Cross-Device Security: Threats and Opportunities

跨设备安全：威胁与机遇

• 批准号: RGPIN-2020-04722
• 负责人: Hengartner, Urs
• 金额: $ 2.55万
• 依托单位: University of Waterloo
• 依托单位国家: 加拿大
• 项目类别: Discovery Grants Program - Individual
• 财政年份: 2022
• 资助国家: 加拿大
• 起止时间: 2022-01-01 至 2023-12-31
• 项目状态: 已结题
• 来源: https://www.nserc-crsng.gc.ca/ase-oro/Details-Detailles_eng.asp?id=750199
• 关键词: Cross; Device; Security; Threats; Opportunities

Cross-device security denotes the existence of a security relationship between two devices owned by the same user with the property that the security state of one device can be affected by the other device. For example, recent laptops can be configured to no longer ask for a password if the laptop detects that the smartphone of the laptop owner and thereby likely also the laptop owner are nearby. In another example, many Internet of Things (IoT) devices are controlled with a smartphone. Therefore, a successful attack on a user's smartphone may also lead to successful attacks on the user's IoT devices. Finally, in implicit authentication, a device establishes a classification model of its owner's typical behaviour by collecting behavioural data about the owner. The device then uses this classification model for continuously authenticating the user. In terms of cross-device security, a device may share its classification model with some of the user's other devices so that they can also use implicit authentication. The proposed research will demonstrate the opportunities and threats offered and raised by cross-device security. This will be achieved through a combination of solutions from mobile sensing, machine learning, mobile systems development, and user studies, providing interdisciplinary collaboration opportunities to the involved students. The research will proceed along three main thrusts: 1) Transfer of authentication decisions across devices. The research outcome is to enable the secure transfer of a user's authentication status on a device to another device of the same user to prevent the user from having to manually authenticate to the second device. 2) Implicit authentication across devices. The research outcome is to enable the transfer of the classification model built by a device based on its owner's behavioural data to other devices owned by the same user to prevent the other devices from having to collect their own behavioural data and build their own classification model. 3) Security dependencies across devices. A security dependency exists if an attacker taking ownership of a device (or of data gathered by the device) can use this device (or data) to successfully attack other devices of the same user. The research outcome is to inform users of these dependencies and to suggest remedies. The proposed research is important and significant because expecting users to manage security individually for each of their devices is unrealistic. Moreover, the research will make it easier for people to use networked devices securely, benefiting the associated ecosystem, such as device manufacturers, app developers, and communication network providers, and therefore the Canadian economy. Students will acquire skills in cybersecurity, IoT, and applied machine learning, so they will be in high demand across multiple industries.

跨设备安全是指同一用户拥有的两台设备之间存在安全关系，其中一台设备的安全状态可能受到另一台设备的影响。例如，最近的膝上型计算机可以被配置为如果膝上型计算机检测到膝上型计算机所有者的智能电话并且由此可能还有膝上型计算机所有者在附近，则不再询问密码。在另一示例中，许多物联网（IoT）设备用智能电话控制。因此，对用户的智能手机的成功攻击也可能导致对用户的IoT设备的成功攻击。最后，在隐式认证中，设备通过收集关于所有者的行为数据来建立其所有者的典型行为的分类模型。然后，设备使用该分类模型来连续地认证用户。在跨设备安全性方面，设备可以与用户的其他设备中的一些设备共享其分类模型，使得它们也可以使用隐式认证。拟议的研究将展示跨设备安全提供和提出的机会和威胁。这将通过移动的传感、机器学习、移动的系统开发和用户研究等解决方案的组合来实现，为参与的学生提供跨学科合作的机会。该研究将沿着沿着三个主要方向进行：1）跨设备传输认证决策。研究成果是能够将设备上的用户的认证状态安全地传输到同一用户的另一设备，以防止用户必须手动认证到第二设备。2)跨设备的隐式身份验证。研究成果是使设备基于其所有者的行为数据建立的分类模型能够转移到同一用户拥有的其他设备，以防止其他设备必须收集自己的行为数据并建立自己的分类模型。3)跨设备的安全依赖关系。如果获得设备（或设备收集的数据）所有权的攻击者可以使用此设备（或数据）成功攻击同一用户的其他设备，则存在安全依赖性。研究结果是告知用户这些依赖性，并提出补救措施。这项研究非常重要，因为期望用户单独管理每个设备的安全性是不现实的。此外，这项研究将使人们更容易安全地使用联网设备，使相关的生态系统受益，如设备制造商，应用程序开发商和通信网络提供商，从而使加拿大经济受益。学生将获得网络安全，物联网和应用机器学习方面的技能，因此他们将在多个行业中受到高度需求。