I am a computer scientist with additional interest in physics, philosophy and politics. At the moment, I hold a Professorship at Johannes Kepler University Linz and act as the head of the Institute for Networks and Security as well as Director of Android Platform Security at Google. Occasionally, I act also as security consultant. Previously, I was head of the Josef Ressel Center for User-friendly Secure Mobile Environments and held Professorships in Mobile Computing at Upper Austria University of Applied Sciences, at University of Vienna, AT, and before that a Marie Curie Fellowship at the University of Lancaster, UK. I received Dipl.-Ing. (MSc) and Dr. techn. (PhD, Promotio sub auspiciis Praesidentis rei publicae) degrees from Johannes Kepler University Linz, Austria and my Venia Docendi for Applied Computer Science from University of Vienna, Austria.
This is my personal web page, and I update it only irregularly as I work on private projects. More content might be added within the next few weeks, months, or eons. My email inbox is often swamped, so please be patient when waiting for replies. Although I used to be able to respond to every email, this is unfortunately no longer possibly. I typically read most emails, though (unless they look like Spam to my filter or me or are in any way abusive).
Venia docendi (Habilitation) in Applied Computer Science, 2009
University of Vienna, Austria
Dr.techn. (PhD) in Computer Science, 2004
Johannes Kepler University Linz, Austria
Dipl.Ing. (MSc) in Computer Science, 2002
Johannes Kepler University Linz, Austria
Mobile device authentication has been a highly active research topic for over 10 years, with a vast range of methods proposed and analyzed. In related areas, such as secure channel protocols, remote authentication, or desktop user authentication, strong, systematic, and increasingly formal threat models have been established and are used to qualitatively compare different methods. However, the analysis of mobile device authentication is often based on weak adversary models, suggesting overly optimistic results on their respective security. In this article, we introduce a new classification of adversaries to better analyze and compare mobile device authentication methods. We apply this classification to a systematic literature survey. The survey shows that security is still an afterthought and that most proposed protocols lack a comprehensive security analysis. The proposed classification of adversaries provides a strong and practical adversary model that offers a comparable and transparent classification of security properties in mobile device authentication.
Tor onion services are a challenging research topic because they were designed to reveal as little metadata as possible which makes it difficult to collect information about them. In order to improve and extend privacy protecting technologies, it is important to understand how they are used in real world scenarios. We discuss the difficulties associated with obtaining statistics about V3 onion services and present a way to monitor V3 onion services in the current Tor network that enables us to derive statistically significant information about them without compromising the privacy of individual Tor users. This allows us to estimate the number of currently deployed V3 onion services along with interesting conclusions on how and why onion services are used.
Android is the most widely deployed end-user focused operating system. With its growing set of use cases encompassing communication, navigation, media consumption, entertainment, finance, health, and access to sensors, actuators, cameras, or microphones, its underlying security model needs to address a host of practical threats in a wide variety of scenarios while being useful to non-security experts. The model needs to strike a difficult balance between security, privacy, and usability for end users, assurances for app developers, and system performance under tight hardware constraints. While many of the underlying design principles have implicitly informed the overall system architecture, access control mechanisms, and mitigation techniques, the Android security model has previously not been formally published. This article aims to both document the abstract model and discuss its implications. Based on a definition of the threat model and Android ecosystem context in which it operates, we analyze how the different security measures in past and current Android implementations work together to mitigate these threats. There are some special cases in applying the security model, and we discuss such deliberate deviations from the abstract model.
People own and carry an increasing number of ubiquitous mobile devices, such as smartphones, tablets, and notebooks. Being small and mobile, those devices have a high propensity to become lost or stolen. Since mobile devices provide access to their owners’ digital lives, strong authentication is vital to protect sensitive information and services against unauthorized access. However, at least one in three devices is unprotected, with inconvenience of traditional authentication being the paramount reason. We present the concept of CORMORANT, an approach to significantly reduce the manual burden of mobile user verification through risk-aware, multi-modal biometric, cross-device authentication. Transparent behavioral and physiological biometrics like gait, voice, face, and keystroke dynamics are used to continuously evaluate the user’s identity without explicit interaction. The required level of confidence in the user’s identity is dynamically adjusted based on the risk of unauthorized access derived from signals like location, time of day and nearby devices. Authentication results are shared securely with trusted devices to facilitate cross-device authentication for co-located devices. Conducting a large-scale agent-based simulation of 4 000 users based on more than 720 000 days of real-world device usage traces and 6.7 million simulated robberies and thefts sourced from police reports, we found the proposed approach is able to reduce the frequency of password entries required on smartphones by 97.82% whilst simultaneously reducing the risk of unauthorized access in the event of a crime by 97.72%, compared to conventional knowledge-based authentication.
