit for a STEM outreach activity based on Fitbit wearable fitness devices. The activity is targeted toward high-school students. This document provides guidance on preparing for and executing the activity and measuring outcomes. This document contains templates that can be used as is or altered to suit your specific needs.}, } @Article{liu:vocalresonance, author = {Rui Liu and Cory Cornelius and Reza Rawassizadeh and Ron Peterson and David Kotz}, title = {{Vocal Resonance: Using Internal Body Voice for Wearable Authentication}}, journal = {Proceedings of the ACM on Interactive, Mobile, Wearable and Ubiquitous Technologies (IMWUT) (UbiComp)}, year = 2018, month = {March}, volume = 2, number = 1, articleno = 19, numpages = 23, publisher = {ACM}, copyright = {ACM}, DOI = {10.1145/3191751}, URL = {https://www.cs.dartmouth.edu/~kotz/research/liu-vocalresonance/index.html}, abstract = {We observe the advent of body-area networks of pervasive wearable devices, whether for health monitoring, personal assistance, entertainment, or home automation. For many devices, it is critical to identify the wearer, allowing sensor data to be properly labeled or personalized behavior to be properly achieved. In this paper we propose the use of vocal resonance, that is, the sound of the person's voice as it travels through the person's body -- a method we anticipate would be suitable for devices worn on the head, neck, or chest. 
In this regard, we go well beyond the simple challenge of speaker recognition: we want to know who is wearing the device. We explore two machine-learning approaches that analyze voice samples from a small throat-mounted microphone and allow the device to determine whether (a) the speaker is indeed the expected person, and (b) the microphone-enabled device is physically on the speaker's body. We collected data from 29 subjects, demonstrate the feasibility of a prototype, and show that our DNN method achieved balanced accuracy 0.914 for identification and 0.961 for verification by using an LSTM-based deep-learning model, while our efficient GMM method achieved balanced accuracy 0.875 for identification and 0.942 for verification.}, } @Article{mare:saw, author = {Shrirang Mare and Reza Rawassizadeh and Ronald Peterson and David Kotz}, title = {{SAW: Wristband-based authentication for desktop computers}}, journal = {Proceedings of the ACM on Interactive, Mobile, Wearable and Ubiquitous Technologies (IMWUT) (UbiComp)}, year = 2018, month = {September}, volume = 2, number = 3, articleno = 125, numpages = 29, publisher = {ACM}, copyright = {ACM}, DOI = {10.1145/3264935}, URL = {https://www.cs.dartmouth.edu/~kotz/research/mare-saw/index.html}, abstract = {Token-based proximity authentication methods that authenticate users based on physical proximity are effortless, but lack explicit user intentionality, which may result in accidental logins. For example, a user may get logged in when she is near a computer or just passing by, even if she does not intend to use that computer. Lack of user intentionality in proximity-based methods makes them less suitable for multi-user shared computer environments, despite their desired usability benefits over passwords. \par We present an authentication method for desktops called Seamless Authentication using Wristbands (SAW), which addresses the lack of intentionality limitation of proximity-based methods. 
SAW uses a low-effort user input step for explicitly conveying user intentionality, while keeping the overall usability of the method better than password-based methods. In SAW, a user wears a wristband that acts as the user's identity token, and to authenticate to a desktop, the user provides a low-effort input by tapping a key on the keyboard multiple times or wiggling the mouse with the wristband hand. This input to the desktop conveys that someone wishes to log in to the desktop, and SAW verifies the user who wishes to log in by confirming the user's proximity and correlating the received keyboard or mouse inputs with the user's wrist movement, as measured by the wristband. In our feasibility user study (n{$=$}17), SAW proved quick to authenticate (within two seconds), with a low false-negative rate of 2.5\% and worst-case false-positive rate of 1.8\%. In our user perception study (n{$=$}16), a majority of the participants rated it as more usable than passwords.}, } @InProceedings{peters:bastionsgx, author = {Travis Peters and Reshma Lal and Srikanth Varadarajan and Pradeep Pappachan and David Kotz}, title = {{BASTION-SGX: Bluetooth and Architectural Support for Trusted I/O on SGX}}, booktitle = {{Proceedings of the International Workshop on Hardware and Architectural Support for Security and Privacy (HASP)}}, year = 2018, month = {June}, articleno = 3, numpages = 9, publisher = {ACM}, copyright = {ACM}, DOI = {10.1145/3214292.3214295}, URL = {https://www.cs.dartmouth.edu/~kotz/research/peters-bastionsgx/index.html}, abstract = {This paper presents work towards realizing architectural support for Bluetooth Trusted I/O on SGX-enabled platforms, with the goal of providing I/O data protection that does not rely on system software security. Indeed, we are primarily concerned with protecting I/O from all software adversaries, including privileged software. 
