Attacking Anonymity Set in Tornado Cash via Wallet Fingerprints
Ankit Gangwal, Martina Soleti, Mauro Conti
ACM Symposium on Applied Computing, SAC, 2025
@inproceedings{bib_Atta_2025, AUTHOR = {Ankit Gangwal, Martina Soleti, Mauro Conti}, TITLE = {Attacking Anonymity Set in Tornado Cash via Wallet Fingerprints}, BOOKTITLE = {ACM Symposium on Applied Computing}, YEAR = {2025}}
Tornado Cash is a decentralized application (dApp) that runs on Ethereum Virtual Machine (EVM) compatible networks to enhance users’ privacy in terms of user transaction history over the blockchain. This dApp achieves its goal by enabling users to deposit currencies into designated pools and subsequently withdraw them, severing the link between depositor and withdrawer addresses. At deposit time, Tornado Cash communicates to users the level of privacy they will benefit from (anonymity set) by depositing currencies into one of its pools. Existing analyses have indicated discrepancies between the claimed anonymity set and the actual level of privacy provided, primarily attributed to users’ incorrect utilization of the dApp.
This paper explores the road towards a new way to challenge the dApp’s proposed anonymity set by examining wallet fingerprints, a factor not directly related to user behavior within the application. The findings of this research shed light on the potential for creating links between clusters of users in TC according to the new proposed approach and raise a privacy concern within the Ethereum network, resulting in 13203 transactions, over 66948, linkable to the wallet used to initialize them.
Swiss Cheese CAPTCHA: A Novel Multi-barrier Mechanism for Bot Detection
Ankit Gangwal, P Sahithi Reddy, Chilakala Yashoda Krishna Sagar
ACM Symposium on Applied Computing, SAC, 2025
@inproceedings{bib_Swis_2025, AUTHOR = {Ankit Gangwal, P Sahithi Reddy, Chilakala Yashoda Krishna Sagar}, TITLE = {Swiss Cheese CAPTCHA: A Novel Multi-barrier Mechanism for Bot Detection}, BOOKTITLE = {ACM Symposium on Applied Computing}, YEAR = {2025}}
A Completely Automated Public Turing Test to Tell Computers and Humans Apart (CAPTCHA) is one of the primary barriers between notorious bots and legitimate human users. However, advancements in Artificial Intelligence (AI) have enabled malicious bots to circumvent CAPTCHA challenges effectively. As a result, several types of CAPTCHA have been rendered ineffective.
In this work, we introduce Swiss Cheese CAPTCHA, a novel sensor-based solution designed to be easily solvable by humans while presenting multiple obstructions for bots (similar to the Swiss Cheese Model) even when the sensor outputs can be predicted and interfered with. We leverage a range of human cognitive abilities and the Generic Sensor API in modern devices to provide robust protection against automated attacks by making it more computationally expensive for bots to produce a valid answer within a stipulated time.
We conducted two user studies to assess our proposal’s effectiveness: one involving 116 participants to assess the likability and improvise the design, and the other, with 107 participants, to investigate the impact of improvised design changes on cognitive abilities. Our results from these studies show an average completion time of 4.76 seconds and 6.12 seconds, with a success rate of 90.3% and 83.25%, respectively. By analyzing the 2141 resultant trajectories from both user studies, we assess the learnability, error recovery rate, efficiency, and satisfaction of users using the scheme. Finally, we devise an automated attack against our proposal to analyze its security in the real world; we find the probability of attack success is low. We also make our dataset available for further research.
SharHSC: A Sharding-Based Hybrid State Channel to Realize Blockchain Scalability and Security
Yizhong Liu, Peiyuan Li, Dongyu Li, Chengqi Wu, Nan Jiang, Qianhong Wu, Ankit Gangwal, Prayag Tiwari, Mauro Conti
IEEE Transactions on Dependable and Secure Computing, TDSC, 2024
@inproceedings{bib_Shar_2024, AUTHOR = {Yizhong Liu, Peiyuan Li, Dongyu Li, Chengqi Wu, Nan Jiang, Qianhong Wu, Ankit Gangwal, Prayag Tiwari, Mauro Conti}, TITLE = {SharHSC: A Sharding-Based Hybrid State Channel to Realize Blockchain Scalability and Security}, BOOKTITLE = {IEEE Transactions on Dependable and Secure Computing}, YEAR = {2024}}
Addressing blockchain's insufficient throughput and scalability is imperative for practical viability. Off-chain approaches, such as state channels (including Hash Time Lock Contract (HTLC), virtual channels), demonstrate enhanced throughput by enabling parallel transaction processing.
