Author: Apoorva A
Date of Publication: 14th November 2019
Abstract: Real-time crowdsourced maps, such as Waze, provide timely updates on traffic, congestion, accidents, and points of interest. In this paper, we demonstrate how the lack of strong location authentication allows creation of software-based Sybil devices that expose crowdsourced map systems to a variety of security and privacy attacks. Our experiments show that a single Sybil device with limited resources can cause havoc on Waze, reporting false congestion and accidents and automatically rerouting user traffic. More importantly, we describe techniques to generate Sybil devices at scale, creating armies of virtual vehicles capable of remotely tracking precise movements for large user populations while avoiding detection. To defend against Sybil devices, we propose a new approach based on co-location edges, authenticated records that attest to the one-time physical co-location of a pair of devices. Over time, co-location edges combine to form large proximity graphs that attest to physical interactions between devices, allowing scalable detection of virtual vehicles. We demonstrate the efficacy of this approach using large-scale simulations, and how they can be used to dramatically reduce the impact of the attacks. We have informed the Waze/Google team of our research findings. Currently, we are in active collaboration with the Waze team to improve the security and privacy of their system.
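The proximity-graph defense described in the abstract can be sketched as follows. This is an added example, not code from the paper: the abstract does not name a detection algorithm, so the seed-based trust propagation used here is an assumption, as are the device ids, the sample edges, and the premise that an attacker can link its own virtual devices freely but obtains few edges to real ones.

```python
import math
from collections import defaultdict

# Constructed sample: each pair is one co-location edge, assumed already authenticated.
REAL_EDGES = [("r1", "r2"), ("r1", "r3"), ("r2", "r3"), ("r2", "r4"),
              ("r3", "r4"), ("r3", "r5"), ("r4", "r5")]
SYBIL_EDGES = [("s1", "s2"), ("s1", "s3"), ("s2", "s3")]  # virtual devices vouching for each other
ATTACK_EDGES = [("r5", "s1")]  # the single edge joining the two regions
SEEDS = {"r1"}  # device assumed to be known-real (hypothetical trust anchor)


def build_graph(edges):
    """Undirected proximity graph: device id -> set of co-located device ids."""
    graph = defaultdict(set)
    for a, b in edges:
        if a != b:  # a device cannot vouch for itself
            graph[a].add(b)
            graph[b].add(a)
    return dict(graph)


def trust_scores(graph, seeds, rounds=None):
    """Spread trust from seeds along edges for ~log2(n) rounds, then divide by degree."""
    if not seeds or not set(seeds) <= set(graph):
        raise ValueError("seeds must be non-empty and present in the graph")
    rounds = rounds or max(1, math.ceil(math.log2(len(graph))))
    trust = {n: (1.0 / len(seeds) if n in seeds else 0.0) for n in graph}
    for _ in range(rounds):
        nxt = dict.fromkeys(graph, 0.0)
        for node, neighbours in graph.items():
            share = trust[node] / len(neighbours)  # split trust evenly over edges
            for m in neighbours:
                nxt[m] += share
        trust = nxt
    # Degree normalisation stops well-connected Sybil cliques from scoring high.
    return {n: trust[n] / len(graph[n]) for n in graph}


def rank_devices(edges, seeds):
    """Device ids ordered from least to most trusted (ties broken by id)."""
    scores = trust_scores(build_graph(edges), seeds)
    return sorted(scores, key=lambda n: (scores[n], n))


if __name__ == "__main__":
    print(rank_devices(REAL_EDGES + SYBIL_EDGES + ATTACK_EDGES, SEEDS))
```

Because propagation stops after about log2(n) rounds, little trust crosses the single attack edge, so the three virtual devices land at the bottom of the ranking even though they are fully connected to each other.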