Presentation is loading. Please wait.

Presentation is loading. Please wait.

LOCATION TRACKING USING MOBILE DEVICE POWER ANALYSIS

Published byNatalie Melton Modified over 8 years ago

Similar presentations

Presentation on theme: "LOCATION TRACKING USING MOBILE DEVICE POWER ANALYSIS"— Presentation transcript:

1 LOCATION TRACKING USING MOBILE DEVICE POWER ANALYSIS
POWERSPY LOCATION TRACKING USING MOBILE DEVICE POWER ANALYSIS Yan Michalevsky(1), Gabi Nakibly(2), Dan Boneh(1) and Aaron Schulman(1) (1) Stanford University, (2) National Research and Simulation Center, Rafael Ltd. Presented by Brad Holliday

2 SMARTPHONE LOCATION ≈ OWNER LOCATION

3 Requires Permissions ACCESSING LOCATION
Even coarse location based on cellular network information Requires Permissions

4 READING VOLTAGE AND CURRENT
/sys/class/power_supply/battery/voltage_now /sys/class/power_supply/battery/current_now Does Not Require Permissions

5 Power usage can reveal location
Power = f (Signal Strength) We assume a malicious application is installed on the victim’s device and runs in the background. The application has no permission to access the GPS or any other location data such as the cellular or WiFi components. In particular, the application has no permission to query the identity of visible cellular base stations or the SSID of visible WiFi networks. We only assume access to power data (which requires no special permissions on Android) and permission to communicate with a remote server. Network connectivity is needed to generate dummy low rate traffic to prevent the cellular radio from going into low power state. In our setup we also use network connectivity to send data to a central server for processing. However, it may be possible to do all processing on the phone.1 As noted earlier, the application can only read the aggregate power consumed by the phone. It cannot measure the power consumed by the cellular radio alone. This presents a significant challenge since many components on the phone consume variable amounts of power at any given time. Consequently, all the measurements are extremely noisy and we need a way to “see” though the noise. To locate the phone, we assume the attacker has prior knowledge of the area or routes through which the victim is traveling. This knowledge allows the attacker to measure the power consumption profile of different routes in that area in advance. Our system correlates this data with the phone’s measured power usage and we show that, despite the noisy measurements, we are able to correctly locate the phone. Alternatively, as for many other machine learning cases, the training data can also be collected after obtaining the unlabeled query data. For instance, an attacker obtained a power consumption profile of a user, the past location of whom it is extremely important to determine. She can still collect, after the fact, reference profiles for a limited area in which the user has likely been driving and carry out the attack. For this to work we need the tracked phone to be moving by a car or a bus while being tracked. Our system cannot locate a phone that is standing still since that only provides the power profile for a single location. We need multiple adjacent locations for the attack to work. Threat Model

6 SIGNAL STRENGTH DEPENDS ON GEOGRAPHY AND ENVIRONMENT
Distance to base station is the primary factor that determines signal strength Also affected by objects in the signal path, trees and buildings Finally, depends on multi-path interference caused by objects that reflect the radio signal back to the phone through paths having different lengths However, signal strength can be fairly consistent as base stations and objects are fairly stationary

7 SIGNAL STRENGTH STABILITY
We first demonstrate that signal strength in each location on a drive can be static over the course of several days. We collected signal strength measurements from a smartphone once, and again several days later. In Figure 1 we plot the signal strength observed on these two drives. In this figure it is apparent that (1) the segments of the drive where signal strength is high (green) and low (red) are in the same locations across both days, and (2) that the progression of signal strength Signal strength profiles measured on two different days are stable

8 POWER PROFILE CONSISTENCY
The results presented in Figure 3 indicate that there is similarity between different models that could allow one model to be used as a reference for another. This experiment serves as a proof of concept: we leave further evaluation of such an attack scenario, where the attacker and victim use different phone models, to future work. In this paper, we assume that the attacker can obtain reference power measurements using the same phone model as the victim. Two Phones Same Model, Same Drive Different Models, Same Drive

9 WHAT CAN WE ACHIEVE BY THAT?
1. Route distinguishability 3. New route inference 2. Real-time motion tracking The experiments

10 Related Work Power analysis = powerful side channel
High sample rate power traces for externally connected power monitors to recover private encryption keys from a cryptographic system KOCHER, P., JAFFE, J., AND JUN, B. Differential power analysis. In Advances in Cryptology – CRYPTO’99 (1999), Springer, pp. 388–397. Relationship between signal strength and power consumption in smartphones Bartendr: demonstrated that paths of signal strength measurements are stable across several drives SCHULMAN, A., SPRING, N., NAVDA, V., RAMJEE, R., DESHPANDE, P., GRUNEWALD, C., PADMANABHAN, V. N., AND JAIN, K. Bartendr: a practical approach to energy-aware cellular data scheduling. MOBICOM (2010)

11 1. Route distinguishability
Collection of power consumption profiles Each power profile is a time-series Classifier based on time series comparison using Dynamic Time Warping (DTW) Profiles have different baselines and variability, so clean up prior to DTW Normalization: Calculate mean and subtract it, and divide the result by the standard deviation Smoothing: using a moving average filter to reduce noise Down sample: by a factor of 10 to reduce computational complexity Because different rides along the same route can vary in speed at different locations along the ride, and because routes having the same label can vary slightly at certain points (especially before getting to a highway and after exiting it), we need to compare profile features that can vary in time and length and allow for a certain amount of difference. We also have to compensate for different baselines in power consumption due to constant components that depend on the running applications and on differences in device models.

