The risk of information leakage and the Slingbox Pro

Security is hard. Sometimes, you secure the information well enough that it is infeasible to determine what the encrypted information is, and you feel like you’ve done well. Normally, that would be enough. However, sometimes some clever folks come along and look at the characteristics that aren’t subject to encryption to figure out what the secured data is. Basically, this is an attack on the secondary information in the stream. So what, exactly, does this mean? Well, in this particular instance, I found the security and privacy analysis on gadgets extremely interesting. These researchers were able to determine with extremely high accuracy what movies were being streamed from a Slingbox Pro based on the variation in the amount of data sent. They couldn’t tell what the data was, but could still count the number of bits and compare that information to known characteristics of the unencrypted streams from movies to guess what was being passed.

The Slingbox Pro is not the only target of their investigations, but it is the most interesting to me. They also find privacy issues with the Nike+iPod Sport Kit and security issues with Microsoft’s Zune social relationships.

We analyze three new consumer electronic gadgets in order to gauge the privacy and security trends in mass-market UbiComp devices. Our study of the Slingbox Pro uncovers a new information leakage vector for encrypted streaming multimedia. By exploiting properties of variable bitrate encoding schemes, we show that a passive adversary can determine with high probability the movie that a user is watching via her Slingbox, even when the Slingbox uses encryption. We experimentally evaluated our method against a database of over 100 hours of network traces for 26 distinct movies.

Despite an opportunity to provide significantly more location privacy than existing devices, like RFIDs, we find that an attacker can trivially exploit the Nike+iPod Sport Kit’s design to track users; we demonstrate this with a GoogleMaps-based distributed surveillance system. We also uncover security issues with the way Microsoft Zunes manage their social relationships.

. . .

We test this algorithm on a dataset consisting of over 100 hours of network throughput data. With only 10 minutes worth of monitoring data, we are able to predict with 62% accuracy the movie that is being watched (on average over all movies); this compares favorably with the less than 4% accuracy that one would achieve by random chance. With 40 minutes worth of monitoring data, we are able to predict the movie with 77% accuracy. For certain movies we can do significantly better; for 15 out of the 26 movies, given a 40 minute trace we are able to predict the correct movie with over 98% accuracy. Given the simplicity of our algorithm, this indicates a significant amount of information leakage – a fact that is not immediately obvious to the users, who likely trust the built in encryption in the device to protect privacy.

Any transmission method whose characteristics depend on the content that is being transmitted is susceptible to the kind of attack we have described. As the world moves towards more advanced multimedia compression methods, and streaming media becomes ubiquitous, variable bitrate encoding is here to stay. Preventing information leakage in variable bitrate streams without a significant performance penalty is an interesting challenge for both the signal processing and the security communities. More broadly, a fundamental challenge that we must address is how to identify, understand, and mitigate information leakage channels in the full range of upcoming UbiComp devices.

The entire report is 23 pages, although a moderate portion of that is footnotes, citations, or images. If you are interested in indirect attacks on security, however, it is well worth the 20-30 minutes it will take to read for understanding.

Also, I realize that they had a significantly constrained data set, which eased their analysis and improved accuracy. However, the whole point of security vulnerability research is finding attacks that work in any manner. From there, attacks against static defenses will never regress – they either get better or stay the same if not worked on. In other words, this data problem has been shown on a limited data set. Given sufficient time and computational resources, it will still work against larger data sets, including the data set of all available streamed media. It might currently be infeasible to properly determine most of the possible data streams, but computational power is ever increasing, storage space is expanding and getting cheaper, and the time necessary to analyze any stream will continue to go down.

This is a hard-to-solve problem for folks that are concerned about privacy, and one that I believe the engineers at Slingbox will continue working on. Their use of decent cryptography already shows an attention to security and privacy. I expect to see updates in the distribution system to reduce secondary data characteristic attack possibilities in the future. (via Freedom-to-tinker)
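
The leakage described above, and the cost of closing it, can be measured on synthetic data. The following Python is an added example, not code from the paper or from Sling Media: the bitrate profiles, the title names and the Pearson-correlation scoring are constructed for illustration and are not the researchers' algorithm. It scores an encrypted stream's per-second throughput against reference profiles, then repeats the measurement after every interval is padded to a constant rate.

```python
import random
import statistics

def synth_profile(seed, seconds=600):
    """Constructed per-second bitrate (kbit/s): scenes of random length and complexity."""
    rng = random.Random(seed)
    out = []
    while len(out) < seconds:
        level = rng.uniform(800, 4000)            # scene complexity drives VBR output
        out.extend([level] * rng.randint(5, 40))  # scene lasts 5 to 40 seconds
    return out[:seconds]

def observe(profile, seed, jitter=150.0):
    """What a passive observer sees: encryption hides content, not per-second volume."""
    rng = random.Random(seed)
    return [max(0.0, x + rng.gauss(0, jitter)) for x in profile]

def pearson(a, b):
    """Correlation of two equal-length traces; 0.0 when either trace is flat."""
    if min(a) == max(a) or min(b) == max(b):
        return 0.0
    ma, mb = statistics.fmean(a), statistics.fmean(b)
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b)) / len(a)
    return cov / (statistics.pstdev(a) * statistics.pstdev(b))

def leakage_scores(trace, library):
    """Higher score = the trace's shape reveals more about that reference title."""
    return {name: pearson(trace, ref) for name, ref in library.items()}

def pad_to_constant_rate(trace, ceiling):
    """Mitigation: each interval carries exactly `ceiling` (payload plus dummy bytes)."""
    if max(trace) > ceiling:
        raise ValueError("ceiling below peak rate; stream would stall")
    return [ceiling] * len(trace)

def padding_overhead(trace, ceiling):
    """Extra bandwidth the padded stream costs, as a fraction of the original volume."""
    return ceiling * len(trace) / sum(trace) - 1.0

# Constructed sample data: five hypothetical titles, one observed encrypted stream.
LIBRARY = {f"title-{i}": synth_profile(i) for i in range(5)}
OBSERVED = observe(LIBRARY["title-3"], seed=99)
CEILING = max(OBSERVED)
PADDED = pad_to_constant_rate(OBSERVED, CEILING)

if __name__ == "__main__":
    before = leakage_scores(OBSERVED, LIBRARY)
    after = leakage_scores(PADDED, LIBRARY)
    print("unpadded best match:", max(before, key=before.get), before)
    print("padded scores:", after)
    print("bandwidth overhead: %.0f%%" % (100 * padding_overhead(OBSERVED, CEILING)))
```

The padded trace carries no shape to correlate against, but the overhead figure shows why the paper calls doing this without a significant performance penalty an open problem.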
