In the context of Information-Centric Networking, Interest Flooding Attacks (IFAs) represent a new and dangerous sort of distributed denial of service. Since existing proposals targeting IFAs mainly focus on local information, in this paper we propose GNN4IFA as the first mechanism exploiting complex non-local knowledge for IFA detection by leveraging Graph Neural Networks (GNNs) handling the overall network topology.In order to test GNN4IFA, we collect SPOTIFAI, a novel dataset filling the current lack of available IFA datasets by covering a variety of IFA setups, including ~40 heterogeneous scenarios over three network topologies. We show that GNN4IFA performs well on all tested topologies and setups, reaching over 99% detection rate along with a negligible false positive rate and small computational costs. Overall, GNN4IFA overcomes state-of-the-art detection mechanisms both in terms of raw detection and flexibility, and - unlike all previous solutions in the literature - also enables the transfer of its detection on network topologies different from the one used in its design phase. @en

Xiaomi is the leading company in the fitness tracking industry. Successful attacks on its fitness tracking ecosystem would result in severe consequences, including the loss of sensitive health and personal data. Despite these relevant risks, we know very little about the security mechanisms adopted by Xiaomi. In this work, we uncover them and show that they are insecure. In particular, Xiaomi protects its fitness tracking ecosystem with custom application-layer protocols spoken over insecure Bluetooth Low-Energy (BLE) connections (ignoring standard BLE security mechanisms already supported by their devices) and TLS connections. We identify severe vulnerabilities affecting such proprietary protocols, including unilateral and replayable authentication. Those issues are critical as they affect all Xiaomi trackers released since 2016 and up-to-date Xiaomi companion apps for Android and iOS. We show in practice how to exploit the identified vulnerabilities by presenting six impactful attacks. Four attacks enable to wirelessly impersonate any Xiaomi fitness tracker and companion app, man-in-the-middle (MitM) them, and eavesdrop on their communication. The other two attacks leverage a malicious Android application to remotely eavesdrop on data from a tracker and impersonate a Xiaomi fitness app. Overall, the attacks have a high impact as they can be used to exfiltrate and inject sensitive data from any Xiaomi tracker and compatible app. We propose five practical and low-overhead countermeasures to mitigate the presented vulnerabilities. Moreover, we present breakmi, a modular toolkit that we developed to automate our reverse-engineering process and attacks. breakmi understands Xiaomi application-layer proprietary protocols, reimplements Xiaomi security mechanisms, and automatically performs our attacks. We demonstrate that our toolkit can be generalized by extending it to be compatible with the Fitbit ecosystem. We will open-source breakmi.@en

The Internet model has changed from its first design, rolling from host-centric to information-centric. Consequently, researchers foresee the urge for a new network paradigm that will be more suitable for the need of nowadays users. Named-Data Networking (NDN) adheres to the Information-Centric Networking (ICN) paradigms that have been proposed as possible current Internet substitutes. New proposals concerning NDN-related challenges are released regularly. However, most of these proposals are evaluated using network simulations or theoretical analysis due to lacking a full-stack NDN testbed. Although valid, research has shown that simulation environments or proposed overlay testbeds disturb the experiments and introduce performance mismatches. Motivated by the shreds of evidence mentioned above, we propose a setup of an NDN testbed composed of Raspberry Pi devices. After that, we conduct performance analysis for crucial NDN features such as name-based forwarding, in-network caching, and data packet signing. Our experiments confirm the benefits of enabling caches in intermediate nodes. Furthermore, we compare different signing algorithms based on the producer's goodput and processing time. Indeed, SHA-256 is confirmed as the most lightweight with 103 Mpbs goodput and 130 µs processing time. Nevertheless, a security and performance trade-off must be met. On the other hand, as research has demonstrated, such features can be exploited to compromise users' privacy and degrade the network's performance. Additionally, the attack performance might change while implemented in a real deployment. To validate such effects, we transfer two state-of-the-art privacy attacks from a simulation domain to a physical environment, i.e., our testbed. While one of the transferred attacks preserves the preciseness on the testbed, the other demonstrates result mismatches. @en

