《计算机网络》课程教学资源（学习资料）Security and privacy issues of handheld and wearable wireless devices

74 September 2003/Vol. 46, No. 9 COMMUNICATIONS OF THE ACM

SECURITYAND PRUACY ISSUES of handheld and wearable wireless devices le are surrounded by a variety of appliances impor tant for our daily lives and that require our con- BY ROBERTO DI PIETRO stant attention, such as a wearable heart rate AND LUIGI V MANCINI monitor, a car outfitted with multiple sensors,a PDA, or a cell phone possibly equipped with a THE DISTINGUISHED GPS device. A few of these appliances can currently communicate with each other; their clever, simple, and CAPABILITIES OF ultimate integration is the dream of every user. THESE DEVICES Many consumers would buy new devices to fulfill such a dream Consider this scenario: One of the processors embedded in your car ARE ALSO THE VERY could signal your PDA that it's time for an oil change. The request REASONS THEY for an appointment is simultaneously received by your cell phone, which interacts transparently with the PDA to schedule both the REQUIRE SECURITY appointment and the oil change. This example indicates how hand held/wearable wireless(HWW) devices are particularly useful if they AND PRIVACY could directly interact with other appliances. To achieve such a goal, PROTECTIONS OF AN frequent communication must occur in a manner transparent to the user. This continuous activity constitutes a serious breach in the UNPRECEDENTED user's privacy and security, and could increase the possibility of theSCALE user being physically located, regardless of his/her actions. Here, we illustrate how the user's privacy and security appears at risk under HWW interoperability model Due to their small size and mobility requirements, the design and implementation of Hww devices must consider the following con- ILLUSTRATION BY TERRY MIURA COMMUNICATIONS OF THE ACM September 2003/VoL 46. No 9

COMMUNICATIONS OF THE ACM September 2003/Vol. 46, No. 9 75 We are surrounded by a variety of appliances impor￾tant for our daily lives and that require our con￾stant attention, such as a wearable heart rate monitor, a car outfitted with multiple sensors, a PDA, or a cell phone possibly equipped with a GPS device. A few of these appliances can currently communicate with each other; their clever, simple, and ultimate integration is the dream of every user. Many consumers would buy new devices to fulfill such a dream. Consider this scenario: One of the processors embedded in your car could signal your PDA that it’s time for an oil change. The request for an appointment is simultaneously received by your cell phone, which interacts transparently with the PDA to schedule both the appointment and the oil change. This example indicates how hand￾held/wearable wireless (HWW) devices are particularly useful if they could directly interact with other appliances. To achieve such a goal, frequent communication must occur in a manner transparent to the user. This continuous activity constitutes a serious breach in the user’s privacy and security, and could increase the possibility of the user being physically located, regardless of his/her actions. Here, we illustrate how the user’s privacy and security appears at risk under any HWW interoperability model. Due to their small size and mobility requirements, the design and implementation of HWW devices must consider the following con￾The distinguished capabilities of these devices are also the very reasons they require security and privacy protections of an unprecedented scale. SECURITY AND PRIVACY ISSUES illustration by terry miura of Handheld and Wearable Wireless Devices By Roberto Di Pietro and Luigi V. Mancini

straints [2]: battery depletion--while a PC is usually plugged, an HWw device may not be, thus energy- saving requirement must be addressed; hardware con- straints--small amount of RAM, slow processors, and usually no mass storage; limited communication range-the extent of the area covered by the wireless transmissions is usually limited both for technological reasons and for the energy-saving considerations; and transient communication--because of the mobility of the devices, the network can experience a high rate of communication failures The advertising of services, and the cooperation among HWW devices, requires a careful analysis of both technological and nontechnological issues. The technological issues to be addressed include the protocols, the algorithms, and the communication infrastructure to be employed. The main nontechno- logical issues include the design of new regulations for this virtually global environment, since the users per sonal privacy and security may be more exposed than WIRELESS hey day [1 Here, we discuss two models for the HWW para- gm along with the prevalent security issues and user COMMUNICATIONS privacy. concerns make physical HW Network