Dr Ehsan Toreini
Academic and research departments
Computer Science Research Centre, Surrey Centre for Cyber Security.
Research interests
My field of research is focused on physical security (electric hardware and non-electric components), trustworthy machine learning and web security. My research is strongly engineering-focused in nature, be it through designing real-world attacks or cost-effective and efficient mitigations. I have over 35 peer-reviewed publications in cyber security (including top journals and venues such as the USENIX Security Symposium, PoPETS, ACM Transactions on Privacy and Security, and IEEE Transactions on Information Forensics and Security) and I own two US patents on authentication of physical objects using internal structure (#US10680825, #US10841098). In particular, I am proud of my work on instinct-based anti-counterfeiting technologies in different documents (paper sheets and polymer-based banknotes), smartphone sensor attacks and defences, and trustworthy machine learning. Leading international media outlets such as The Economist, Wall Street Journal, BBC, Guardian, E&T and ACM Communications have featured my research. I have won national and international grants and prizes for my research, including "the Economist and Kaspersky cybersecurity award" on using Blockchain for e-voting.
My research has also had significant industrial impact during my career: (1) Mozilla deployed a fix in Firefox 46 (CVE-2016-2813); (2) Apple included a fix in iOS 9.3 (CVE-2016-1780); (3) the W3C (the main international web standards organisation) released a revised version of the motion and orientation specification with a security section citing our research; (4) Safari patched the vulnerabilities discovered based on our research (bug report #14685058). I am also an invited expert on the Device and Sensor Group at the W3C.
Please see my Google Scholar and homepage for more detail.
Publications
This article investigates the accessibility of cookie notices on websites for users with visual impairments (VI) via a set of system studies on top UK websites (n=46) and a user study (n=100). We use a set of methods and tools—including accessibility testing tools, text-only browsers, and screen readers—to perform our system studies. Our results demonstrate that the majority of cookie notices on these websites have some form of accessibility issue, including contrast issues, not having headings, and not being read aloud immediately when the page is loaded. We discuss how such practices impact the user experience and privacy and provide a set of recommendations for multiple stakeholders for more accessible websites and better privacy practices for users with VIs. To complement our technical contribution, we conduct a user study, finding that people with VIs generally have a negative view of cookie notices and believe our recommendations could help their online experience.
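A minimal version of the kind of automated check the study above describes (contrast of the notice text, presence of a heading, and whether the notice is marked up so that a screen reader announces it when the page loads), as an added example that is not the study's own tooling. The two cookie-notice fragments are constructed, the contrast computation follows the standard WCAG 2.x relative-luminance formula, and the audit rules (inline hex colours only; role="alertdialog"/"alert" or an aria-live attribute taken as the "announced on load" signal) are this example's simplifications.

```python
import re
from html.parser import HTMLParser

AA_NORMAL_TEXT = 4.5   # WCAG 2.x minimum contrast ratio for body-size text


def _linear(channel):
    """sRGB channel value (0-255) -> linear light, per the WCAG luminance formula."""
    c = channel / 255.0
    return c / 12.92 if c <= 0.03928 else ((c + 0.055) / 1.055) ** 2.4


def relative_luminance(hex_colour):
    r, g, b = (int(hex_colour.lstrip("#")[i:i + 2], 16) for i in (0, 2, 4))
    return 0.2126 * _linear(r) + 0.7152 * _linear(g) + 0.0722 * _linear(b)


def contrast_ratio(fg, bg):
    """(L_lighter + 0.05) / (L_darker + 0.05); 1.0 is no contrast, 21.0 is black on white."""
    l1, l2 = sorted((relative_luminance(fg), relative_luminance(bg)), reverse=True)
    return (l1 + 0.05) / (l2 + 0.05)


class NoticeScanner(HTMLParser):
    """Collects the facts the audit needs from one cookie-notice fragment."""

    def __init__(self):
        super().__init__()
        self.headings = 0        # count of h1..h6 inside the notice
        self.announced = False   # role=alertdialog/alert or aria-live present (assumed signal)
        self.styles = []         # (text colour, background colour) pairs from inline styles

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if re.fullmatch(r"h[1-6]", tag):
            self.headings += 1
        if a.get("role") in ("alertdialog", "alert") or "aria-live" in a:
            self.announced = True
        style = a.get("style") or ""
        # "color:" not preceded by "-" so that "background-color:" is not matched as text colour
        fg = re.search(r"(?<![-\w])color\s*:\s*(#[0-9a-fA-F]{6})", style)
        bg = re.search(r"background(?:-color)?\s*:\s*(#[0-9a-fA-F]{6})", style)
        if fg and bg:
            self.styles.append((fg.group(1), bg.group(1)))


def audit_notice(html):
    """Return the three findings the study reports on, for one notice fragment."""
    s = NoticeScanner()
    s.feed(html)
    worst = min((contrast_ratio(fg, bg) for fg, bg in s.styles), default=None)
    return {
        "has_heading": s.headings > 0,
        "announced_on_load": s.announced,
        "min_contrast": round(worst, 2) if worst is not None else None,
        "contrast_ok": worst is not None and worst >= AA_NORMAL_TEXT,
    }


# Constructed fragments, not taken from any real website.
INACCESSIBLE = (
    '<div id="cookie-banner" style="color:#777777;background-color:#ffffff">'
    '<p>We use cookies to improve your experience.</p><button>Accept</button></div>'
)
ACCESSIBLE = (
    '<div role="alertdialog" aria-labelledby="ck-h" '
    'style="color:#1a1a1a;background-color:#ffffff">'
    '<h2 id="ck-h">Cookies on this site</h2>'
    '<p>We use cookies to improve your experience.</p>'
    '<button>Accept</button><button>Reject</button></div>'
)

if __name__ == "__main__":
    print("inaccessible:", audit_notice(INACCESSIBLE))
    print("accessible:  ", audit_notice(ACCESSIBLE))
```

Grey #777777 on white is a typical failure: it reads fine to a sighted reviewer but comes out at about 4.48:1, just under the 4.5:1 AA threshold. A real audit would resolve stylesheet colours and check the live DOM after the consent script runs, which is why the study combines tools with screen readers rather than relying on static markup alone.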
We proposed a novel method to generate a secret between two people using a smartphone gyroscope assisted by the Fast Fourier Transform (FFT), without any communication between the two smartphones for secret agreement. The secret generation process requires natural smartphone movements while performing day-to-day activities. Our evaluation by implementing it on Android smartphones shows a success rate above 90% with entropy above 6/8 bits. The code implements the secret generation method and its evaluation in Python.
The code implements the Android app to generate a secret using smartphone gyroscope data. It uses the publicly available FFT library and is written in Android Java.
Technology-facilitated Intimate Partner Violence (IPV) is especially pernicious because it is common for one person (assumed to be the abusive partner) to be responsible for setting up the household's technical infrastructure, which can be used to snoop on the victim. In this paper, we proposed a novel method to generate a secret between the victim and an external supportive agent using a smartphone gyroscope assisted by the Fast Fourier Transform (FFT), without any communication between the two smartphones for secret agreement. The secret generation process requires natural smartphone movements while performing day-to-day activities. Our evaluation by implementing it on Android smartphones shows a success rate between 90% and 99%. We proved the resilience of the generated secret under spoofing and brute-force attacks. Thus, the method allows IPV victims to generate a secret to encrypt their communication with an external supporting agent over conventional communication services in the presence of a powerful IPV adversary.