Extracting Private Info from Public Services
Dave Levin
IRB 0318 (Gannon) or https://umd.zoom.us/j/97919102992?pwd=LbSBM2MZy4QpVfnj92ukT5AIqyTYaO.1#success
Abstract
In this talk, we will present public services that expose previously-hidden client devices, making them measurable and vulnerable. First, we will show that by participating in the NTP Pool—a public, volunteer-run collection of Network Time Protocol servers—we can learn billions of live, mostly client IPv6 devices. Using this dataset, we show that the transition from v4 to v6 has resulted in the removal of the de facto firewall of the Internet—NAT boxes—thus permitting us to connect to more phones, lights, and printers over v6 than is possible over v4. Second, we will show that Apple's public WiFi-based Positioning System reveals the locations and BSSIDs of billions of WiFi access points around the world, permitting us to track the locations of high-value targets like military deployments across the world. Collectively, these findings demonstrate the dangers of public services and the challenges involved in using them safely.
Bio
Dave Levin is an Associate Professor of Computer Science at the University of Maryland. Dave studies network security, and his work has been recognized with the IEEE Cybersecurity Award for Innovation, an NSF CAREER award, multiple IETF Applied Networking Research Prizes, and multiple best-paper awards. He also serves on the National Academies of Sciences, Engineering, and Medicine Forum on Cyber Resilience. Finally, Dave is dedicated to expanding diversity and inclusion in undergraduate research, for which he received an NCWIT Undergraduate Research Mentoring Award.
This talk is organized by Samuel Malede Zewdu.