In this paper we describe the challenges in designing and implementing Trusted I/O at the architectural level for Bluetooth. We propose solutions to these challenges. In addition, we describe our proof-of-concept work that extends existing over-the-air Bluetooth security all the way to an SGX enclave by securing user data between the Bluetooth Controller and an SGX enclave.}, } @InProceedings{pierson:snap-poster, author = {Timothy J. Pierson and Travis Peters and Ronald Peterson and David Kotz}, title = {{Poster: Proximity Detection with Single-Antenna IoT Devices}}, booktitle = {{Proceedings of the ACM International Conference on Mobile Computing and Networking (MobiCom)}}, year = 2018, month = {October}, pages = {663--665}, publisher = {ACM}, copyright = {ACM}, DOI = {10.1145/3241539.3267751}, URL = {https://www.cs.dartmouth.edu/~kotz/research/pierson-snap-poster/index.html}, abstract = {Close physical proximity among wireless devices that have never shared a secret key is sometimes used as a basis of trust. In these cases, devices in close proximity are deemed trustworthy while more distant devices are viewed as potential adversaries. Because radio waves are invisible, however, a user may believe a wireless device is communicating with a nearby device when in fact the user's device is communicating with a distant adversary. Researchers have previously proposed methods for multi-antenna devices to ascertain physical proximity with other devices, but devices with a single antenna, such as those commonly used in the Internet of Things, cannot take advantage of these techniques. We investigate a method for a single-antenna Wi-Fi device to quickly determine proximity with another Wi-Fi device. Our approach leverages the repeating nature of Wi-Fi's preamble and the characteristics of a transmitting antenna's near field to detect proximity with high probability. 
Our method never falsely declares proximity at ranges longer than 14 cm.}, } @Article{reza:nocloud, author = {Reza Rawassizadeh and Timothy Pierson and Ronald Peterson and David Kotz}, title = {{NoCloud: Experimenting with Network Disconnection by Design}}, journal = {IEEE Pervasive Computing}, year = 2018, month = {January}, volume = 17, number = 1, pages = {64--74}, publisher = {IEEE}, copyright = {IEEE}, DOI = {10.1109/MPRV.2018.011591063}, URL = {https://www.cs.dartmouth.edu/~kotz/research/reza-nocloud/index.html}, abstract = {Application developers often advocate uploading data to the cloud for analysis or storage, primarily due to concerns about the limited computational capability of ubiquitous devices. Today, however, many such devices can still effectively operate and execute complex algorithms without reliance on the cloud. The authors recommend prioritizing on-device analysis over uploading the data to another host, and if on-device analysis is not possible, favoring local network services over a cloud service.}, } @PhdThesis{pierson:thesis, author = {Timothy J. Pierson}, title = {{Secure Short-range Communications}}, school = {Dartmouth Computer Science}, year = 2018, month = {June}, copyright = {Timothy J. Pierson}, address = {Hanover, NH}, URL = {https://www.cs.dartmouth.edu/~kotz/research/pierson-thesis/index.html}, note = {Available as Dartmouth Computer Science Technical Report TR2018-845}, abstract = {Analysts predict billions of everyday objects will soon become ``smart'' after designers add wireless communication capabilities. Collectively known as the Internet of Things (IoT), these newly communication-enabled devices are envisioned to collect and share data among themselves, with new devices entering and exiting a particular environment frequently. People and the devices they wear or carry may soon encounter dozens, possibly hundreds, of devices each day. Many of these devices will be encountered for the first time. 
Additionally, some of the information the devices share may have privacy or security implications. Furthermore, many of these devices will have limited or non-existent user interfaces, making manual configuration cumbersome. This situation suggests that devices that have never met, nor shared a secret, but that are in the same physical area, must have a way to securely communicate that requires minimal manual intervention. In this dissertation we present novel approaches to solve these short-range communication issues. Our techniques are simple to use, secure, and consistent with user intent. We first present a technique called Wanda that uses radio strength as a communication channel to securely impart information onto nearby devices. We focus on using Wanda to introduce new devices into an environment, but Wanda could be used to impart any type of information onto wireless devices, regardless of device type or manufacturer. Next we describe SNAP, a method for a single-antenna wireless device to determine when it is in close physical proximity to another wireless device. Because radio waves are invisible, a user may believe transmissions are coming from a nearby device when in fact the transmissions are coming from a distant adversary attempting to trick the user into accepting a malicious payload. Our approach significantly raises the bar for an adversary attempting such a trick. Finally, we present a solution called JamFi that exploits MIMO antennas and the Inverse-Square Law to securely transfer data between nearby devices while denying more distant adversaries the ability to recover the data. We find JamFi is able to facilitate reliable and secure communication between two devices in close physical proximity, even though they have never met nor shared a key.}, } @Misc{molina-markham:patent9961547, author = {Andr{\'{e}}s D. 