Models he concept of Web presence [10] can be eavesdropping almost defined by transposing the services on the Web that a physical object offers, and by undetectable adding transparent communications to other imilar abstractions present in the Web Flat Web presence. Web presence requires the solution of major research problems. Consider, for example, the implementation of the anywhere- anytime paradigm for the HWw devices, which requires protocols and algorithms to provide wide spread access to an open set of services supplied by almost every useful HWw device [10]. A HWW device must resort to some sort of intelligent, context- aware agent [8 that should prune the services deemed worthless to a particular user. The pru process should also decrease the overall traffic thus resulting in savings in both communications and battery consumption The feasibility of this scenario Ires a netwo infrastructure pervasive and distributed to an extent not experienced by the Internet to date. Hierarchical Web presence. Restricting the scope of the Web presence of a service can reduce the com plexity and the traffic load of the previously described network infrastructure. The hierarchical Web pres ence is based solely on local interoperability among HWW devices. Multihop communications are allowed on demand by relaying on some sort of back- OF THE ACM

76 September 2003/Vol. 46, No. 9 COMMUNICATIONS OF THE ACM straints [2]: battery depletion—while a PC is usually plugged, an HWW device may not be, thus energy￾saving requirement must be addressed; hardware con￾straints—small amount of RAM, slow processors, and usually no mass storage; limited communication range—the extent of the area covered by the wireless transmissions is usually limited both for technological reasons and for the energy-saving considerations; and transient communication—because of the mobility of the devices, the network can experience a high rate of communication failures. The advertising of services, and the cooperation among HWW devices, requires a careful analysis of both technological and nontechnological issues. The technological issues to be addressed include the protocols, the algorithms, and the communication infrastructure to be employed. The main nontechno￾logical issues include the design of new regulations for this virtually global environment, since the user’s per￾sonal privacy and security may be more exposed than they are today [1]. Here, we discuss two models for the HWW para￾digm along with the prevalent security issues and user privacy concerns. HWW Network Models T he concept of Web presence [10] can be defined by transposing the services on the Web that a physical object offers, and by adding transparent communications to other similar abstractions present in the Web. Flat Web presence. Web presence requires the solution of major research problems. Consider, for example, the implementation of the anywhere￾anytime paradigm for the HWW devices, which requires protocols and algorithms to provide wide￾spread access to an open set of services supplied by almost every useful HWW device [10]. A HWW device must resort to some sort of intelligent, context￾aware agent [8] that should prune the services deemed worthless to a particular user. The pruning process should also decrease the overall traffic load, thus resulting in savings in both communications and battery consumption. The feasibility of this scenario requires a network infrastructure pervasive and distributed to an extent not experienced by the Internet to date. Hierarchical Web presence. Restricting the scope of the Web presence of a service can reduce the com￾plexity and the traffic load of the previously described network infrastructure. The hierarchical Web pres￾ence is based solely on local interoperability among HWW devices. Multihop communications are allowed on demand by relaying on some sort of back￾WIRELESS COMMUNICATIONS make physical eavesdropping almost undetectable

bone. Such an approach simplifies the design of the HWw paradigm while pointing out the potential network infrastructure preserving the push paradigm limitations in their use among directly connected HWw devices. The access Cryptography. The two types of cryptography o nonlocal services is on demand only, and follows currently available are symmetric and public-key cryp the pull paradigm. The backbone supports the look- tography(PKC). In symmetric cryptography, two up function for remote services devices must share their secret key in order to com- Direct interoperability. Both models presented municate securely. Thus two points arise: How to ere must support direct interoperability, which is exchange the secret key securely; and if n devices must how the hww devices interact when in direct com- communicate with each other. a total number of munication range. The direct interoperability requires