Biblio
Filters: Author is Zhang, Yanchao
RF-Rhythm: Secure and Usable Two-Factor RFID Authentication. IEEE INFOCOM 2020 - IEEE Conference on Computer Communications. :2194–2203. 2020.
Passive RFID technology is widely used in user authentication and access control. We propose RF-Rhythm, a secure and usable two-factor RFID authentication system with strong resilience to lost/stolen/cloned RFID cards. In RF-Rhythm, each legitimate user performs a sequence of taps on his/her RFID card according to a self-chosen secret melody. Such rhythmic taps can induce phase changes in the backscattered signals, which the RFID reader can detect to recover the user's tapping rhythm. In addition to verifying the RFID card's identification information as usual, the backend server compares the extracted tapping rhythm with what it acquires in the user enrollment phase. The user passes authentication checks if and only if both verifications succeed. We also propose a novel phase-hopping protocol in which the RFID reader emits Continuous Wave (CW) with random phases for extracting the user's secret tapping rhythm. Our protocol can prevent a capable adversary from extracting and then replaying a legitimate tapping rhythm from sniffed RFID signals. Comprehensive user experiments confirm the high security and usability of RF-Rhythm with false-positive and false-negative rates close to zero.
WristUnlock: Secure and Usable Smartphone Unlocking with Wrist Wearables. 2019 IEEE Conference on Communications and Network Security (CNS). :28–36. 2019.
We propose WristUnlock, a novel technique that uses a wrist wearable to unlock a smartphone in a secure and usable fashion. WristUnlock explores both the physical proximity and secure Bluetooth connection between the smartphone and wrist wearable. There are two modes in WristUnlock with different security and usability features. In the WristRaise mode, the user raises his smartphone in his natural way with the same arm carrying the wrist wearable; the smartphone gets unlocked if the acceleration data on the smartphone and wrist wearable satisfy an anticipated relationship specific to the user himself. In the WristTouch mode, the wrist wearable sends a random number to the smartphone through both the Bluetooth channel and a touch-based physical channel; the smartphone gets unlocked if the numbers received from both channels are equal. We thoroughly analyze the security of WristUnlock and confirm its high efficacy through detailed experiments.
Securing Social Media User Data: An Adversarial Approach. Proceedings of the 29th on Hypertext and Social Media. :165–173. 2018.
Social media users generate tremendous amounts of data. To better serve users, it is required to share the user-related data among researchers, advertisers and application developers. Publishing such data would raise more concerns on user privacy. To encourage data sharing and mitigate user privacy concerns, a number of anonymization and de-anonymization algorithms have been developed to help protect privacy of social media users. In this work, we propose a new adversarial attack specialized for social media data. We further provide a principled way to assess effectiveness of anonymizing different aspects of social media data. Our work sheds light on new privacy risks in social media data due to innate heterogeneity of user-generated data which require striking balance between sharing user data and protecting user privacy.