While virtual channels introduce execution complexity, HTLC suffers from high update delays. Moreover, existing methods face network attacks.
We present Sharding-based Hybrid State Channel (SharHSC) to address these issues. Firstly, we introduce a novel off-chain sharding architecture, which partitions proxy nodes into multiple shards. Thus, when the off-chain node count increases, adding shards enhances system throughput.
Secondly, each shard establishes a supervisory committee to record the latest channel statuses to ensure accurate fund distribution upon channel closure.
Thirdly, we combine the strengths of HTLC and virtual channels. In particular, SharHSC constructs a single virtual channel across all the nodes involved in the payment by treating the nodes between payer and payee as an intermediate entity, which utilizes HTLC for fund routing. This realizes both low latency and streamlined complexity.
Finally, our work is substantiated by security analysis and experiments.
As the node count varies, compared with HTLC and virtual channels, the latency is reduced by 49.32% and 31.82%, and the throughput is increased by 8.93 and 1.89 times, respectively.
CSUM: A Novel Mechanism for Updating CubeSat while Preserving Authenticity and Integrity
Ankit Gangwal, Aashish Paliwal
IEEE Conference on Local Computer Networks, IEEE-LCN, 2024
@inproceedings{bib_CSUM_2024, AUTHOR = {Ankit Gangwal, Aashish Paliwal}, TITLE = {CSUM: A Novel Mechanism for Updating CubeSat while Preserving Authenticity and Integrity}, BOOKTITLE = {IEEE Conference on Local Computer Networks}, YEAR = {2024}}
The recent rise of CubeSat has revolutionized global space explorations, as it offers cost-effective solutions for low-orbit space applications (including climate monitoring, weather measurements, communications, and earth observation). A salient feature of CubeSat is that applications currently on-boarded can either be updated or entirely replaced by new applications via software updates, which allows reusing in-orbit hardware, reduces space debris, and saves cost as well as time. Securing software updates employing traditional methods (e.g., encryption) remains impractical mainly due to the low-resource capabilities of CubeSat. Therefore, the security of software updates for CubeSats remains a critical issue.
In this paper, we propose CubeSat Update Mechanism (CSUM), a lightweight scheme to provide integrity, authentication, and data freshness guarantees for software update broadcasts to CubeSats using a hash chain. We empirically evaluate our proof of concept implementation to demonstrate the feasibility and effectiveness of our approach. CSUM can validate 50,000 consecutive updates successfully in less than a second. We also perform a comparative analysis of different cryptographic primitives. Our empirical evaluations show that the hash-based approach is at least 61× faster than the conventional mechanisms, even in resource-constrained environments.
De-authentication using Ambient Light Sensor
Ankit Gangwal, Aashish Paliwal, Mauro Conti
IEEE Access, ACCESS, 2024
@inproceedings{bib_De-a_2024, AUTHOR = {Ankit Gangwal, Aashish Paliwal, Mauro Conti}, TITLE = {De-authentication using Ambient Light Sensor}, BOOKTITLE = {IEEE Access}, YEAR = {2024}}
While user authentication happens before initiating or resuming a login session, de-authentication detects the absence of a previously-authenticated user to revoke her currently active login session. The absence of proper de-authentication can lead to well-known lunchtime attacks, where a nearby adversary takes over a carelessly departed user's running login session. The existing solutions for automatic de-authentication have distinct practical limitations, e.g., extraordinary deployment requirements or high initial cost of external equipment. In this paper, we propose "DE-authentication using Ambient Light sensor" (DEAL), a novel, inexpensive, fast, and user-friendly de-authentication approach. DEAL utilizes the built-in ambient light sensor of a modern computer to determine if the user is leaving her work-desk. DEAL, by design, is resilient to natural shifts in lighting conditions and can be configured to handle abrupt changes in ambient illumination (e.g., due to toggling of room lights). We collected data samples from 4800 sessions with 120 volunteers in 4 typical workplace settings and conducted a series of experiments to evaluate the quality of our proposed approach thoroughly. Our results show that DEAL can de-authenticate a departing user within 4 seconds with a hit rate of 89.15% and a fall-out of 7.35%. Finally, bypassing DEAL to launch a lunchtime attack is practically infeasible as it requires the attacker to either take the user's position within a few seconds or manipulate the sensor readings sophisticatedly in real-time.
