Malware exploits a vulnerability in Google's voice system: Android phones "talk to themselves" and leak private data

A research team led by Zhang Kehuan, Assistant Professor in the Department of Information Engineering, Faculty of Engineering, CUHK, is the first to discover a security vulnerability in the Android voice assistant system. They designed a malicious program, "VoicEmployer", which can control a phone that is still password-protected. After launching Google Voice Search, the program plays malicious voice commands through the loudspeaker so that the phone asks and answers itself, driving it to carry out all kinds of instructions: calling a specified number, sending SMS messages or emails in the user's name, and even querying the voicemail, calendar entries and current location stored on the phone, thereby tracking the user's whereabouts.

Date: Friday, July 10, 2015
Media: Apple Daily

Security loopholes in Android OS, social media putting 550m users' data at risk, Hong Kong researchers say

Over 550 million people worldwide are at risk of having their data hacked due to security loopholes in the Android phone or social media platforms they use, researchers in Hong Kong claim.  Hackers can use malware to tap into Google Voice Search, the voice assistant module that is pre-installed on some Android devices, without the owner needing to ever activate the software, according to Professor Zhang Kehuan at the Chinese University of Hong Kong (CUHK)’s information engineering department.

Date: Friday, July 10, 2015
Media: South China Morning Post

CUHK reveals Android security loophole; privacy of over a hundred million users worldwide at risk

Smartphones offer many functions, but more and more security loopholes are being uncovered and they are hard to guard against. A CUHK study found that social platforms and the voice system built into Android both contain major security loopholes, with hundreds of millions of users estimated to be affected. Android's built-in voice system has become a new attack channel for hackers, who can, without the user's knowledge, compromise an app on the user's phone and remotely instruct the voice system to read out the user's personal data, schedule and more, leaving their privacy completely exposed. An estimated 500 million or more phone and tablet users worldwide are affected, and the team says the problem can only be resolved once an official new version is released.

Date: Friday, July 10, 2015
Media: am730

Android and social networks: CUHK reveals security loopholes

The online world holds a wealth of information, but obtaining it also carries the risk of leaks. A research team from the Department of Information Engineering at CUHK found that the voice system of the Android platform and social networking sites contain major security loopholes; hackers can steal users' personal data and messages while users are unaware, and hundreds of millions of users worldwide are expected to be affected. Zhang Kehuan said the problem has been reported to Google, and Google has already fixed part of it. If a user's phone is in the locked state, hackers cannot attack it. The team studied twelve mainstream social networking sites and found that eight of them had related problems. Lau said they have advised the relevant social networking providers to strengthen security and are applying for funding, hoping to build a testing platform within the next one to two years so that social networking sites and app providers can test the security of their sites and apps.

Date: Friday, July 10, 2015
Media: Oriental Daily News

Academics reveal loopholes in phones and social networks; hackers remotely control voice function to steal private data

Research by two professors from the Department of Information Engineering at CUHK found that the built-in voice "assistant" function of the Android smartphone system, and the systems by which many social platforms authorise third parties to obtain user data, both have security loopholes. Through the Android loophole, hackers can obtain the user's calendar and phone book, and even impersonate the user to send SMS messages, make calls or send emails. The authorisation systems of social networking sites, meanwhile, allow hackers to pose as applications and steal users' personal data. The academics said many organisations have already made corrections after receiving the reports, but still advise the public not to upload sensitive data to social networking sites.

Date: Friday, July 10, 2015
Media: Ming Pao Daily News

Information Engineering Professors Revealed Sweeping Security Loopholes in Mobile Devices and Social Media

Date: 2015-07-09

Research teams of the Department of Information Engineering have recently revealed serious security loopholes in Android devices and social media. The findings, presented at the ACM Conference on Computer and Communications Security 2014 and Black Hat USA 2014, have drawn wide attention in the research community, industry and media.

Security Loophole in Android Voice Assistant 

Professor ZHANG Kehuan, Assistant Professor, Department of Information Engineering, and his research team have identified a serious vulnerability in the Android built-in voice assistant module. Zero-permission malware installed on a user's smartphone could bring Google Voice Search to the foreground and play voice commands in the background. Through the voice feedback from Google Voice Search, a remote attacker could steal a user's private data without being noticed. This attack method bypasses the Android permission protection mechanism. It is estimated that over 550 million Android phone and tablet users are under threat.

Professor Zhang's team found that the zero-permission malware, named VoicEmployer, once installed on a user's device, could invoke the Voice Dialer mode of Google Voice Search even when the device is locked with a password. Through voice dialing commands, VoicEmployer can make phone calls to arbitrary numbers. The attacker can even send voice commands that make the victim's device send SMS/email and reveal the user's private data (such as voicemail, calendar, location, etc.). For example, if the attacker sends the voice command 'what is my next meeting?', Google Voice Search, after recognizing the command, may respond with voice feedback such as 'your next calendar entry is ...'.