O(?)secret keys must be exchanged. The manage- the provision of several functionalities that include ment of such a number of secret keys should consider service discovery-the HWw devices look for possi- the scalability issues ble services providers in their direct communication In PKC, both the aforementioned problems are range; service advertising-the HWw devices offer solved, since the partners in the communication do their services to other HWw devices(a push para- not require exchanging any secret keys digm seems more suitable to implement such a service According to these considerations, PKC eems the 3]); and service providingthe HWw devices ideal candidate to enforce confidentiality. Indeed, deliver the offered service many security mechanisms in the wired paradigm are The possible implementation choices may depend based on such technology [6]. However, such a solu on the resources the devices can dispose of. Note tion does not fit the Hww paradigm, since the com that the availability of an Object Request Broker putation needed to encrypt and decrypt messag (ORB) paradigm can simplify the design of all three using PKC is overwhelming with respect to the com- putation required by symmetric cryptography. This fact renders PKC infeasible for the HWw paradign Security Challenges due to the poor processing power of the HWw he successful deployment of Hww devices device. Indeed, the amount of time required to requires a satisfactory level of security. To encrypt/decrypt could be the bottleneck of the sys- certain extent, it seems reasonable to export tem. Moreover, the required computation contradicts the solutions identified for the wired envi- the need to save battery power. ronment in the wireless field. However, this Thus, symmetric cryptography should be used in approach is not always feasible because of the differ- the Hww paradigm even with the drawback that ences between the two models. For example, because symmetric cryptography implies, such as the key of the hardware limitations of the HWW devices, no exchange and the key-refresh issues [3. 5 large routing tables can be maintained on these Message Authentication Code(MAC). The idea devices, thus increasing the risk of a denial-of-service underlying MAC is the sender obtains a digital fin- attack. Moreover, the attacks that require access to gerprinting f of a message m by applying a one-way the physical media are simpler. Indeed, wireless com- hash function to m. If the fingerprint received with munications make physical eavesdropping almost the message matches the one recalculated by the receiver, then the received message has not been mod Despite their differences, the two models share ified during the transmission and is kept, otherwise three basic security requirements: confidentiality- the message is discarded information is disclosed only to legitimate entities or As for digital fingerprint implementations, two processes; integrity--unauthorized modification of standards--MD5 and SHA-1--are leading the pack. information is prevented; and availability--autho- Note that custom solutions to digital fingerprinting, if rized entities can access a service provided they have not carefully devised, could result in a weak MAC, for the wireless tion Code(MAC)and cryptography, and availability evolve pl.suggs These issues have been enforced through different work field demonstrate [1] architectural choices. The wired paradigm can deliver Access control. We can identify two main subtasks confidentiality through the use of access control tech- related to an issue: authentication among niques [12] and the use of cryptography; integrity devices, and grant and revoke of privileges; how to through the combined use of a Message Authentica- assign permissions and how this set of permissions can through the implementation of service replication For the wired paradigm, these issues are covered in Here, we present the mechanisms suitable to the [6, 12]. Due to their hardware constraints, access con- COMMUNICATIONS OF THE ACM September 2003/Vol 46. No 9 77

COMMUNICATIONS OF THE ACM September 2003/Vol. 46, No. 9 77 bone. Such an approach simplifies the design of the network infrastructure preserving the push paradigm among directly connected HWW devices. The access to nonlocal services is on demand only, and follows the pull paradigm. The backbone supports the look￾up function for remote services. Direct interoperability. Both models presented here must support direct interoperability, which is how the HWW devices interact when in direct com￾munication range. The direct interoperability requires the provision of several functionalities that include service discovery—the HWW devices look for possi￾ble services providers in their direct communication range; service advertising—the HWW devices offer their services to other HWW devices (a push