Spring 2022 Guest Lecture

MICS Spring 2022 Guest Lecture by Professor Alexandra Dmitrienko and Professor Ahmad-Reza Sadeghi

Event Info

Monday, May 02, 2022 01:00 PM

Qualcomm Conference Room, Jacobs Hall, UC San Diego

 

Title: What’s Up with WhatsApp and Co? Large-scale Abuse of Contact Discovery in Mobile Messengers

Abstract: Mobile messenger apps have become a de facto way to exchange messages between users. Conveniently, such apps grab user contacts from the user's contact book and automatically identify (using the contact discovery protocol) who among the contacts is registered on the same messaging platform and, hence, could be texted.

In this talk, we shed light on contact discovery methods of major messenger platforms WhatsApp, Signal, and Telegram and demonstrate severe privacy issues that affect their users and sometimes even numbers not registered with the service. We show that, contrary to expectations, large-scale crawling attacks are (still) possible. For example, we could crawl 10% of US mobile phone numbers of WhatsApp users and 100% for Signal. Furthermore, we demonstrate that contact discovery protocols that hash phone numbers before transmitting them to the server (for privacy reasons) are severely broken – we compare three methods for efficient hash reversal of mobile phone numbers and empirically prove that the hashes can be reversed in real time using consumer-grade hardware. We also present interesting (cross-messenger) usage statistics, which also reveal that very few users change the default privacy settings and leak unnecessary information to the public.

Motivated by the discovered problems, we propose novel effective mitigation techniques against crawling attacks and discuss other countermeasures, such as alternative identifiers, selective contact permissions and safe defaults for information stored in user profiles.

Alexandra Dmitrienko is an associate professor at the University of Wuerzburg in Germany, where she is heading the Secure Software Systems research group. Before taking her current faculty position in 2018, she worked for about 10 years in renowned security institutions in Germany and in Switzerland: Ruhr-University Bochum (2008-2011), Fraunhofer Institute for Information Security in Darmstadt (2011-2015), and ETH Zurich (2016-2017). She holds a PhD degree in Security and Information Technology from TU Darmstadt (2015). Her PhD dissertation focused on security and privacy of mobile systems and applications and was awarded by the European Research Consortium in Informatics and Mathematics (ERCIM STM WG 2016 Award) and recognized as outstanding by Intel – she received an Intel Doctoral Student Honor Award. Today, her research interests focus on various topics on secure software engineering, systems security and privacy, and security and privacy of mobile, cyber-physical, and distributed systems.


Title: Turtles all the way down: On Trusting Trust Anchors.

Challenges of Hardware-assisted Security

Abstract: The large attack surface of applications and commodity operating systems has motivated the design, development and deployment of hardware-assisted security with the promise to provide trust anchors and trusted execution environments on computing systems to enhance the protection of modern software. However, the currently deployed hardware-assisted security architectures seem to struggle with keeping their promises, particularly in the face of recent cross-layer attacks that enable unprivileged software to exploit hardware design and implementation flaws, as shown by attacks such as Meltdown, Spectre, and Foreshadow, to name some. Cross-layer attacks reach far beyond the exploitation of micro-architectural flaws and affect a wide range of computing platforms. They constitute a fundamental paradigm shift, disrupting traditional threat models that have mainly focused on software-only vulnerabilities and often assumed that the underlying hardware is correct and trustworthy.

In this talk, we present a brief overview of the hardware-assisted security landscape, its promises, pitfalls and challenges. We then discuss the recent trends in building open hardware security architectures including our own work. We also briefly discuss the insights we gained in the course of the world's largest hardware security competition that we have been co-organizing with industry and academic partners since 2018. We conclude with future research directions and challenges for building sustainable security for computing systems.

Ahmad-Reza Sadeghi is a professor of Computer Science and the head of the System Security Lab at Technical University of Darmstadt, Germany. He has been leading several Collaborative Research Labs with Intel since 2021, and with Huawei since 2019. He has studied both Mechanical and Electrical Engineering and holds a Ph.D. in Computer Science from the University of Saarland, Germany. Prior to academia, he worked in R&D of IT enterprises, including Ericsson Telecommunications. He has been continuously contributing to the security and privacy research field. He was Editor-in-Chief of IEEE Security and Privacy Magazine, and currently serves on the editorial board of ACM TODAES, ACM TIOT, and ACM DTRAP. For his influential research on Trusted and Trustworthy Computing he received the renowned German "Karl Heinz Beckurts" award. This award honors excellent scientific achievements with high impact on industrial innovations in Germany. In 2018, he received the ACM SIGSAC Outstanding Contributions Award for dedicated research, education, and management leadership in the security community and for pioneering contributions in content protection, mobile security and hardware-assisted security. In 2021, he was honored with the Intel Academic Leadership Award at the USENIX Security conference for his influential research on cybersecurity and in particular on hardware-assisted security.

 

 

 

 