Molina-Markham and Shrirang Mare and Ronald Peterson and David Kotz}, title = {{Continuous seamless mobile device authentication using a separate electronic wearable apparatus}}, howpublished = {U.S. Patent 9,961,547}, year = 2018, month = {May}, day = 1, URL = {https://www.cs.dartmouth.edu/~kotz/research/molina-markham-patent9961547/index.html}, note = {Priority date 2016-09-30, Filed 2016-09-30; Issued 2018-05-01}, abstract = {A technique performs a security operation. The technique includes receiving first activity data from a mobile device, the first activity data identifying activity by a user that is currently using the mobile device. The technique further includes receiving second activity data from an electronic wearable apparatus, the second activity data identifying physical activity by a wearer that is currently wearing the electronic wearable apparatus. The technique further includes, based on the first activity data received from the mobile device and the second activity data received from the electronic wearable apparatus, performing an assessment operation that provides an assessment result indicating whether the user that is currently using the mobile device and the wearer that is currently wearing the electronic wearable apparatus are the same person. 
With such a technique, authentication may be continuous but without burdening the user to repeatedly re-enter a password.}, } @InProceedings{kotz:safethings, author = {David Kotz and Travis Peters}, title = {{Challenges to ensuring human safety throughout the life-cycle of Smart Environments}}, booktitle = {{Proceedings of the ACM Workshop on the Internet of Safe Things (SafeThings)}}, year = 2017, month = {November}, pages = {1--7}, publisher = {ACM}, copyright = {ACM}, DOI = {10.1145/3137003.3137012}, URL = {https://www.cs.dartmouth.edu/~kotz/research/kotz-safethings/index.html}, abstract = {The homes, offices, and vehicles of tomorrow will be embedded with numerous ``Smart Things,'' networked with each other and with the Internet. Many of these Things are embedded in the physical infrastructure, and like the infrastructure they are designed to last for decades -- far longer than is normal with today's electronic devices. What happens then, when an occupant moves out or transfers ownership of her Smart Environment? This paper outlines the critical challenges required for the safe long-term operation of Smart Environments. How does an occupant identify and decommission all the Things in an environment before she moves out? How does a new occupant discover, identify, validate, and configure all the Things in the environment he adopts? When a person moves from smart home to smart office to smart hotel, how is a new environment vetted for safety and security, how are personal settings migrated, and how are they securely deleted on departure? When the original vendor of a Thing (or the service behind it) disappears, how can that Thing (and its data, and its configuration) be transferred to a new service provider? What interface can enable lay people to manage these complex challenges, and be assured of their privacy, security, and safety? 
We present a list of key research questions to address these important challenges.}, } @InProceedings{liang:lighttouch, author = {Xiaohui Liang and Tianlong Yun and Ronald Peterson and David Kotz}, title = {{LightTouch: Securely Connecting Wearables to Ambient Displays with User Intent}}, booktitle = {{Proceedings of the IEEE International Conference on Computer Communications (INFOCOM)}}, year = 2017, month = {May}, pages = {1--9}, publisher = {IEEE}, copyright = {IEEE}, DOI = {10.1109/INFOCOM.2017.8057210}, URL = {https://www.cs.dartmouth.edu/~kotz/research/liang-lighttouch/index.html}, abstract = {Wearables are small and have limited user interfaces, so they often wirelessly interface with a personal smartphone/computer to relay information from the wearable for display or other interactions. In this paper, we envision a new method, LightTouch, by which a wearable can establish a secure connection to an ambient display, such as a television or a computer monitor, while ensuring the user's intention to connect to the display. LightTouch uses standard RF methods (like Bluetooth) for communicating the data to display, securely bootstrapped via the visible-light communication (the brightness channel) from the display to the low-cost, low-power, ambient light sensor of a wearable. A screen `touch' gesture is adopted by users to ensure that the modulation of screen brightness can be securely captured by the ambient light sensor with minimized noise. Wireless coordination with the processor driving the display establishes a shared secret based on the brightness channel information. We further propose novel on-screen localization and correlation algorithms to improve security and reliability. 
