@inproceedings{bib_Atta_2025, AUTHOR = {Ankit Gangwal, Martina Soleti, Mauro Conti}, TITLE = {Attacking Anonymity Set in Tornado Cash via Wallet Fingerprints}, BOOKTITLE = {ACM Symposium on Applied Computing}. YEAR = {2025}}

Tornado Cash is a decentralized application (dApp) that runs on Ethereum Virtual Machine (EVM) compatible networks to enhance users’ privacy in terms of user transaction history over the blockchain. This dApp achieves its goal by enabling users to deposit currencies into designated pools and subsequently withdraw them, severing the link between depositor and withdrawer addresses. At deposit time, Tornado Cash communicates to users the level of privacy they will benefit from (anonymity set) by depositing currencies into one of its pools. Existing analyses have indicated discrepancies between the claimed anonymity set and the actual level of privacy provided, primarily attributed to users’ incorrect utilization of the dApp. This paper explores the road towards a new way to challenge the dApp’s proposed anonymity set by examining wallet fingerprints, a factor not directly related to user behavior within the application. The findings of this research shed light on the potential for creating links between clusters of users in TC according to the new proposed approach and raise a privacy concern within the Ethereum network, resulting in 13203 transactions, over 66948, linkable to the wallet used to initialize them.

@inproceedings{bib_Swis_2025, AUTHOR = {Ankit Gangwal, P Sahithi Reddy, Chilakala Yashoda Krishna Sagar}, TITLE = {Swiss Cheese CAPTCHA: A Novel Multi-barrier Mechanism for Bot Detection}, BOOKTITLE = {ACM Symposium on Applied Computing}. YEAR = {2025}}

A Completely Automated Public Turing Test to Tell Computers and Humans Apart (CAPTCHA) is one of the primary barriers between notorious bots and legitimate human users. However, advancements in Artificial Intelligence (AI) have enabled malicious bots to circumvent CAPTCHA challenges effectively. As a result, several types of CAPTCHA have been rendered ineffective. In this work, we introduce Swiss Cheese CAPTCHA, a novel sensor-based solution designed to be easily solvable by humans while presenting multiple obstructions for bots (similar to the Swiss Cheese Model) even when the sensor outputs can be predicted and interfered with. We leverage a range of human cognitive abilities and Generic Sensor API in modern devices to provide robust protection against automated attacks by making it more computationally expensive for bots to produce a valid answer within a stipulated time. We conducted two user studies to assess our proposal’s effectiveness: one involving 116 participants to assess the likability and improvise the design, and the other, with 107 participants, to investigate the impact of improvised design changes on cognitive abilities. Our results from these studies show an average completion time of 4.76 seconds and 6.12 seconds, with a success rate of 90.3% and 83.25%, respectively. By analyzing the 2141 resultant trajectories from both user studies, we assess the learnability, error recovery rate, efficiency, and satisfaction of users using the scheme. Finally, we devise an automated attack against our proposal to analyze its security in the real world; we find the probability of attack success is low. We also make our dataset available for further research.

@inproceedings{bib_Shar_2024, AUTHOR = {Yizhong Liu, Peiyuan Li, Dongyu Li, Chengqi Wu, Nan Jiang, Qianhong Wu, Ankit Gangwal, Prayag Tiwari, Mauro Conti}, TITLE = {SharHSC: A Sharding-Based Hybrid State Channel to Realize Blockchain Scalability and Security}, BOOKTITLE = {IEEE Transactions on Dependable and Secure Computing}. YEAR = {2024}}

Addressing blockchain's insufficient throughput and scalability is imperative for practical viability. Off-chain approaches, such as state channels (including Hash Time Lock Contract (HTLC), virtual channels), demonstrate enhanced throughput by enabling parallel transaction processing. While virtual channels introduce execution complexity, HTLC suffers from high update delays. Moreover, existing methods face network attacks. We present Sharding-based Hybrid State Channel (SharHSC) to address these issues. Firstly, we introduce a novel off-chain sharding architecture, which partitions proxy nodes into multiple shards. Thus, when the off-chain node count increases, adding shards enhances system throughput. Secondly, each shard establishes a supervisory committee to record latest channel statuses to ensure accurate fund distribution upon channel closure. Thirdly, we combine the strengths of HTLC and virtual channels. In particular, SharHSC constructs a single virtual channel across all the nodes involved in the payment by treating the nodes between payer and payee as an intermediate entity, which utilizes HTLC for fund routing. This realizes both low latency and streamlined complexity. Finally, our work is substantiated by security analysis and experiments. As the node number varies, compared with HTLC and virtual channels, the latency is reduced by 49.32% and 31.82%, and the throughput is increased by 8.93 and 1.89 times.