Providing methods to anonymously validate user identity is essential in many applications of electronic identity (eID) systems. A feasible approach to realize such a privacy-preserving eID is the usage of group signature protocols or pseudonym-based signatures. However, providing a revocation mechanism that preserves privacy is often the bottleneck for the scalability of such a system. In order to bridge this gap between practicability and privacy, we propose a new pseudonym-based mobile eID signature scheme suitable for smart cards and secure elements that also enables efficient and scalable revocation checks. By using a pseudorandom function, we derive one-time verification tokens used for identity verification as well as revocation checks and generate proofs of validity using a new method referred to as disposable dynamic accumulators. Our scheme preserves unlinkability and anonymity of the eID holder even beyond revocation and does not require online connectivity to a trusted party for verification and revocation checks.
We propose a system for enabling auxiliary communication channels in which a node transmits a millimeter (mm) wave signal which is reflected off a deliberately vibrating surface of a second node and then received by the first node. Data sequences can be encoded in the modulation of the surface, and radar sensing techniques can be used to demodulate the reflected signal. Hence our system enables not only conventional sensing in terms of range, velocity, and orientation estimation but also allows for information to be conveyed by the sensed device. We introduce the design of a metasurface driven by an energy-efficient programmable piezo-electric actuator, detail suitable radar processing, and characterize the link performance of the kinetically induced channel at distances up to five meters. As this metasurface could be used for both mobile devices and infrastructure devices, we describe opportunities for enabling novel capabilities including secure device authentication and extended-range wireless sensing across multiple devices.
In this work we propose a secure communication concept for the protection of critical power supply and distribution infrastructure. Especially, we consider the line current differential protection method for modern smart grid implementations. This protection system operates on critical infrastructure, and it requires a precise time behavior on the communication between devices on both ends of a protected power line. Therefore, the communication has to fulfill deterministic constraints and low-delay requirements and additionally needs to be protected against cyber attacks. Existing systems are often either costly and based on deprecated technology or suffering from maloperations. In order to allow for both, economical and reliable operation, we present the first holistic communication concept capable of using state-of-the-art packet switched networks. Our solution consists of three parts: (i) we develop a list of design requirements for line current differential protection systems communication; (ii) we propose a communication concept obeying these design requirements by combining cryptographical and physical security approaches; and (iii) we evaluate our solution in a practical setup. Our evaluation shows a clock accuracy of 3 µs with a resilience to asymmetric delay attacks down to 8 ns/s. This demonstrates the secure and fault-free operation of a line current differential protection system communicating over a state-of-the-art network.
Biometrics have become important for mobile authentication, e.g. to unlock devices before using them. One way to protect biometric information stored on mobile devices from disclosure is using embedded smart cards (SCs) with biometric match-on-card (MOC) approaches. However, computational restrictions of SCs also limit biometric matching procedures. We present a mobile MOC approach that uses offline training to obtain authentication models with a simplistic internal representation in the final trained state, wherefore we adapt features and model representation to enable their usage on SCs. The pre-trained model can be shipped with SCs on mobile devices without requiring retraining to enroll users. We apply our approach to acceleration based mobile gait authentication as well as face authentication and compare authentication accuracy and computation time of 16 and 32 bit Java Card SCs. Using 16 instead of 32 bit SCs has little impact on authentication performance and is faster due to less data transfer and computations on the SC. Results indicate 11.4% and 2.4-5.4% EER for gait respectively face authentication, with transmission and computation durations on SCs in the range of 2s respectively 1s. To the best of our knowledge this work represents the first practical approach towards acceleration based gait MOC authentication.
This work evaluates the security strength of a smartphone-based gait recognition system against zero-effort and live minimal-effort impersonation attacks under realistic scenarios. For this purpose, we developed an Android application, which uses a smartphone-based accelerometer to capture gait data continuously in the background, but only when an individual walks. Later, it analyzes the recorded gait data and establishes the identity of an individual. At first, we tested the performance of this system against zero-effort attacks by using a dataset of 35 participants. Later, live impersonation attacks were performed by five professional actors who are specialized in mimicking body movements and body language. These attackers were paired with their physiologically close victims, and they were given live audio and visual feedback about their latest impersonation attempt during the whole experiment. No false positives under impersonation attacks, indicate that mimicry does not improve chances of attackers being accepted by our gait authentication system. In 29% of total impersonation attempts, when attackers walked like their chosen victim, they lost regularity between their steps which makes impersonation even harder for attackers.
