CR Sep 21, 2022
Fingerprinting Robot Movements via Acoustic Side Channel
Ryan Shah, Mujeeb Ahmed, Shishir Nagaraja
In this paper, we present an acoustic side channel attack which makes use of smartphone microphones recording a robot in operation to exploit acoustic properties of the sound to fingerprint a robot's movements. In this work we consider the possibility of an insider adversary who is within physical proximity of a robotic system (such as a technician or robot operator), equipped with only their smartphone microphone. Through the acoustic side-channel, we demonstrate that it is indeed possible to fingerprint not only individual robot movements within 3D space, but also patterns of movements which could lead to inferring the purpose of the movements (i.e. surgical procedures which a surgical robot is undertaking) and hence, resulting in potential privacy violations. Upon evaluation, we find that individual robot movements can be fingerprinted with around 75% accuracy, decreasing slightly with more fine-grained movement meta-data such as distance and speed. Furthermore, workflows could be reconstructed with around 62% accuracy as a whole, with more complex movements such as pick-and-place or packing reconstructed with near perfect accuracy. As well as this, in some environments such as surgical settings, audio may be recorded and transmitted over VoIP, such as for education/teaching purposes or in remote telemedicine. The question here is, can the same attack be successful even when VoIP communication is employed, and how does packet loss impact the captured audio and the success of the attack? Using the same characteristics of acoustic sound for plain audio captured by the smartphone, the attack was 90% accurate in fingerprinting VoIP samples on average, 15% higher than the baseline without the VoIP codec employed. This opens up new research questions regarding anonymous communications to protect robotic systems from acoustic side channel attacks via VoIP communication networks.
CR May 17, 2022
Can You Still See Me?: Reconstructing Robot Operations Over End-to-End Encrypted Channels
Ryan Shah, Chuadhry Mujeeb Ahmed, Shishir Nagaraja
Connected robots play a key role in Industry 4.0, providing automation and higher efficiency for many industrial workflows. Unfortunately, these robots can leak sensitive information regarding these operational workflows to remote adversaries. While there exist mandates for the use of end-to-end encryption for data transmission in such settings, it is entirely possible for passive adversaries to fingerprint and reconstruct entire workflows being carried out -- establishing an understanding of how facilities operate. In this paper, we investigate whether a remote attacker can accurately fingerprint robot movements and ultimately reconstruct operational workflows. Using a neural network approach to traffic analysis, we find that one can predict TLS-encrypted movements with around 60% accuracy, increasing to near-perfect accuracy under realistic network conditions. Further, we also find that attackers can reconstruct warehousing workflows with similar success. Ultimately, simply adopting best cybersecurity practices is clearly not enough to stop even weak (passive) adversaries.
CR Sep 21, 2022
Reconstructing Robot Operations via Radio-Frequency Side-Channel
Ryan Shah, Mujeeb Ahmed, Shishir Nagaraja
Connected teleoperated robotic systems play a key role in ensuring operational workflows are carried out with high levels of accuracy and low margins of error. In recent years, a variety of attacks have been proposed that actively target the robot itself from the cyber domain. However, little attention has been paid to the capabilities of a passive attacker. In this work, we investigate whether an insider adversary can accurately fingerprint robot movements and operational warehousing workflows via the radio frequency side channel in a stealthy manner. Using an SVM for classification, we found that an adversary can fingerprint individual robot movements with at least 96% accuracy, increasing to near perfect accuracy when reconstructing entire warehousing workflows.
CR Oct 29, 2025
WaveVerif: Acoustic Side-Channel based Verification of Robotic Workflows
Zeynep Yasemin Erdogan, Shishir Nagaraja, Chuadhry Mujeeb Ahmed et al.
In this paper, we present a framework that uses acoustic side-channel analysis (ASCA) to monitor and verify whether a robot correctly executes its intended commands. We develop and evaluate a machine-learning-based workflow verification system that uses acoustic emissions generated by robotic movements. The system can determine whether real-time behavior is consistent with expected commands. The evaluation takes into account movement speed, direction, and microphone distance. The results show that individual robot movements can be validated with over 80% accuracy under baseline conditions using four different classifiers: Support Vector Machine (SVM), Deep Neural Network (DNN), Recurrent Neural Network (RNN), and Convolutional Neural Network (CNN). Additionally, workflows such as pick-and-place and packing could be identified with similarly high confidence. Our findings demonstrate that acoustic signals can support real-time, low-cost, passive verification in sensitive robotic environments without requiring hardware modifications.
LG Aug 12, 2025
Decentralized Weather Forecasting via Distributed Machine Learning and Blockchain-Based Model Validation
Rilwan Umar, Aydin Abadi, Basil Aldali et al.
