Workshop

Friday 27th September

On Friday a workshop on Mobile Systems Security and Privacy will take place in the Department of Computer Science and Technology. All attendees at CANS are welcome to join the workshop without additional charge. We will have nine invited talks delivered by professors from Imperial, KTH Royal Institute of Technology and the Universities of Linz, Oxford, Piraeus, Saskatchewan, Surrey, UCL and Waterloo,  supporting discussion on the latest research challenges and opportunities. A detailed timetable of events will be published in due course. 

Workshop Programme

09:00-09:30 Registration and Coffee

Note: The workshop takes place in the Department of Computer Science and Technology

09:30-10:50 Session 1: Smartphone ecosystems

Natalia Stakhanova

Certificate reuse across the Android ecosystem

The insecurities of public-key infrastructure (PKI) on the Internet have been the focus of research for over a decade. The extensive presence of broken, weak, and vulnerable cryptographic keys has been repeatedly emphasized by many studies. Analyzing the security implications of cryptographic keys' vulnerabilities, several studies noted the presence of public key reuse.  In this talk, we explore this phenomena in Android ecosystem. We investigate the presence of duplicate X.509 certificates and reused RSA public keys within Android domain and across PKI ecosystem, analyze their cryptographic weaknesses, and investigate the sources of reuse.

Bio: Dr. Natalia Stakhanova is the Canada Research Chair in Security and Privacy, and Associate Professor at the University of Saskatchewan, Canada. She is a former NB Innovation Research Chair in Cybersecurity at the University of New Brunswick. Her work revolves around building secure systems. Dr. Stakhanova has published over 70 publications in the areas of network security, software protection, and code attribution. She holds 4 patents in the field of computer security. Dr. Stakhanova serves as a member of the Canadian Cross-Cultural Roundtable on Security (CCRS), the group that provides advice to the Minister of Public Safety Canada and the Minister of Justice and Attorney General of Canada, concerning matters of national security and public safety. She is an Associate Editor for IEEE Transactions on Dependable and Secure Computing (TDSC) and Guest Editor for IEEE Transactions on Network and Service Management (IEEE TNSM). Dr. Stakhanova is the recipient of numerous recognitions and awards including the top 20 Canadian Women in Cybersecurity, the CyberNB Recognition Award, the McCain Young Scholar Award and the Anita Borg Institute Faculty Award. She is a strong advocate of Women in IT and co-founder of CyberLaunch Academy, an initiative that aims to promote science and technology among children.


Constantinos Patsakis

A deep-dive into the Chinese App Ecosystem from the Security Perspective

This work was done jointly with Nikolaos Lykousas

While the main platform for mobile smartphones is undoubtedly Android, the app ecosystem is fragmented. A considerable amount of users often use applications from alternate stores. However, beyond this user-driven shift, there is another app ecosystem that has been developed in China with numerous app stores that are used by almost 1 billion devices, which accounts for almost one-third of all Android users. Beyond usage statistics, it is crucial to assess the security of these applications as their outreach also affects users outside China. For instance, several of these apps may have already been ported to the official Google Play store, many of them are used to control IoT devices that are imported from China and can use the same backend. Creating an automated pipeline to analyse these apps, we have identified the catastrophic security practices of developers in the Chinese Android ecosystem, with a particular focus on the prevalence of Tencent Cloud and other AWS-like services such as Aliyun. More precisely, a significant number of developers hardcode credentials within mobile applications, leading to severe vulnerabilities that compromise user data, allow for remote control of devices, or large-scale phishing attacks.

Bio: Constantinos Patsakis received his B.Sc. in mathematics from the University of Athens, Greece, M.Sc. in information security from Royal Holloway, University of London, and his PhD in cryptography and malware from the University of Piraeus. In the past, he has worked as a researcher at the UNESCO Chair in Data Privacy, at Rovira i Virgili, at Trinity College, Dublin, and at the Luxembourg Institute of Science and Technology. He is an Associate Professor at the University of Piraeus and an Adjunct Researcher at the Athena Research and Innovation Center. He has authored more than 100 publications in prestigious peer-reviewed international conferences and journals and participated in several national and European Research and Development projects. His main areas of research include cryptography, security, privacy, blockchains, and cybercrime.


10:50-11:20 Coffee

11:20-12:40 Session 2: Mobile networks and location

Panos Papadimitratos

Securing location-based mobile computing

A broad gamut of Internet of Things and mobile applications are location-based: their operation relies on precise position information or they collect location-specific data. They have gained popularity, offering valuable services to users and systems. This brings forth a dual challenge: how to secure position information and how to safeguard the system from misbehaving data-collecting devices/users. In this talk, we discuss these two problems: securing Global Navigation Satellite System (GNSS) positioning and securing participatory location-based services.

