Inside GNSS Media & Research

NOV-DEC 2017

Issue link:

Contents of this Issue


Page 60 of 67 N O V E M B E R / D E C E M B E R 2 0 1 7 Inside GNSS 61 of the channel (ANs' RSS signature at the user position equates to the user's RSSs at the ANs' location) allows one to estimate the user location by match- ing the observed RSS to a radio map. A test performed in a four-floor uni- versity building in Tampere, Finland showed that the accuracy that can be obtained by an eavesdropper for RSS based FP in WLANs is about 8 meters and typically below 10 meters in more than 70-80% of cases, as illustrated in Figure 2 . Figure 2 shows the positioning accu- racy (in terms of cumulative distribu- tion of the distance error) that can be obtained by an adversary for the pre- viously mentioned four-floor building. Three different cases are included: i) the adversary has access to the training database (radio map) and to both MAC addresses and RSS measured by the untrusted network from the attacked device (FP method, average accuracy about 8 meters), ii) the adversary has access to the training database and MAC address knowledge (rank based FP method, average accuracy about 17 meters), and iii) no training phase is needed (the radio map is predicted based on a simplified path loss (PL) model) and the adversar y uses only MAC address k nowledge (PL , rank based FP method, average accuracy about 27 meters). For networks with a low density of untrusted ANs, i.e., a few ANs placed in the building by an adversary, even the last approach would still offer building-level accuracy. If the adversary additionally has an actual radio map (i.e., training database), the average accuracy can decrease to about 17 meters or even 8 meters, depending on the positioning information used (MAC only or MAC+RSS). In the network-centric setting, the same vulnerabilities exist. Additional risks arise due to the involvement of an LSP, storing and processing the user's data with his consent, and the transmis- sion of information that is part of the positioning process, for example, the RSS signature measured by the user, or the estimated position that is forwarded by the LSP to the LBSP. Methods to pre- vent this are addressed later in this article. While some location-related vul- nerabilities can only be exploited if the attacker has access to the network or information about it, others require information about the positioning sys- tem. In the worst case, the adversary is an untrusted network operator or LSP who intentiona lly computes and/or leaks the location data, or who provides unintentional access to information that allows a third party to compute and/or leak the sensitive information. Assuming a trustworthy LSP/net- work operator, a mobile-centric posi- tioning system preserves the location privacy better than a network-centric one because of the reduced communi- cation or signaling between the user and the network. e location privacy in a mobile-centric WLAN position- ing system can be further protected if the user does not need to associate with an AN and all necessary data for positioning. For example, a fingerprint database or access node position are broadcast while the user device just listens using 802.11's "monitor mode" (F. Gschwandtner et alia). However, this scenario is limited to special use cases because this mode hinders communi- cations for the user and is usually not enabled by the user. Fu r t her a rg u ment s a ga i nst t he mobile-centric approach exist. First, the radio map is a valuable key component for the location service provider, which is therefore reluctant to make it avail- able without obtaining the user's loca- tion information in exchange. Secondly, maintaining multiple copies of the data- base implies additional costs. irdly, the mobile devices might lack sufficient memory and processing power. Thus, network-centric fingerprinting systems are the common case and one question becomes apparent: is the location service provider trustworthy? If the LSP/network operator cannot be trusted, then an end-to-end encryp- tion is required to preserve location privacy. For a network-centric position- ing system, in which the user's loca- tion is estimated by the LSP, end-to- end encryption can be achieved if the required computations are executed on the encrypted data. Homomorphic encryption allows computations on the encrypted data that, once decrypted, equal the result of the same computa- tions performed on the plain data. For exa mple, t he Pa l lier cr y ptosystem, which provides only additive homomor- phism and therefore reduces computa- tional complexity, has been applied to WLAN fingerprinting (H. Li et alia). As the homomorphic property is reduced to additions, more complex operations can be decomposed and precomputed such that the LSP can perform signature matching based on additions only. How- ever, transmitting several precomputed terms increases the communication overheads. Alternative secure two-party computation protocols, such as Additive Sharing, Yao's Garbled Circuits, might further reduce the computational bur- den. Their use for RSS-based finger- printing is currently under investigation. One might conclude that, in order to achieve reasonable location privacy on the device, an end-to-end encryption is indispensable during communications and at the LSP side. e use of (partial- ly) homomorphic encryption points to a promising direction, however, many practical issues have still to be solved. Given the diversity of pattern match- ing algorithms used in fingerprinting, the privacy protection scheme must be included in the design of the position- ing system. Timing and Angle-Based Techniques Ty pica l ly, t i mi ng a nd a ng le-based positioning methods require that the user device is communicating with the network. Examples of timing and a ng le-ba sed posit ion i ng solut ions widely used in cellular systems are, for example: TOA, TDOA, Round Trip Times (RTT), Time Of Flights (TOF), Angle or Direction of Arrival (AOA/ DOA), Differential Direction of Arriv- al (DDOA), etc. Due to these commu- nications over wireless channels, an untrusted network could get access to the user location information, but due to sy nchronization, authentication, and signaling requirements in various cellular and non-cellular communica- tion networks, it is much harder for an attacker to build such an untrusted

Articles in this issue

Links on this page

view archives of Inside GNSS Media & Research - NOV-DEC 2017