para￾digm seems more suitable to implement such a service [3]); and service providing—the HWW devices deliver the offered service. The possible implementation choices may depend on the resources the devices can dispose of. Note that the availability of an Object Request Broker (ORB) paradigm can simplify the design of all three functionalities. Security Challenges T he successful deployment of HWW devices requires a satisfactory level of security. To certain extent, it seems reasonable to export the solutions identified for the wired envi￾ronment in the wireless field. However, this approach is not always feasible because of the differ￾ences between the two models. For example, because of the hardware limitations of the HWW devices, no large routing tables can be maintained on these devices, thus increasing the risk of a denial-of-service attack. Moreover, the attacks that require access to the physical media are simpler. Indeed, wireless com￾munications make physical eavesdropping almost undetectable. Despite their differences, the two models share three basic security requirements: confidentiality— information is disclosed only to legitimate entities or processes; integrity—unauthorized modification of information is prevented; and availability—autho￾rized entities can access a service provided they have appropriate privileges. These issues have been enforced through different architectural choices. The wired paradigm can deliver confidentiality through the use of access control tech￾niques [12] and the use of cryptography; integrity through the combined use of a Message Authentica￾tion Code (MAC) and cryptography; and availability through the implementation of service replication. Here, we present the mechanisms suitable to the HWW paradigm while pointing out the potential limitations in their use. Cryptography. The two types of cryptography currently available are symmetric and public-key cryp￾tography (PKC). In symmetric cryptography, two devices must share their secret key in order to com￾municate securely. Thus two points arise: How to exchange the secret key securely; and if n devices must communicate with each other, a total number of O(n2 ) secret keys must be exchanged. The manage￾ment of such a number of secret keys should consider the scalability issues. In PKC, both the aforementioned problems are solved, since the partners in the communication do not require exchanging any secret keys. According to these considerations, PKC seems the ideal candidate to enforce confidentiality. Indeed, many security mechanisms in the wired paradigm are based on such technology [6]. However, such a solu￾tion does not fit the HWW paradigm, since the com￾putation needed to encrypt and decrypt messages using PKC is overwhelming with respect to the com￾putation required by symmetric cryptography. This fact renders PKC infeasible for the HWW paradigm due to the poor processing power of the HWW device. Indeed, the amount of time required to encrypt/decrypt could be the bottleneck of the sys￾tem. Moreover, the required computation contradicts the need to save battery power. Thus, symmetric cryptography should be used in the HWW paradigm even with the drawback that symmetric cryptography implies, such as the key exchange and the key-refresh issues [3. 5]. Message Authentication Code (MAC). The idea underlying MAC is the sender obtains a digital fin￾gerprinting f of a message m by applying a one-way hash function to m. If the fingerprint received with the message matches the one recalculated by the receiver, then the received message has not been mod￾ified during the transmission and is kept, otherwise the message is discarded. As for digital fingerprint implementations, two standards—MD5 and SHA-1—are leading the pack. Note that custom solutions to digital fingerprinting, if not carefully devised, could result in a weak MAC, easy to forge, as the experiences in the wireless net￾work field demonstrate [1]. Access control. We can identify two main subtasks related to such an issue: authentication among devices, and grant and revoke of privileges; how to assign permissions and how this set of permissions can evolve. For the wired paradigm, these issues are covered in [6, 12]. Due to their hardware constraints, access con-