Today, mobile devices like smartphones and tablets have become an indispensable part of people’s lives, posing many new questions e.g., in terms of interaction methods, but also security. In this paper, we conduct a large scale, long term analysis of mobile device usage characteristics like session length, interaction frequency, and daily usage in locked and unlocked state with respect to location context and diurnal pattern. Based on detailed logs from 29,279 mobile phones and tablets representing a total of 5,811 years of usage time, we identify and analyze 52.2 million usage sessions with some participants providing data for more than four years.Our results show that context has a highly significant effect on both frequency and extent of mobile device usage, with mobile phones being used twice as much at home compared to in the office. Interestingly, devices are unlocked for only 46 % of the interactions. We found that with an average of 60 interactions per day, smartphones are used almost thrice as often as tablet devices (23), while usage sessions on tablets are three times longer, hence are used almost for an equal amount of time throughout the day. We conclude that usage session characteristics differ considerably between tablets and smartphones. These results inform future approaches to mobile interaction as well as security.
In this paper, we study the concept of security zones as an intermediate layer of compartmentalization on mobile devices. Each of these security zones is isolated against the other zones and holds a different set of applications and associated user data and may apply different security policies. From a user point of view, they represent different contexts of use for the device, e.g., to distinguish between gaming (private context), payment transactions (secure context), and company-related email (enterprise context). We propose multiple visualization methods for conveying the current security zone information to the user, and interaction methods for switching between zones. Based on an online and a laboratory user study, we evaluated these concepts from a usability point of view. One important result is that in the tension field between security and usability, additional hardware can support the user’s awareness toward their zone context.
In a wireless world, users can establish ad hoc virtual connections between devices that are unhampered bycables. This process is known as spontaneous device association. A wide range of interactive protocols andtechniques have been demonstrated in both research and practice, predominantly with a focus on securityaspects. In this article, we survey spontaneous device association with respect to the user interaction itinvolves. We use a novel taxonomy to structure the survey with respect to the different conceptual modelsand types of user action employed for device association. Within this framework, we provide an in-depthsurvey of existing techniques discussing their individual characteristics, benefits and issues.
Authenticating spontaneous interactions between devices and usersis challenging for several reasons: the wireless (and therefore invisible)nature of device communication, the heterogeneous nature of devicesand lack of appropriate user interfaces in mobile devices, and therequirement for unobtrusive user interaction. The most promisingapproach that has been proposed in literature involves the exploitationof so-called auxiliary channels for authentication to bridge thegap between usability and security. This concept has spawned theindependent development of various authentication methods and researchprototypes, that, unfortunately, remain hard to compare and interchangeand are rarely available to potential application developers. Wepresent a novel, unified cryptographic authentication protocol framework(UACAP) to unify these approaches and analyze its security properties.This protocol and a selection of auxiliary channels aimed at authenticationof mobile devices has been implemented and released in an open sourceubiquitous authentication toolkit (OpenUAT). We also present an initialuser study evaluating four of these channels.
A challenge in facilitating spontaneous mobile interactions is to provide pairing methods that are both intuitive and secure. Simultaneous shaking is proposed as a novel and easy-to-use mechanism for pairing of small mobile devices. The underlying principle is to use common movement as a secret that the involved devices share for mutual authentication.We present two concrete methods, ShaVe and ShaCK, in which sensing and analysis of shaking movement is combined with cryptographic protocolsfor secure authentication. ShaVe is based on initial key exchange followed by exchange and comparison of sensor data for verification of key authenticity. ShaCK, in contrast, is based on matching featuresextracted from the sensor data to construct a cryptographic key.The classification algorithms used in our approach are shown to robustly separate simultaneous shaking of two devices from other concurrent movement of a pair of devices, with a false negative rate of under 12 percent. A user study confirms that the method is intuitive and easy to use, as users can shake devices in an arbitrary pattern.
Spontaneous interaction is a desirable characteristic associated withmobile and ubiquitous computing. The aim is to enable users to connecttheir personal devices with devices encountered in their environmentin order to take advantage of interaction opportunities in accordancewith their situation. However, it is difficult to secure spontaneousinteraction as this requires authentication of the encountered device,in the absence of any prior knowledge of the device. In this paperwe present a method for establishing and securing spontaneous interactionson the basis of emphspatial references that capture the spatialrelationship of the involved devices. Spatial references are obtainedby accurate sensing of relative device positions, presented to theuser for initiation of interactions, and used in a peer authenticationprotocol that exploits a novel mechanism for message transfer overultrasound to ensures spatial authenticity of the sender.
