SoK: Remotely Wiping Sensitive Data on Stolen Smartphones
Sahiti Koganti
University of Texas at San Antonio
ABSTRACT
Technology is advancing rapidly, and of all recent innovations mobile phones, and smartphones in particular, have become immensely popular and useful; they play a vital role in everyone's life. They hold a huge amount of personal data such as contacts, messages, photos, credit card information and passwords. People sometimes sync their office laptops with their smartphones so that they can work outside the office, so if the device is lost an adversary can obtain a great deal of information. To prevent the data from being stolen even when the device is stolen, several techniques have been proposed, most of them cloud based. This paper discusses these techniques, notes that none of them can be used in every situation, and discusses their challenges.
INTRODUCTION
Enormous developments in technology have brought many transitions. Today's mobile phones, and in particular smartphones, have overtaken desktops as the primary computing platform as they become more and more powerful, and they are a major trend in today's market. Despite their great advantages they bring new challenges. They have become attractive to everyone and are therefore frequently stolen, either for their high value or for the huge amount of information they contain. Several mechanisms have been proposed and implemented for post-theft control of the data on these smartphones. In this paper I discuss a few of them and also briefly describe my own thoughts on one of these mechanisms. With this systematization of knowledge paper I make the following contributions:
- Develop a general model of all the mechanisms for wiping sensitive data on smartphones.
- Discuss briefly how each mechanism wipes sensitive data.
- Discuss the disadvantages of the mechanisms and the situations in which they might not be useful.
- Discuss some mechanisms for removing unwanted sensitive data, so that less sensitive data is exposed to theft.
SYSTEMIZATION MODEL OF MY PAPER
The whole paper has been modeled, and figure 1 illustrates this model. It starts with mobile phones, and since this paper focuses mainly on smartphones the flow continues from there. Smartphones are used in a great diversity of ways and therefore have to become smarter and more responsible devices. Their mobility and flexibility of use bring many risks, and one of the greatest is the loss of sensitive data when the device is lost or stolen. To reduce this risk, "theft abatement" can be applied. There are many forms of theft abatement; a few of them are idle timeout, remotely erasing sensitive data, password access and limits on failed password attempts. This paper focuses mainly on remotely erasing sensitive data. Remote erasure can be done directly with anti-theft protection apps that are available to the user on the smartphone itself. Since these apps have limited capabilities, more extensive anti-theft mechanisms have been proposed, such as CleanOS, SafeCode, SMS-based control, the remote control system, remote lock and wipe with integrity checking, and the emergency call mechanism. Some general mechanisms can be used as well, among them shredding, Vanish, SafeVanish, Keypad and the revocable backup system. All of this can be done using the cloud. But people feel that home is safer than the cloud because of its limitations in privacy and security, so this paper also discusses some techniques that improve privacy and security in the cloud, such as CloudViews, user-driven privacy enforcement, data security and privacy in cloud computing, cloud data protection for the masses, and Cloudsec.
DIVERSITY OF USAGE
Different people use smartphones in different ways and interact with them in a myriad of ways. The ways they interact and the applications they use are highly diverse, as shown by research conducted by Dr. Hossein Falaki and his team.
MOBILE PHONES TO RESPONSIBLE DEVICES
Applications running on mobile phones used to be very limited. Today's mobile phones are replacing desktop PCs and are becoming more powerful, but mobile phone operating systems currently lack the mechanisms to adequately protect these increasingly capable devices. As a result an adversary may be able not only to cause numerous violations of the user's data confidentiality and integrity, but also to cause significant problems for the cellular networks themselves; that is, these mobile phones introduce a variety of ways for attackers to exploit applications and the network infrastructure itself. The known techniques provide some security, but further mechanisms have to be implemented to protect these critical systems.
Hence some mechanisms have been proposed that make mobile phones smarter and more responsible devices, capable of operating intelligently so as to remain mission critical devices. This is done by providing these devices with more capable and reliable trusted computing bases, so as to greatly increase their ability to protect key applications and to create predictable network impact. These mechanisms use a combination of mediation, access control, resource management, quality of service and so on. But they are not perfect and need to be improved.
THE SMARTPHONE AND ITS RISKS
Desktop PCs, laptops and servers have more protection mechanisms than mobile phones, since they have been in use for a long time. Many researchers have come up with different solutions, which are well implemented and working well for now. Mobile phones, however, are only now emerging as a trend, and their protection mechanisms are still at the research stage. Moreover the mobility, convenience and capabilities of mobile phones, especially smartphones, potentially open up new types of risk. There are several key scenarios to consider in order to limit the risks:
1. The smartphone gets lost or stolen, with subsequent unauthorized access to the smartphone, unauthorized access to data and unauthorized calls
2. Unauthorized access to the network
3. Loss of administrative control over computer systems
4. Access to sensitive data
5. Inappropriate use of the internet
THEFT ABATEMENT
The keystone of the smartphone security model is avoiding loss or theft. For an unsecured phone, loss or theft of the device leads to security issues that can affect members, the internal network and the company's reputation. These risks can be reduced by applying security controls and policies already available for these devices. The fundamental security elements for reducing the risk of data theft are:
1. Remotely erase data: to reduce the risk of sensitive data being accessible, enable the "remote wipe" functionality to delete the contents of a smartphone that has been lost or stolen.
2. Password access: enable a password policy on the smartphone.
3. Failed password attempts: to reduce the risk of unauthorized access to data on the smartphone, configure the device to perform a data wipe after a predefined number of failed logon attempts.
4. Idle timeout: enable a password-protected screen lockout or screen saver mode when a specified duration of non-use is reached.
REMOTELY ERASE DATA
The best approach is to erase the sensitive data on the smartphone remotely using services provided by the cloud. Some mechanisms also use the other elements, password access, failed password attempts and idle timeout, either on the device itself or remotely. There are two ways to deal with this:
1. Use of anti-theft protection apps
2. Use of anti-theft mechanisms
ANTI-THEFT PROTECTION APPS FOR SMARTPHONES
Most smartphones have native remote wipe capabilities, either built in or available to users in the form of apps. There are a number of apps that can locate, lock and/or erase the wireless device if it is lost or stolen. If these features are not enough, they can be supplemented with the cloud. Several popular cloud services offer remote data wipe options for iOS or Android devices. Apple iOS users who register with iCloud can wipe through the Find My iPhone app, as long as it was enabled before the device was lost. Android users may register with the cloud services that their wireless carrier or device manufacturer offers; for example, Samsung's DIVE remote control app can remotely invoke a factory reset. These are just a few of the widely available consumer cloud services that support end-user remote find and wipe.
ANTI-THEFT PROTECTION MECHANISMS
These mechanisms rely on a Wi-Fi or Internet connection, the SMS service, or a SIM card for the cellular network connection in order to work.
1. CleanOS
CleanOS identifies and tracks sensitive data in RAM and on stable storage, encrypts it with a key, and evicts that key to the cloud when the data is not in active use on the device.
Methodology: CleanOS is a new Android-based operating system that minimizes sensitive data exposure by evicting it to a trusted cloud whenever the data is not in active use. It implements sensitive data objects (SDOs), which identify the locations of sensitive data in RAM and stable storage, monitor its use by applications, and evict sensitive data to the cloud whenever it is not in active use. The cloud mediates all accesses to unused SDOs and can offer many useful post-loss functions, such as:
- Disable SDO access after theft
- Audit SDO exposures and accesses
- Rate-limit SDO accesses
Basic Functioning: Applications create SDOs and add sensitive data to them. An SDO is a logical collection of Java objects that contain sensitive data and are related in some way. CleanOS implements three functions for SDOs:
- Tracks data in SDOs using taint tracking
- Evicts SDOs to a trusted cloud whenever they are idle
- Decrypts SDO data when it is accessed again
The following diagram illustrates an SDO object:
Figure 1: Illustration of SDO object
Evict-Idle Garbage Collection: To evict SDOs, a new type of Java garbage collector, the evict-idle garbage collector (eiGC), was introduced. A traditional garbage collector deallocates only objects that will never be used in the future, whereas the eiGC evicts objects that have not been used for a period of time, even if they might be used again later. The eiGC runs periodically to evict idle SDOs: for any Java object tainted with an idle SDO's ID, the eiGC "evicts" that object, setting the E bit in its tag.
Disadvantage: Requires network connectivity to the cloud at all times, and hence an Internet connection.
2. Safecode
SafeCode is a PIN-based, user-extended security mechanism that automatically wipes data from iOS devices after a certain number of failed attempts.
An adversary who obtains the phone will commonly put the device in silent mode, switch it off, remove its battery, or place it in a Faraday cage. SafeCode was proposed as a system that prevents the device from being "switched off" or "silenced" by the adversary after it is stolen. In the best case, it also improves the chances of recovering the stolen device.
Disadvantage: It increases the probability of the device being wiped through accidental deletion of user data by the user themselves.
3. SMS
This is a model for remote access and protection of smartphones using the short message service (SMS) on the smartphone; a stolen smartphone is controlled remotely by sending it SMS messages.
Basic Methodology: There is a client interface, a client service and a server service. Commands are requested from the client interface through an SMS; the server service interprets them and performs the action specified in the command on the user data. All actions by the server are carried out remotely.
Disadvantage: This technique will not work if the SIM card is removed from the stolen device, and an adversary might remove the SIM card as soon as he gets the phone.
4. Remote Control System
This is a design for a remote control system for data protection and backup on mobile devices. The technique communicates with the remote device over the Internet and prevents unauthorized use of mobile handsets and personal information through remote control, even when the lock function was not set before the device was lost.
Basic Methodology: The remote control service server is used by the lost mobile device in the following steps: (a) the authentication step, in which the user accesses the remote control service server; (b) the identification step, in which it is checked whether the owner of the communication channel is genuine; (c) the transmission step, in which an access code is sent to the mobile device so that the remote control program on the device can be used; (d) the reception step, in which the mobile device whose identification number is associated with the access code sent in the transmission step is recognized; (e) the selection step, in which one of the remote control services is selected and run on the terminal; and (f) the completion step, in which a completion code is received indicating that the remote service was processed normally.
Disadvantage: This technique works only when the device has an Internet connection, and the adversary might disconnect it once the device is stolen.
5. Remote lock and wipe with Integrity Checking
This mechanism presents a system with Message Authentication Code (MAC) based integrity checking of SMS notifications using a Password-Based Key Derivation Function (PBKDF). The remote lock and wipe system consists of a remote control module on a server and a command handling module on the smartphone. Using these, the remote system sends one of two commands, lock or wipe, to the smartphone by SMS push notification. When the user sends a lock command to the smartphone through the remote control module, the command handling module enables the password locking function to lock the smartphone. Similarly, when a wipe command is sent, it wipes all the personal data on the smartphone. This is used mostly when the device is lost or stolen.
The integrity check verifies that the commands came from a trusted server or trusted service provider, which stops commands sent by malicious users.
Basic methodology: This mechanism employs a password-based key derivation function (PBKDF), which requires the user to enter a password, from which a 20-byte authentication code, a Hash-based Message Authentication Code (HMAC), is obtained.
Generating the Message Authentication Code: To send an SMS notification, the remote control module first creates a secret key from the password using the PBKDF. Using the HMAC function with that secret key, a message authentication code is generated over the command message together with a timestamp. The command message is then sent with the MAC to the designated smartphone.
Verifying the Message Authentication Code: When an authenticated SMS notification is received, the command handling module decodes it and extracts the MAC. The command handling module also computes the secret key from the password using the PBKDF and regenerates the MAC. The decoded MAC and the regenerated MAC are compared; the command is executed if they are equal and ignored otherwise.
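The generate/verify flow above, as an added example that is not code from the paper or its authors. It assumes PBKDF2-HMAC-SHA256 as the PBKDF, HMAC-SHA1 for the 20-byte tag, a COMMAND|TIMESTAMP|HEXTAG wire format, a fixed salt and a freshness window; the paper only states that a timestamp is covered by the MAC.

```python
"""Added example, not from the paper: MAC-protected lock/wipe SMS commands.
The remote control module derives a secret key from the password with a
password-based KDF and computes an HMAC over command and timestamp; the
command handling module re-derives the key, recomputes the tag and acts
only when the two tags match. Salt, wire format and the freshness window
are assumptions made for this example."""
import hashlib
import hmac
import time

SALT = b"remote-lock-wipe-example"  # constructed; a deployment would use a per-user random salt
ITERATIONS = 100_000
COMMANDS = {"LOCK", "WIPE"}
MAX_AGE_SECONDS = 300  # assumption: notifications older than this are treated as replays


def derive_key(password: str) -> bytes:
    # PBKDF step: password -> secret key shared by server and phone.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, ITERATIONS)


def mac(key: bytes, command: str, timestamp: int) -> str:
    # HMAC over command and timestamp; SHA-1 yields the paper's 20-byte tag.
    return hmac.new(key, f"{command}|{timestamp}".encode(), hashlib.sha1).hexdigest()


def build_notification(password: str, command: str, timestamp: int) -> str:
    """Remote control module: generate the MAC and attach it to the command."""
    if command not in COMMANDS:
        raise ValueError(f"unknown command {command!r}")
    return f"{command}|{timestamp}|{mac(derive_key(password), command, timestamp)}"


def verify_notification(password: str, message: str, now=None):
    """Command handling module: return the command, or None if the message must be ignored."""
    parts = message.split("|")
    if len(parts) != 3:
        return None
    command, ts_text, tag = parts
    if command not in COMMANDS or not ts_text.isdigit():
        return None
    timestamp = int(ts_text)
    now = int(time.time()) if now is None else now
    if abs(now - timestamp) > MAX_AGE_SECONDS:
        return None  # stale or replayed notification
    expected = mac(derive_key(password), command, timestamp)
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return None
    return command


def handle_notification(password: str, message: str, now=None) -> str:
    """What the phone does with an incoming SMS notification."""
    command = verify_notification(password, message, now)
    if command == "LOCK":
        return "password lock enabled"
    if command == "WIPE":
        return "personal data wiped"
    return "ignored"
```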
6. A BETTER APPROACH – Use Emergency call mechanisms
The mechanisms described above work only when there is a Wi-Fi or Internet connection, the SMS service, or a SIM card for the cellular network connection. But once a device is stolen, an adversary will typically first remove the SIM card or disable Wi-Fi. Hence a better approach was designed, which uses the "emergency call mechanism" to wipe the data on the stolen device.
Basic Idea: The basic idea of this approach is to let the smartphone use the emergency call channel of the cellular network to receive remote commands. No normal calls are allowed when the SIM card is unplugged, but the phone can still make emergency calls, such as 911 in the US. When the smartphone detects the removal of the SIM card, it initiates a stealthy emergency call to the wipe-out service provider, which sends back a wipe-out command after confirming that the phone has been lost or stolen. The adversary is unaware of this whole process.
Assumptions: To evaluate this approach the authors made certain assumptions. The adversary removes the SIM card from the stolen smartphone and turns off Wi-Fi. The adversary is interested in obtaining its locally stored data, but has not extracted the storage chips or transferred the user data before removing the SIM card. The adversary does not keep the stolen smartphone switched off, place it in an electromagnetically shielded environment, or keep the battery unplugged all the time. The operator accepts emergency calls that use the IMEI as identification; this number uniquely identifies a stolen smartphone in most countries. The SIM card stands for all similar components that provide the same functionality in different networks.
Wipe-out system design: To enable the wipe-out service, a backstage application needs to be installed. When the SIM card is removed, the phone is presumed stolen and the backstage application requests data erasure by automatically and stealthily making a customized emergency call. To remotely wipe sensitive data on a stolen smartphone, the owner interacts with the service provider as follows:
- The owner subscribes to the remote wipe-out service from the service provider and registers his/her phone before it is stolen.
- After a successful registration, the service provider records the IMEI number of the phone in the IMEI database and marks its state as normal.
- As soon as the owner realizes the smartphone is lost, he reports the loss and asks for the data on the device to be erased.
- After authenticating the user, the service provider tags the entry for the reported phone as stolen in the IMEI database.
Figure 2: Remote wipe – out framework
Procedure:
- The smartphone attaches a deletion indicator to an emergency call and makes this customized emergency call attempt on the mobile cellular network. The IMEI is used as the equipment identification.
- After receiving the request to set up a customized emergency call, the call control entity checks the state of the smartphone in the service provider's IMEI database.
- If the smartphone is tagged as stolen in the database, the call control entity sends the wipe-out command to the smartphone. Otherwise, the call control entity responds with a call accepted message, the same as the access permission for a normal, legitimate emergency call.
Device Registration: To remotely wipe sensitive data on a stolen phone without the SIM card or a Wi-Fi connection, the user needs to subscribe to the remote wipe-out service before the smartphone is lost. The owner registers for the service with identification information (e.g., ID card information) that uniquely identifies him to the service provider, and installs the application on the smartphone. The service provider records the IMEI number of the registered smartphone and marks its state as normal in the IMEI database.
Report of Lost Smartphone: If the smartphone is stolen, the owner can request a wipe-out through a service call, a web interface or SMS; each service provider can implement its own specific way. The service provider must authenticate the user before recording the report and performing the follow-up procedure, because the wipe-out might have been requested by a malicious user. Hence the user needs to provide identity information for authentication. When the user reports the theft and the identity is verified successfully, the service provider updates the record of the stolen device in the IMEI database by tagging its state as stolen.
Remote Wipe-Out: The emergency channel is used to remotely control the stolen smartphone. Once the smartphone detects the absence of the SIM card, it requests data erasure through an emergency call, with the deletion indicator attached to the call. The author states that only minimal modifications to current protocols are required to implement this mechanism. The call control entity looks up the IMEI number in the service provider's IMEI database to confirm the state of the phone and then decides whether the device needs to be wiped. If the returned state in the IMEI database is stolen, the call control entity sends a wipe-out command to the device.
Security Analysis: The service provider verifies the reporter's identity when a smartphone is reported stolen, which prevents a malicious attacker from misusing the system to falsely wipe another user's smartphone. The user sets a PIN code for extra security, which prevents the service provider from wiping the data accidentally. The mechanism uses secure deletion, but the smartphone must not be switched off or run out of battery; when power returns it continues the secure deletion until all data is wiped.
Disadvantage: This mechanism works only when the adversary removes the SIM card. If the user does not notice the loss of the phone before the adversary removes the SIM card, the mechanism will not work either. Also, the adversary must not keep the phone switched off.
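The registration, loss report and emergency-call exchange of this framework, simulated end to end as an added example (not code from the paper). The message names, the PIN check from the security analysis, the resumable deletion, the retry of the call attempt while the SIM is absent, and the sample IMEI and owner data are all constructed for this example.

```python
"""Added example, not from the paper: simulation of the emergency-call
wipe-out framework. WipeOutService plays the service provider's IMEI
database and call control entity; Smartphone plays the backstage app.
All names, messages and sample values are constructed."""
import hashlib
import hmac


def _pin_hash(pin: str) -> bytes:
    # Constructed: only a hash of the PIN is kept in the database.
    return hashlib.sha256(pin.encode()).digest()


class WipeOutService:
    """Service provider side: IMEI database plus call control entity."""

    def __init__(self):
        self.imei_db = {}  # imei -> {"owner", "pin", "state"}

    def register(self, imei: str, owner_id: str, pin: str) -> None:
        # Device registration: record the IMEI and mark its state normal.
        self.imei_db[imei] = {"owner": owner_id, "pin": _pin_hash(pin), "state": "normal"}

    def report_lost(self, imei: str, owner_id: str, pin: str) -> bool:
        # Report of lost smartphone: authenticate the reporter before
        # tagging the device stolen, so a third party cannot wipe it.
        rec = self.imei_db.get(imei)
        if rec is None or rec["owner"] != owner_id:
            return False
        if not hmac.compare_digest(rec["pin"], _pin_hash(pin)):
            return False
        rec["state"] = "stolen"
        return True

    def state_of(self, imei: str) -> str:
        rec = self.imei_db.get(imei)
        return rec["state"] if rec else "unknown"

    def handle_emergency_call(self, imei: str, deletion_indicator: bool) -> str:
        # Call control entity: on a call carrying the deletion indicator,
        # look the IMEI up; answer WIPE_OUT only for a device tagged stolen,
        # otherwise accept the call exactly like an ordinary emergency call.
        if deletion_indicator and self.state_of(imei) == "stolen":
            return "WIPE_OUT"
        return "CALL_ACCEPTED"


class Smartphone:
    """Device side: the backstage application."""

    def __init__(self, imei: str, service: WipeOutService, data: dict):
        self.imei = imei
        self.service = service
        self.storage = dict(data)  # name -> bytes, constructed sample data
        self.sim_present = True
        self.pending_wipe = False
        self.wipe_batch = None  # items wiped per pass; set small to simulate power loss

    def remove_sim(self) -> str:
        # SIM removal is the trigger: the phone presumes theft and makes a
        # stealthy emergency call carrying the deletion indicator.
        self.sim_present = False
        return self.emergency_call_attempt()

    def emergency_call_attempt(self) -> str:
        # Assumption: the app repeats the attempt while the SIM stays absent,
        # so a stolen tag set after the first attempt is still picked up.
        if self.sim_present:
            return "NO_CALL"
        response = self.service.handle_emergency_call(self.imei, deletion_indicator=True)
        if response == "WIPE_OUT":
            self.pending_wipe = True
            self._secure_delete(self.wipe_batch)
        return response

    def _secure_delete(self, max_items) -> None:
        # Overwrite then drop each item; pending_wipe stays set until the
        # storage is empty so an interrupted wipe resumes after power loss.
        for name in list(self.storage)[:max_items]:
            self.storage[name] = b"\x00" * len(self.storage[name])
            del self.storage[name]
        if not self.storage:
            self.pending_wipe = False

    def power_on(self) -> None:
        # The paper notes secure deletion continues once power is back.
        if self.pending_wipe:
            self._secure_delete(None)
```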
MECHANISMS FOR REMOVING UNWANTED SENSITIVE DATA
Sensitive data may be scattered widely throughout a device. Sometimes it remains on the device after it has been used and will no longer be needed, or it might be used again later but without any certainty. In such situations it is better to remove the unwanted sensitive data from the device, so that less sensitive data on the device is exposed to theft.
1. Shredding your garbage
Sensitive data such as passwords, social security numbers, credit card numbers and confidential documents often permeates systems throughout user and kernel space for long periods of time. The implications of all this sensitive data remaining accessible past the end of its useful life are serious, such as an increased risk of losing the data when devices are lost, stolen or compromised. This mechanism uses a strategy called secure deallocation, which reduces the lifetime of sensitive data in memory: the data is removed from memory after its last use.
The data life cycle provides a conceptual framework for understanding the lifetime of data, from which the effectiveness of secure deallocation can be determined. Under secure deallocation, the lifetime of data runs from the first write after allocation until explicit deallocation.
Secure deallocation zeros out sensitive information when it is finished being used, that is, it clears the data at deallocation or within a short time afterwards, which minimizes the data lifetime. The best place to do this is at every layer. Layered clearing is what makes secure deallocation worthwhile, because it ensures that data is cleared at every layer of the system, including user applications, user libraries and the OS kernel.
Applications generally know a good deal about the sensitive data: which data are sensitive, where the sensitive data is, and when the best time to clear it is. But finding every place where sensitive data resides and removing it all is a somewhat complex process, so identifying all the spots for deallocation is complex and laborious.
Compilers handle all the implicit allocations performed by programs, such as local variables allocated on the stack, and hence they can clear data that programs do not explicitly control. But clearing data at this level can be expensive.
Libraries handle the dynamic memory requests made by programs and can be considered the best place to clear them. The drawback is that programs have to deallocate the data explicitly and as promptly as possible.
Operating system kernels handle all the resources and act as a final safety net for clearing any unused data that was not cleared at the previous stages.
Secure deallocation has also been evaluated, and the evaluation showed that it makes data last about 1.35 times longer on average than the ideal case, but much less than its natural lifetime.
2. Vanish
Data privacy is becoming a growing concern in today's society. Two formidable challenges to privacy are that data lives forever and that retroactive disclosure of both data and user keys has become commonplace.
Users have to be empowered to control the lifetime of their data. This introduces the concept of self-destructing data. The goals of the self-destructing data model are:
- Until the timeout, users can read the original message.
- After the timeout, all copies become permanently unreadable:
  - even for attackers who obtain an archived copy and the user's keys,
  - without requiring an explicit delete action by the user or services,
  - without having to trust any centralized service.
Traditional solutions such as PGP, centralized data management services and forward-secure encryption are not sufficient for self-destructing data. Hence Vanish leverages peer-to-peer systems. Vanish combines global-scale Distributed Hash Tables (DHTs) with secret sharing to provide self-destructing data. It causes sensitive information, such as emails, files or text messages, to irreversibly self-destruct, without any action on the user's part and without any centralized or trusted system.
DHTs have a few limitations when used for Vanish-like applications.
3. SafeVanish
SafeVanish is an extension of Vanish that adds features to improve self-destruction for protecting data privacy. It consists mainly of three features.
The first is Cascade, an extensible framework for integrating multiple key-storage mechanisms into a single self-destructing data system. It enhances resistance to attack by combining the security advantages of a diverse set of key-storage approaches.
The second is Tide, a new key-storage system for self-destructing data that leverages the ubiquity and easy deployment of Apache web servers throughout the Internet. It combines the advantages of DHTs, such as wide-scale distribution, with the advantages of centralized systems, such as resistance to crawling attacks.
The third is hardening the Vuze DHT used by Vanish, and other DHTs, against data harvesting attacks.
4. Keypad
Keypad provides an auditing file system for theft-prone devices. It offers two important features: auditability and remote data control. Auditability gives fine-grained file auditing, meaning a user can learn whether files have been accessed after a device has been lost or stolen. Remote data control lets Keypad disable future file accesses after a device is lost, even when the device has no network connectivity.
To provide these features, Keypad uses encryption combined with remote key storage: files are encrypted locally but the encryption keys are stored remotely. The basic idea of Keypad is to (1) encrypt each file with its own symmetric key, (2) store all keys on a remote audit service, (3) download the key for a file each time it is accessed and (4) destroy the key immediately after use.
Keypad also contacts an audit server on every protected file access, which prevents new accesses to the files if the device is stolen.
The primary goal of Keypad is to provide strong audit security: if an attacker accesses a file on a device that is protected by Keypad's remote audit server, the audit server must retain at least one log entry for that access, and the entry must not be available for the attacker to tamper with.
5. Revocable Backup System
A revocable backup system enables the user to remove files from both the file system and all backup tapes. That is, the user can remove files from the file system and all backup tapes without ever mounting a single tape.
To achieve this it uses cryptography, though here cryptography is used to erase information rather than to protect it. The basic idea of the revocable backup system is: (1) the file is encrypted with a randomly generated key and then written to tape; (2) when the user wants to remove the file from the backup tape, he instructs the system to "forget" the key used to encrypt the file, at which point the data on the tape becomes useless and cannot be accessed even by the owner of the file; (3) hence the file has been erased from the tape.
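The idea shared by Keypad (above, section 4) and the revocable backup system, cryptographic erasure with per-file keys held apart from the ciphertext, worked as one added example that is not code from either project. The cipher is a SHAKE-256 keystream XOR, a constructed stand-in so the example runs with the standard library alone; a real system would use an authenticated cipher such as AES-GCM. Class and method names are assumptions.

```python
"""Added example, not from the paper: cryptographic erasure. Each file gets
its own random key kept on a key server (Keypad's audit service, or the
revocable backup's key list); reading fetches the key and destroys it after
use, and forgetting the key makes the stored ciphertext useless even to the
owner. The keystream cipher is a constructed stand-in for a real cipher."""
import hashlib
import secrets

NONCE_LEN = 16


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    return hashlib.shake_256(key + nonce).digest(n)


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(NONCE_LEN)  # fresh nonce per encryption
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, ks))


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class KeyServer:
    """Remote key store: Keypad's audit service or the backup's key list."""

    def __init__(self):
        self.keys = {}
        self.audit_log = []  # (file_id, device_id), kept off the device

    def store(self, file_id: str, key: bytes) -> None:
        self.keys[file_id] = key

    def fetch(self, file_id: str, device_id: str):
        # Every access leaves an entry the device cannot remove afterwards.
        self.audit_log.append((file_id, device_id))
        return self.keys.get(file_id)

    def forget(self, file_id: str) -> None:
        # Revocation: the ciphertext stays where it is but is now unreadable.
        self.keys.pop(file_id, None)


class Device:
    """Holds only ciphertext and never keeps a key beyond one access."""

    def __init__(self, device_id: str, server: KeyServer):
        self.device_id = device_id
        self.server = server
        self.store = {}  # file_id -> ciphertext (the file system, or the tape)

    def write(self, file_id: str, data: bytes) -> None:
        key = secrets.token_bytes(32)  # one random key per file
        self.server.store(file_id, key)
        self.store[file_id] = encrypt(key, data)
        del key  # nothing but ciphertext remains locally

    def read(self, file_id: str):
        if file_id not in self.store:
            return None
        key = self.server.fetch(file_id, self.device_id)
        if key is None:
            return None  # forgotten/revoked, or server unreachable: access denied
        try:
            return decrypt(key, self.store[file_id])
        finally:
            del key  # destroyed immediately after use


def demo():
    """Write a file, read it back, forget its key, try again."""
    srv = KeyServer()
    dev = Device("phone-1", srv)
    dev.write("notes.txt", b"meeting at 10, card ends 4242")  # constructed sample
    before = dev.read("notes.txt")
    srv.forget("notes.txt")
    after = dev.read("notes.txt")
    return before, after, len(srv.audit_log), "notes.txt" in dev.store
```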
CLOUD SERVICES
The cloud is an emerging trend, and several popular cloud services offer remote data wipe options for smartphones.
Issues with cloud
Some people do not trust the cloud. A paper, "Home is safer than Cloud", was published which, after extensive research, states that many people would rather keep their sensitive data on home storage than in the cloud.
Mechanisms to improve security and privacy in cloud
But recently many mechanisms have been proposed and implemented to secure data in the cloud, so people have started to use all the capabilities and features that cloud providers offer. The following are a few mechanisms that improve privacy and security in the cloud.
1. CloudViews
Sharing is the key feature for simplifying the construction of web services. There are three main technological features of a shared cloud: (1) free, efficient and plentiful network bandwidth that supports tighter and larger-scale web service integration; (2) a shared storage system that provides powerful abstractions for convenient, efficient and large-scale inter-service data sharing; and (3) the potential for a rich run-time ecosystem of many "utility" web services that act as building blocks for other services and greatly facilitate their implementation.
CloudViews provides convenient, scalable and efficient data sharing in public clouds. This is achieved by the Cloud DB, which takes advantage of cloud technologies to support sharing. The basic idea is to provide enhanced DB-style views for sharing, capabilities for protection, query admission control, and QoS for resource allocation.
2. User driven privacy enforcement
The Internet of Things and cloud computing are an emerging trend, but privacy is becoming a major hindrance to combining the two, from both the end user's and the service provider's perspective. To overcome these privacy concerns, User-driven Privacy Enforcement for Cloud-based Services in the Internet of Things (UPECSI) has been presented. It consists mainly of three things, which form the backbone of UPECSI: privacy enforcement points, model-driven privacy, and user interaction. Configuring these at different layers of abstraction minimizes the critical privacy concerns of different user groups and helps increase user acceptance, encouraging the use of this mechanism in further application areas.
3. Data security and privacy in cloud computing
Data security and privacy are the two most important factors considered by cloud users, because their data is stored in different places far from the user. Security and privacy issues in the cloud concern both hardware and software in the cloud architecture, and researchers have proposed a number of techniques to address them.
Data integrity, the most critical factor in cloud computing, means protecting data from unauthorized deletion, modification or fabrication. Data integrity can be maintained by using a single database, and also by preventing unauthorized access, which can be checked by monitoring accesses. Users also have to verify the integrity of their data in the cloud before deploying applications.
Data confidentiality is another important factor, because users have to store their most valuable and sensitive data in the cloud. It can be achieved when users store their data in encrypted form rather than directly. Techniques such as homomorphic encryption, encrypted search and databases, distributed storage, hybrid techniques, the three-layered data security technique, event-based isolation, data concealment and deletion confirmation can be used to achieve data confidentiality.
Data availability is another important factor: the users' data must always be available to them. In particular, when data is damaged accidentally by hard disk failure, an IDC fire, or a network failure, how soon the data can be recovered and to what extent the users can still use it is what data availability measures. Hence the service provider has to offer a reliable storage agreement and reliable hard drives.
Data privacy is the most important factor, as it governs authorization to access the stored data. Only users with valid authorization should be able to access the data. The main privacy issues are how to enable users to keep control over their data, how to guarantee the consistency of replicated data, who is responsible for ensuring the legal requirements for personal information, and, if any subcontractors are involved, to what extent they can be involved. To overcome these issues the cloud provides identity management, which allows only trusted users to access the cloud and their data.
These techniques will make cloud service consumers accept and use cloud services.
4. A secure cloud backup system with deletion
and version control
Data backups are very important for organizations, and they usually require huge storage space and cost. Hence backups are now being stored in the cloud at low cost, but securing this data is important. For this, a secure cloud backup system known as FadeVersion, which acts as a security layer on top of today's cloud storage services, has been proposed. Here the backups are stored in encrypted form, and old versions of backups are deleted and made inaccessible to everyone. This is known as fine-grained assured deletion.
FadeVersion combines two independent systems for storing data backups, a version control system and an assured deletion system, and its main goal is to make these two systems compatible with each other in a single design. The main advantage of this design is that it eliminates storage of redundant data while adding minimal performance overhead.
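As an added illustration of the assured-deletion idea described above (example code written for this page, not FadeVersion's own implementation): every backup version is unlocked by a single control key, chunks are deduplicated across versions with convergent chunk keys, and deleting a version only destroys its control key, so the ciphertext left on the cloud becomes unrecoverable. Assumptions: a toy HMAC-SHA256 counter-mode stream cipher stands in for a real AEAD cipher so the example runs with the standard library, and the 16-byte chunk size is chosen for readability.

```python
import hashlib
import hmac
import os


def prf_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher (HMAC-SHA256 as PRF in counter mode); use AES-GCM in practice."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


class AssuredDeletionBackup:
    """Versioned backup: chunks are shared across versions, each version unwraps
    its chunk keys with one control key, and destroying that key deletes the version."""

    def __init__(self, chunk_size: int = 16):
        self.chunk_size = chunk_size
        self.chunks = {}        # chunk id -> ciphertext, lives in "cloud storage"
        self.manifests = {}     # version -> list of (chunk id, wrapped chunk key)
        self.control_keys = {}  # version -> control key, held by the key manager

    def store_version(self, version: str, data: bytes) -> None:
        ckey_v = os.urandom(32)
        manifest = []
        for off in range(0, len(data), self.chunk_size):
            chunk = data[off:off + self.chunk_size]
            cid = hashlib.sha256(chunk).digest()
            # Convergent chunk key: identical chunks get identical keys, so a chunk
            # shared by several versions is encrypted and stored only once.
            chunk_key = hashlib.sha256(b"chunk-key|" + chunk).digest()
            self.chunks.setdefault(cid, prf_xor(chunk_key, cid, chunk))
            manifest.append((cid, prf_xor(ckey_v, b"wrap|" + cid, chunk_key)))
        self.manifests[version] = manifest
        self.control_keys[version] = ckey_v

    def restore_version(self, version: str) -> bytes:
        if version not in self.control_keys:
            raise PermissionError(f"version {version!r} was assuredly deleted")
        ckey_v = self.control_keys[version]
        plain = b""
        for cid, wrapped in self.manifests[version]:
            chunk_key = prf_xor(ckey_v, b"wrap|" + cid, wrapped)
            plain += prf_xor(chunk_key, cid, self.chunks[cid])
        return plain

    def delete_version(self, version: str) -> None:
        """Assured deletion: only the control key is destroyed; ciphertext may linger."""
        del self.control_keys[version]
```

Chunks shared with a surviving version stay readable through that version's manifest, which is exactly the compatibility between versioning and assured deletion that the text describes.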
5. Cloud data protection for masses
The cloud offers lower costs, scaling, easier maintenance, and service availability, but the key challenge for the cloud is to keep data secure. In order to improve the security and privacy of user data, a new cloud computing paradigm named data-protection-as-a-service has been proposed.
Data protection as a service (DPaaS) enforces fine-grained access control policies on data units through application confinement and information flow checking. It employs cryptographic protections and offers robust logging and auditing to provide accountability. It also reduces the per-application development effort required to offer data protection while still allowing rapid development and maintenance. Cloud platform providers have to offer DPaaS alongside the existing hosting environment.
CONCLUSION
Mobile phones have many uses, and hence carry many risks. Remotely wiping data from lost smartphones is a good approach to controlling the loss of sensitive data, and a few mechanisms implementing this strategy have been proposed. These techniques provide a good way of wiping the sensitive data on stolen smartphones, but they also have some disadvantages. Some techniques can be combined to get the best of each.
FUTURE WORK
All the anti-theft mechanisms have some disadvantages. Two possible solutions that might be feasible are:
1. To have an internal SIM so that it cannot be seen and removed.
2. To store all the data on the normal SIM card, so that as soon as the SIM card is removed no data can be seen on the mobile phone, as the data stays with the SIM card.
RELATED WORK
Remotely erasing data on smartphones is becoming very important for removing sensitive data, and many anti-theft schemes have been proposed. CleanOS [6] is designed to limit mobile data exposure with idle eviction. SafeCode [7] is designed to safeguard the security and privacy of user data on stolen iOS devices using a PIN-based security mechanism. SMS [9] provides a model for remote access and protection of smartphones using the short message service. The remote control system of [8] is designed for data protection and backup in mobile devices. Remote lock and wipe with integrity checking [10] erases the data by sending lock and wipe commands to smartphones from a remote machine, with integrity checking of the commands. But all these mechanisms require an internet connection or a cellular network connection. To overcome this, the use of the emergency call mechanism [5] has been proposed. This approach uses the emergency call channel to establish a connection with a service provider in order to verify the state of the phone and perform the remote action. There are some general techniques as well which can be used for mobile devices. Shredding [11] uses secure deallocation to reduce the lifetime of sensitive data in memory. Vanish [12] uses a self-destructing data model for protecting data privacy, and SafeVanish [13] is an extension of Vanish. Keypad [14] is an auditing file system for theft-prone devices. The revocable backup system [15] enables users to remove files from both the file system and all backup tapes.
REFERENCES
[1] Hossein Falaki, Ratul Mahajan, Srikanth Kandula, Dimitrios Lymberopoulos, Ramesh Govindan, Deborah Estrin. "Diversity in smartphone usage". Proceedings of the 8th International Conference on Mobile Systems, Applications, and Services (MobiSys), ISBN: 978-1-60558-985-5.
[2] Patrick Traynor et al. "From mobile phones to responsible devices". Security and Communication Networks, Wiley, Vol. 4, Issue 6, 2011.
[3] Andrews, W. "The smartphone and its risks". RSM McGladrey, 2009.
[4] Iulia Ion, Niharika Sachdeva, Ponnurangam Kumaraguru, and Srdjan Čapkun. "Home is safer than the cloud!: privacy concerns for consumer cloud storage". In Proceedings of the Seventh Symposium on Usable Privacy and Security (SOUPS), page 13. ACM, 2011.
[5] Xingjie Yu, Zhan Wang, Kun Sun, Wen Tao Zhu, Neng Gao, Jiwu Jing. "Remotely Wiping Sensitive Data on Stolen Smartphones". In Proceedings of the 9th ACM Symposium on Information, Computer and Communications Security (ASIACCS).
[6] Yang Tang, Phillip Ames, Sravan Bhamidipati, Ashish Bijlani, Roxana Geambasu, and Nikhil Sarda. "CleanOS: Limiting mobile data exposure with idle eviction". In Proceedings of the USENIX Conference on Operating Systems Design and Implementation (OSDI), Berkeley, CA, USA, 2012.
[7] Avinash Srinivasan and Jie Wu. "SafeCode: Safeguarding Security and Privacy of User Data on Stolen iOS Devices". In Cyberspace Safety and Security, pages 11-20. Springer, 2012.
[8] Inwhee Joe and Yoonsang Lee. "Design of remote control system for data protection and backup in mobile devices". In Interaction Sciences (ICIS), 2011 4th International Conference on, pages 189-193. IEEE, 2011.
[9] Senthilraja R., G. Aghila Kuppusamy. "A model for remote access and protection of smartphones using short message service". International Journal of Computer Science, Engineering and Information Technology (IJCSEIT), Vol. 2, No. 1, February 2012.
[10] Kyungwhan Park, Gun Il Ma, Jeong Hyun Yi, Youngseob Cho, Sangrae Cho, Sungeun Park. "Smartphone Remote Lock and Wipe System with Integrity Checking of SMS Notification". Consumer Electronics (ICCE), 2011 IEEE International Conference on, 9-12 Jan. 2011, pages 263-264.
[11] Jim Chow, Ben Pfaff, Tal Garfinkel, Mendel Rosenblum (Stanford University, Department of Computer Science). "Shredding Your Garbage: Reducing Data Lifetime through Secure Deallocation". In SSYM'05: Proceedings of the 14th USENIX Security Symposium, Volume 14, page 22.
[12] Roxana Geambasu, Tadayoshi Kohno, Amit Levy, Henry M. Levy. "Vanish: Increasing Data Privacy with Self-Destructing Data". In Proceedings of the 18th USENIX Security Symposium, Montreal, Canada, August 2009.
[13] Roxana Geambasu, Tadayoshi Kohno, Arvind Krishnamurthy, Amit Levy, Henry M. Levy, Paul Gardner, and Vinnie Moscaritolo. "New Directions for Self-destructing Data". Technical Report UW-CSE-11-08-01, University of Washington, 2011.
[14] Roxana Geambasu, John P. John, Steven D. Gribble, Tadayoshi Kohno, and Henry M. Levy. "Keypad: An Auditing File System for Theft-prone Devices". In Proceedings of the European Conference on Computer Systems (EuroSys), Salzburg, Austria, April 2011.
[15] Dan Boneh and Richard J. Lipton. "A Revocable Backup System". In Proceedings of the USENIX Security Symposium, 1996.
[16] Roxana Geambasu, Steven D. Gribble, Henry M. Levy. "CloudViews: Communal Data Sharing in Public Clouds". In Proceedings of the First USENIX Workshop on Hot Topics in Cloud Computing (HotCloud), San Diego, USA, June 2009.
[17] M. Henze, L. Hermerschmidt, D. Kerpen, R. Häußling, B. Rumpe, K. Wehrle. "User-driven Privacy Enforcement for Cloud-based Services in the Internet of Things". The 2nd International Conference on Future Internet of Things and Cloud (FiCloud-2014). www.se-rwth.de/publications
[18] Yunchuan Sun, Junsheng Zhang, Yongping Xiong, and Guangyu Zhu. "Data Security and Privacy in Cloud Computing". International Journal of Distributed Sensor Networks, Volume 2014, Article ID 190903, 9 pages. Hindawi Publishing Corporation. http://dx.doi.org/10.1155/2014/190903
[19] Arthur Rahumed, Henry C. H. Chen, Yang Tang, Patrick P. C. Lee, and John C. S. Lui. "A Secure Cloud Backup System with Assured Deletion and Version Control". Parallel Processing Workshops (ICPPW), 2011 40th International Conference on, pages 160-167, 2011. DOI: 10.1109/ICPPW.2011.17
[20] Dawn Song, Elaine Shi, Ian Fischer and Umesh Shankar. "Cloud Data Protection for the Masses". IEEE Computer, Volume 45, Issue 1, January 2012, pages 39-45.
[21] "Smart phone thefts rose to 3.1 million last year, Consumer Reports finds. Industry solution falls short, while legislative efforts to curb theft continue". http://www.consumerreports.org/cro/news/2014/04/smart-phone-thefts-rose-to-3-1-million-last-year/index.htm