Through experiments and a preliminary user study we demonstrate that LightTouch is compatible with current display and wearable designs, is easy to use (about 6 seconds to connect), is reliable (up to 98\% success connection ratio), and is secure against attacks.}, } @InProceedings{liang:wearsys17, author = {Xiaohui Liang and David Kotz}, title = {{AuthoRing: Wearable User-presence Authentication}}, booktitle = {{Proceedings of the ACM Workshop on Wearable Systems and Applications (WearSys)}}, year = 2017, month = {June}, pages = {5--10}, publisher = {ACM}, copyright = {ACM}, DOI = {10.1145/3089351.3089357}, URL = {https://www.cs.dartmouth.edu/~kotz/research/liang-wearsys17/index.html}, abstract = {A common log-in process at computers involves the entry of username and password; log out depends on the user to remember to log out, or a timeout to expire the user session. Once logged in, user sessions may be vulnerable to imposter attacks in which an impostor steps up to the user's unattended computer and inherits the user's access privilege. We propose a ring-based authentication system called ``AuthoRing'', which restricts the imposter attackers from generating new inputs at the computer's mouse and keyboard. During the log-in process, an eligible AuthoRing user wears a digital ring with accelerometers and wireless communication capability. When input is detected at the mouse or keyboard, the computer's AuthoRing system correlates hand-motion data received from the ring with the input data from the computer's window manager, and detects imposter attacks when these data are insufficiently correlated. 
We implemented the AuthoRing system and evaluated its security, efficiency, and usability; we found that imposter attacks can be effectively detected and the required operations happen quickly with negligible delays experienced by the user.}, } @InProceedings{liu:mobisys17, author = {Rui Liu and Cory Cornelius and Reza Rawassizadeh and Ron Peterson and David Kotz}, title = {{Poster: Vocal Resonance as a Passive Biometric}}, booktitle = {{Proceedings of the ACM International Conference on Mobile Systems, Applications, and Services (MobiSys)}}, year = 2017, month = {June}, pages = 160, publisher = {ACM}, copyright = {ACM}, DOI = {10.1145/3081333.3089304}, URL = {https://www.cs.dartmouth.edu/~kotz/research/liu-mobisys17/index.html}, abstract = {We present a novel, unobtrusive biometric measurement that can support user identification in wearable body-mounted devices: \emph{vocal resonance}, that is, the sound of the person's voice as it travels through the person's body.}, } @InProceedings{liu:wearsys17, author = {Rui Liu and Reza Rawassizadeh and David Kotz}, title = {{Toward Accurate and Efficient Feature Selection for Speaker Recognition on Wearables}}, booktitle = {{Proceedings of the ACM Workshop on Wearable Systems and Applications (WearSys)}}, year = 2017, month = {June}, pages = {41--46}, publisher = {ACM}, copyright = {ACM}, DOI = {10.1145/3089351.3089352}, URL = {https://www.cs.dartmouth.edu/~kotz/research/liu-wearsys17/index.html}, abstract = {Due to the user-interface limitations of wearable devices, voice-based interfaces are becoming more common; speaker recognition may then address the authentication requirements of wearable applications. Wearable devices have small form factor, limited energy budget and limited computational capacity. 
In this paper, we examine the challenge of computing speaker recognition on small wearable platforms, and specifically, reducing resource use (energy use, response time) by trimming the input through careful feature selections. For our experiments, we analyze four different feature-selection algorithms and three different feature sets for speaker identification and speaker verification. Our results show that Principal Component Analysis (PCA) with frequency-domain features had the highest accuracy, Pearson Correlation (PC) with time-domain features had the lowest energy use, and recursive feature elimination (RFE) with frequency-domain features had the least latency. Our results can guide developers to choose feature sets and configurations for speaker-authentication algorithms on wearable platforms.}, } @InProceedings{pierson:s3, author = {Timothy J. Pierson and Ronald Peterson and David Kotz}, title = {{Secure Information Transfer Between Nearby Wireless Devices}}, booktitle = {{Proceedings of the MobiCom S3 workshop}}, year = 2017, month = {October}, pages = {11--13}, publisher = {ACM}, copyright = {ACM}, DOI = {10.1145/3131348.3131355}, URL = {https://www.cs.dartmouth.edu/~kotz/research/pierson-s3/index.html}, abstract = {Securely transferring data between two devices that have never previously met nor shared a secret is a difficult task. Previous solutions to the problem are susceptible to well-known attacks or may require extensive infrastructure that may not be suitable for wireless devices such as Internet of Things sensors that do not have advanced computational capabilities. \par We propose a new approach: using jamming to thwart adversaries located more than a few centimeters away, while still allowing devices in close physical proximity to securely share data. 