Weather forecasting plays a vital role in disaster preparedness, agriculture, and resource management, yet current centralized forecasting systems are increasingly strained by security vulnerabilities, limited scalability, and susceptibility to single points of failure. To address these challenges, we propose a decentralized weather forecasting framework that integrates Federated Learning (FL) with blockchain technology. FL enables collaborative model training without exposing sensitive local data; this approach enhances privacy and reduces data transfer overhead. Meanwhile, the Ethereum blockchain ensures transparent and dependable verification of model updates. To further enhance the system's security, we introduce a reputation-based voting mechanism that assesses the trustworthiness of submitted models while utilizing the Interplanetary File System (IPFS) for efficient off-chain storage. Experimental results demonstrate that our approach not only improves forecasting accuracy but also enhances system resilience and scalability, making it a viable candidate for deployment in real-world, security-critical environments.
CY Feb 24, 2022
When is Software a Medical Device? Understanding and Determining the 'Intention' and Requirements for Software as a Medical device in EU law
Kaspar Rosager Ludvigsen, Shishir Nagaraja, Angela Daly
The role of software in society has changed drastically since the start of the 21st century. Software can now partially or fully facilitate anything from diagnosis to treatment of a disease, regardless of whether it is psychological or pathological, with the consequence of software being comparable to any other type of medical equipment, and this makes discovering when software must comply with such rules vital to both manufacturers and regulators. In lieu of the Medical Device Regulation we expand on the idea of intention, and identify the criteria software must fulfil to be considered medical devices within EU-law.
CY Jul 27, 2020
Dissecting liabilities in adversarial surgical robot failures: A national (Danish) and European law perspective
Kaspar Rosager Ludvigsen, Shishir Nagaraja
Over the last decade, surgical robots have risen in prominence and usage. For surgical robots, connectivity is necessary to accept software updates, accept instructions, and transfer sensory data, but it also exposes the robot to cyberattacks, which can damage the patient or the surgeon. These injuries are normally caused by safety failures, as seen in accidents with industrial robots, but cyberattacks are caused by security failures instead. We create a taxonomy for both types of failures in this paper specifically for surgical robots. These robots are increasingly sold and used in the European Union (EU); we therefore consider how surgical robots are viewed and treated by EU law. Specifically, which rights regulators and manufacturers have, and which legal remedies and actions a patient or manufacturer would have in a single national legal system in the union, if injuries were to occur from a security failure caused by an adversary that cannot be unambiguously identified. We find that the selected national legal system can adequately deal with attacks on surgical robots, because it can on one hand efficiently compensate the patient. This is because of its flexibility; secondly, a remarkable absence of distinction between safety vs security causes of failure and focusing instead on the detrimental effects, thus benefiting the patient; and third, liability can be removed from the manufacturer by withdrawing its status as party if the patient chooses a separate public law measure to recover damages. Furthermore, we find that current EU law does consider both security and safety aspects of surgical robots, without it mentioning it through literal wording, but it also adds substantial liabilities and responsibilities to the manufacturers of surgical robots, gives the patient special rights and confers immense powers on the regulators.
SI Jun 2, 2020
Unlinking super-linkers: the topology of epidemic response (Covid-19)
Shishir Nagaraja
A key characteristic of the spread of infectious diseases is their ability to use efficient transmission paths within contact graphs. This enables the pathogen to maximise infection rates and spread within a target population. In this work, we devise techniques to localise infections and decrease infection rates based on a principled analysis of disease transmission paths within human-contact networks (proximity graphs). Experimental results of disease spreading show that at low visibility rates contact tracing slows disease spreading. However, to stop disease spreading, contact tracing requires both significant visibility (at least 60%) into the proximity graph and the ability to place half of the population under isolation. We find that pro-actively isolating super-links -- key proximity encounters -- has significant benefits: targeted isolation of a fourth of the population based on 35% visibility into the proximity graph prevents an epidemic outbreak. It turns out that isolating super-spreaders is more effective than contact tracing and testing but less effective than targeting super-links. We highlight the important role of topology in epidemic outbreaks. We argue that proactive inoculation of a population by disabling super-links and super-spreaders may have an important complementary role alongside contact tracing and testing as part of a sophisticated public-health response to epidemic outbreaks.
