Assuring PRivacy for Internet COnnected Things – Apricot

With a combination of binary-level function detection and information flow tracking, data can be traced through applications along its life cycle, tracking its usage and detecting potential privacy breaches when they occur. By combining state-of-the-art binary analysis with dynamic data flow tracking in the cloud through JIT compiler instrumentation, we achieve an end-to-end privacy tracking of sensitive data.

This project aims at automating the verification of privacy goals of IoT services, from sensor devices all the way into the cloud services — during development and after deployment.

Privacy by itself is not a financial advantage and correspondingly offers limited incentive for companies to invest, especially in the current market where few American companies control entire markets and huge shares of online data, but have little incentive for pursuing privacy protection. The consortium contributes to technology which can be applied in future certification schemes for IoT and Cloud privacy enforcement within the European Cybersecurity Act. The resulting benefits go beyond the project partners and will be available for society and the open European market, thus, justifying public support for the developed technologies.

Outcomes of our work in the ENCOPIA project:

Wichelmann, J., Pätschke, A., Wilke, L., & Eisenbarth, T. (2023). Cipherfix: Mitigating Ciphertext Side-Channel Attacks in Software. 32nd USENIX Security Symposium, USENIX Security 2023. www.usenix.org/conference/usenixsecurity23/presentation/wichelmann
Wichelmann, J., Peredy, C., Sieck, F., Pätschke, A., & Eisenbarth, T. (2023). MAMBO-V: Dynamic Side-Channel Leakage Analysis on RISC-V. Detection of Intrusions and Malware, and Vulnerability Assessment: 20th International Conference, DIMVA 2023, Proceedings, 3–23. doi.org/10.1007/978-3-031-35504-2_1
Casagrande, M., Losiouk, E., Conti, M., Payer, M., & Antonioli, D. (2022). BreakMi: Reversing, Exploiting and Fixing Xiaomi Fitness Tracking Ecosystem. IACR Trans. Cryptogr. Hardw. Embed. Syst. (TCHES). doi.org/10.46586/tches.v2022.i3.330-366
Wichelmann, J., Sieck, F., Pätschke, A., & Eisenbarth, T. (2022). Microwalk-CI: Practical Side-Channel Analysis for JavaScript Applications. Proceedings of the 2022 ACM SIGSAC Conference on Computer And Communications Security, CCS 2022. doi.org/10.1145/3548606.3560654
TalksPermalink
Marco Casagrande & Daniele Antonioli: BreakMi: Reversing, Exploiting and Fixing Xiaomi (and Fitbit) Fitness Tracking Ecosystems, hardwear.io USA, 2023.

Today’s IoT devices are used to collect huge amounts of data. In turn, Big Data analytics are used to analyze this data to provide new services. As the world becomes pervasively sentient with sensors placed in all kinds of daily devices, opting out is no longer possible. Connected devices will record personal information of all passersby, resulting in a conflict between the right to privacy of individuals and the interest of making the benefits of big data analytics available to society on the other side.
To make both goals achievable, great care in the design and development of the complete IoT system from the device to connected cloud services is necessary. This project aims at automating the verification of privacy goals of IoT services, from sensor devices all the way into the cloud services — during development and after deployment.
We propose to use methods of binary analysis to ensure that sensitive data can be tracked through programs and services by analyzing the used software and tracking data flows within them. Automated privacy analysis tools do not exist today. With a combination of binary-level function detection and information flow tracking, data can be traced through applications along its life cycle, tracking its usage and detecting potential privacy breaches. By combining state-of-the-art embedded binary analysis with dynamic data flow tracking in the cloud through JIT compiler instrumentation, we achieve an end-to-end privacy tracking of sensitive data. The consortium brings together partners from industry and academia with significant experience in building, operating and analyzing systems that handle private information and complementary skills while representing a significant market share of IoT systems in Europe.
The proposed tools can ensure that data is used as intended and that protective mechanisms are applied. The researched methods can also be applied in certification schemes under the European Cybersecurity Act.