The Secure & Transparent Systems Laboratory

The STS Lab confronts issues of security and transparency in computer systems and networks. Within this broad area, we investigate challenges in various domains of computing including operating systems, the cloud, and the Internet of Things. Our recent work has evaluated the security of IoT services, introduced mechanisms that defend against USB-based attacks, and designed security-enhanced provenance-aware systems that are capable of reliably tracking and explaining system intrusions.

Note: We will be looking to recruit new graduate students this upcoming admissions season! If you are a prospective graduate student that is interested in our group, please click here for more information.

A few weeks ago at USENIX Security’18, we reported on an emerging threat vector in the Internet of Things – voice-controlled devices like the Amazon Echo will sometimes misinterpret commands, a fact that can be exploited by an attacker to trick them into using a malicious app. Sean Gallagher, an IT Editor for Ars Techica, released an article today about this study. In a piece he calls [Mad Skills] (we’re so angry we didn’t think of that as our paper title!), he profiles our work and also discusses some other recent findings pointing to the fact that voice-controlled device interfaces are increasingly insecure. Congrats to student authors Riccardo, Deepak, and Paul Murley for this awesome work and well-deserved exposure!

Posted 31 Aug 2018 by Adam

As students returned to town for the start of the Fall semester, we were glad to be able to get the word about our USENIX Security’18 paper that exposes the potential privacy risks of fitness trackers. Heather Schlitz of The Daily Illini, our campus newspaper, wrote a piece up about the work urging students to think before they post their exercise online. Additionally, [Jodi Heckel] of The News-Gazette wrote up a column on fitness trackers. We hear that Jodi has the ear of the jogging community around Champaign-Urbana, so we were particular excited about the long and detailed piece she released about our research. We hope that these articles will help athletes to better understand the privacy and safety risks of fitness trackers before they post workouts online.

Posted 28 Aug 2018 by Adam

The STS Lab has been analyzing the privacy mechanisms offered by fitness tracking services to see if they are effective. Unfortunately; they’re not – we uncovered that 95.1% of moderately active users of the popular “Privacy Zone” feature are at risk of having their protected locations broadcast to the Internet. Today, Professor Bates sat down with WAND TV to discuss the problem of fitness tracking privacy. You can find the news segment based on that discussion here.

Posted 20 Aug 2018 by Adam

For the past two years or so, we’ve been analyzing the privacy mechanisms offered by fitness tracking services like Strava and Garmin Connect to see if they are effective. Unfortunately; they’re not – we uncovered that 95.1% of moderately active users of the popular “Privacy Zone” feature are at risk of having their protected locations broadcast to the Internet. You can read more about our findings in the full USENIX Security paper, which is now online. There will also shortly be a video recording of Wajih’s conference presentation at that link too!

We’re very excited about some recent media coverage of this work, which will help us get the word out to athletes about this potential risk. The Illinois College of Engineering’s Marketing and Commmunications office published an article this week about our study. We’ve also been working with several fitness tracking companies to address this problem; Strava and MapMyTracks have written up blog posts about the issue and how they’ve worked to mitigate it. There’s likely more to come here; we’ll add an additional news post when there is more to share.

Posted 16 Aug 2018 by Adam