Imagine you want to prove that you’ve been somewhere. Insurance adjustors, salespeople and security guards could all fit into this category. The GPS chips built into most modern phones could easily do the job. Another route would be to log the communications between a phone and nearby cell towers. The trouble is, both of these methods can be “spoofed” with devices that cost a few dollars on eBay. Meanwhile, most workers are uncomfortable (to put it mildly) with the idea of their employers watching their every move.
In 2012, the U.S. Department of Homeland Security gave UAB computer scientist Ragib Hasan, Ph.D., a $583,000 grant to find a solution. This past December, Hasan, director of the UAB SECuRE and Trustworthy Computing Lab (SECRETLab) and an assistant professor in the UAB College of Arts and Sciences Department of Computer and Information Sciences, unveiled his answer at the 2014 Department of Homeland Security Science and Technology Showcase in Washington, D.C. It’s called WORAL, or Witness Oriented Asserted Location Provenance.
Tap to Authenticate
WORAL is designed to run as an app on a user’s phone. At any established location, “the user simply pushes a button on the app and it talks to a ‘location authority device'” — a WiFi router — “which ensures you are within a certain distance,” said Hasan. To validate the accuracy of the proof, WORAL seeks out a “witnessing user” — another person with the app running in the background on his or her phone, such as the receptionist in an office, Hasan says.
All of these communications are encrypted and collusion-resistant, and are stored in a precise order that preserves an individual’s location history. (If no third-party witness is available, the system still works, although with a lower level of validation, Hasan says.) “It’s always better if you can deploy security features on the devices that people already have,” Hasan said.
Equally important, the user’s location data is stored entirely on his or her phone, not on a central server. Users can reveal their locations at several levels of detail, from state to city to ZIP code to full street address. “WORAL ensures that you are in control of your location history,” Hasan said. “You get a proof only when you want to, and your information is not stored on a centralized server.” WORAL also could be used to securely track anything from fish to pharmaceuticals as they move through a supply chain, Hasan notes.
The system includes auditing software that automatically identifies any discrepancies between a user’s stated locations and the sequence recorded on the phone. “A user can eliminate locations, but the auditor can see that something has been eliminated,” Hasan explained.
On the Market
The WORAL project has already been vetted and approved by Exelis, a third-party testing and verification group that contracts with DHS. “They went through the code, looking at usability, security and how hard it is to deploy,” said Rasib Khan, a doctoral student in Hasan’s lab. That stamp of approval means that WORAL can be used by government agencies and contractors, Khan explains.
SECRETLab’s project is one of only 34 funded by the DHS from more than 1,000 initial proposals. It also is one of the first funded projects to be ready for deployment in the real world. The entire WORAL system fits on a memory card. That card can be loaded onto tiny, cheap Raspberry Pi computers, which can be deployed throughout an organization’s facilities to serve as location authorities. “We have a finished product,” Hasan said.
The researchers also developed an app for Google Glass and Android-based smartwatches. Rewriting the code to add support for Apple, BlackBerry or Windows Phone would be a simple task, they say.
The theoretical advances behind WORAL have resulted in four publications, including a top journal of the Institute of Electrical and Electronics Engineers, and presentations at top security conferences in Japan and Austria. “There is no other technology like this out there,” Hasan said.