To accomplish this secure data transfer we exploit MIMO antennas and the Inverse-Square Law.}, } @InProceedings{prasad:enact, author = {Aarathi Prasad and David Kotz}, title = {{ENACT: Encounter-based Architecture for Contact Tracing}}, booktitle = {{Proceedings of the ACM Workshop on Physical Analytics (WPA)}}, year = 2017, month = {June}, pages = {37--42}, publisher = {ACM}, copyright = {ACM}, DOI = {10.1145/3092305.3092310}, URL = {https://www.cs.dartmouth.edu/~kotz/research/prasad-enact/index.html}, abstract = {Location-based sharing services allow people to connect with others who are near them, or with whom they shared a past encounter. Suppose it were also possible to connect with people who were at the same location but at a different time -- we define this scenario as a \emph{close encounter}, i.e., an incident of spatial and temporal proximity. By detecting close encounters, a person infected with a contagious disease could alert others to whom they may have spread the virus. We designed a smartphone-based system that allows people infected with a contagious virus to send alerts to other users who may have been exposed to the same virus due to a close encounter. We address three challenges: finding devices in close encounters with minimal changes to existing infrastructure, ensuring authenticity of alerts, and protecting privacy of all users. 
Finally, we also consider the challenges of a real-world deployment.}, } @InProceedings{prasad:spice, author = {Aarathi Prasad and Xiaohui Liang and David Kotz}, title = {{SPICE: Secure Proximity-based Infrastructure for Close Encounters}}, booktitle = {{Proceedings of the ACM Workshop on Mobile Crowdsensing Systems and Applications (CrowdSense)}}, year = 2017, month = {November}, pages = {56--61}, publisher = {ACM}, copyright = {ACM}, DOI = {10.1145/3139243.3139245}, URL = {https://www.cs.dartmouth.edu/~kotz/research/prasad-spice/index.html}, abstract = {We present a crowdsourcing system that extends the capabilities of location-based applications and allows users to connect and exchange information with users in spatial and temporal proximity. We define this incident of spatio-temporal proximity as a \emph{close encounter}. Typically, location-based application users store their information on a server, and trust the server to provide access only to authorized users, not misuse the data or disclose their location history. Our system, called SPICE, addresses these privacy issues by leveraging Wi-Fi access points to connect users and encrypt their information before it is exchanged, so only users in close encounters have access to the information. We present the design of the system and describe the challenges in implementing the protocol in a real-world application.}, } @TechReport{greene:thesis, author = {Emily Greene}, title = {{ShareABEL: Secure Sharing of mHealth Data through Cryptographically-Enforced Access Control}}, institution = {Dartmouth College, Computer Science}, year = 2017, month = {July}, number = {TR2017-827}, copyright = {the author}, address = {Hanover, NH}, URL = {https://www.cs.dartmouth.edu/~kotz/research/greene-thesis/index.html}, abstract = {Owners of mobile-health apps and devices often want to share their mHealth data with others, such as physicians, therapists, coaches, and caregivers. 
For privacy reasons, however, they typically want to share a limited subset of their information with each recipient according to their preferences. In this paper, we introduce ShareABEL, a scalable, usable, and practical system that allows mHealth-data owners to specify access-control policies and to cryptographically enforce those policies so that only parties with the proper corresponding permissions are able to decrypt data. The design (and prototype implementation) of this system makes three contributions: (1) it applies cryptographically-enforced access-control measures to wearable healthcare data, which pose different challenges than Electronic Medical Records (EMRs), (2) it recognizes the temporal nature of mHealth data streams and supports revocation of access to part or all of a data stream, and (3) it departs from the vendor- and device-specific silos of mHealth data by implementing a secure end-to-end system that can be applied to data collected from a variety of mHealth apps and devices.}, } @TechReport{harmon:thesis, author = {David B. Harmon}, title = {{Cryptographic transfer of sensor data from the Amulet to a smartphone}}, institution = {Dartmouth College, Computer Science}, year = 2017, month = {May}, number = {TR2017-826}, copyright = {the author}, address = {Hanover, NH}, URL = {https://www.cs.dartmouth.edu/~kotz/research/harmon-thesis/index.html}, abstract = {The authenticity, confidentiality, and integrity of data streams from wearable healthcare devices are critical to patients, researchers, physicians, and others who depend on this data to measure the effectiveness of treatment plans and clinical trials. Many forms of mHealth data are highly sensitive; in the hands of unintended parties such data may reveal indicators of a patient's disorder, disability, or identity. Furthermore, if a malicious party tampers with the data, it can affect the diagnosis or treatment of patients, or the results of a research study. 
