Thanks to modern technology, you can open a car door or smart gate without pressing a button and pay for your groceries by simply showing your debit card to a payment terminal. Transparent authentication systems like these are easy to use, but the other side of the coin may be weak information security. Machine learning is one way of improving transparent authentication, and this is one of the topics on which Mika Juuti, a doctoral candidate at Aalto University, focused in his dissertation.
Transparent authentication systems aim to anticipate a user’s intention to access a system. They are based on two physical devices communicating with each other, such as a smart key and a car or a smart gate. When the car or the gate verifies that the user is close by, the door or the gate opens. In keyless cars, for example, this happens by measuring the radio signal sent by the car key.
Manufacturers of many expensive cars have recently suffered from problems related to transparent authentication systems, as the radio signal between the car key and the car’s authentication system is easy to manipulate. In these types of attacks – called relay attacks – the attacker places two relays between the car and the key that strengthen the connection. Consequently, the door opens even though, in reality, the key was nowhere near the car.
Making use of machine learning in information security was a central theme in Juuti’s dissertation. In the first part of his dissertation, Juuti studied systems that aim to attack transparent authentication systems and how transparent authentication systems can defend themselves against such attacks.
As a part of the research project, Juuti and his colleagues developed STASH, an Android-based mobile app designed to prevent relay attacks. It allows access to a system’s database, or use of the system, only if it can ensure that, for example, the key is close to the smart gate.
The STASH app estimates proximity based on the user's previous trajectories. The system is secure because the attacker cannot manipulate the acceleration or gyro sensors of a key or similar device. STASH could effectively prevent, for example, attacks on smart gates or smart houses. Researchers tested the new app in controlled settings and designed it in a way that allows its integration into existing transparent authentication systems.
Look at the whole picture
Juuti – who will defend his dissertation on Monday, 19th of August – says that it is important for designers and researchers to understand motives and current technology in order to design safer systems.
‘Unlike in many other disciplines, cyber security research studies an attacker who doesn’t say that they have discovered a new way of attacking because it benefits them economically or in some other way. Therefore, researchers need to anticipate problems that may arise when launching a new technology.’
According to Juuti, focusing on the whole picture and evaluating each component of a system is essential when improving information security. What is the weakest link of the system? What is the worst thing that could happen if an attacker exploits its vulnerabilities? ‘If you go through all these things, you will find many ways in which you can weaken information security properties of a system.’