The Internet model has changed from its first design, rolling from host-centric to information-centric. Consequently, researchers foresee the urge for a new network paradigm that will be more suitable for the need of nowadays users. Named-Data Networking (NDN) adheres to the Information-Centric Networking (ICN) paradigms that have been proposed as possible current Internet substitutes. New proposals concerning NDN-related challenges are released regularly. However, most of these proposals are evaluated using network simulations or theoretical analysis due to lacking a full-stack NDN testbed. Although valid, research has shown that simulation environments or proposed overlay testbeds disturb the experiments and introduce performance mismatches. Motivated by the shreds of evidence mentioned above, we propose a setup of an NDN testbed composed of Raspberry Pi devices. After that, we conduct performance analysis for crucial NDN features such as name-based forwarding, in-network caching, and data packet signing. Our experiments confirm the benefits of enabling caches in intermediate nodes. Furthermore, we compare different signing algorithms based on the producer's goodput and processing time. Indeed, SHA-256 is confirmed as the most lightweight with 103 Mpbs goodput and 130 µs processing time. Nevertheless, a security and performance trade-off must be met. On the other hand, as research has demonstrated, such features can be exploited to compromise users' privacy and degrade the network's performance. Additionally, the attack performance might change while implemented in a real deployment. To validate such effects, we transfer two state-of-the-art privacy attacks from a simulation domain to a physical environment, i.e., our testbed. While one of the transferred attacks preserves the preciseness on the testbed, the other demonstrates result mismatches. @en

The Internet model has changed from its first design, rolling from host-centric to information-centric. Consequently, researchers foresee the urge for a new network paradigm that will be more suitable for the need of nowadays users. Named-Data Networking (NDN) adheres to the Information-Centric Networking (ICN) paradigms that have been proposed as possible current Internet substitutes. New proposals concerning NDN-related challenges are released regularly. However, most of these proposals are evaluated using network simulations or theoretical analysis due to lacking a full-stack NDN testbed. Although valid, research has shown that simulation environments or proposed overlay testbeds disturb the experiments and introduce performance mismatches. Motivated by the shreds of evidence mentioned above, we propose a setup of an NDN testbed composed of Raspberry Pi devices. After that, we conduct performance analysis for crucial NDN features such as name-based forwarding, in-network caching, and data packet signing. Our experiments confirm the benefits of enabling caches in intermediate nodes. Furthermore, we compare different signing algorithms based on the producer's goodput and processing time. Indeed, SHA-256 is confirmed as the most lightweight with 103 Mpbs goodput and 130 µs processing time. Nevertheless, a security and performance trade-off must be met. On the other hand, as research has demonstrated, such features can be exploited to compromise users' privacy and degrade the network's performance. Additionally, the attack performance might change while implemented in a real deployment. To validate such effects, we transfer two state-of-the-art privacy attacks from a simulation domain to a physical environment, i.e., our testbed. While one of the transferred attacks preserves the preciseness on the testbed, the other demonstrates result mismatches. @en

Collective Remote Attestation (CRA) is a well-established approach where a single Verifier attests the integrity of multiple devices in a single execution of the challenge-response protocol. Current CRA solutions are well-suited for Internet of Things (IoT) networks, where the devices are distributed in a mesh topology and communicate only with their physical neighbours. Recent advancements on low-energy protocols, though, enabled the IoT devices to connected to the Internet, thus disrupting the concept of physical neighbour. In this paper, we propose HolA (Holistic and Autonomous Attestation), the first CRA scheme designed for Internet-like IoT networks. HolA provides defence against attacks targeting both the nodes and the network infrastructure. We deployed HolA on both a network of real devices (i.e., 5 Raspberry Pis) and a simulated environment (i.e., 1M devices in an Omnet++ network). Our results demonstrate that HolA can resist against a disruptive attacker that compromises up to half of the network devices and that tampers with network traffic. HolA can verify the integrity of 1M devices in around 12 s while the state-of-the-art requires 71 s. Finally, HolA requires 7 times less memory per device compared with the state-of-the-art.@en

