Rene Mayrhofer
Johannes Kepler University Linz | JKU · Institute of Networks and Security

Univ.-Prof. Dr.

133 Publications · 32,645 Reads · 2,076 Citations
Additional affiliations
February 2010 - September 2014
Fachhochschule Oberösterreich
Position
  • Professor (Full), Head of Research Lab
January 2010 - December 2012
February 2008 - January 2009
University of Vienna
Position
  • Professor for Mobile Computing

Publications (133)
Article
Full-text available
Digital identity documents provide several key benefits over physical ones. They can be created more easily, incur less costs, improve usability and can be updated if necessary. However, the deployment of digital identity systems does come with several challenges regarding both security and privacy of personal information. In this paper, we highlig...
Article
Full-text available
In current single sign-on authentication schemes on the web, users are required to interact with identity providers securely to set up authentication data during a registration phase and receive a token (credential) for future access to services and applications. This type of interaction can make authentication schemes challenging in terms of secur...
Conference Paper
Full-text available
Every distributed system needs some way to list its current participants. The Tor network’s consensus is one way of tackling this challenge. But creating a shared list of participants and their properties without a central authority is a challenging task, especially if the system is constantly targeted by state level attackers. This work carefully...
Article
Full-text available
Fingerprinting smartphones based on acoustic characteristics of their loudspeaker may have a number of applications in device-to-device authentication as well as in forensic investigations. In this work we propose an efficient fingerprinting methodology by using the roll-off characteristics of the device speaker, i.e., the transition between the lo...
Conference Paper
Full-text available
Tor onion services are a challenging research topic because they were designed to reveal as little metadata as possible which makes it difficult to collect information about them. In order to improve and extend privacy protecting technologies, it is important to understand how they are used in real world scenarios. We discuss the difficulties assoc...
Conference Paper
Full-text available
Most state-of-the-art face detection algorithms are usually trained with full-face pictures, without any occlusions. The first novel contribution of this paper is an analysis of the accuracy of three off-the-shelf face detection algorithms (MTCNN, Retinaface, and DLIB) on occluded faces. In order to determine the importance of different facial part...
Conference Paper
Full-text available
Tor onion services utilize the Tor network to enable incoming connections on a device without disclosing its network location. Decentralized systems with extended privacy requirements like metadata-avoiding messengers typically rely on onion services. However, a long-lived onion service address can itself be abused as identifying metadata. Replacin...
Article
Android is the most widely deployed end-user focused operating system. With its growing set of use cases encompassing communication, navigation, media consumption, entertainment, finance, health, and access to sensors, actuators, cameras, or microphones, its underlying security model needs to address a host of practical threats in a wide variety of...
Conference Paper
Full-text available
Token-based authentication is usually applied to enable single-sign-on on the web. In current authentication schemes, users are required to interact with identity providers securely to set up authentication data during a registration phase and receive a token (credential) for future accesses to various services and applications. This type of intera...
Preprint
Full-text available
Mobile device authentication has been a highly active research topic for over 10 years, with a vast range of methods having been proposed and analyzed. In related areas such as secure channel protocols, remote authentication, or desktop user authentication, strong, systematic, and increasingly formal threat models have already been established and...
Article
Full-text available
Providing methods to anonymously validate user identity is essential in many applications of electronic identity (eID) systems. A feasible approach to realize such a privacy-preserving eID is the usage of group signature protocols or pseudonym-based signatures. However, providing a revocation mechanism that preserves privacy is often the bottleneck...
Chapter
Detection of unauthorized disclosure of sensitive data is still an open problem. Taint tracking is one effective approach to detect information disclosure attacks. In this paper, we give an overview of dynamic taint tracking systems for Android. First, we discuss systems and identify their shortcomings. The contribution of this paper is to present...
Technical Report
Full-text available
Contact tracing is one of the main approaches widely proposed for dealing with the current, global SARS-CoV-2 crisis. As manual contact tracing is error-prone and doesn't scale, tools for automated contact tracing, mainly through smart phones, are being developed and tested. While their effectiveness – also in terms of potentially replacing other, mo...
Poster
Full-text available
How can we use digital identity for authentication in the physical world without compromising user privacy? Enabling individuals to – for example – use public transport and other payment/ticketing applications, access computing resources on public terminals, or even cross country borders without carrying any form of physical identity document or tr...
Article
Full-text available
We address the secure pairing of mobile devices based on accelerometer data under various transportation environments, e.g., train, tram, car, bike, walking, etc. As users commonly commute by several transportation modes, extracting session keys from various scenarios to secure the private network of user’s devices or even the public network formed...