CR Sep 4, 2019
VoIPLoc: Passive VoIP call provenance via acoustic side-channels
Shishir Nagaraja, Ryan Shah
We propose VoIPLoc, a novel location fingerprinting technique and apply it to the VoIP call provenance problem. It exploits echo-location information embedded within VoIP audio to support fine-grained location inference. We found consistent statistical features induced by the echo-reflection characteristics of the location into recorded speech. These features are discernible within traces received at the VoIP destination, enabling location inference. We evaluated VoIPLoc by developing a dataset of audio traces received through VoIP channels over the Tor network. We show that recording locations can be fingerprinted and detected remotely with a low false-positive rate, even when a majority of the audio samples are unlabelled. Finally, we note that the technique is fully passive and thus undetectable, unlike prior art. VoIPLoc is robust to the impact of environmental noise and background sounds, as well as the impact of compressive codecs and network jitter. The technique is also highly scalable and offers several degrees of freedom in terms of the fingerprintable space.
CR Sep 4, 2019
Privacy with Surgical Robotics: Challenges in Applying Contextual Privacy Theory
Ryan Shah, Shishir Nagaraja
The use of connected surgical robotics to automate medical procedures presents new privacy challenges. We argue that conventional patient consent protocols no longer work. Indeed, robots that replace human surgeons take on an extraordinary level of responsibility. Surgeons undergo years of training and peer review in a strongly regulated environment, and derive trust via a patient's faith in the hospital system. Robots on the other hand derive trust differently, via the integrity of the software that governs their operation. From a privacy perspective, there are two fundamental shifts. First, the threat model has shifted from one where the humans involved were untrusted to one where the robotic software is untrusted. Second, the basic unit of privacy control is no longer a medical record, but is replaced by four new basic units: the subject on which the robot is taking action; the tools used by the robot; the sensors (i.e. data) the robot can access; and, finally, access to monitoring and calibration services which afford correct operation of the robot. We suggest that contextual privacy provides useful theoretical tools to solve the privacy problems posed by surgical robots. However, it also poses some challenges: not least that the complexity of the contextual-privacy policies, if rigorously specified to achieve verification and enforceability, will be exceedingly high to directly expose to humans that review contextual privacy policies. A medical robot works with both information and physical material. While informational norms allow for judgements about contextual integrity and the transmission principle governs the constraints applied on information transfer, nothing is said about material property. Certainly, contextual privacy provides an anchor for useful notions of privacy in this scenario and thus should be considered to be extended to cover both information and material flows.
CR Aug 2, 2019
Secure Calibration for Safety-Critical IoT: Traceability for Safety Resilience
Ryan Shah, Michael McIntee, Shishir Nagaraja et al.
Secure sensor calibration constitutes a foundational step that underpins operational safety in the Industrial Internet of Things. While much attention has been given to IoT security such as the use of TLS to secure sensed data, little thought has been given to securing the calibration infrastructure itself. Currently traceability is achieved via manual verification using paper-based datasheets which is both time consuming and insecure. For instance, when the calibration status of parent devices is revoked as mistakes or mischance is detected, calibrated devices are not updated until the next calibration cycle, leaving much of the calibration parameters invalid. Aside from error, any party within the calibration infrastructure can maliciously introduce errors since the current paper based system lacks authentication as well as non-repudiation. In this paper, we propose a novel resilient architecture for calibration infrastructure, where the calibration status of sensor elements can be verified on-the-fly to the root of trust preserving the properties of authentication and non-repudiation. We propose an implementation based on smart contracts on the Ethereum network. Our evaluation shows that Ethereum is likely to address the protection requirements of traceable measurements.
CR Mar 2, 2019
Clicktok: Click Fraud Detection using Traffic Analysis
Shishir Nagaraja, Ryan Shah
Advertising is a primary means for revenue generation for millions of websites and smartphone apps (publishers). Naturally, a fraction of publishers abuse the ad-network to systematically defraud advertisers of their money. Defenses have matured to overcome some forms of click fraud but are inadequate against the threat of organic click fraud attacks. Malware detection systems including honeypots fail to stop click fraud apps; ad-network filters are better but measurement studies have reported that a third of the clicks supplied by ad-networks are fake; collaborations between ad-networks and app stores that bad-lists malicious apps works better still, but fails to prevent criminals from writing fraudulent apps which they monetise until they get banned and start over again. This work develops novel inference techniques that can isolate click fraud attacks using their fundamental properties. In the mimicry defence, we leverage the observation that organic click fraud involves the re-use of legitimate clicks. Thus we can isolate fake-clicks by detecting patterns of click-reuse within ad-network clickstreams with historical behaviour serving as a baseline. Second, in bait-click defence, we leverage the vantage point of an ad-network to inject a pattern of bait clicks into the user's device, to trigger click fraud-apps that are gated on user-behaviour. Our experiments show that the mimicry defence detects around 81% of fake-clicks in stealthy (low rate) attacks with a false-positive rate of 110 per hundred thousand clicks. Bait-click defence enables further improvements in detection rates of 95% and reduction in false-positive rates of between 0 and 30 clicks per million, a substantial improvement over current approaches.