Professor Zhang said, 'We have reported this vulnerability and the corresponding attack schemes to the Google Security Team. The problem has been partly fixed in the subsequent versions of Google Voice Search. We suggest that smartphone users use applications provided by the official stores only and not install applications from untrusted sources.'

Security Problems in Authentication Protocol of Social Media

Professor LAU Wing-cheong, Associate Professor, Department of Information Engineering, and his graduate students, HU Pili and YANG Ronghai, have revealed a series of security problems in the design, implementation and practical deployment of the Open Authentication protocol (OAuth 2.0), which is widely adopted by online social networks (OSN) worldwide. By exploiting the vulnerabilities, hackers can pass themselves off as application developers and harvest the personal data of over 100 million users within a short period of time.

The OAuth 2.0 protocol has been widely adopted by OSN providers since its inception. Professor Lau's team has recently discovered that it is vulnerable to the so-called App impersonation attack because it offers multiple authorization flows and token types. Based on their study of 12 major OSN providers, the team found that App impersonation via OAuth 2.0, when combined with additional application programming interface (API) design features or deficiencies, enables large-scale exploitation and privacy leaks. For example, it becomes possible for an attacker to completely crawl an OSN with more than 100 million users within a short period of time and harvest data such as status lists and friend lists that are expected to be private.

Professor Lau's team has developed an automatic testing tool, OAuthTester, to systematically test the security of various applications and social media. It found that OAuth-related vulnerabilities are widespread. Professor Lau said, 'Our findings show that it is urgent for industrial practitioners to review their OAuth system design to protect users' privacy. We have informed all the affected OSN providers and proposed solutions that can be readily deployed.'

CUHK Named World’s Most Impactful Research Institution in Telecoms 

CUHK has recently been named by Thomson Reuters as one of the 10 research institutions in the world with the most impact on telecommunications. Alongside US and European universities, it is the only Asian institution on the list. The recognition was given to the 10 institutions with the highest citation impact (research papers most highly cited by peers, indicating global influence) from 2004 to 2014. Details of the ranking are available in Thomson Reuters' global innovation report 'The Future Is Open: 2015 State of Innovation'.

CUHK embarked on telecommunications research in 1970 when former Vice-Chancellor Professor Charles KAO founded the Department of Electronic Engineering. Professor Kao was the innovator of the groundbreaking optical fibre communication that changed the world, and at the same time he built a long-term research strategy at CUHK focusing on electronic engineering as well as information and communications technologies. Today, both the Department of Electronic Engineering and the Department of Information Engineering are making great strides in the theory and application of telecommunications and network research, including but not limited to fibre-optic communications, wireless communications, network coding and network security.

Prof. LAU Wing-cheong (left) and Prof. ZHANG Kehuan revealed sweeping security loopholes in mobile devices and social media.


CUHK telecommunications research ranked among the world's top ten

CUHK has recently been selected by Thomson Reuters as one of the world's ten most influential universities in telecommunications research, and is also the only university in the Asia-Pacific region on the list. Thomson Reuters used the impact of papers published in the telecommunications field by each research institution between 2004 and 2014 as the selection criterion; the academic research of the selected institutions is widely cited by fellow scholars. Raymond Yeung Wai-ho (楊偉豪) went on to say that, in data transmission in particular, he and Professor Lau Siu-keung (劉紹強) of the Department of Information Engineering had successfully co-developed two innovative network coding technologies, solving the problems of electromagnetic interference during data transmission and of wireless transmission

Date: Tuesday, July 7, 2015
Media: Hong Kong Commercial Daily

University makes right connections in communications

The Chinese University of Hong Kong has been named one of the world's top 10 research institutions with the most impact on communications. Its Department of Information Engineering was the only Asian institution on the Thomson Reuters list of institutions whose research papers are the most highly cited by peers. "I am very pleased to see that our research performance and applications in telecommunications are outstanding and well above international standards," said department chairman Chiu Dah-ming. Chiu said that the faculty has always been committed to strengthening research in fibre-optic communications, wireless communications, digital signal processing and information theory.

Date: Friday, July 3, 2015
Media: The Standard

Using engineering science to explore and repair the structures of life

The structures of life are intricate and beautiful; from the macroscopic anatomy and physiology of organs to the molecular biology of cellular nanostructures, breathtaking examples abound. Take one example: the mechanical design of joints. When an ordinary person walks, the joints of the lower limbs (such as the hip joint) are frequently loaded with up to three times the body weight. Everyday movements such as running, turning, stopping, climbing, descending and squatting involve complex kinetics, and joint loads can reach five or six times the body weight.

Date: Wednesday, June 17, 2015
Media: eTVonline

Best Student Paper Award Featured in WiOpt 2015

Date: 2015-07-01

A Game-Theoretic Analysis of User Behaviors in Crowdsourced Wireless Community Networks

The Network Communications and Economics Lab (NCEL), led by Prof. Jianwei Huang, Department of Information Engineering, CUHK, has recently completed a comprehensive analysis of user behaviors in crowd-sourced Wi-Fi community networks. The research team, comprising Miss Qian MA, Dr. Lin GAO and Prof. Jianwei Huang, demonstrated that such a novel Wi-Fi network scenario can expand Wi-Fi coverage at low cost by incentivizing individual users to share their private home Wi-Fi Access Points (APs) with each other. This work won the Best Student Paper Award at IEEE WiOpt 2015, a leading wireless conference focusing on the modeling and optimization of wireless networks.