@inproceedings{bib_CSUM_2024, AUTHOR = {Ankit Gangwal, Aashish Paliwal}, TITLE = {CSUM: A Novel Mechanism for Updating CubeSat while Preserving Authenticity and Integrity}, BOOKTITLE = {IEEE Conference on Local Computer Networks}. YEAR = {2024}}

The recent rise of CubeSat has revolutionized global space explorations, as it offers cost-effective solutions for low-orbit space applications (including climate monitoring, weather measurements, communications, and earth observation). A salient feature of CubeSat is that applications currently on-boarded can either be updated or entirely replaced by new applications via software updates, which allows reusing in-orbit hardware, reduces space debris, and saves cost as well as time. Securing software updates employing traditional methods (e.g., encryption) remains impractical mainly due to the low-resource capabilities of CubeSat. Therefore, the security of software updates for CubeSats remains a critical issue. In this paper, we propose CubeSat Update Mechanism~(CSUM), a lightweight scheme to provide integrity, authentication, and data freshness guarantees for software update broadcasts to CubeSats using a hash chain. We empirically evaluate our proof of concept implementation to demonstrate the feasibility and effectiveness of our approach. CSUM can validate 50,000 consecutive updates successfully in less than a second. We also perform a comparative analysis of different cryptographic primitives. Our empirical evaluations show that the hash-based approach is at least 61× faster than the conventional mechanisms, even in resource-constrained environments.

@inproceedings{bib_De-a_2024, AUTHOR = {Ankit Gangwal, Aashish Paliwal, Mauro Conti}, TITLE = {De-authentication using Ambient Light Sensor}, BOOKTITLE = {IEEE Access}. YEAR = {2024}}

While user authentication happens before initiating or resuming a login session, de-authentication detects the absence of a previously-authenticated user to revoke her currently active login session. The absence of proper de-authentication can lead to well-known lunchtime attacks, where a nearby adversary takes over a carelessly departed user's running login session. The existing solutions for automatic de-authentication have distinct practical limitations, e.g., extraordinary deployment requirements or high initial cost of external equipment. In this paper, we propose "DE-authentication using Ambient Light sensor" (DEAL), a novel, inexpensive, fast, and user-friendly de-authentication approach. DEAL utilizes the built-in ambient light sensor of a modern computer to determine if the user is leaving her work-desk. DEAL, by design, is resilient to natural shifts in lighting conditions and can be configured to handle abrupt changes in ambient illumination (e.g., due to toggling of room lights). We collected data samples from 4800 sessions with 120 volunteers in 4 typical workplace settings and conducted a series of experiments to evaluate the quality of our proposed approach thoroughly. Our results show that DEAL can de-authenticate a departing user within 4 seconds with a hit rate of 89.15% and a fall-out of 7.35%. Finally, bypassing DEAL to launch a lunchtime attack is practically infeasible as it requires the attacker to either take the user's position within a few seconds or manipulate the sensor readings sophisticatedly in real-time.

@inproceedings{bib_Auto_2023, AUTHOR = {Ankit Gangwal, Shubham Singh, Abhijeet Srivastava}, TITLE = {AutoSpill: Zero Effort Credential Stealing from Mobile Password Managers}, BOOKTITLE = {BlackHat Europe}. YEAR = {2023}}

Password managers (PMs) are becoming common and popular on mobile devices. The convenience of automatically filling user credentials into login forms, especially on small-screen devices, has further helped in increasing the adoption of PMs. Modern mobile OSes (such as Android; the focus of our work) facilitate system-wide autofill frameworks to enable autofilling on both browsers and apps. On the other side, mobile OSes enable apps to directly render web content via WebView controls, which: (1) prevents redirecting the user to the main browser; and (2) improves seamless user experience. We will focus on a common scenario, where a webpage is loaded into a mobile app using WebView controls. Some common examples include in-app opening of hyperlinks in Skype or Gmail mobile apps. Another key use of such in-app functionality is the "Login with Apple/Facebook/Google" button for user authentication within a third-party mobile app. Upon choosing such an option, the third-party app loads the corresponding login page in WebView. We will present a novel attack - that we call AutoSpill - to steal users' saved credentials from PMs during an autofill operation on a login page loaded inside an app. AutoSpill violates Android's secure autofill process. We found that the majority of top Android PMs were vulnerable to AutoSpill; even without JavaScript injections. With JavaScript injections enabled, all of them were found vulnerable. We discovered the fundamental reasons for AutoSpill and will propose systematic countermeasures to fix AutoSpill properly. We responsibly disclosed our findings to the affected PMs and Android security team. Different PMs and Google accepted our work as a valid issue.