WebView objects allow Android apps to render web content in the app context. More specifically, in Android hybrid apps (i.e., those having both Android code and web code) the web content can interact with the underlying Android framework through Java interfaces and WebViewClient objects. Thus, while rendering web content a hybrid app can execute malicious Javascript code that can access the sensitive data on the device, bypassing the sandbox model usually adopted by standalone browsers. Researchers already analyzed the security issues of WebView objects, by focusing on Javascript interfaces. However, we believe that there are other aspects related to the rendering of web content in Android apps, such as WebViewClient objects, that could lead to security issues. In this paper, we introduce three new types of vulnerabilities related to WebView, that expose new attack surfaces concerning the most well-known vulnerability related to JavaScript interfaces. To detect these new types of vulnerabilities, we designed WebVSec, a static analysis system that relies on a set of custom inference rules, heuristically formalized. By designing WebVSec to detect also the vulnerability already described in the state-of-art, we were able to compare WebVSec with BabelView on a set of 2000 applications. BabelView was found not able to detect our new three types of vulnerabilities and also less precise and efficient in detecting the already known vulnerability. In particular, over the 2000 analyzed apps, WebVSec and BabelView identified 48 and 18 vulnerable apps, respectively. Among those, WebVSec found 20 apps having a specific type of vulnerabilities and 36 apps having another type of vulnerabilities, while BabelView found 11 and 0 apps, respectively. In terms of efficiency, WebVSec took 27.16 hours to analyze the whole set of 2000 applications against the 63.64 hours required by BabelView.@en

PATTA is the first privacy attack based on network traffic analysis in Information-Centric Networking. PATTA aims to automatically identify the category of requested content by sniffing the communication towards the first hop router. PATTA applies text processing and machine learning techniques to content names in content-oriented architectures. We evaluate PATTA in a simulated network, achieving an accuracy in determining a real-time content category equal to 96%. @en

Today's Internet is experiencing a massive number of users with a continuously increasing need for data, which is the leading cause of introduced limitations among security and privacy issues. To overcome these limitations, a shift from host-centric to data-centric is proposed, and in this context, Information-Centric Networking (ICN) represents a promising solution. Nevertheless, unsettling the current Internet's network layer - i.e., Internet Protocol (IP) - with ICN is a challenging, expensive task since it requires worldwide coordination among Internet Service Providers (ISPs), backbone, and Autonomous Services (AS). Therefore, researchers foresee that the replacement process of the current Internet will transition through the coexistence of IP and ICN. In this perspective, novel architectures combine IP and ICN protocols. However, only a few of the proposed architectures place the security-by-design feature. Therefore, this article provides the first comprehensive Security and Privacy (SP) analysis of the state-of-the-art IP-ICN coexistence architectures by horizontally comparing the SP features among three deployment approaches - i.e., overlay, underlay, and hybrid - and vertically comparing among the ten considered SP features. Lastly, the article sheds light on the open issues and possible future directions for IP-ICN coexistence. Our analysis shows that most architectures fail to provide several SP features, including data and traffic flow confidentiality, availability, and anonymity of communication. Thus, this article shows the secure combination of current and future protocol stacks during the coexistence phase that the Internet will definitely walk across.@en

Today's Internet is experiencing a massive number of users with a continuously increasing need for data, which is the leading cause of introduced limitations among security and privacy issues. To overcome these limitations, a shift from host-centric to data-centric is proposed, and in this context, Information-Centric Networking (ICN) represents a promising solution. Nevertheless, unsettling the current Internet's network layer - i.e., Internet Protocol (IP) - with ICN is a challenging, expensive task since it requires worldwide coordination among Internet Service Providers (ISPs), backbone, and Autonomous Services (AS). Therefore, researchers foresee that the replacement process of the current Internet will transition through the coexistence of IP and ICN. In this perspective, novel architectures combine IP and ICN protocols. However, only a few of the proposed architectures place the security-by-design feature. Therefore, this article provides the first comprehensive Security and Privacy (SP) analysis of the state-of-the-art IP-ICN coexistence architectures by horizontally comparing the SP features among three deployment approaches - i.e., overlay, underlay, and hybrid - and vertically comparing among the ten considered SP features. Lastly, the article sheds light on the open issues and possible future directions for IP-ICN coexistence. Our analysis shows that most architectures fail to provide several SP features, including data and traffic flow confidentiality, availability, and anonymity of communication. Thus, this article shows the secure combination of current and future protocol stacks during the coexistence phase that the Internet will definitely walk across.@en

