Research Interests

Our lab’s research interest lies at the intersection of sensing/mobile systems and security and focuses on utilizing contextual information for security applications in the Internet-of-Things and Cyber-Physical Systems. Specifically, we study a variety of topics including and not limited to (1) Physics-guided Sensing Augmentation, (2) Side-Channel Attacks, and (3) Secure Authentication. Some of our keywords describing our research includes the following:

  • Sensing and Mobile Systems

  • Emerging Systems (Vehicles, Drones, Wireless, and Embedded Systems)

  • Internet-of-Things (IoT) and IoT Security

  • Cyber-Physical Systems (CPS) and CPS Security

  • Sensor and Actuator Networks

(1) Physics-guided Sensing Augmentation

Carousel imageCarousel image

LiquidHash [MobiSys'22]

We are witnessing a surge in the reported cases of counterfeit liquid products in the market including olive oil, honey, and alcohol. We propose LiquidHash, a novel counterfeit liquid food product detection system that only requires the use of a commodity smartphone to detect adulterated liquid products without opening the bottles. LiquidHash works by detecting and tracking the shape and movement of air bubbles that form inside the bottles.

[ paper | teaser | project website ]

Carousel imageCarousel imageCarousel image

LAPD [SenSys'21]

Hidden cameras are a threat to public safety, but they're incredibly difficult to find because of their small size. Commercially-available "hidden camera detectors" have high false positive rates, are difficult to use, and are an additional device to keep track of. LAPD is a hidden camera detection system that uses only your smartphone, and overcomes these limitations. Modern smartphones increasingly come with a time-of-flight (ToF) laser depth sensor, which LAPD uses to identify the tell-tale light reflections from hidden cameras.

[ paper* | slides | video | demo vid | teaser ]
*Most downloaded paper across all years of ACM SenSys publications until present [ link ]
*Top 3rd most downloaded paper across all years of ACM Sigmobile publications until present [ link ]
*Featured on several news/media including: Forbes, The Register, Y Combinator's Hacker News, and Techlog360.

EarWalk [HotMobile'22]

Stress on the knee is a major contributor to orthopedic disorders such as knee osteoarthritis (OA), a severe illness that can even lead to decreased ability to walk. One possible treatment for this problem is to have patients conduct gait modification, getting them to intentionally walk toe-in or toe-out, thereby reducing the stress on their knees. We propose EarWalk, a novel solution that utilizes commodity wireless earables to provide constant and real-time feedback on the patients' gait modification. EarWalk leverages the built-in accelerometer in earables to sense and ultimately differentiate normal, toe-in, and toe-out gait postures due to the minute differences in their vibrations.

[ paper | slides | video ]

(2) Side-Channel Attacks

Keynergy [Security'21, HotMobile'20]

We propose Keynergy, a stealthy offline attack that infers key bittings (or secret) by substantially extending and improving prior work that only utilizes a still image of the key. Keynergy effectively utilizes the inherent audible “clicks” due to a victim’s key insertion, together with video footage of the victim holding the key, in order to infer the victim’s key’s bittings. By means of this work, we hint at a new avenue of sensor side-channel attacks that combine information from different sensing modalities, which is a bigger threat today given the ubiquity of sensors in popular devices such as smartphones.

Security'21: [ paper | slides | video ]
HotMobile'20: [ paper | slides | video ]
*Featured on several news/media/blog posts including: ACM News, Forbes, The Telegraph, Mashable, Gizmodo, The Register, The Sun, Y Combinator's Hacker News, Slashdot,, Boan News (Korean), and Bruce Schneier's blog post.

LidarPhone [SenSys'20, SenSys'20 Poster*]

Could everyday devices that use lasers (like robot vacuum cleaners) secretly be listening to what you're saying? Lidarphone is a remote, stealthy, and scalable acoustic eavesdropping attack that shows that this is possible. It compromises the LIDAR (laser-based ranging) sensor in your robot vacuum cleaner, and repurposes it into a stealthy microphone by converting laser reflections into sound.
* Poster accompanied our full paper at SenSys'20.

[ paper | slides | teaser | video ]
*Featured on several news/media including: Forbes, ZDNet,, ThreatPost, Slashdot, Boan News (Korean), CNA (Singapore's mainstream news), and NUS News.

Moba [UbiComp'22]

We present a novel video-inference attack called Moba that allows adversaries to infer YouTube video titles by simply eavesdropping the broadcast messages of a primary cell of a targeted user's cellular phone. Our attack exploits a side channel, namely, the number of actively transmitting cells for each user in the carrier aggregation (or CA) feature present in modern cellular networks. We design an effective video-inference attack by augmenting the coarse-grained CA side-channel measurements with precise timing information and estimating the traffic bursts of encrypted video contents. We leverage this augmentation to compute the estimated burst sizes that faithfully proxy the actual burst sizes of the videos, which is shown to be useful for inferring YouTube video titles.

SLIC [Security'21]

We present SLIC (Stealthy Location Identification Attack Exploiting Carrier Aggregation) that achieves fine-grained location tracking of targeted cellular user devices in a passive manner. The attack exploits a new side channel in modern cellular systems through a universally available feature called carrier aggregation (CA). CA enables higher cellular data rates by allowing multiple base stations on different carrier frequencies to concurrently transmit to a single user. We discover that a passive adversary can learn the side channel — namely, the number of actively transmitting base stations for any user of interest in the same macrocell. We then show that a time series of this side channel can constitute a highly unique fingerprint of a walking path, which can be used to identify the path taken by a target cellular user.

[ paper | slides | video ]
Recognized as *GSMA Mobile Security Hall of Fame*

(3) Secure Authentication

FastZIP [MobiSys'21]

We propose FastZIP, a novel Zero Interaction Pairing (ZIP) scheme that significantly reduces pairing time while preventing offline and predictable context attacks. In particular, we adapt a recently introduced Fuzzy Password-Authenticated Key Exchange (fPAKE) protocol and utilize sensor fusion, maximizing their advantages. We instantiate FastZIP for intra-car device pairing to demonstrate its feasibility and show how the design of FastZIP can be adapted to other ZIP use cases.

[ paper | teaser | video ]

Perceptio [S&P'18]

Perceptio is a new context-based pairing mechanism that uses time as the common factor across differing sensor types. By focusing on the event timing, rather than the specific event sensor data, Perceptio creates event fingerprints that can be matched across a variety of IoT devices. We propose Perceptio based on the idea that devices co-located within a physically secure boundary (e.g., single-family house) can observe more events in common over time, as opposed to devices outside. Devices make use of the observed contextual information to provide entropy for Perceptio’s pairing protocol.

[ paper | slides | video ]

SoundUAV [DroNet'19, MobiSys'19 Poster]

We propose SoundUAV, a second-factor authentication of drones that leverages differences in the acoustic noise characteristics of drones to fingerprint them. Manufacturing processes involve some randomness, due to which no two instances of the same component are perfectly identical. This property ensures the structural uniqueness of motors across different drones, which in turn produce subtle differences in vibrations on the drones’ bodies.

[ paper | poster | poster abstract ]