@inproceedings{bib_A_Fi_2023, AUTHOR = {Ankit Gangwal, T V K Apoorva, Alessandro Brighente, Mauro Conti}, TITLE = {A First Look at Shill Looping in NFT Ecosystem}, BOOKTITLE = {International Workshop on Information Forensics and Security}. YEAR = {2023}}

Abstract—Initially designed to represent ownership of various assets, Non-Fungible Tokens (NFTs) have emerged as a new tool in the blockchain domain for investment and trading. The NFT markets are rapidly budding with significant growth in trading volumes over the last few years. While the NFT ecosystem is continuously evolving, users are exploring astute trading practices to gain financial profits. In this paper, we uncover shill looping, a novel NFT trade practice that NFT owners can exploit to artificially inflate the price of an NFT token. We investigate shill looping and its primary effects in a multi-billion dollar NFT collection called BAYC, showing that approximately 50% of these NFTs exhibit shill looping. Our empirical analysis shows that shill looping significantly boosts the average NFT values by over 45% in the best case. Our initial results highlight the severeness of the shill looping phenomenon

@inproceedings{bib_On_t_2023, AUTHOR = {Ankit Gangwal, Aakash Jain, Mauro Conti}, TITLE = {On the Feasibility of Profiling Electric Vehicles through Charging Data}, BOOKTITLE = {Network and Distributed System Security Symposium}. YEAR = {2023}}

Electric vehicles (EVs) represent the long-term green substitute for traditional fuel-based vehicles. To encourage EV adoption, the trust of the end-users must be assured. In this work, we focus on a recently emerging privacy threat of profiling and identifying EVs via the analog electrical data exchanged during the EV charging process. The core focus of our work is to investigate the feasibility of such a threat at scale. To this end, we first propose an improved EV profiling approach that outperforms the state-of-the-art EV profiling techniques. Next, we exhaustively evaluate the performance of our improved approach to profile EVs in real-world settings. In our evaluations, we conduct a series of experiments including 25032 charging sessions from 530 real EVs, sub-sampled datasets with different data distributions, etc. Our results show that even with our improved approach, profiling and individually identifying the growing number of EVs appear extremely difficult in practice; at least with the analog charging data utilized throughout the literature. We believe that our findings from this work will further foster the trust of potential users in the EV ecosystem, and consequently, encourage EV adoption.

@inproceedings{bib_Auto_2023, AUTHOR = {Ankit Gangwal, Shubham Singh, Abhijeet Srivastava}, TITLE = {AutoSpill: Credential Leakage from Mobile Password Managers}, BOOKTITLE = {ACM Conference on Data and Application Security and Privacy}. YEAR = {2023}}

Password managers (PMs) are becoming increasingly popular on mobile devices, especially on small-screen devices, mainly due to the convenience of automatically filling credentials into login forms. Modern mobile OSes advocate for system-wide autofill frameworks to support autofilling on browsers as well as other apps. Mobile OSes also empower apps to directly render web content within WebView controls without redirecting users to the main browser. par We present a novel technique, called AutoSpill, to leak users' saved credentials during an autofill operation on a webpage loaded into an app's WebView. AutoSpill conveniently dodges the secure autofill process. The majority of popular Android PMs considered in our experiments were found vulnerable to AutoSpill; even when the app hosting the WebView is not actively participating in the leak. Android intermediates in the autofill process because of its app sandboxing. Hence, the responsibility for any credential leakage is often stranded between PMs and the Android system. We investigate the root causes of AutoSpill and propose countermeasures to fundamentally fix AutoSpill for both the parties. We responsibly disclosed our findings to the affected PMs and Android security team.

@inproceedings{bib_On_t_2022, AUTHOR = {Ankit Gangwal, Aakash Jain, Mauro Conti}, TITLE = {On the Feasibility of Profiling Electric Vehicles through Charging Data}, BOOKTITLE = {Technical Report}. YEAR = {2022}}

Electric vehicles (EVs) represent the long-term green substitute for traditional fuel-based vehicles. To encourage EV adoption, the trust of the end-users must be assured. In this work, we focus on a recently emerging privacy threat of profiling and identifying EVs via the analog electrical data exchanged during the EV charging process. The core focus of our work is to investigate the feasibility of such a threat at scale. To this end, we first propose an improved EV profiling approach that outperforms the state-of-the-art EV profiling techniques. Next, we exhaustively evaluate the performance of our improved approach to profile EVs in real-world settings. In our evaluations, we conduct a series of experiments including 25032 charging sessions from 530 real EVs, sub-sampled datasets with different data distributions, etc. Our results show that even with our improved approach, profiling and individually identifying the growing number of EVs appear extremely difficult in practice; at least with the analog charging data utilized throughout the literature. We believe that our findings from this work will further foster the trust of potential users in the EV ecosystem, and consequently, encourage EV adoption.