AutoSpill: Zero Effort Credential Stealing from Mobile Password Managers
Ankit Gangwal, Shubham Singh, Abhijeet Srivastava
BlackHat Europe, BlackHat, 2023
@inproceedings{bib_Auto_2023, AUTHOR = {Ankit Gangwal, Shubham Singh, Abhijeet Srivastava}, TITLE = {AutoSpill: Zero Effort Credential Stealing from Mobile Password Managers}, BOOKTITLE = {BlackHat Europe}, YEAR = {2023}}
Password managers (PMs) are becoming common and popular on mobile devices. The convenience of automatically filling user credentials into login forms, especially on small-screen devices, has further helped in increasing the adoption of PMs. Modern mobile OSes (such as Android, the focus of our work) facilitate system-wide autofill frameworks to enable autofilling on both browsers and apps. On the other side, mobile OSes enable apps to directly render web content via WebView controls, which: (1) prevents redirecting the user to the main browser; and (2) improves seamless user experience. We will focus on a common scenario, where a webpage is loaded into a mobile app using WebView controls. Some common examples include in-app opening of hyperlinks in the Skype or Gmail mobile apps. Another key use of such in-app functionality is the "Login with Apple/Facebook/Google" button for user authentication within a third-party mobile app. Upon choosing such an option, the third-party app loads the corresponding login page in a WebView. We will present a novel attack, which we call AutoSpill, to steal users' saved credentials from PMs during an autofill operation on a login page loaded inside an app. AutoSpill violates Android's secure autofill process. We found that the majority of top Android PMs were vulnerable to AutoSpill, even without JavaScript injections. With JavaScript injections enabled, all of them were found vulnerable. We discovered the fundamental reasons for AutoSpill and will propose systematic countermeasures to fix AutoSpill properly. We responsibly disclosed our findings to the affected PMs and the Android security team. Different PMs and Google accepted our work as a valid issue.
A First Look at Shill Looping in NFT Ecosystem
Ankit Gangwal, T V K Apoorva, Alessandro Brighente, Mauro Conti
International Workshop on Information Forensics and Security, WIFS, 2023
@inproceedings{bib_A_Fi_2023, AUTHOR = {Ankit Gangwal, T V K Apoorva, Alessandro Brighente, Mauro Conti}, TITLE = {A First Look at Shill Looping in NFT Ecosystem}, BOOKTITLE = {International Workshop on Information Forensics and Security}, YEAR = {2023}}
Initially designed to represent ownership of various assets, Non-Fungible Tokens (NFTs) have emerged as a new tool in the blockchain domain for investment and trading. The NFT markets are rapidly budding with significant growth in trading volumes over the last few years. While the NFT ecosystem is continuously evolving, users are exploring astute trading practices to gain financial profits. In this paper, we uncover shill looping, a novel NFT trade practice that NFT owners can exploit to artificially inflate the price of an NFT token. We investigate shill looping and its primary effects in a multi-billion dollar NFT collection called BAYC, showing that approximately 50% of these NFTs exhibit shill looping. Our empirical analysis shows that shill looping significantly boosts the average NFT values by over 45% in the best case. Our initial results highlight the severity of the shill looping phenomenon.