trol for the HWW environment is still an open issue. mation among the Hww devices around us. Such a n particular, a single point of access control in the continuous flow of information among devices takes HWW paradigm cannot be identified due to the place in a transparent way, and could constitute a seri- dynamic nature of the HWW architecture. In addi- ous breach in our privacy, at least concerning the pos- tion,the access control data structures cannot be sibility of being located. Here, we show how privacy stored on a single hww device, unless for a very lim- is at risk in both the hierarchical and the flat Web d number of subjects. Moreover, once a certain presence models HWW device has been scrutinized to be no more In the flat Web presence, we have global connec trusting, the revocation of grants must be addressed. tivity of Hww devices. The aim of this model is to Therefore, the access control for the HWW net- make each object in the real world Web present. Flat work requires distributed solutions that increase the Web presence could threaten privacy by automatically exposure to attacks. Perhaps, algorithms for sharing creating virtual paths between HWw devices logi- responsibilities, and based on cooperation [4] could cally unrelated. As an example, imagine the interac help in addressing security in an HWW network. tion between a user PDa and the embedded main System security. Each of the basic security require- control of a car--not the user's car. These HWW nents previous ly exposed focuses on a particular devices will exchange information, and the PDA aspect of the security for HWW devices. Some fur- could receive the license plate number of the car, thus her threats are related mainly to the system security resulting in a privacy violation at least as far as the and include routing, where communica ns among location of the car is concerned. Moreover, collecti HWW devices not in direct communication range such information for a certain period of time on a occur via multihop. Each of the participating ele- specific car could allow the tracking of the user's dri- ments can be a threat to communication security. ving path. Hence, the issue arises about the commt Moreover, the length of the communication path nication range of the HWW devices increases the probability of an attack, such as the In the hierarchical Web presence, we have local man-in-the-middle attack. Finally, consider applica- connectivity of the devices. Each device creates a local tion flaws, where programs running on an HWw vision of other devices it is in direct communication device can be hacked as in the wired paradigm. Hack- with. This local vision is communicated to other ing can be performed exploiting a flaw in the design HWw devices to provide flexible and efficient sup- of the application or in the implementation. Since the port for mobility. Indeed, when a HWW enters a applications for the HWw environment are designed zone, it could have already loaded the information with tight hardware constraints, these applications about the local vision for that zone. In this case,a can be inherently weaker than those developed for the threat to the privacy similar to the previous example wired paradigm. For example, runtime bound check- can arise. However, with local connectivity, the exten- ing may be eliminated to save computational power sion to which privacy-sensitive information is and memory space, thus exposing the applications to exported may be limited buffer overflow attacks It is worth noting that such a structural weakness Possible Solutions cannot be easily overcome by resorting to additional wo possible scenarios can be identified to tools. For instance, an intrusion detection system preserve the user's personal privacy in the (IDS) could be employed to monitor the correct HWW paradigm: the first is based on the extra computing power, which are the most con- concept and may require the redesign of the(uip behavior of the applications. However, to deploy a logical borders mechanism; the second IDS on an HWw device requires extra storage and ased on anonymous user current strained resources network infrastructure A logical border is intended to limit the propaga tion of a Web presence. In a simple implementation is often translated as confidentiality. of the logical borders, Web-presence advertising privacy in its dictionary- should be allowed only up to the limit specified by he freedom of not having the user, leaving the definition of the logical borders someone or something to interfere in our to the user. Placing such a burden on the user con life without our permission trasts with basic requirements for the HWw HWW devices are particularly useful if connected devices--simple configuration and high usability. to other appliances [10]. In a probable future sce a better implementation of the l logical borders nario, there could be a continuous exchange of infor- should support a user system profile. Such a profile 78 OF THE ACM