Although existing network protocols leverage encryption for confidentiality and integrity, network-level encryption does not provide end-to-end security from the device, through the smartphone and database, to downstream data consumers. In this thesis we provide a new open protocol that provides end-to-end authentication, confidentiality, and integrity for healthcare data in such a pipeline. \par We present and evaluate a prototype implementation to demonstrate this protocol's feasibility on low-power wearable devices, and present a case for the system's ability to meet critical security properties under a specific adversary model and trust assumptions.}, } @Article{kotz:agenda, author = {David Kotz and Carl A. Gunter and Santosh Kumar and Jonathan P. Weiner}, title = {{Privacy and Security in Mobile Health~-- A Research Agenda}}, journal = {IEEE Computer}, year = 2016, month = {June}, volume = 49, number = 6, pages = {22--30}, publisher = {IEEE}, copyright = {IEEE}, DOI = {10.1109/MC.2016.185}, URL = {https://www.cs.dartmouth.edu/~kotz/research/kotz-agenda/index.html}, abstract = {Mobile health technology has great potential to increase healthcare quality, expand access to services, reduce costs, and improve personal wellness and public health. However, mHealth also raises significant privacy and security challenges.}, } @InProceedings{pierson:wanda-demo, author = {Timothy J. 
Pierson and Xiaohui Liang and Ronald Peterson and David Kotz}, title = {{Demo: Wanda, securely introducing mobile devices}}, booktitle = {{Proceedings of the International Conference on Mobile Systems, Applications, and Services (MobiSys)}}, year = 2016, month = {June}, pages = 113, publisher = {ACM}, copyright = {ACM}, DOI = {10.1145/2938559.2938581}, URL = {https://www.cs.dartmouth.edu/~kotz/research/pierson-wanda-demo/index.html}, abstract = {Nearly every setting is increasingly populated with wireless and mobile devices -- whether appliances in a home, medical devices in a health clinic, sensors in an industrial setting, or devices in an office or school. There are three fundamental operations when bringing a new device into any of these settings: (1) to configure the device to join the wireless local-area network, (2) to partner the device with other nearby devices so they can work together, and (3) to configure the device so it connects to the relevant individual or organizational account in the cloud. The challenge is to accomplish all three goals simply, securely, and consistent with user intent. We developed Wanda -- a `magic wand' that accomplishes all three of the above goals -- and will demonstrate a prototype implementation.}, } @TechReport{pierson:wanda-tr, author = {Timothy J. Pierson and Xiaohui Liang and Ronald Peterson and David Kotz}, title = {{Wanda: securely introducing mobile devices -- Extended version}}, institution = {Dartmouth Computer Science}, year = 2016, month = {February}, number = {TR2016-789}, copyright = {the authors}, URL = {https://www.cs.dartmouth.edu/~kotz/research/pierson-wanda-tr/index.html}, note = {Expanded version of the INFOCOM 2016 paper by the same title.}, abstract = {Nearly every setting is increasingly populated with wireless and mobile devices -- whether appliances in a home, medical devices in a health clinic, sensors in an industrial setting, or devices in an office or school. 
There are three fundamental operations when bringing a new device into any of these settings: (1) to configure the device to join the wireless local-area network, (2) to partner the device with other nearby devices so they can work together, and (3) to configure the device so it connects to the relevant individual or organizational account in the cloud. The challenge is to accomplish all three goals simply, securely, and consistent with user intent. We present a novel approach we call Wanda -- a `magic wand' that accomplishes all three of the above goals -- and evaluate a prototype implementation. This Tech Report contains supplemental information to our INFOCOM 2016 paper titled, ``Wanda: securely introducing mobile devices.'' Much of the additional information is in Section II, III, and VI.}, } @InProceedings{pierson:wanda, author = {Timothy J. Pierson and Xiaohui Liang and Ronald Peterson and David Kotz}, title = {{Wanda: securely introducing mobile devices}}, booktitle = {{Proceedings of the IEEE International Conference on Computer Communications (INFOCOM)}}, year = 2016, month = {April}, pages = {1--9}, publisher = {IEEE}, copyright = {IEEE}, DOI = {10.1109/INFOCOM.2016.7524366}, URL = {https://www.cs.dartmouth.edu/~kotz/research/pierson-wanda/index.html}, abstract = {Nearly every setting is increasingly populated with wireless and mobile devices -- whether appliances in a home, medical devices in a health clinic, sensors in an industrial setting, or devices in an office or school. There are three fundamental operations when bringing a new device into any of these settings: (1) to configure the device to join the wireless local-area network, (2) to partner the device with other nearby devices so they can work together, and (3) to configure the device so it connects to the relevant individual or organizational account in the cloud. The challenge is to accomplish all three goals \emph{simply}, securely, and consistent with user intent. 