Conference Paper
Full-text available
This paper presents the design and open source implementation of CORMORANT, an Android authentication framework able to increase usability and security of mobile authentication. It uses transparent behavioral and physiological biometrics like gait, face, voice, and keystrokes dynamics to continuously evaluate the user's identity without explicit in...
Conference Paper
We propose a system for enabling auxiliary communication channels in which a node transmits a millimeter (mm) wave signal which is reflected off a deliberately vibrating surface of a second node and then received by the first node. Data sequences can be encoded in the modulation of the surface, and radar sensing techniques can be used to demodulate...
Article
People own and carry an increasing number of ubiquitous mobile devices, such as smartphones, tablets, and notebooks. Being small and mobile, those devices have a high propensity to become lost or stolen. Since mobile devices provide access to their owners' digital lives, strong authentication is vital to protect sensitive information and services a...
Preprint
Android is the most widely deployed end-user focused operating system. With its growing set of use cases encompassing communication, navigation, media consumption, entertainment, finance, health, and access to sensors, actuators, cameras, or microphones, its underlying security model needs to address a host of practical threats in a wide variety of...
Conference Paper
Full-text available
Including electronic identities (eIDs), such as passports or driving licenses in smartphones transforms them into a single point of failure: loss, theft, or malfunction would prevent their users even from identifying themselves e.g. during travel. Therefore, a secure backup of such identity data is paramount, and an obvious solution is to store enc...
Article
In this work we propose a secure communication concept for the protection of critical power supply and distribution infrastructure. Especially, we consider the line current differential protection method for modern smart grid implementations. This protection system operates on critical infrastructure, and it requires a precise time behavior on the...
Chapter
Full-text available
There is a broad range of existing electronic identity (eID) systems which provide methods to sign documents or authenticate to online services (e.g. governmental eIDs, FIDO). However, these solutions mainly focus on the validation of an identity to a web page. That is, they often miss proper techniques to use them as regular ID cards to digitally...
Conference Paper
Full-text available
Providing methods to anonymously validate the user's identity is essential in many applications of electronic identity (eID) systems. A feasible approach to realize such a privacy-preserving eID is the usage of group signature protocols or pseudonym-based signatures. However, providing a revocation mechanism that preserves privacy is often the bott...
Conference Paper
In C, memory errors, such as buffer overflows, are among the most dangerous software errors; as we show, they are still on the rise. Current dynamic bug-finding tools that try to detect such errors are based on the low-level execution model of the underlying machine. They insert additional checks in an ad-hoc fashion, which makes them prone to omit...
Article
In C, memory errors, such as buffer overflows, are among the most dangerous software errors; as we show, they are still on the rise. Current dynamic bug-finding tools that try to detect such errors are based on the low-level execution model of the underlying machine. They insert additional checks in an ad-hoc fashion, which makes them prone to omit...
Article
Full-text available
Biometrics have become important for mobile authentication, e.g. to unlock devices before using them. One way to protect biometric information stored on mobile devices from disclosure is using embedded smart cards (SCs) with biometric match-on-card (MOC) approaches. However, computational restrictions of SCs also limit biometric matching procedures...
Article
Full-text available
Context: In C, low-level errors, such as buffer overflow and use-after-free, are a major problem, as they cause security vulnerabilities and hard-to-find bugs. C lacks automatic checks, and programmers cannot apply defensive programming techniques because objects (e.g., arrays or structs) lack run-time information about bounds, lifetime, and types....
Conference Paper
Full-text available
There is a broad range of existing electronic identity (eID) systems which provide methods to sign documents or authenticate to online services (e.g. governmental eIDs, FIDO). However, these solutions mainly focus on the validation of an identity to a web page. That is, they often miss proper techniques to use them as regular ID cards to digitally...
Article
Full-text available
Traditional authentication methods (e.g., password, PIN) often do not scale well to the context of mobile devices in terms of security and usability. However, the adoption of Near Field Communication (NFC) on a broad range of smartphones enables the use of NFC-enabled tokens as an additional authentication factor. This additional factor can help to...
Article
Full-text available
Today, mobile devices like smartphones and tablets have become an indispensable part of people's lives, posing many new questions e.g., in terms of interaction methods, but also security. In this paper, we conduct a large scale, long term analysis of mobile device usage characteristics like session length, interaction frequency, and daily usage in...