Bio: Panos Papadimitratos earned his Ph.D. degree from Cornell University, Ithaca, NY. He then held positions at Virginia Tech, EPFL and PoliTo. Panos is currently a Professor at KTH Royal Institute of Technology, Stockholm, Sweden, where he leads the Networked Systems Security group. His research agenda includes a gamut of security and privacy problems, with emphasis on wireless and mobile networks. He chairs the ACM WiSec conference steering committee. He is a member of the Privacy Enhancing Technologies Symposium Advisory Board and the CANS conference steering committee and the vice-chair of the ACM Europe Council. Panos is an IEEE Fellow and an ACM Distinguished Member. His group webpage is: https://nss.proj.kth.se/


Ioana Boureanu

The Rise and Fall of 5G’s Authentication and Key Management for Applications (AKMA): A Security and Privacy Analysis

In this work, we will look at the security and privacy of the 5G procedure called Authentication and Key Management for Applications (AKMA), which is standardised by 3GPP and has seen much attention there in the last two years. We will use various formal methods and tools to reason about the security and privacy properties of AKMA. We find several flaws, which we patch, with backwards compatibility in mind; we prove these small amendments of AKMA secure and private.

Bio: Ioana Boureanu is Professor of Secure Systems at University of Surrey and Director of Surrey Centre for Cyber Security. Her research focuses on (automatic) analysis of security using mainly logic-based formalisms, as well as on provable security and applied cryptography. Before joining Surrey, she worked as a researcher and professor in Switzerland, as well as a cryptography consultant in industry. 


12:40-13:40 Lunch and demonstrations

13:40-15:40 Session 3: Securing systems

Ivan Martinovic

Charging Up and Tuning In: The Hidden Antenna in Your EV Charging System

The Combined Charging System (CCS), one of the most widely used DC rapid charging technologies for electric vehicles, is vulnerable to wireless attacks. The charging cable acts as an unintentional antenna, leaking power-line communication (PLC) signals and allowing adversaries to inject their own signals using off-the-shelf radio equipment. In this talk, we discuss this topic in detail, covering the basics of CCS technology and the root causes behind a novel wireless attack called Brokenwire. This attack interrupts the necessary control communication between the vehicle and charger, causing charging sessions to abort. The attack can be conducted wirelessly from a distance with a low energy budget, allowing individual vehicles or entire fleets to be disrupted simultaneously. The talk will also offer insights from a large-scale measurement study of already deployed DC charging stations, analysing the current state of deployment for various protocols with security implications, such as the adoption of TLS as mandated in the latest versions of the ISO 15118 standard.

Bio: Ivan Martinovic is a Professor of Computer Science at the University of Oxford, where he leads the Systems Security Lab and serves as Head of the Security Research Theme in the Department. His research focuses on wireless systems security and network security. Currently, he works on the security of satellite systems, including transmitter authentication, RF jamming, and physical-layer security used in electric vehicles (EVs). Before joining Oxford, he was a postdoctoral researcher at the Security Research Lab at UC Berkeley and the Secure Computing and Networking Centre at UC Irvine. He obtained his PhD from TU Kaiserslautern and his MSc from TU Darmstadt, Germany.


Kami Vaniea

Keeping software patched

Keeping software up to date is a serious issue for everyone from end-users, to software engineers, to system administrators. When security issues are found in software they are corrected by issuing an update or patch, but the existence of an update does not mean it will be installed. In this talk I will look at a range of different people who interact with patches and explore why it is that patching remains slow.

Bio: Dr Vaniea is an Associate Professor in ECE at the University of Waterloo where she heads the Technology Usability Lab in Privacy and Security (TULiPS). She is also a member of Waterloo's Cybersecurity and Privacy Institute. She was formally at the University of Edinburgh were she was Deputy Director of the Academic Center of Excellence in Cyber Security Research. Her research looks at how people use security and privacy technology and how to design such technologies so that they better support people. Recent project directions include: phishing, developer-centred privacy, smart speaker bystander privacy, virtual reality study design, patch management by system administrators, and anonymity on Q&A sites. She also works with numerous undergraduate and masters project students on topics like: cookie dialogues, password management, just-in-time website supply chains, and cyber security games.


René Mayrhofer

The cryptographic dilemma of eIDAS 2.0

eIDAS 2.0, the European Digital Identity Regulation 2024/1183 published on 30 April 2024, establishes a set of security and privacy requirements for the upcoming European Digital Identity Wallet (EUDIW) along with the political intention to publish a complete set of specifications, also known as the Architecture Reference Framework (ARF) within 6 months to enable national implementations. However, fully achieving the defined requirements - particularly unlinkability of interactions without restricting assumptions - does not seem to be possible with already standardized protocols based on salted hash sets and classic asymmetric signatures, such as the ISO 18013-5 mobile driving license standard. This talk will present the current state of discussion with regard to various options for signature standards and their associated challenges for practical deployment.

