A Systematic Evaluation of System-level Threats and User Perceptions on Data Security and Privacy

Abstract

An immense amount of data is produced every day thus creating a global digital economy that relies primarily on this data. This provokes misconduct in the form of threats to data security and privacy. For instance, adversaries are motivated to extract user data targeting personal devices on their way to compromising data confidentiality and evading detection. Thus compromising lower levels of the computing stack is attractive to attackers since malware that resides in layers that span firmware and hardware are notoriously difficult to detect and remove. On the other hand, online service providers are aggressively evolving the digital systems around us into surveillance platforms. From voice assistants that listen to every conversation, to apps that share sensitive location information, privacy experts have raised concerns about how such data is being abused. Such behavior raises concerns about how service providers leverage privacy policies to legitimately appropriate private data. In this work, we explore the risks associated with application security in the presence of untrusted firmware. We present a novel firmware attack that leverages system management cycles to covertly collect data from the application layer. We show that system interrupts that are used for managing the platform, can be leveraged to extract sensitive application data from outgoing requests even when the HTTPS protocol is used. We evaluate the robustness of our attack under diverse and stressful application usage condition. Furthermore, we examine user attitudes and perceptions towards privacy policies as the legal contract governing data privacy. We analyze user perceptions based on data collected from 655 participants. We use this information to identify different motivators and blockers that can influence the user’s willingness towards reading privacy policies. We also examine the impact of previous user experiences such as cyber attacks, as well as, online data sharing practices on reading such policies. Moreover, we evaluate the ability of users to comprehend the content presented in privacy policies and the impact technical jargon has on the readability of such documents.