On the Feasibility of Profiling Electric Vehicles through Charging Data
Ankit Gangwal, Aakash Jain, Mauro Conti
Network and Distributed System Security Symposium, NDSS, 2023
@inproceedings{bib_On_t_2023, AUTHOR = {Ankit Gangwal, Aakash Jain, Mauro Conti}, TITLE = {On the Feasibility of Profiling Electric Vehicles through Charging Data}, BOOKTITLE = {Network and Distributed System Security Symposium}, YEAR = {2023}}
Electric vehicles (EVs) represent the long-term green substitute for traditional fuel-based vehicles. To encourage EV adoption, the trust of the end-users must be assured. In this work, we focus on a recently emerging privacy threat of profiling and identifying EVs via the analog electrical data exchanged during the EV charging process. The core focus of our work is to investigate the feasibility of such a threat at scale. To this end, we first propose an improved EV profiling approach that outperforms the state-of-the-art EV profiling techniques. Next, we exhaustively evaluate the performance of our improved approach to profile EVs in real-world settings. In our evaluations, we conduct a series of experiments including 25032 charging sessions from 530 real EVs, sub-sampled datasets with different data distributions, etc. Our results show that even with our improved approach, profiling and individually identifying the growing number of EVs appear extremely difficult in practice; at least with the analog charging data utilized throughout the literature. We believe that our findings from this work will further foster the trust of potential users in the EV ecosystem, and consequently, encourage EV adoption.
AutoSpill: Credential Leakage from Mobile Password Managers
Ankit Gangwal, Shubham Singh, Abhijeet Srivastava
ACM Conference on Data and Application Security and Privacy, CODASPY, 2023
@inproceedings{bib_Auto_2023, AUTHOR = {Ankit Gangwal, Shubham Singh, Abhijeet Srivastava}, TITLE = {AutoSpill: Credential Leakage from Mobile Password Managers}, BOOKTITLE = {ACM Conference on Data and Application Security and Privacy}, YEAR = {2023}}
Password managers (PMs) are becoming increasingly popular on mobile devices, especially on small-screen devices, mainly due to the convenience of automatically filling credentials into login forms. Modern mobile OSes advocate for system-wide autofill frameworks to support autofilling on browsers as well as other apps. Mobile OSes also empower apps to directly render web content within WebView controls without redirecting users to the main browser.
We present a novel technique, called AutoSpill, to leak users' saved credentials during an autofill operation on a webpage loaded into an app's WebView. AutoSpill conveniently dodges the secure autofill process. The majority of popular Android PMs considered in our experiments were found vulnerable to AutoSpill, even when the app hosting the WebView is not actively participating in the leak. Android intermediates in the autofill process because of its app sandboxing. Hence, the responsibility for any credential leakage is often stranded between PMs and the Android system. We investigate the root causes of AutoSpill and propose countermeasures to fundamentally fix AutoSpill for both parties. We responsibly disclosed our findings to the affected PMs and the Android security team.
On the Feasibility of Profiling Electric Vehicles through Charging Data
Ankit Gangwal, Aakash Jain, Mauro Conti
Technical Report, arXiv, 2022
@inproceedings{bib_On_t_2022, AUTHOR = {Ankit Gangwal, Aakash Jain, Mauro Conti}, TITLE = {On the Feasibility of Profiling Electric Vehicles through Charging Data}, BOOKTITLE = {Technical Report}, YEAR = {2022}}
Electric vehicles (EVs) represent the long-term green substitute for traditional fuel-based vehicles. To encourage EV adoption, the trust of the end-users must be assured. In this work, we focus on a recently emerging privacy threat of profiling and identifying EVs via the analog electrical data exchanged during the EV charging process. The core focus of our work is to investigate the feasibility of such a threat at scale. To this end, we first propose an improved EV profiling approach that outperforms the state-of-the-art EV profiling techniques. Next, we exhaustively evaluate the performance of our improved approach to profile EVs in real-world settings. In our evaluations, we conduct a series of experiments including 25032 charging sessions from 530 real EVs, sub-sampled datasets with different data distributions, etc. Our results show that even with our improved approach, profiling and individually identifying the growing number of EVs appear extremely difficult in practice; at least with the analog charging data utilized throughout the literature. We believe that our findings from this work will further foster the trust of potential users in the EV ecosystem, and consequently, encourage EV adoption.
