Can’t You Hear Me Knocking: Novel Security and Privacy Threats to Mobile Users

Prof. Mauro Conti, University of Padua


As smartphone and IoT device usage becomes more and more pervasive, people also start asking to what extent such devices can be maliciously exploited as “tracking devices”. The concern is not only related to an adversary taking physical or remote control of the device, but also to what a passive adversary without the above capabilities can observe from the device’s communications. Work in this latter direction has aimed, for example, at inferring the apps a user has installed on his device, or at identifying the presence of a specific user within a network. In this talk, we discuss threats coming from contextual information and to what extent it is feasible, for example, to identify the specific actions that a user is performing in mobile apps by eavesdropping on their encrypted network traffic. We will also discuss the possibility of building covert and side channels that leverage energy consumption and audio signals.

Mauro Conti is an Associate Professor at the University of Padua, Italy. He obtained his Ph.D. from Sapienza University of Rome, Italy, in 2009. After his Ph.D., he was a Post-Doc Researcher at Vrije Universiteit Amsterdam, The Netherlands. In 2011 he joined the University of Padua as Assistant Professor, where he became Associate Professor in 2015. In 2017, he obtained the national habilitation as Full Professor for Computer Science and Computer Engineering. He has been Visiting Researcher at GMU (2008, 2016), UCLA (2010), UCI (2012, 2013, 2014, 2017), TU Darmstadt (2013), UF (2015), and FIU (2015, 2016). He has been awarded a Marie Curie Fellowship (2012) by the European Commission, and a Fellowship by the German DAAD (2013). His main research interest is in the area of security and privacy. In this area, he has published more than 200 papers in topmost international peer-reviewed journals and conferences. He is Associate Editor for several journals, including IEEE Communications Surveys & Tutorials and IEEE Transactions on Information Forensics and Security. He was Program Chair for TRUST 2015, ICISS 2016, WiSec 2017, and General Chair for SecureComm 2012 and ACM SACMAT 2013. He is a Senior Member of the IEEE.


You can download the presentation: 20170918_Covert & Side Channels rid

A Federated Architecture for Attribute-based and Behavioral Authentication as a High-Assurance Service

Prof. Michael Sirivianos, Cyprus University of Technology


Current authentication methods on the Web have serious weaknesses. First, services rely heavily on the password paradigm, which diminishes end-users’ security and usability. Second, the lack of attribute-based authentication does not allow anonymity-preserving access to services. Third, users have multiple online accounts that often reflect distinct identity aspects. This makes it hard for users to prove combinations of identity attributes. In this talk, we address these weaknesses by proposing a privacy-preserving architecture for device-centric and attribute-based authentication. Our architecture is based on: (a) the seamless integration between usable/strong device-centric authentication methods and federated login solutions; (b) the separation of concerns for Authorization, Authentication, Behavioral Authentication and Identification, to facilitate incremental deployability, wide adoption and compliance with NIST assurance levels; (c) a novel centralized component that allows end-users to perform identity profile and consent management, to prove combinations of fragmented identity aspects, and to perform account recovery in case of device loss.
This is the first effort towards fusing the aforementioned techniques under an integrated architecture. This architecture effectively renders the password paradigm obsolete with minimal modification of the service provider’s software stack.

Michael Sirivianos holds a PhD from Duke University (2010). His current research interests lie in the fields of security in social networks, trust-aware design of distributed systems, device-centric authentication and federated ID, large-scale data processing, and discrimination based on personal web data. He has published papers in the most influential conferences and journals of Networked Systems, including SIGCOMM, NSDI, INFOCOM, IMC and ACM Transactions on Networking. He has extensive experience in EU-funded projects. Specifically, he is the technical manager of the ReCRED project (Horizon 2020 Innovation Action, 2014) and the coordinator of the ENCASE project (Horizon 2020 Marie Curie RISE, 2015). He is also the co-director of the Network Systems and Science Research Laboratory.

