Security and privacy in large-scale Infrastructure

Abstract

Large-scale and critical infrastructure systems face unique challenges: they are slow to evolve and difficult to modify, which is especially problematic in a connected world that demands ever shorter update cycles. Additionally, complex systems might behave unexpectedly compared to the behavior of their components. The latter can destructively interfere with security properties of the system as a whole. This thesis explores different emergent and systemic security challenges of large-scale systems by looking at security problems and solutions of power grids, mobile cell phone networks, building blocks such as ambiguity in data encoding, side-channels in privacyenhancing systems, and privacy in social networks. However, we do not solely describe attacks, but also engage in detection, mitigation, and defense efforts as well as standardization to improve the security of future systems. The five systems and components have been studied as follows: In power grids, we describe novel attack techniques vie the physical part of these cyber-physical systems. We demonstrate how connected devices can produce synchronized power-usage peaks that outperform the grids reaction abilities and can lead to blackouts. In mobile phone networks, we describe the ability to detect fake base stations (IMSI Catchers) and other attacks from both the customers and the operators side. We were able to evaluate our approaches on a real mobile network with 4 million subscribers. On mobile browsers, we examine side-channels that can lead to the leakage of private browsing history. With social networks and other picture databases rapidly proliferating photographs of individuals at large scale as well as enriching those pictures with metadata, we explore the possibilities to empower individuals to gain more control over their pictures.