Article
This work evaluates the security strength of a smartphone-based gait recognition system against zero-effort and live minimal-effort impersonation attacks under realistic scenarios. For this purpose, we developed an Android application, which uses a smartphone-based accelerometer to capture gait data continuously in the background, but only when an...
Article
Full-text available
Channel based clock synchronization in packet switched networks (PSNs) is considered for, but not limited to, the time and safety/security critical application of power system protection. The synchronization accuracy requirement of power system protection devices used for line current differential protection is 10 μs, which could be achieved in t...
Conference Paper
Full-text available
There are many systems that provide users with an electronic identity (eID) to sign documents or authenticate to online services (e.g. governmental eIDs, OpenID). However, current solutions lack in providing proper techniques to use them as regular ID cards that digitally authenticate their holders to another physical person in the real world. We e...
Conference Paper
Gait authentication using a cell phone based accelerometer sensor offers an unobtrusive, user-friendly, and a periodic way of authenticating individuals to their smartphones. In this paper, we present a GMM-UBM based gait recognition approach for a realistic scenario (when the phone is placed inside the trouser pocket and the user is walking) by us...
Conference Paper
Full-text available
Biometrics have become important for authentication on mobile devices, e.g. to unlock devices before using them. One way to protect biometric information stored on mobile devices from disclosure is using embedded smart cards (SCs) with biometric match-on-card (MOC) approaches. Computational restrictions of SCs thereby also limit biometric matching...
Conference Paper
Mobile developers tend to use source code obfuscation to protect their code against reverse engineering. Unfortunately, some developers rely on the idea that obfuscated applications also provide additional security. But that is not the case since mistakes in design are still present and can be used for arbitrary attacks. However, manually analyzing...
Conference Paper
Full-text available
Mobile devices offer access to our digital lives and thus need to be protected against the risk of unauthorized physical access by applying strong authentication, which in turn adversely affects usability. The actual risk, however, depends on dynamic factors like day and time. In this paper we discuss the idea of using location-based risk assessmen...
Conference Paper
Line Current Differential Protection is an increasingly important protection scheme due to the fast and absolutely selective detection of faults. The essential part of the Line Current Differential Protection, also known as 87L protection according to ANSI/IEEE C37.2-2008, is the communication and the related time synchronization for synchronous sa...
Article
Full-text available
As users start carrying multiple mobile devices, we propose a novel, token based mobile device unlocking approach. Mobile devices are conjointly shaken to transfer the authentication state from an unlocked token device to another device to unlock it. A common use case features a wrist watch as token device, which remains unlocked as long as it is s...
Conference Paper
Mobile devices, ubiquitous in modern lifestyle, embody and provide convenient access to our digital lives. Being small and mobile, they are easily lost or stolen, therefore require strong authentication to mitigate the risk of unauthorized access. Common knowledge-based mechanisms like PIN or pattern, however, fail to scale with the high frequency bu...
Conference Paper
Full-text available
Users usually authenticate to mobile devices before using them (e.g. PIN, password), but devices do not do the same to users. Revealing the authentication secret to a non-authenticated device potentially enables attackers to obtain the secret, by replacing the device with an identical-looking malicious device. The revealed authentication secret cou...
Article
Full-text available
Purpose – The purpose of this article is to improve detection of common movement. Detecting if two or multiple devices are moved together is an interesting problem for different applications. However, these devices may be aligned arbitrarily with regards to each other, and the three dimensions sampled by their respective local accelerometers can th...
Article
Full-text available
Purpose – The usage of security and privacy sensitive systems on mobile devices, such as mobile banking, mobile credit cards, mobile ticketing, or mobile digital identities, has continuously risen in recent years. This development makes the protection of personal and security sensitive data on mobile devices more important than ever. Design/methodol...
Conference Paper
Full-text available
Nowadays, people own and carry an increasing number of mobile devices, such as smartphones and smartwatches. Since these devices store and provide access to sensitive information, authentication is required to prevent unauthorized access. Widely used mechanisms like PIN and password, however, don't scale well with the growing number of devices and...
Article
Full-text available
In this paper, we study the concept of security zones as an intermediate layer of compartmentalization on mobile devices. Each of these security zones is isolated against the other zones and holds a different set of applications and associated user data and may apply different security policies. From a user point of view, they represent different c...
Conference Paper
Gait authentication using mobile phone based accelerometer sensors offers an implicit way of authenticating users to their mobile devices. This study explores gait authentication performance under a realistic scenario if gait template and gait test data belongs to left and right side front pocket of the trousers. To simulate this scenario, we used...