trol for the HWW environment is still an open issue. In particular, a single point of access control in the HWW paradigm cannot be identified due to the dynamic nature of the HWW architecture. In addi￾tion, the access control data structures cannot be stored on a single HWW device, unless for a very lim￾ited number of subjects. Moreover, once a certain HWW device has been scrutinized to be no more trusting, the revocation of grants must be addressed. Therefore, the access control for the HWW net￾work requires distributed solutions that increase the exposure to attacks. Perhaps, algorithms for sharing responsibilities, and based on cooperation [4] could help in addressing security in an HWW network. System security. Each of the basic security require￾ments previously exposed focuses on a particular aspect of the security for HWW devices. Some fur￾ther threats are related mainly to the system security and include routing, where communications among HWW devices not in direct communication range occur via multihop. Each of the participating ele￾ments can be a threat to communication security. Moreover, the length of the communication path increases the probability of an attack, such as the man-in-the-middle attack. Finally, consider applica￾tion flaws, where programs running on an HWW device can be hacked as in the wired paradigm. Hack￾ing can be performed exploiting a flaw in the design of the application or in the implementation. Since the applications for the HWW environment are designed with tight hardware constraints, these applications can be inherently weaker than those developed for the wired paradigm. For example, runtime bound check￾ing may be eliminated to save computational power and memory space, thus exposing the applications to buffer overflow attacks. It is worth noting that such a structural weakness cannot be easily overcome by resorting to additional tools. For instance, an intrusion detection system (IDS) could be employed to monitor the correct behavior of the applications. However, to deploy a IDS on an HWW device requires extra storage and extra computing power, which are the most con￾strained resources. Privacy Issues P rivacy is often translated as confidentiality. Here, we stress privacy in its dictionary￾based meaning: the freedom of not having someone or something to interfere in our life without our permission. HWW devices are particularly useful if connected to other appliances [10]. In a probable future sce￾nario, there could be a continuous exchange of infor￾mation among the HWW devices around us. Such a continuous flow of information among devices takes place in a transparent way, and could constitute a seri￾ous breach in our privacy, at least concerning the pos￾sibility of being located. Here, we show how privacy is at risk in both the hierarchical and the flat Web presence models. In the flat Web presence, we have global connec￾tivity of HWW devices. The aim of this model is to make each object in the real world Web present. Flat Web presence could threaten privacy by automatically creating virtual paths between HWW devices logi￾cally unrelated. As an example, imagine the interac￾tion between a user PDA and the embedded main control of a car—not the user’s car. These HWW devices will exchange information, and the PDA could receive the license plate number of the car, thus resulting in a privacy violation at least as far as the location of the car is concerned. Moreover, collecting such information for a certain period of time on a specific car could allow the tracking of the user’s dri￾ving path. Hence, the issue arises about the commu￾nication range of the HWW devices. In the hierarchical Web presence, we have local connectivity of the devices. Each device creates a local vision of other devices it is in direct communication with. This local vision is communicated to other HWW devices to provide flexible and efficient sup￾port for mobility. Indeed, when a HWW enters a zone, it could have already loaded the information about the local vision for that zone. In this case, a threat to the privacy similar to the previous example can arise. However, with local connectivity, the exten￾sion to which privacy-sensitive information is exported may be limited. Possible Solutions T wo possible scenarios can be identified to preserve the user’s personal privacy in the HWW paradigm: the first is based on the logical borders mechanism; the second is based on anonymous user identity (UID) concept and may require the redesign of the current network infrastructure. A logical border is intended to limit the propaga￾tion of a Web presence. In a simple implementation of the logical borders, Web-presence advertising should be allowed only up to the limit specified by the user, leaving the definition of the logical borders to the user. Placing such a burden on the user con￾trasts with basic requirements for the HWW devices—simple configuration and high usability. A better implementation of the logical borders should support a user system profile. Such a profile 78 September 2003/Vol. 46, No. 9 COMMUNICATIONS OF THE ACM