A survey of Layer-two blockchain protocols
Ankit Gangwal, Gangavalli Haripriya Ravali, Tvk Apoorva
Journal on Network and Computer Applications, JNCA, 2022
@inproceedings{bib_A_su_2022, AUTHOR = {Ankit Gangwal, Gangavalli Haripriya Ravali, Tvk Apoorva}, TITLE = {A survey of Layer-two blockchain protocols}, BOOKTITLE = {Journal on Network and Computer Applications}, YEAR = {2022}}
The success of the Bitcoin blockchain was followed by several cryptocurrencies and blockchain solutions in the last decade. Nonetheless, blockchain-based systems still suffer from low transaction rates and high transaction processing latencies, which hinder blockchains’ scalability. An entire class of solutions, called Layer-1 scalability solutions, has attempted to incrementally improve such limitations by adding/modifying fundamental blockchain attributes. Recently, a completely different class of works, called Layer-2 protocols, has emerged to tackle the blockchain scalability issues using unconventional approaches. Layer-2 protocols improve transaction processing rates, periods, and fees by minimizing the use of underlying slow and costly blockchains. In fact, the main chain acts just as an instrument for trust establishment and dispute resolution among Layer-2 participants, where only a few transactions are dispatched to the main chain. Thus, Layer-2 blockchain protocols have the potential to transform the domain. However, rapid and discrete developments have resulted in diverse branches of Layer-2 protocols. In this work, we systematically create a broad taxonomy of such protocols and implementations. We discuss each Layer-2 protocol class in detail and also elucidate their respective approaches, salient features, requirements, etc. Moreover, we outline the issues related to these protocols along with a comparative discussion. Our thorough study will help further systematize the knowledge dispersed in the domain and help the readers to better understand the field of Layer-2 protocols.
Index Terms: Blockchain, Layer-2, Off-chain, Scalability.
Analyzing Price Deviations in DeFi Oracles
Ankit Gangwal, Valluri Rahul, Mauro Conti
Cryptology and Network Security, CANS, 2022
@inproceedings{bib_Anal_2022, AUTHOR = {Ankit Gangwal, Valluri Rahul, Mauro Conti}, TITLE = {Analyzing Price Deviations in DeFi Oracles}, BOOKTITLE = {Cryptology and Network Security}, YEAR = {2022}}
Decentralized Finance (DeFi) promises to transform the traditional financial systems into fair and transparent protocols that do not require trusted third parties. To circumvent the high volatility of crypto-assets, DeFi protocols advocate collateralizing their assets against conventional financial instruments. To do so, these protocols require access to external or off-chain data, such as asset exchange rates. DeFi protocols rely on oracles to access such information. Importing external data onto the chain via oracles consists of multiple data processing and aggregation stages. Thus, it is critical to minimize errors or deviations while the ground truth data moves through these stages. In this paper, we investigate the degree of price deviations at different levels between the data source and the final output rendered to an on-chain requester. In particular, we focus on Chainlink’s oracle network for ETH-USD pricing. Our results …
BLEWhisperer: Exploiting BLE Advertisements for Data Exfiltration.
Ankit Gangwal, Shubham Singh, Riccardo Spolaor, Abhijeet Srivastava
European Symposium on Research in Computer Security, ESORICS, 2022
@inproceedings{bib_BLEW_2022, AUTHOR = {Ankit Gangwal, Shubham Singh, Riccardo Spolaor, Abhijeet Srivastava}, TITLE = {BLEWhisperer: Exploiting BLE Advertisements for Data Exfiltration}, BOOKTITLE = {European Symposium on Research in Computer Security}, YEAR = {2022}}
Bluetooth technology has enabled short-range wireless communication for billions of devices. The Bluetooth Low-Energy (BLE) variant aims at improving power consumption on battery-constrained devices. BLE-enabled devices broadcast information (e.g., as beacons) to nearby devices via advertisements. Unfortunately, such functionality can become a double-edged sword in the hands of attackers. In this paper, we primarily show how an attacker can exploit BLE advertisements to exfiltrate information from BLE-enabled devices. In particular, our attack establishes a communication medium between two devices without requiring any prior authentication or pairing. We develop a proof-of-concept attack framework on the Android ecosystem and assess its performance via a thorough set of experiments. Our results indicate that such an exfiltration attack is indeed possible, though with a limited data rate. Nevertheless, we also demonstrate potential use cases and enhancements to our attack that can further increase its severity. Finally, we discuss possible countermeasures to prevent such an attack.