CR Feb 25, 2019
A Unified Access Control Model for Calibration Traceability in Safety-Critical IoT
Ryan Shah, Shishir Nagaraja
Calibration plays an important role in ensuring device accuracy within safety-critical IoT deployments. The process of calibration involves a number of parties which must collaborate to support calibration. Calibration checks often precede safety-critical operations such as preparing a robot for surgery, requiring inter-party interaction to complete checks. At the same time, the parties involved in a calibration ecosystem may share an adversarial relationship with a subset of other parties. For instance, a surgical robot manufacturer may wish to hide the identities of third-parties from the operator (hospital), in order to maintain confidentiality of business relationships around its robot products. Thus, information flows that reveal who-calibrates-for-whom need to be managed to ensure confidentiality. Similarly, information about what-is-being-calibrated and how-often-it-is-calibrated may compromise operational confidentiality. For example, calibration-verification of connected medical devices may reveal the timing of surgical procedures and compromise PII when combined with other meta information. We show that the challenge of managing information flows between the parties involved in calibration cannot be met by any of the classical access control models, as any one of them or a simple conjunction of a subset such as the lattice model fails to meet the desired access control requirements. We demonstrate that a new unified access control model that combines BIBA, BLP, and Chinese Walls holds rich promise. We study the case for unification, system properties, and develop an XACML-based authorisation framework which enforces the unified model. Upon evaluation against a baseline simple conjunction of the three models individually, our unified model outperforms this, demonstrating it is capable of solving the novel access control challenges thrown up by digital-calibration supply chains.
CR Dec 28, 2018
Do we have the time for IRM?: Service denial attacks and SDN-based defences
Ryan Shah, Shishir Nagaraja
Distributed sensor networks such as IoT deployments generate large quantities of measurement data. Often, the analytics that runs on this data is available as a web service which can be purchased for a fee. A major concern in the analytics ecosystem is ensuring the security of the data. Often, companies offer Information Rights Management (IRM) as a solution to the problem of managing usage and access rights of the data that transits administrative boundaries. IRM enables individuals and corporations to create restricted IoT data, which can have its flow from organisation to individual control -- disabling copying, forwarding, and allowing timed expiry. We describe our investigations into this functionality and uncover a weak-spot in the architecture -- its dependence upon the accurate global availability of time. We present an amplified denial-of-service attack which attacks time synchronisation and could prevent all the users in an organisation from reading any sort of restricted data until their software has been re-installed and re-configured. We argue that IRM systems built on current technology will be too fragile for businesses to risk widespread use. We also present defences that leverage the capabilities of Software-Defined Networks to apply a simple filter-based approach to detect and isolate attack traffic.
CR Aug 5, 2014
Command & Control: Understanding, Denying and Detecting - A review of malware C2 techniques, detection and defences
Joseph Gardiner, Marco Cova, Shishir Nagaraja
In this survey, we first briefly review the current state of cyber attacks, highlighting significant recent changes in how and why such attacks are performed. We then investigate the mechanics of malware command and control (C2) establishment: we provide a comprehensive review of the techniques used by attackers to set up such a channel and to hide its presence from the attacked parties and the security tools they use. We then switch to the defensive side of the problem, and review approaches that have been proposed for the detection and disruption of C2 channels. We also map such techniques to widely-adopted security controls, emphasizing gaps or limitations (and success stories) in current best practices.
CR Aug 4, 2014
Blindspot: Indistinguishable Anonymous Communications
Joseph Gardiner, Shishir Nagaraja
Communication anonymity is a key requirement for individuals under targeted surveillance. Practical anonymous communications also require indistinguishability - an adversary should be unable to distinguish between anonymised and non-anonymised traffic for a given user. We propose Blindspot, a design for high-latency anonymous communications that offers indistinguishability and unobservability under a (qualified) global active adversary. Blindspot creates anonymous routes between sender-receiver pairs by subliminally encoding messages within the pre-existing communication behaviour of users within a social network. Specifically, the organic image sharing behaviour of users. Thus channel bandwidth depends on the intensity of image sharing behaviour of users along a route. A major challenge we successfully overcome is that routing must be accomplished in the face of significant restrictions - channel bandwidth is stochastic. We show that conventional social network routing strategies do not work. To solve this problem, we propose a novel routing algorithm. We evaluate Blindspot using a real-world dataset. We find that it delivers reasonable results for applications requiring low-volume unobservable communication.