12 DYNAMIC TIME WARPING Euclidian Distance DTW Distance
Dynamic time warping (DTW) is a time series alignment algorithm developed originally for speech recognition(1). It aims at aligning two sequences of feature vectors by warping the timeaxis iteratively until an optimal match (according to a suitable metrics) between the two sequences is found Euclidian Distance DTW Distance

13 A classification problem
Compute the DTW distance between the new power profile and all reference profiles Select the known route that yields the minimal distance

14 distinguish between routes Results
Unique Routes # Ref. Profiles/Route # Test Success % Random Guess % 8 10 55 85 13 17 5 119 71 6 4 136 68 21 3 157 61 25 2 182 53 29 1 211 40

15 2. REAL-TIME TRACKING 3 Approaches
1. A window of received samples is a subsequence of the reference power profile 2. Infer location from reference profile 3. Route is known 3 Approaches Tracking via Dynamic Time Warping (DTW) Improved tracking via a motion model Tracking using Optimal Subsequence Bijection (OSB) similar to that of route distinguishability use only the measurements collected up to this point, which comprise a sub-sequence of the entire route profile Use Subsequence DTW algorithm Instead of classic DTW search a sub-sequence in a larger sequence return a distance measure as well as the corresponding start and end offsets. search the sequence of measurements so far in all reference profiles and select profile that yields minimal DTW distance. The location estimate corresponds to the location associated with the end offset returned by the algorithm.

16 Improved tracking using a simple motion model Algorithm
locked  false //Are we locked on target? while target moving do loc[i], score  estimateLocation() d  getDistance(loc[i], loc[i – 1]) if locked and d > MAX_DISP then loc[i]  loc [i – 1] //Resume previous estimate end if if score > THRESHOLD then locked  true end while While the previous approach can make mistakes in location estimation due to a match with an incorrect location know when we are “locked” on the target define a similarity threshold so that if the minimal DTW distance is above this threshold, we are in a locked state Once locked on the target, we perform a simple sanity check at each iteration: “Has the target displaced by more than X?” If the sanity check does not pass estimate unlikely accurate output the previous estimate as the new estimated location Similarity below threshold, we switch to an unlocked state stop performing sanity check until “locked” again.

17 Optimal Subsequence Bijection
Similar to DTW DTW assumes the reference profile contains no noise OSB deals with noise in either the reference profile or target sequence Can skip elements in either sequence

18 Real-time mobile device tracking results
10 training profiles and an additional test profile. The evaluation simulates the conditions of real-time tracking by serially feeding samples to the algorithm as if they are received from an application installed on the device. We calculate the estimation error, i.e. the distance between the estimated coordinates and the true location of the mobile device at each step of the simulation. We are interested in the convergence time, i.e. the number of samples it takes until the location estimate is close enough to the true location, as well as in the distribution of the estimation errors given by a histogram of the absolute values of the distances. (a) Errors histogram. Almost 90% of the errors are less than 1 km. (b) Improved tracking algorithm removed the big errors OSB vs DTW OSB outperforms DTW most of the time

19 3. New route inference Future potential routes are not explicitly known Goal: Identify the final location after it traverses and unknown route Assumption: Know the general area Pre-record power profiles of all road segments Given the power profile of the tracked device, reconstruct the unknown route (3) The number of potential routes in the area may be too large to practically pre-record Such as: university campus, neighborhood, small town, highway network (4) Each possible route a mobile device may take is a concatenation of some subset of these road segments (5) The reconstructed route will point to the final location

20 Hysteresis Hysteresis algorithm is used to decide when to hand-off to a new base station When a signal strength threshold is reached it will hand- off to a new station Results: Two phones in the same location can be attached to two different base stations

21 Particle filter 2 Algorithms using a Particle Filter evaluated

22 Inference of new routes results
Random Frequent Alg. 3 Combined Nexus 4 #1 33% 65% 48% 80% Nexus 4 #2 31% 56% 72% Nexus 5 20% 32% 55% HTC Desire 22% 40% 41% Assume we know the starting intersection