Several ongoing research efforts aim to design potential Future Internet Architectures, among which Named-Data Networking (NDN) introduces a shift from the existing host-centric Internet Protocol-based Internet infrastructure towards a content-oriented one. However, researchers have identified some design limitations in NDN, among which some enable to build up a new type of Distributed Denial of Service attack, better known as Interest Flooding Attack (IFA). In IFA, an adversary issues not satisfiable requests in the network to saturate the Pending Interest Table (PIT) of NDN routers and prevent them from properly handling the legitimate traffic. Researchers have been trying to mitigate this problem by proposing several detection and reaction mechanisms, but all the mechanisms proposed so far are not highly effective and, on the contrary, heavily damage the legitimate traffic. In this paper, we propose a novel mechanism for IFA detection and mitigation, aimed at decreasing the memory consumption of the PIT by effectively reducing the malicious traffic that passes through each NDN router. In particular, our protocol exploits an effective management strategy on the PIT, through which the Malicious Interest (MIs) already stored in the PIT are removed and the new incoming MIs are dropped. In addition, the proposed countermeasure provides an additional security wall on the edges of the network to detect and mitigate the attack as early as possible and improve the network health, i.e., routers PIT occupancy during IFA. To evaluate the effectiveness of our work, we implemented the proposed countermeasure on the open-source ndnSIM simulator and compared its effectiveness with the state of the art. The results show that our proposed countermeasure effectively reduces the IFA damages both in terms of preserved legitimate traffic and availability of routers PIT. Considering the legitimate traffic, the amount of Benign Interests preserved by our approach increases from 5% to 40% with respect to the preservation guaranteed by the state-of-the-art solutions. Concerning the routers PIT availability, our approach guarantees that the 97% of the PIT size is left free for handling the legitimate traffic.@en

Several ongoing research efforts aim to design potential Future Internet Architectures, among which Named-Data Networking (NDN) introduces a shift from the existing host-centric Internet Protocol-based Internet infrastructure towards a content-oriented one. However, researchers have identified some design limitations in NDN, among which some enable to build up a new type of Distributed Denial of Service attack, better known as Interest Flooding Attack (IFA). In IFA, an adversary issues not satisfiable requests in the network to saturate the Pending Interest Table (PIT) of NDN routers and prevent them from properly handling the legitimate traffic. Researchers have been trying to mitigate this problem by proposing several detection and reaction mechanisms, but all the mechanisms proposed so far are not highly effective and, on the contrary, heavily damage the legitimate traffic. In this paper, we propose a novel mechanism for IFA detection and mitigation, aimed at decreasing the memory consumption of the PIT by effectively reducing the malicious traffic that passes through each NDN router. In particular, our protocol exploits an effective management strategy on the PIT, through which the Malicious Interest (MIs) already stored in the PIT are removed and the new incoming MIs are dropped. In addition, the proposed countermeasure provides an additional security wall on the edges of the network to detect and mitigate the attack as early as possible and improve the network health, i.e., routers PIT occupancy during IFA. To evaluate the effectiveness of our work, we implemented the proposed countermeasure on the open-source ndnSIM simulator and compared its effectiveness with the state of the art. The results show that our proposed countermeasure effectively reduces the IFA damages both in terms of preserved legitimate traffic and availability of routers PIT. Considering the legitimate traffic, the amount of Benign Interests preserved by our approach increases from 5% to 40% with respect to the preservation guaranteed by the state-of-the-art solutions. Concerning the routers PIT availability, our approach guarantees that the 97% of the PIT size is left free for handling the legitimate traffic.@en

People usually think that digital screens are reliable devices. Unfortunately, attackers can exploit this blind trust to persuade a user to perform unintended actions. In this paper, we present a novel type of Man-in-the-Middle attack named Man-in-the-Video. Man-in-the-Video intercepts the video stream flowing between a computer and its screen and modifies it on-the-fly. The objective of such attack is to distort the perception of reality and to induce improper user behaviour. We implemented HackDMI, a Man-in-the-Video attack performed over an HDMI cable. We applied this attack to a realistic threat scenario (i.e., phishing) and we evaluated it with quantitative measures. HackDMI is able to deceptively modify a 720p video stream, while maintaining a frame-rate of 14FPS. We also recorded three demo videos for qualitative evaluation.@en

