POSTER: Compromising Cloaking-based Location Privacy Preserving Mechanisms with Location Injection Attacks

Lei Jin, School of Information Sciences, University of Pittsburgh, Pittsburgh, PA, USA, lej17@pitt.edu
Balaji Palanisamy, School of Information Sciences, University of Pittsburgh, Pittsburgh, PA, USA, bpalan@pitt.edu
James Joshi, School of Information Sciences, University of Pittsburgh, Pittsburgh, PA, USA, jjoshi@apitt.edu

ABSTRACT

Cloaking-based location privacy preserving mechanisms have been widely adopted to protect users' location privacy while traveling on road networks. However, a fundamental limitation of such mechanisms is that users in the system are inherently trusted and assumed to always report their true locations. This vulnerability can lead to a new class of attacks called location injection attacks, which can successfully break users' anonymity among a set of users through the injection of fake user accounts and incorrect location updates. In this paper, we characterize location injection attacks, demonstrate their effectiveness through experiments on real-world geographic maps and discuss possible defense mechanisms to protect against location injection attacks.

Categories and Subject Descriptors

H.2.7 [Database Management]: Database Administration: Security, integrity, and protection; H.2.8 [Database Management]: Database Applications: Spatial databases and GIS

General Terms

Experimentation, Security

Keywords

Location Cloaking, Location Privacy, Location k-Anonymity, Location Injection Attack

1. INTRODUCTION

Location privacy threats refer to the risks that an adversary can obtain unauthorized access to raw location data by locating a transmitting device and identifying the subject (person) using the mobile device. Examples of such risks include spamming users with unwanted advertisements, drawing sensitive inferences from victims' visits to clinics and doctors' offices, and learning one's religious activities and political beliefs.
Location privacy is a system-level capability of location-based systems, which control access to location information at different spatial granularities and different temporal and continuity scales, rather than stopping all access to location information.

CCS'14, November 3–7, 2014, Scottsdale, Arizona, USA. ACM 978-1-4503-2957-6/14/11. http://dx.doi.org/10.1145/2660267.2662386.

Figure 1: Trusted anonymizer architecture.

In the past, cloaking-based location privacy preserving mechanisms (CLPMs) have been proposed as one of the most effective location privacy preserving mechanisms for users traveling on road networks [1, 2, 4]. As shown in Figure 1, when a user requests a location-based service (e.g. searching for the nearest coffee shop) from a Location-based Service Provider (LSP), he first sends the request to a trusted Anonymization Server (AZ), which runs a location cloaking algorithm to reduce the precision of the user's location and generates a cloaked region at the required granularity level. The AZ then sends the cloaked location to the LSP to obtain the required location-based service. Here, the LSP is a potential adversary and can be either curious or malicious.

In general, any cloaking-based location privacy preserving mechanism (CLPM) guarantees the indistinguishability of a given user among a set of other users. Location k-Anonymity [1] refers to the property that ensures that the location of a given subject (user) is indistinguishable from that of k - 1 other users.
In addition to location k-Anonymity, several extensions to the basic CLPMs have been proposed to strengthen the privacy guarantees, including POI (points of interest) l-Diversity [1], which ensures the indistinguishability of a user's location from a set of POIs, and Segment s-Diversity [4], which guarantees the indistinguishability of a user's location from a set of road segments. However, in all existing CLPMs, a fundamental limitation is that all users are inherently trusted by the AZ and assumed to always report their true locations. In this work, we show that this vulnerability can lead to a new class of attacks called location injection attacks, which can successfully violate users' privacy in terms of indistinguishability among a set of users. In this paper, we first characterize the location injection attack and then demonstrate its effectiveness against CLPMs through experiments on real-world geographic maps (Section 2). Finally, we discuss potential solutions that can be used to identify and mitigate location injection attacks (Section 3).
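The following toy model is an added example and is not the authors' algorithm, code or experimental setup. It assumes a simplified AZ that cloaks a request by growing a square (Chebyshev radius) around the requesting user until at least k reported users fall inside it, an adversary (the LSP) that can register fake accounts and report arbitrary locations for them to the AZ, and an attacker strategy of flooding a previously observed cloaked region with a grid of fakes; the population, coordinates and k are constructed. It shows the mechanism the text describes: because the AZ trusts every reported location, the fakes satisfy the k-user requirement, the cloaked region collapses, and the only member the LSP cannot rule out is the victim.

```python
"""Constructed toy model of a cloaking anonymizer (AZ) under a location
injection attack. Not the paper's algorithm or code: the cloaking rule, the
coordinates and the attacker strategy are assumptions made for illustration."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Set, Tuple

Region = Tuple[float, float, float, float]  # (xmin, ymin, xmax, ymax)


@dataclass(frozen=True)
class User:
    uid: str
    x: float
    y: float


def cloak(users: Dict[str, User], target: str, k: int
          ) -> Optional[Tuple[Region, FrozenSet[str]]]:
    """Hypothetical location k-anonymity cloaking: the smallest square centred
    on `target` (Chebyshev radius) that holds at least k reported users, and
    the set of users inside it. Every reported location is trusted, which is
    the weakness the text describes."""
    t = users[target]
    others = sorted((max(abs(u.x - t.x), abs(u.y - t.y)), uid)
                    for uid, u in users.items() if uid != target)
    if len(others) < k - 1:
        return None  # cannot reach k users; the AZ must refuse or defer
    r = others[k - 2][0] if k > 1 else 0.0
    members = frozenset([target] + [uid for d, uid in others if d <= r])
    return (t.x - r, t.y - r, t.x + r, t.y + r), members


def area(region: Region) -> float:
    xmin, ymin, xmax, ymax = region
    return (xmax - xmin) * (ymax - ymin)


def effective_anonymity(members: FrozenSet[str], adversary_accounts: Set[str]) -> int:
    """Cloak members the LSP cannot rule out, i.e. those it does not control."""
    return len(members - adversary_accounts)


def inject_fakes(observed: Region, spacing: float, prefix: str = "fake") -> Dict[str, User]:
    """Attacker step: register fake accounts and report them on a grid that
    covers a cloaked region the LSP previously received for the victim."""
    xmin, ymin, xmax, ymax = observed
    fakes: Dict[str, User] = {}
    y = ymin + spacing / 2
    while y < ymax:
        x = xmin + spacing / 2
        while x < xmax:
            uid = f"{prefix}{len(fakes)}"
            fakes[uid] = User(uid, x, y)
            x += spacing
        y += spacing
    return fakes


# Constructed honest population (map units are arbitrary).
HONEST: Dict[str, User] = {u.uid: u for u in [
    User("alice", 0.0, 0.0), User("bob", 50.0, 40.0),
    User("carol", -80.0, 20.0), User("dave", 30.0, -90.0)]}


def run_attack(victim: str, k: int, spacing: float) -> dict:
    """Two rounds: an honest cloak, then a cloak after the LSP floods the
    observed region with fake accounts. Returns both outcomes for comparison."""
    before = cloak(HONEST, victim, k)
    assert before is not None
    region0, members0 = before
    fakes = inject_fakes(region0, spacing)
    after = cloak({**HONEST, **fakes}, victim, k)
    assert after is not None
    region1, members1 = after
    return {
        "fakes": len(fakes),
        "region_before": region0, "area_before": area(region0),
        "region_after": region1, "area_after": area(region1),
        "anonymity_before": effective_anonymity(members0, set()),
        "anonymity_after": effective_anonymity(members1, set(fakes)),
        "honest_members_after": sorted(members1 - set(fakes)),
    }


if __name__ == "__main__":
    result = run_attack("alice", k=4, spacing=30.0)
    for key, value in result.items():
        print(f"{key}: {value}")
```

With k = 4, the honest cloak for alice spans the three nearest real users (a 180 x 180 region); after 36 fakes are reported across that region, the next cloak is only 30 x 30, its four other members are all attacker accounts, and the effective anonymity set shrinks from 4 to 1. The point for a defender is that k counts reported identities, not verified ones, so any mitigation has to constrain which accounts and location updates the AZ is willing to count.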