@inproceedings{d725fa2fc04f4685af4c814f8ab7364c,
title = "Location-leaking through Network Traffic in Mobile Augmented Reality Applications",
abstract = "Mobile Augmented Reality (AR) applications allow the user to interact with virtual objects positioned within the real world via a smart phone, tablet or smart glasses. As the popularity of these applications grows, recent researchers have identified several security and privacy issues pertaining to the collection and storage of sensitive data from device sensors. Location-based AR applications typically not only collect user location data, but transmit it to a remote server in order to download nearby virtual content. In this paper we show that the pattern of network traffic generated by this process alone can be used to infer the user's location. We demonstrate a side-channel attack against a widely available Mobile AR application inspired by Website Fingerprinting methods. Through the strategic placement of virtual content and prerecording of the network traffic produced by interacting with this content, we are able to identify the location of a user within the target area with an accuracy of 94%. This finding reveals a previously unexplored vulnerability in the implementation of Mobile AR applications and we offer several recommendations to mitigate this threat.",
keywords = "Augmented Reality, data privacy, mobile applications",
author = "Gabriel Meyer-Lee and Jiacheng Shang and Jie Wu",
note = "Funding Information: VII. CONCLUSION While our localization method for WallaMe comes with several qualifications, the 93.8% raw localization accuracy and 97.3% adjusted location accuracy achieved for Scenario 1 clearly that network traffic analysis techniques can be used to tie network traffic patterns to physical locations. The 94.8% adjusted accuracy found for Scenario 2 shows that this method can absolutely be used to establish automated localization of a WallaMe user within a fixed area. As AR technology spreads and increases in popularity, this threat that this attack poses will only increase. This threat can be mitigated, however, through responsible design by developers of location-based AR applications. These developer should build in measures to decorrelate the network traffic from the physical location of their users, such as download padding or probabilistic downloads of nearby AR content. Developers of AR technology must consider the network traffic of the device to be sensitive data, in addition to the personally identifiable information communicated via that network, and provide reasonable restrictions to the access of this data. ACKNOWLEDGMENTS This research was supported in part by NSF grants CNS 1757533, CNS 1629746, CNS 1564128, CNS 1449860, CNS 1461932, CNS 1460971, and IIP 1439672. Funding Information: This research was supported in part by NSF grants CNS 1757533, CNS 1629746, CNS 1564128, CNS 1449860, CNS 1461932, CNS 1460971, and IIP 1439672. Publisher Copyright: {\textcopyright} 2018 IEEE.; null ; Conference date: 17-11-2018 Through 19-11-2018",
year = "2018",
month = jul,
day = "2",
doi = "10.1109/PCCC.2018.8711065",
language = "English",
series = "2018 IEEE 37th International Performance Computing and Communications Conference, IPCCC 2018",
publisher = "Institute of Electrical and Electronics Engineers Inc.",
booktitle = "2018 IEEE 37th International Performance Computing and Communications Conference, IPCCC 2018",
}