This talk is about the Android platform with over 3 Billion active devices - not even counting devices that are based on AOSP (the Android Open Source Project code) but are not officially Android. Providing security guarantees in such a massive and diverse ecosystem with multiple stakeholders is a major challenge. This keynote will present the main aspects of the security model, system architecture, and mitigations and safeguards developed over more than 10 years. Some of the early design decisions shaped the platform from the start and still form the foundation for its current security posture, while many additional safeguards were added over time. More recently, an academic consortium has started building a public transparency database for collecting measurements about the security status of devices, both from special device farms under laboratory settings and from in-the-field devices through crowd sourcing. Using such data to check for compliance with the Android platform security model and potentially ranking devices based on their security attributes is another interesting challenge. In this keynote, we will also present the current state of this database and ides for next steps.
How can we use digital identity for authentication in the physical world without compromising user privacy? This central question is an underlying concern for further developments in ubiquitous computing scenarios: enabling individuals to – for example – use public transport and other payment/ticketing applications, access physical doors, access computing resources on public terminals, or even cross country borders without carrying any form of physical identity document or trusted mobile device. Moving towards such a device-free infrastructure-based authentication could be easily facilitated by centralized databases with full biometric records of all individuals, authenticating and therefore tracking people in all their interactions in the digital and physical worlds. However, such centralized tracking is not compatible with fundamental human rights to data privacy. One option to gain the utility of such digital authentication without sacrificing privacy rights is a fully decentralized approach to digital user authentication in the physical world. An ensemble of biometric sensors, different verifiers, and decentralized personal identity agents gives each individual better control over their digital and physical world interactions and data traces they leave.
The Android ecosystem is immense, represents a diverse manifold of use cases and participants, and is therefore highly complex. At the same time, Android primarily targets end-users and acts as the gateway to digital services for a majority of often non-technical Internet users. Balancing flexibility, security, and usability raises interesting challenges; many trade-offs are not immediately apparent and non-trivial to resolve. This talk will cover some of my own lessons learned before and since joining the Android Security & Privacy team, starting with the Android platform security model, complexities of the ecosystem that are particularly relevant to security, and methods to improve security across many partners. Current and future challenges include insider attack resistance, transparency different layers, and new use cases such as identity credentials.
The threat model for a mobile device ecosystem is complex. In addition to the obvious physical attacks on lost or stolen devices and malicious code threats, typical mobile devices integrate a significant amount of code from different organizations into their system images, which are in turn executed on an increasingly complex hardware infrastructure. Both benign mistakes, as well as malicious attacks, could happen on any of these layers, by any of these organizations. Therefore, users as well as app developers and service providers currently have to trust every single one of these organizations. Note that OEMs (original equipment manufacturers) in their role as integrators typically verify their supply chain and components they integrate. However, there are also other parties in the full chain that can tamper with devices after they leave an OEM and before they are in the hands of users. Summarizing, many people could—by honest mistake or malicious intent—tamper with components of a modern smartphone to compromise user security. We call such attacks insider attacks, independently of the motivation or association of these insiders. The basic threat is that insiders have privileged access to some components during the manufacturing or update chain that would allow them to make modifications that third parties could not. This talk will introduce the complexity of the insider attack problem (which is not unique to Android) and introduce some defenses that have already been put in place. In Android, we counter such insider attacks on multiple levels and aim to remove or limit the capability of insiders to harm users, which implies the limiting required trust in many of the involved parties. At the secure hardware level, Android Pie 9.0 introduced insider attack resistance (IAR) for updates to tamper-resistant hardware such as secure elements that is used to validate the user knowledge factor in authentication and for deriving, storing, and using cryptographic key material. Even Google and the respective OEM are technically incapable of distributing modified firmware to such tamper-resistant hardware to exfiltrate user keys without their cooperation. On the system software level, some devices make the hash of their currently running firmware available for (anonymous) local and remote verification. The combination of these features already provide transparency on the system software level and severely limit the possibility of targeted attacks on firmware and system software levels. We continue to work on this problem, and this talk is partially a call to action for the security community to devise additional novel methods to mitigate against insider attacks on components in the mobile device landscape.