Bio: René Mayrhofer is a computer scientist with additional interest in physics, philosophy and politics. He holds a Professorship at Johannes Kepler University Linz and acts as the head of the Institute for Networks and Security as well as Director of Android Platform Security at Google. Previously, he was head of the Josef Ressel Center for User-friendly Secure Mobile Environments and held Professorships in Mobile Computing at Upper Austria University of Applied Sciences, at University of Vienna, and before that a Marie Curie Fellowship at the University of Lancaster, UK. He received Dipl.-Ing. (MSc) and Dr. techn. (PhD, Promotio sub auspiciis Praesidentis rei publicae) degrees from Johannes Kepler University Linz, Austria and a Venia Docendi for Applied Computer Science from University of Vienna, Austria.


15:40-16:10 Coffee

16:10-17:30 Session 4: Privacy and reliable evidence

Soteris Demetriou

Toward secure, privacy-preserving dementia detection on mobile devices

Dementia is a neurocognitive condition affecting millions of users worldwide and its cases are expected to triple by 2050. The UK’s National Health Service (NHS) set as a priority to increase early dementia diagnosis rates and improve support for patients by shifting  more care from hospitals to the communities. Mobile devices with their always on, always present nature and rich sensing capabilities pose as an ideal platform for supporting this endeavour. Signals such as oral and written speech which are widely available on mobile platforms have shown success in dementia classification. However, leveraging speech for dementia classification on mobile devices comes with important challenges: data availability, privacy, and security. Firstly, dementia classification methods depend on large sets of available labelled datasets which are not always available. Secondly, speech signals encompass personally identifiable information such as the speaker’s identity which should not be leaked. Thirdly, sensitive functionality such as speech processing for dementia classification must be performed efficiently and securely on users’ devices. Data augmentation is a promising technique for dealing with the first challenge. I will present our systematic analysis of data augmentation techniques for audio and text based dementia classification. Next, I will present our approach for tackling the privacy challenge by disentangling dementia-important prosody features from speaker embeddings. Lastly, I will conclude with some thoughts on how we can enable lightweight, secure speech processing on mobile platforms.

Bio: Dr Soteris Demetriou is a Senior Lecturer of Computer Systems Security at the Department of Computing at Imperial College London and the Director of the Applications, Platforms, and Systems Security Research Lab (APSS). He is also the lead of Imperial's Academic Centre of Excellence in Cyber Security Research (ACE-CSR). His interests lie in the security and privacy of mobile and cyber-physical systems. By analyzing operating systems, networking protocols, machine learning models and side-channels his work has uncovered design flaws, leading to severe security vulnerabilities and privacy leakages on the Android operating system, Amazon services, commodity IoT devices and 3D object detectors among others, affecting millions of users. In response, his work has introduced tools, methods, and end-to-end systems to improve end-user privacy and strengthen security on mobile and cyber-physical systems.  His work appeared multiple times in top international systems security conferences such as NDSS and ACM CCS but also in other systems and sensing conferences such as ACM SOSP, IEEE Infocom, ACM MobiSys ACM SenSys, Usenix OSDI, and Usenix NSDI. His work also received prestigious awards, including a best paper award at NDSS 2018, and his mobile systems security work is also close to practice and resulted in three relevant US patents. 


Steven Murdoch

Re-designing computer systems for reliable electronic evidence

Computer systems are increasingly relied upon for a wide range of important tasks, but much of the research on reliability has been restricted to the control systems for safety-critical hardware. For other systems, efforts to assess their effectiveness has been more ad-hoc and of questionable validity, even those relied upon to produce legally admissible evidence. From breathalyzers and forensic software to the infamous Post Office Horizon system, computer bugs can make the difference between someone being imprisoned and going free. This talk will discuss some examples of computer evidence failures risking causing miscarriages of justice, and what can be done to mitigate such risks in the future. In particular, it will motivate the idea that computer systems relied upon for computer evidence should be built with rigorous engineering techniques, but that these techniques are distinct from what are needed for safety-critical systems. When combined with appropriate treatment by the legal system, we can help avoid future miscarriages of justice.

Bio: Steven J. Murdoch is Professor of Security Engineering and head of the Information Security Research Group of University College London, working on payment system security, privacy-enhancing technologies, online safety, and the interaction between computer science and the law. He teaches on the UCL MSc in Information Security. His research interests include authentication/passwords, banking security, anonymous communications, censorship resistance and covert channels. He has worked with the OpenNet Initiative, investigating Internet censorship, and for the Tor Project, on improving the security and usability of the Tor anonymity system. His current research is on how computer systems can produce evidence to allow fair and efficient dispute resolution. Professor Murdoch was Chief Security Architect at Cronto, and following their acquisition of the technology he developed, he took on the role of Distinguished Scientist for OneSpan. He is a member of REPHRAIN, the National Research Centre on Privacy, Harm Reduction and Adversarial Influence Online. He is a director of the Open Rights Group, a UK-based digital campaigning organisation working to protect rights to privacy and free speech online and is a Fellow of the IET and BCS..


17:30 Closing remarks