Article
Full-text available
In a wireless world, users can establish ad hoc virtual connections between devices that are unhampered by cables. This process is known as spontaneous device association. A wide range of interactive protocols and techniques have been demonstrated in both research and practice, predominantly with a focus on security aspects. In this article, we sur...
Article
Full-text available
Smartphones and tablets are an indispensable part of modern communication and people spend considerable time interacting with their devices every day. While substantial research has been conducted concerning smartphone usage, little is known about how tablets are used. This paper studies mobile device usage characteristics like session length, inte...
Article
Full-text available
The inherent weakness of typical mobile device unlocking approaches (PIN, password, graphic pattern) is that they demand time and attention, leading a majority of end users to disable them, effectively lowering device security. We propose a method for unlocking mobile devices by shaking them together, implicitly passing the unlocked state from one...
Article
Gait authentication using a cell phone based accelerometer sensor offers an unobtrusive, user-friendly, and periodic way of authenticating individuals on their cell phones. In this study, we present an approach to deal with inevitable errors induced by continuously changing sensor orientation and other noise under a realistic scenario (when the pho...
Conference Paper
Full-text available
With the increasing popularity of security and privacy sensitive systems on mobile devices, such as mobile banking, mobile credit cards, mobile ticketing, or mobile digital identities, challenges for the protection of personal and security sensitive data of these use cases emerged. A common approach for the protection of sensitive data is to use ad...
Conference Paper
Full-text available
Detecting if two or multiple devices are moved together is an interesting problem for different applications. However, these devices may be aligned arbitrarily with regards to each other, and the three dimensions sampled by their respective local accelerometers can therefore not be directly compared. The typical approach is to ignore all angular co...
Conference Paper
Full-text available
We analyze locked and unlocked mobile device usage of 1 960 Android smartphones. Based on approximately 10 TB of mobile device data logs collected by the Device Analyzer project, we derive 6.9 million usage sessions using a screen power state machine based approach. From these sessions we examine the number of interactions per day, the average inter...
Conference Paper
Full-text available
Current efforts to increase the security of the boot sequence for mobile devices fall into two main categories: (i) secure boot: where each stage in the boot sequence is evaluated, aborting the boot process if a non expected component attempts to be loaded; and (ii) trusted boot: where a log is maintained with the components that have been loaded i...
Conference Paper
Current efforts to increase the security of the boot sequence for mobile devices fall into two main categories: (i) secure boot: where each stage in the boot sequence is evaluated, aborting the boot process if a non expected component attempts to be loaded; and (ii) trusted boot: where a log is maintained with the components that have been loaded i...
Article
Full-text available
Purpose – The purpose of this paper is to address the design, implementation, performance and limitations of an environment that emulates a secure element for rapid prototyping and debugging. Today, it is difficult for developers to get access to a near field communication (NFC)-secure element in current smartphones. Moreover, the security constrai...
Article
Full-text available
Mobile devices such as smart phones have become one of the preferred means of accessing digital services, both for consuming and creating content. Unfortunately, securing such mobile devices is inherently difficult for a number of reasons. In this article, we review recent research results, systematically analyze the technical issues of securing mo...
Article
Full-text available
Drug compliance and adverse drug reactions (ADR) are two of the most important issues regarding patient safety throughout the worldwide healthcare sector. ADR prevalence is 6.7 % throughout hospitals worldwide, with an international death rate of 0.32 ...
Book
This is the first issue of Volume 10 of the International Journal of Pervasive Computing and Communication, which commences the tenth year of this journal which has served a large community of researchers and academics around the world with the highest quality articles reporting on the state-of-the-art research results and scientific findings in th...
Conference Paper
Full-text available
Biometric gait authentication using Personal Mobile Device (PMD) based accelerometer sensors offers a user-friendly, unobtrusive, and periodic way of authenticating individuals on PMD. In this paper, we present a technique for gait cycle extraction by incorporating the Piecewise Linear Approximation (PLA) technique. We also present two new approach...
Conference Paper
Full-text available
Creating Java Card applications for Near Field Communication's card emulation mode requires access to a secure smartcard chip (the secure element). Today, even for development purposes, it is difficult to get access to the secure element in most current smart phones. Therefore, it would be useful to have an environment that emulates a secure elemen...
Conference Paper
Full-text available
The ongoing evolution of mobile phones to "pocket computers" generated a demand for more and more applications to be ported to the mobile phone. Because a full security assessment for a whole mobile operating system would be prohibitively costly, currently security critical applications can not be implemented. We address this challenge by introduci...