CSL researchers demonstrate IoT privacy concerns with ShoesHacker
With life-saving, safety-conscious, and performance-enhancing applications, smart shoes technology have a lot to offer. From monitoring the elderly for falls to analyzing the way a patient walks to correct their posture (and even analyzing force patterns as NBA players run up and down the court to help maximize their skills), there are a lot of scenarios where smart shoes might be employed. However, these benefits don’t come without a downside: the possibility that hackers could use sensing data to invade a user’s privacy and perhaps even determine his or her location.
In the ACM-published article, “ShoesHacker: Indoor Corridor Map and User Location Leakage Through Force Sensors in Smart Shoes,” graduate student Tuo Yu and CSL Director Klara Nahrstedt share how smart shoes are equipped front to back with force sensors, which then transmit data about force change to a cloud server so that the user can analyze their walking habits, posture, and more. But, as with other smart devices, this data is susceptible to hacking.
In smart shoes, large amounts of data can be leaked since the sensors not only record force, but also time, and potentially the location of when the measurement was taken. If smart shoes were to be used in medical decisions, a hack could mean compromising confidential health data, in addition to location-tracking risks.
“With this research, we wanted to explore the kind of information that could be extracted from this data, and how it could be dangerous to the user,” shared Yu, a computer science student. “If a hacker were to use this force sensor data and process it with machine learning models, the hacker would be able to estimate the walking trajectory of the user, and recreate the corridor map of the building that the user is in, as well as localize the user to one spot within the building.”
Transforming raw data into a comprehensive corridor map has its challenges, though. Machine learning models need substantial training data, which is something the hacker would likely not have. But there is one common thread between buildings and floorplans of all shapes and sizes that may allow hackers to build such a model – stairwells. Yu and Narstedt were able to extract data from the U-turns walkers must take within stairwells and use that data to develop a machine learning algorithm. Once the model is in place, a hacker could recreate the entire corridor map of the building and hone in on the user’s location.
“Shoes are very personal. When a user has large amounts of data from their own shoes, the user can create very good models classifying their walking patterns. A hacker, however, has raw data,” explained Nahrstedt, the Ralph M. and Catherine V. Fisher Professor of Computer Science. “So, they have to look for patterns in data.”
Yu said he believes that it is a researcher’s responsibility to review the possible danger of technologies like wearable devices.
“With a better understanding of the weaknesses, researchers can build better, more secure models from the get-go,” he said.
Future research for Yu and Nahrstedt could involve the use of smart shoes to provide a biometric signature of a person, similar to a retina scan or voice-recognition: the user’s gait. This concept has been depicted in James Bond, movies, for example.
Yu presented this research at UbiComp 2019 in London, inviting fellow industry researchers to take the perspective of a hacker as they conduct research moving forward.
“UbiComp is a top-notch conference in ubiquitous computing, and is highly visible,” said Nahrstedt. “Presenting at a conference such as this one not only offers tremendous benefit to researchers such as Yu and myself, but to our departments, our industry, and to future research and future solutions.”