Face recognition has been one of the major biometric authentication procedures in smart devices that allows users to provide an additional layer of security for accessing their device. The accuracy of image similarity should depend on the face and its expression, as could be extracted from the whole image. Importantly, the background may have a substantial amount of additional information that can potentially pose a threat to the privacy of the user. In this paper, we report the impact of background on the recommended measure of similarity, Euclidean-L2, across different pictures that represent distinguishable emotions and image background. Additionally, we report that this impact of the background varies for different ethnic groups. Our findings are despite the fact that background should not matter for Face Recognition. For each facial image, we perform two preprocessings, gray-scaling and background whitening, and compute the similarity between the original image and the preprocessed image by using the DeepFace Face Recognition System. We have considered six data sets, i) containing 100 blurry images of one American man, ii) and iii) contained 100 images each of one American man in normal settings, iv) contained 50 each of East Asian men and women, v) contained 50 each of Indian men and women, and vi) contained 50 each of African or African-American men and women. We observe that gray scaling or background whitening images makes them dissimilar, often to the point of being unrecognisable. Overall, we report that the information contained in the background of a facial image can be significant and it can have different impacts across different skin complexions and facial structure. Importantly, our initial results bring up an important question of how to identify the images having a higher risk of exposing private information via the background of a facial image. @en

Android is currently the most widespread operating system (OS) worldwide, but also the most prone to attacks. Despite the challenges faced by Industry and Academia to improve the Android OS security, it still has several vulnerabilities. Among those, the severity of the Next-Intent Vulnerability (NIV) can be immediately grasped. Android apps are made of components, which by default are private and cannot be targeted by other apps on the same phone. However, NIV allows any app to access the private components of a different app, eventually generating a crash or stealing sensitive data. NIV occurs when there is a chain of calls among different components based on the Intent messaging model and there is no control over the reliability of the first component triggering the call. NIV was first detected in 2013, but it is still an open issue. In this paper, we present Next-Intent Vulnerability Detector (NI VD), a novel approach to detect NIV in Android apps by relying on type systems. NI VD applies the inference rules of its type system to the app execution paths containing a sequence of calls to three NIV-related Android APIs. Compared to the state-of-the-art, NI VD is faster and more efficient, without losing precision in detecting NIV. Finally, through NI VD Google Photos was found to be vulnerable, and we disclosed the finding on the Google official bug report website (issue number 124342801).@en

Android is currently the most widespread operating system (OS) worldwide, but also the most prone to attacks. Despite the challenges faced by Industry and Academia to improve the Android OS security, it still has several vulnerabilities. Among those, the severity of the Next-Intent Vulnerability (NIV) can be immediately grasped. Android apps are made of components, which by default are private and cannot be targeted by other apps on the same phone. However, NIV allows any app to access the private components of a different app, eventually generating a crash or stealing sensitive data. NIV occurs when there is a chain of calls among different components based on the Intent messaging model and there is no control over the reliability of the first component triggering the call. NIV was first detected in 2013, but it is still an open issue. In this paper, we present Next-Intent Vulnerability Detector (NI VD), a novel approach to detect NIV in Android apps by relying on type systems. NI VD applies the inference rules of its type system to the app execution paths containing a sequence of calls to three NIV-related Android APIs. Compared to the state-of-the-art, NI VD is faster and more efficient, without losing precision in detecting NIV. Finally, through NI VD Google Photos was found to be vulnerable, and we disclosed the finding on the Google official bug report website (issue number 124342801).@en