has embedded meaningful logical borders that can be could surround a user. The enforcement of such a refined by autonomous context-aware agents. This profile could be a means to preserve the user's personal approach presents some open issues including the privacy. management of a mobile personal profile, and the An alternative solution to preserve privacy could ecurity and the trustability of the autonomous base the main functionalities of the Hww paradigm agents. However, note that some threats to user pri- on anonymous IDs. This solution may require racy still persist, for instance, even turning off the redesigning a part of the current network infrastruc- HWW device could provide information useful to ture, and finding convenient trade-offs between pri undermine the user privacy to some extent. Indeed, vacy and security issues. C the most obvious piece of information is that the user probably does not want to be traced. With the logical REFERENCES order approach a major threat to privacy can there- 1. Borisov, N. et al. Intercepting mobile co ions: The insecurity fore be identified in traffic analysis [7] of 802.11. In Proceedings ofACMHIEEE MOBICOM 2001: 180-189 2. Carman, D W. et al. Constraints and approaches for distributed sensor As for anonymous UIDs, they could be the default network security. NAI Labs Technical Report.(Sept. 2000) operating mode of any HWw devices, that is anonymI ity should be a basic building block of the 3. Chan, H et al. Random key predistribution schemes for sensor net- network infrastructure. In other words, the main (May 2003, Oakland, CA) orks. In Proceedings of the IEEE Symposium on Security and Privacy functionalities of the HWw paradigm--service dis- 4. Coulouris, G et al. Distributed Sytem: Concepts and Deign. Addison covery, advertising, and providing-should be based Wesley, Reading. PA, 2001 5. Di Pietro, R et al. Providing secre ment protocols for Note that the use of anonymous UiDs does not imply 6. Foxe, .irand rbe, s, Security n the move indrect puthe that users would never be identified, since for exam- sing Kerberos. In Proceedings of ACMIIEEE MOB/COM 1996 ple, a user could always prove his/her own identity, at 55-164. 7. Guan, Y et al. Preventing east at the application layer, if so desired. The imple networks. In Proceedings of IEEE Milcom(Nov. 1999), 744-750 mentation of anonymous IDs may require redesign 8. Harter. A. et al. The ing the algorithms and protocols of the current 9. Hermann, R et al. DEAPspace-Transicnt ad hoc networking of per- network infrastructure. Moreover, the redesign asive devices. Computer Networks 35 (2001), 411-4 process should consider the trade-off between privacy 10 Kindberg, Tet al d monet 2 Peopl 2 0a2, thing A.Pcb b5-s7c. for the re and security in the network infrastructure. Indeed, 11. Myers, B.A. Using handhelds and PCs together. Commun. ACM44,11 anonymous IDs could expose any HWW device to (Noy, 2001), 34-41 anonymou Is attacks that could be very difficult to mandatory and discretionary access control policies. ACM Tn trace. On the other hand, a finer control over all the and System Security 3, 2(May 2000)85-100 HWW communications could guarantee a higher level of security but might represent a threat to the user privacy ROBERTo DI PIETRO(dipietro@dsi. uniromal it)is a Ph. D student in the Department of Computer Science at the University of Conclusion Rome "La Sapienza, "Italy. LUIGI V. MANCIN acini@dsi uniromal This article discussed the emergence of networks of Department of Computer Science at the University of Rome"La HWW devices, and the models that could enable Sapienza, " Italy their pervasive and d deployment. Furthe more. a few issues of the to the security of the and of the network如kk时hB:E5h infrastructure, as well as to the user personal privacy cure Information Systems, Fairfax, VA are addressed Permission to make digital or hard copies of all or part of this work for per It appears security concerns can partially benefit for profit or commercial advantage and that copies bear this notice and the full citation from the model and solutions already deployed in the o list, ise args Tor spe fih rewrmeis :iore aulas fe post an servers or to redstribus wired paradigm. In addition, the issues regarding user privacy are more complex and pervasive and require new solutions and further investigation. To our nowledge, research efforts in this direction are not even planned Finally, we emphasize the need for an easy to con- figure and manageable personal profile to control the interactions among the many HWw devices that o 2003 ACM 0002-0782/03/0900$5.00 COMMUNICATIONS OF THE ACM September 2003/Vol 46. Ne. 9 79