23 Paper strengths Proof of concept Novel approach Successful results
Machine learning is powerful

24 Paper weaknesses Too much “pre” information and assumption required
Too many variables Device type Cellular service provider Applications likely to be used by the target Requires variability in targets power consumption Too many towers (density) and the signal strength won’t ever decrease Phone not active enough it might go to sleep and then the signal strength wouldn’t impact the power consumption Doesn’t present a realistic threat

25 POWER CONSUMPTION ≈ LOCATION
Final thoughts POWER CONSUMPTION ≈ LOCATION Dangers of a seemingly innocent side channel (Lost In Space)

Download ppt "LOCATION TRACKING USING MOBILE DEVICE POWER ANALYSIS"

Similar presentations

Dynamic Source Routing (DSR) algorithm is simple and best suited for high mobility nodes in wireless ad hoc networks. Due to high mobility in ad-hoc network,

Dynamic Source Routing (DSR) algorithm is simple and best suited for high mobility nodes in wireless ad hoc networks. Due to high mobility in ad-hoc network,
Applications of one-class classification

Applications of one-class classification
Feedback of Amplifier Circuits I

Feedback of Amplifier Circuits I
Green Network Project Contract

Green Network Project Contract
Word Spotting DTW.

Word Spotting DTW.
Is there Safety in Numbers against Side Channel Leakage? Colin D. Walter UMIST, Manchester, UK www.co.umist.ac.uk.

Is there Safety in Numbers against Side Channel Leakage? Colin D. Walter UMIST, Manchester, UK
L.M. McMillin NOAA/NESDIS/ORA Regression Retrieval Overview Larry McMillin Climate Research and Applications Division National Environmental Satellite,

L.M. McMillin NOAA/NESDIS/ORA Regression Retrieval Overview Larry McMillin Climate Research and Applications Division National Environmental Satellite,
Lab 2 Lab 3 Homework Labs 4-6 Final Project Late No Videos Write up

Lab 2 Lab 3 Homework Labs 4-6 Final Project Late No Videos Write up
Using Probabilistic Methods for Localization in Wireless Networks Presented by Adam Kariv May, 2005.

Using Probabilistic Methods for Localization in Wireless Networks Presented by Adam Kariv May, 2005.
Robust Object Tracking via Sparsity-based Collaborative Model

Robust Object Tracking via Sparsity-based Collaborative Model
Tracking Fine-grain Vehicular Speed Variations by Warping Mobile Phone Signal Strengths Presented by Tam Vu Gayathri Chandrasekaran*, Tam Vu*, Alexander.

Tracking Fine-grain Vehicular Speed Variations by Warping Mobile Phone Signal Strengths Presented by Tam Vu Gayathri Chandrasekaran*, Tam Vu*, Alexander.
1 Graphical Models in Data Assimilation Problems Alexander Ihler UC Irvine Collaborators: Sergey Kirshner Andrew Robertson Padhraic Smyth.

1 Graphical Models in Data Assimilation Problems Alexander Ihler UC Irvine Collaborators: Sergey Kirshner Andrew Robertson Padhraic Smyth.
1 Integration of Background Modeling and Object Tracking Yu-Ting Chen, Chu-Song Chen, Yi-Ping Hung IEEE ICME, 2006.

1 Integration of Background Modeling and Object Tracking Yu-Ting Chen, Chu-Song Chen, Yi-Ping Hung IEEE ICME, 2006.
Internetworking Devices that connect networks are called Internetworking devices. A segment is a network which does not contain Internetworking devices.

Internetworking Devices that connect networks are called Internetworking devices. A segment is a network which does not contain Internetworking devices.
Sampling Distributions

Sampling Distributions
Hand Signals Recognition from Video Using 3D Motion Capture Archive Tai-Peng Tian Stan Sclaroff Computer Science Department B OSTON U NIVERSITY I. Introduction.

Hand Signals Recognition from Video Using 3D Motion Capture Archive Tai-Peng Tian Stan Sclaroff Computer Science Department B OSTON U NIVERSITY I. Introduction.
Software Process and Product Metrics

Software Process and Product Metrics
MobiSteer: Using Steerable Beam Directional Antenna for Vehicular Network Access Vishnu Navda, Anand Prabhu Subramanian, Kannon Dhanasekaran, Andreas Timm-Giel,

MobiSteer: Using Steerable Beam Directional Antenna for Vehicular Network Access Vishnu Navda, Anand Prabhu Subramanian, Kannon Dhanasekaran, Andreas Timm-Giel,
A Pattern Matching Method for Finding Noun and Proper Noun Translations from Noisy Parallel Corpora Benjamin Arai Computer Science and Engineering Department.

A Pattern Matching Method for Finding Noun and Proper Noun Translations from Noisy Parallel Corpora Benjamin Arai Computer Science and Engineering Department.
Rutgers: Gayathri Chandrasekaran, Tam Vu, Marco Gruteser, Rich Martin,

Rutgers: Gayathri Chandrasekaran, Tam Vu, Marco Gruteser, Rich Martin,

Similar presentations

Ads by Google