Security in Personal Genomics: Lest We Forget

Prof. Gene Tsudik, University of California, Irvine (UCI)

Genomic privacy has attracted much attention from the research community, mainly because its risks are unique and breaches can lead to terrifying leakage of the most personal and sensitive information. The much less explored topic of genomic security needs to mitigate the threat of the digitized genome being altered by its owner or by an outside party, which can have dire consequences, especially in medical or legal settings. At the same time, many anticipated genomic applications (with varying degrees of trust) require only small amounts of genomic data. Supporting such applications requires a careful balance between security and privacy. Furthermore, the genome’s size raises performance concerns. We argue that genomic security must be taken seriously and explored as a research topic in its own right. To this end, we discuss the problem space, identify the stakeholders, discuss assumptions about them, and outline several simple approaches based on common cryptographic techniques, including signature variants and authenticated data structures. We also present some extensions and identify opportunities for future research. The main goal of this paper is to highlight the importance of genomic security as a research topic in its own right.

Gene Tsudik is a Chancellor’s Professor of Computer Science at the University of California, Irvine (UCI). He obtained his PhD in Computer Science from USC in 1991. Before coming to UCI in 2000, he was at IBM Zurich Research Laboratory (1991-1996) and USC/ISI (1996-2000). Over the years, his research interests included numerous topics in security, privacy and applied cryptography. Gene Tsudik is a Fulbright Scholar, a Fulbright Specialist, a fellow of ACM, IEEE and AAAS, as well as a member of Academia Europaea. From 2009 to 2015 he was the Editor-in-Chief of ACM Transactions on Information and Systems Security (TISSEC).


Device-centric authentication for future Internet

Prof. Christos Xenakis, University of Piraeus, Greece

With e-commerce now exceeding 1 trillion € per annum and the emergence of the Internet of Things, the need for reliable and user-friendly authentication mechanisms is more pressing than ever. A European research project entitled “ReCRED: From Real-world Identities to Privacy-preserving and Attribute-based CREDentials for Device-centric Access Control” tries to address the problems of password-based access control: a) password overload, referring to the inability of users to remember a different secure password for each of their accounts; b) identity fragmentation, stemming from the fact that independent identity providers (email, social networks, etc.) create disjoint identity realms, making it difficult for end users to prove joint ownership of accounts, e.g., for reputation transfer or to fend off impersonation attacks; and c) lack of support for attribute-based access control (ABAC), which facilitates account-less access through verified identity attributes (e.g., age or location). ReCRED moves the burden of authentication from the user to the device itself, taking full advantage of smartphones’ inherent capabilities. Smartphones evolve into authentication proxies, where every user account can be securely kept and managed on the device, following the most contemporary technological standards that leverage the benefits of asymmetric cryptography (e.g., FIDO Alliance). Users can be authenticated by their mobile devices, locally, using fingerprint, face recognition, how they walk, type, move around the city, etc. ReCRED also offers two additional innovations: a) the consolidation and management of online user identities and accounts, and b) the issuance of anonymous credentials that verify specific attributes or properties of the users while guaranteeing the latter’s anonymity.

Christos Xenakis received his B.Sc. degree in computer science in 1993 and his M.Sc. degree in telecommunication and computer networks in 1996, both from the Department of Informatics and Telecommunications, University of Athens, Greece. In 2004 he received his Ph.D. from the University of Athens (Department of Informatics and Telecommunications). From 1998 to 2001 he was with a Greek telecoms system development firm, where he was involved in the design and development of advanced telecommunications subsystems. From 1996 to 2007 he was a member of the Communication Networks Laboratory of the University of Athens. Since 2007 he has been a faculty member of the Department of Digital Systems of the University of Piraeus, Greece, where he is currently an Associate Professor, a member of the Systems Security Laboratory and the director of the Postgraduate Degree Programme on “Digital Systems Security”. He has participated in numerous projects realized in the context of EU Programmes (ACTS, ESPRIT, IST, AAL, DGHOME, Marie Curie, Horizon2020) as well as Greek national programmes. He is the project manager of the ReCRED project funded by Horizon2020 and he was the technical manager of the UINFC2 project funded by DGHOME/ISEC. He is also a steering committee member of the European Cyber Security Challenge 2017. His research interests are in the field of systems, networks and applications security. He has authored more than 70 papers in peer-reviewed journals and international conferences.