has embedded meaningful logical borders that can be refined by autonomous context-aware agents. This approach presents some open issues including the management of a mobile personal profile, and the security and the trustability of the autonomous agents. However, note that some threats to user pri￾vacy still persist, for instance, even turning off the HWW device could provide information useful to undermine the user privacy to some extent. Indeed, the most obvious piece of information is that the user probably does not want to be traced. With the logical border approach a major threat to privacy can there￾fore be identified in traffic analysis [7]. As for anonymous UIDs, they could be the default operating mode of any HWW devices, that is, anonymity should be a basic building block of the network infrastructure. In other words, the main functionalities of the HWW paradigm—service dis￾covery, advertising, and providing—should be based on an anonymous UID not related to the real user. Note that the use of anonymous UIDs does not imply that users would never be identified, since for exam￾ple, a user could always prove his/her own identity, at least at the application layer, if so desired. The imple￾mentation of anonymous IDs may require redesign￾ing the algorithms and protocols of the current network infrastructure. Moreover, the redesign process should consider the trade-off between privacy and security in the network infrastructure. Indeed, anonymous IDs could expose any HWW device to anonymous attacks that could be very difficult to trace. On the other hand, a finer control over all the HWW communications could guarantee a higher level of security but might represent a threat to the user privacy. Conclusion This article discussed the emergence of networks of HWW devices, and the models that could enable their pervasive and integrated deployment. Further￾more, a few issues of the HWW environment related to the security of the system, and of the network infrastructure, as well as to the user personal privacy are addressed. It appears security concerns can partially benefit from the model and solutions already deployed in the wired paradigm. In addition, the issues regarding user privacy are more complex and pervasive and require new solutions and further investigation. To our knowledge, research efforts in this direction are not even planned. Finally, we emphasize the need for an easy to con￾figure and manageable personal profile to control the interactions among the many HWW devices that could surround a user. The enforcement of such a profile could be a means to preserve the user’s personal privacy. An alternative solution to preserve privacy could base the main functionalities of the HWW paradigm on anonymous IDs. This solution may require redesigning a part of the current network infrastruc￾ture, and finding convenient trade-offs between pri￾vacy and security issues. References 1. Borisov, N. et al. Intercepting mobile communications: The insecurity of 802.11. In Proceedings of ACM/IEEE MOBICOM 2001; 180–189. 2. Carman, D.W. et al. Constraints and approaches for distributed sensor network security. NAI Labs Technical Report. (Sept. 2000); www.nai.com/research/nailabs/cryptographic/a-communications-secu￾rity.asp 3. Chan, H. et al. Random key predistribution schemes for sensor net￾works. In Proceedings of the IEEE Symposium on Security and Privacy (May 2003, Oakland, CA). 4. Coulouris, G. et al. Distributed Systems: Concepts and Design. Addison Wesley, Reading, PA., 2001. 5. Di Pietro, R. et al. Providing secrecy in key management protocols for large wireless sensor networks. J. Adhoc Networks. To appear. 6. Fox, A. and Gribble, S. Security on the move: Indirect authentication using Kerberos. In Proceedings of ACM/IEEE MOBICOM 1996; 155–164. 7. Guan, Y. et al. Preventing traffic analysis for real-time communication networks. In Proceedings of IEEE Milcom (Nov. 1999), 744–750. 8. Harter, A. et al. The anatomy of a context-aware application. In Pro￾ceedings of ACM/IEEE MOBICOM 1999; 59–68. 9. Hermann, R. et al. DEAPspace—Transient ad hoc networking of per￾vasive devices. Computer Networks 35 (2001), 411–428. 10. Kindberg, T. et al. People, places, things: Web presence for the real world. MONET 7, 5 (Oct. 2002), Kluwer A.P., 365–376. 11. Myers, B.A. Using handhelds and PCs together. Commun. ACM 44, 11 (Nov. 2001), 34–41. 12. Sandhu, R. et al. Configuring role-based access control to enforce mandatory and discretionary access control policies. ACM Trans. Info. and System Security 3, 2 (May 2000) 85–106. Roberto Di Pietro (dipietro@dsi.uniroma1.it) is a Ph.D. student in the Department of Computer Science at the University of Rome “La Sapienza,” Italy. Luigi V. Mancini (mancini@dsi.uniroma1.it) is a professor in the Department of Computer Science at the University of Rome “La Sapienza,” Italy. This work was partially funded by the WEB-MINDS project supported by the Italian MIUR under the FIRB program and by the EU IST-2001-34734 EYES project. This work was written during the authors’ visit to George Mason University’s Center for Secure Information Systems, Fairfax, VA. Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. © 2003 ACM 0002-0782/03/0900 $5.00 c COMMUNICATIONS OF THE ACM September 2003/Vol. 46, No. 9 79