Driven by the explosive growth of smart mobile devices (such as smartphones and tablets) and bandwidth-hungry applications (such as mobile video streaming and Web/File/VoIP), Wi-Fi networks are playing an increasingly important role in carrying a significant amount of mobile data traffic. According to the Cisco VNI forecast, by 2019 Wi-Fi networks will carry 54% of smartphone traffic and 70% of tablet traffic. The fast growth of Wi-Fi technology and networks is due to several factors, including the low cost of Wi-Fi APs, simple installation, easy management, and high data rates. However, the deployment of large-scale and seamless Wi-Fi networks is often restricted by the limited coverage of each single Wi-Fi AP (typically tens of meters indoors). Hence, despite the low cost of each Wi-Fi AP, it is often very expensive to deploy enough Wi-Fi APs to cover a large area such as a city or a nation entirely.

The crowd-sourced Wi-Fi community network is a promising solution for expanding Wi-Fi coverage at low cost. The key idea is to encourage individuals (users) to share their privately owned Wi-Fi APs with each other, thereby crowdsourcing the coverage of these private Wi-Fi APs. Such a novel network scenario can fully utilize the capacity of millions of private Wi-Fi APs already installed, reducing the need for new installations by any single operator. Meanwhile, each user also benefits from joining such a community network, as he can use not only his own AP when at home but also other users' APs when traveling.

One prominent commercial example of such a Wi-Fi community network is FON, the world's largest Wi-Fi operator, which had more than 15 million member Wi-Fi APs globally by May 2015. In FON, the operator incentivizes its customers (users) to share their private home APs with others through two different incentive schemes, corresponding to two kinds of membership: Linus and Bill. As a Linus, a user can use other FON members' APs free of charge, but receives no compensation when other users access his AP. As a Bill, a user pays for using other APs, and in return receives compensation when other users access his AP. Moreover, the community network is also open to users who do not own APs, often called Aliens, who pay for using any AP in the FON network.

Clearly, the success of such a crowd-sourced Wi-Fi network depends greatly on the active participation and contributions of many individual users with private Wi-Fi APs, and hence requires the careful design of a proper economic incentive mechanism. Through the study of user behaviors in crowd-sourced wireless community networks, Prof. Jianwei Huang and his team hope to gain insight into the underlying economic principles of such networks, provide guidelines for operators designing pricing and incentive mechanisms, and eventually promote the long-term and sustainable development of this novel network scenario.

User Behavior Analysis in the Crowd-sourced Wi-Fi Community Network

A comprehensive analysis of user behaviors is essential for the success of a crowd-sourced Wi-Fi community network. The CUHK research team proposes a two-stage dynamic game model to study user behaviors, where stage I is the users' membership selection and stage II is the users' Wi-Fi connection time decisions. In this model, users choose the Linus or Bill membership in stage I by comparing the achievable benefits under the two memberships. Then in stage II, users decide how long to connect to each Wi-Fi AP they visit while traveling, taking network congestion into consideration. The study explores how different users make different decisions in their membership selection and network connections. The results show that a user with a more popular home location, a shorter travel time, or a lower valuation of network access is more likely to choose the Bill membership. The results also show that a Wi-Fi AP with a higher data rate or a lower price will attract users to connect to it for a longer time.

Through the two-stage dynamic game model, users are able to make the best choice of membership when joining the crowd-sourced network, and the best choice of Wi-Fi connection time when roaming at others' APs, taking the network congestion level into account. The community network operator, in turn, is able to design the best pricing and incentive mechanism, achieving a win-win situation.

About Network Communications and Economics Lab

The Network Communications and Economics Lab (NCEL) was formed in 2007 by Prof. Jianwei Huang, focusing on interdisciplinary research across communications, networking, and economics. The NCEL team has published around 180 papers in top international journals and conferences, with around 5000 citations in total. NCEL's research results have received 8 Best Paper Awards at international venues, including the 2011 IEEE Marconi Prize Paper Award in Wireless Communications from the IEEE Communications Society and IEEE Signal Processing Society. Four papers from NCEL are among the ESI Highly Cited Papers in the field of Computer Science, i.e. the top 1% of papers by citations within the field according to Essential Science Indicators from Web of Science.

The co-authors of this award-winning work also include Ms. Qian Ma, Dr. Lin Gao, and Prof. Yafeng Liu (Chinese Academy of Sciences). Ms. Ma is a PhD student under the supervision of Prof. Jianwei Huang. Dr. Lin Gao is a Postdoctoral Research Fellow in Prof. Jianwei Huang's team, and received Best Paper Awards from IEEE WiOpt in 2015, 2014, and 2013.

(from left) Prof. Jianwei Huang, Miss Qian Ma, and Dr. Lin Gao