We present a novel approach we call Wanda -- a `magic wand' that accomplishes all three of the above goals -- and evaluate a prototype implementation.}, } @PhdThesis{mare:thesis, author = {Shrirang Mare}, title = {{Seamless Authentication for Ubiquitous Devices}}, school = {Dartmouth College Computer Science}, year = 2016, month = {May}, copyright = {Shrirang Mare}, address = {Hanover, NH}, URL = {https://www.cs.dartmouth.edu/~kotz/research/mare-thesis/index.html}, note = {Available as Dartmouth Computer Science Technical Report TR2016-793.}, abstract = {User authentication is an integral part of our lives; we authenticate ourselves to personal computers and a variety of other things several times a day. Authentication is burdensome. When we wish to access a computer or a resource, it is an additional task that we need to perform -- an interruption in our workflow. In this dissertation, we study people's authentication behavior and attempt to make authentication to desktops and smartphones less burdensome for users. \par First, we present the findings of a user study we conducted to understand people's authentication behavior: things they authenticate to, how and when they authenticate, authentication errors they encounter and why, and their opinions about authentication. In our study, participants performed about 39 authentications per day on average; the majority of these authentications were to personal computers (desktop, laptop, smartphone, tablet) and with passwords, but the number of authentications to other things (e.g., car, door) was not insignificant. We saw a high failure rate for desktop and laptop authentication among our participants, affirming the need for a more usable authentication method. Overall, we found that authentication was a noticeable part of all our participants' lives and burdensome for many participants, but they accepted it as the cost of security, devising their own ways to cope with it. 
\par Second, we propose a new approach to authentication, called bilateral authentication, that leverages wrist-wearable technology to enable seamless authentication for things that people use with their hands, while wearing a smart wristband. In bilateral authentication two entities (e.g., user's wristband and the user's phone) share their knowledge (e.g., about user's interaction with the phone) to verify the user's identity. Using this approach, we developed a seamless authentication method for desktops and smartphones. Our authentication method offers quick and effortless authentication, continuous user verification while the desktop (or smartphone) is in use, and automatic deauthentication after use. We evaluated our authentication method through four in-lab user studies, evaluating the method's usability and security from the system and the user's perspective. Based on the evaluation, our authentication method shows promise for reducing users' authentication burden for desktops and smartphones.}, } @PhdThesis{prasad:thesis, author = {Aarathi Prasad}, title = {{Privacy-preserving controls for sharing mHealth data}}, school = {Dartmouth College Computer Science}, year = 2016, month = {May}, copyright = {Aarathi Prasad}, address = {Hanover, NH}, URL = {https://www.cs.dartmouth.edu/~kotz/research/prasad-thesis/index.html}, note = {Available as Dartmouth Computer Science Technical Report TR2016-794.}, abstract = {Mobile devices allow people to collect and share health and health-related information with recipients such as health providers, family and friends, employers and insurance companies, to obtain health, emotional or financial benefits. People may consider certain health information sensitive and prefer to disclose only what is necessary. 
In this dissertation, we present our findings about factors that affect people's sharing behavior, describe scenarios in which people may wish to collect and share their personal health-related information with others, but may be hesitant to disclose the information if necessary controls are not available to protect their privacy, and propose frameworks to provide the desired privacy controls. We introduce the concept of close encounters that allow users to share data with other people who may have been in spatio-temporal proximity. We developed two smartphone-based systems that leverage stationary sensors and beacons to determine whether users are in spatio-temporal proximity. The first system, ENACT, allows patients diagnosed with a contagious airborne disease to alert others retrospectively about their possible exposure to airborne virus. The second system, SPICE, allows users to collect sensor information, retrospectively, from others with whom they shared a close encounter. We present the design and implementation of the two systems, analyse their security and privacy guarantees, and evaluate the systems on various performance metrics. 