Xiaomi is the market leader in the electric scooter (e-scooter) segment, with millions of active users. It provides several e-scooter models and Mi Home, a mobile application for Android and iOS to manage and control an e-scooter. Mi Home and the e-scooter interact via Bluetooth Low Energy (BLE). No prior research evaluated the security of this communication channel, as it employs security protocols proprietary to Xiaomi. Exploiting these protocols results in severe security, privacy, and safety issues, e.g., an attacker could steal an e-scooter or prevent the owner from controlling it. In this work, we fill this research gap by performing the first security evaluation on all proprietary wireless protocols deployed to Xiaomi e-scooters from 2016 to 2021. We identify and reverse-engineer four of them, each having ad-hoc Pairing and Session phases. We develop four attacks exploiting these protocols at the architectural level, and we call them Malicious Pairing (MP) and Session Downgrade (SD). Both attacks can be performed from proximity, if the attacker's machine is within BLE range of the target e-scooter, or remotely, via a malicious application co-located with Mi Home. An adversary can utilize MP and SD to steal a password-protected and software-locked e-scooter, or to prevent a victim from accessing it via Mi Home. We isolate six attack root causes, including the lack of authentication while pairing, and the improper enforcement of the e-scooter password. We open-source the E-Spoofer toolkit. Our toolkit automates the MP and SD attacks, and includes a reverse-engineering module for future research. We empirically confirm the effectiveness of our attacks by exploiting three e-scooters (i.e., M365, Essential, and Mi 3), embedding five BLE subsystem boards and eight BLE firmware versions that support all four Xiaomi protocols. We design and evaluate two practical countermeasures that address our impactful attacks and their root causes, and we release them as part of E-Spoofer. We responsibly disclosed our findings to Xiaomi. @en

Among the possible future Internet architectures, Information Centric Networking (ICN) is the most promising one and researchers working on the Named Data Networking (NDN) project are putting efforts towards its deployment in a real scenario. To properly handle content names, the different components of an NDN network need efficient and scalable data structures. In this paper, we propose a new data structure to support the NDN forwarding procedure by replacing the current Forwarding Information Base (FIB): the Spatial Bloom Filter (SBF), a probabilistic data structure that guarantees fast lookup and efficient memory consumption. Through a set of simulations run to compare the performance of FIB and SBF, we found that the latter uses less than 5 KB of data to handle 106 queried interests, with a (negligible) probability 10-4 of false positive events. Conversely, the FIB requires up to 2.5 GB of data in disadvantageous cases, e.g. when interests are composed of a considerable number of components.@en

Among the possible future Internet architectures, Information Centric Networking (ICN) is the most promising one and researchers working on the Named Data Networking (NDN) project are putting efforts towards its deployment in a real scenario. To properly handle content names, the different components of an NDN network need efficient and scalable data structures. In this paper, we propose a new data structure to support the NDN forwarding procedure by replacing the current Forwarding Information Base (FIB): the Spatial Bloom Filter (SBF), a probabilistic data structure that guarantees fast lookup and efficient memory consumption. Through a set of simulations run to compare the performance of FIB and SBF, we found that the latter uses less than 5 KB of data to handle 106 queried interests, with a (negligible) probability 10-4 of false positive events. Conversely, the FIB requires up to 2.5 GB of data in disadvantageous cases, e.g. when interests are composed of a considerable number of components.@en

A growing trend in repackaging attacks exploits the Android virtualization technique, in which malicious code can run together with the victim app in a virtual container. In such a scenario, the attacker can directly build a malicious container capable of hosting the victim app instead of tampering with it, thus neglecting any anti-repackaging protection developed so far. Also, existing anti-virtualization techniques are ineffective since the malicious container can intercept - and tamper with - such controls at runtime. So far, only two solutions have been specifically designed to address virtualization-based repackaging attacks. However, their effectiveness is limited since they both rely on static taint analysis, thus not being able to evaluate code dynamically loaded at runtime. To mitigate such a problem, in this paper we introduce MARVEL, the first methodology that allows preventing both traditional and virtualization-based repackaging attacks. MARVEL strongly relies on the virtualization technique to build a secure virtual environment where protected apps can run and be checked at runtime. To assess the viability and reliability of MARVEL, we implemented it in a tool, i.e., MARVELoid, that we tested by protecting 4000 apps with 24 different configurations of the protection parameters (i.e., 96k protection combinations). MARVELoid was able to inject the protection into 97.3% of the cases, with a processing time of 98 seconds per app on average. Moreover, we evaluated the runtime overhead on 45 apps, showing that the introduced protection has a negligible impact in terms of average CPU (<5%) and memory overhead (<0.5%).@en