Finally, we evaluate how Bluetooth beacons and Wi-Fi access points can be used in support of these systems for close encounters, and present our experiences and findings from a deployment study on the Dartmouth campus.}, } @TechReport{wang:auth, author = {Bingyue Wang}, title = {{Learning Device Usage in Context: A Continuous and Hierarchical Smartphone Authentication Scheme}}, institution = {Dartmouth Computer Science}, year = 2016, month = {March}, number = {TR2016-790}, copyright = {the author}, address = {Hanover, NH}, URL = {https://www.cs.dartmouth.edu/~kotz/research/wang-auth/index.html}, abstract = {Popular smartphone authentication schemes, such as PIN-based or biometrics-based authentication methods, require only an initial login at the start of a usage session to authorize the user to use all the apps on the phone during the entire session. Those schemes fail to provide continuous protection of the smartphone after the initial login. They also fail to meet the hierarchy of security requirements for different apps under different contexts. In this study, we propose a continuous and hierarchical authentication scheme. We believe that a user's app-usage patterns depend on his location context. As such, our scheme relies on app-usage patterns in different location contexts to continuously establish the log probability density (LPD) of the authenticity of the current user. Based on different LPD thresholds corresponding to different security requirements, the current user either has a LPD higher than the threshold, which grants him continuous access to the phone or the app, or he has a LPD lower than the threshold, which locks him out of the phone or the app immediately. We test our scheme on 4,600 subjects from the Device Analyzer Dataset. We found that our scheme could correctly identify the authenticity of the majority of the subjects. 
However, app-usage patterns with or without location context yielded similar performances, indicating that user contexts did not contribute further information to establish user behavioral patterns. Based on our scheme, we propose a hypothetical Android app which would provide continuous and hierarchical authentication for the smartphone users.}, } @Article{kotz:frontiers, author = {David Kotz and Kevin Fu and Carl Gunter and Avi Rubin}, title = {{Security for Mobile and Cloud Frontiers in Healthcare}}, journal = {Communications of the ACM}, year = 2015, month = {August}, volume = 58, number = 8, pages = {21--23}, publisher = {ACM}, copyright = {the authors}, DOI = {10.1145/2790830}, URL = {https://www.cs.dartmouth.edu/~kotz/research/kotz-frontiers/index.html}, abstract = {Designers and developers of healthcare information technologies must address preexisting security vulnerabilities and undiagnosed future threats.}, } @InProceedings{liang:healthtech14, author = {Xiaohui Liang and David Kotz}, title = {{Securely Connecting Wearable Health Devices to External Displays}}, booktitle = {{Proceedings of the USENIX Summit on Health Information Technologies}}, year = 2014, month = {August}, publisher = {USENIX Association}, copyright = {the authors}, URL = {https://www.cs.dartmouth.edu/~kotz/research/liang-healthtech14/index.html}, note = {No paper -- workshop presentation only}, abstract = {Wearable health technology is becoming a hot commodity as it has the potential to help both patients and clinicians continuously monitor vital signs and symptoms. One popular type of wearable device is worn on the human wrist and is equipped with sensors to passively perform sensing tasks. Their constrained user interface, however, is ineffective for displaying the sensory data to users. We envision connecting a wrist-worn device to a display device, such as a television, so the user is able to view the sensory data. 
Such connections must be secure to prevent the sensory data from being eavesdropped by other devices, must be made only when the user intends, and must be easy even when a new display is encountered (such as in a medical clinic, or a hotel room). In this presentation, we will discuss the secure wearable/display connection problem by revisiting existing methods and hardware designs of wrist-worn devices and display devices. We then present possible solutions that leverage the built-in hardware components of wrist-worn devices to implement secure, intentional, easy connections to ambient display devices.}, } @InProceedings{prasad:mobisys-poster, author = {Aarathi Prasad and Xiaohui Liang and David Kotz}, title = {{Poster: Balancing Disclosure and Utility of Personal Information}}, booktitle = {{Proceedings of the International Conference on Mobile Systems, Applications, and Services (MobiSys)}}, year = 2014, month = {June}, pages = {380--381}, publisher = {ACM}, copyright = {ACM}, DOI = {10.1145/2594368.2601448}, URL = {https://www.cs.dartmouth.edu/~kotz/research/prasad-mobisys-poster/index.html}, abstract = {The ubiquity of smartphones and mobile and wearable devices allows people to collect information about their health, wellness and lifestyle and share it with others. If it is not clear what they need to share to receive benefits, \emph{subjects} (people whose information is collected) might share too much, thus disclosing unnecessary private information. On the other hand, concerned about disclosing personal information, subjects might share less than what the recipient needs and lose the opportunity to enjoy the benefits. This balance of disclosure and utility is important when the subject wants to receive some benefits, but is concerned about disclosing private information. \par We address this problem of balancing disclosure and utility of personal information collected by mobile technologies. 
We believe subjects can decide how best to share their information if they are aware of the benefits and risks of sharing. We developed ShareBuddy, a privacy-aware architecture that allows recipients to request information and specify the benefits the subjects will receive for sharing each piece of requested information; the architecture displays these benefits and warns subjects about the risks of sharing. We describe the ShareBuddy architecture in this poster.}, }