Uncategorized

MarkMatch: Same-Hand Stuffing Detection.
Fei Zhao, Runlin Zhang, Chengcui Zhang, and Nitesh Saxena
IEEE International Conference on Multimedia and expo (ICME), June 30-July 4th, 2025.

SPIES Lab’s study, led by Zengrui Liu (former SPIES), Jimmy Dani and Nitesh Saxena, provides the first evidence of the use of browser fingerprints for online tracking. The researchers discovered that websites are covertly employing browser fingerprinting — a technique that uniquely identifies a web browser — to track users across browsing sessions and sites.

Read our full paper here.

Media outlets featuring our browser fingerprinting work include:

• Your browser is snitching on you, The Kim Komando Show
• New Research Reveals How Websites Secretly Track Users Without Cookies, Israel Homeland Security (iHSL)
• Your web browser may be spying on you — Even without cookies, Knowridge Science Report
• VPNs cannot protect against browser fingerprinting – but this new web browser could be the fix, msn.com
• Researchers Link Browser Fingerprints to Ad Targeting, Undermining Online Privacy Promises, Digital Information world
• Websites are secretly tracking you using your browser’s ‘fingerprint’, Earth.com
• Websites Are Tracking You Via Browser Fingerprinting, Hacker News
• Websites Are Tracking You Via Browser Fingerprinting, researchers show, Tech Xplore
• Psylo browser tries to obscure digital fingerprints by giving every tab its own IP address, The Register
• The browser reveals its identity. Why is this a problem?, gazeta na niedzielę (GNN)
• Risky Bulletin: Russian hackers abuse app-specific passwords to bypass MFA, RISKY.BIZ
• Researchers relate browser fingerprints to ad targeting, undermining promises of online privacy., Consultant ALEX BARBOSA
• VPNs cannot protect against browser fingerprinting – but this new web browser could be the fix, Tech Radar, June 21, 2025

Building and Testing a Hidden-Password Online Password Manager
Mohammed Jubur, Chistopher Price, Maliheh Shirvanian, Stanislaw Jarecki, Hugo Krawczyk and Nitesh Saxena
In IEEE Transactions on Information Forensics and Security (TIFS), 2025.

SPIES Lab’s study, led by Zengrui Liu (former SPIES), Jimmy Dani and Nitesh Saxena, provides the first evidence of the use of browser fingerprints for online tracking. The researchers discovered that websites are covertly employing browser fingerprinting — a technique that uniquely identifies a web browser — to track users across browsing sessions and sites.

Read our full paper here.

Websites Are Tracking You Via Browser Fingerprinting, Department of Computer Science & Engineering, Texas A&M University

SoK: Inaccessible & Insecure: An Exposition of Authentication Challenges Faced by Blind and Visually Impaired Users in State-of-the-Art Academic Proposals
Md Mojibur Rahman Redoy Akanda, Amanda Lacy, Nitesh Saxena
In 34th USENIX Security Symposium, August 2025.

• A Machine Learning-Based Framework for Assessing Cryptographic Indistinguishability of Lightweight Block Ciphers
  Jimmy Dani, Kalyan Nakka, Nitesh Saxena
  In 22nd Annual International Conference on Privacy, Security, and Trust (PST), August 2025.

• Encryption Struggles Persist: When Tech-Savvy Students Face Challenges with PGP in Thunderbird
  Md Imanul Huq, Ahmed Tanvir Mahdad, Nitesh Saxena
  In 22nd Annual International Conference on Privacy, Security, and Trust (PST), August 2025.

Tanvir Ahmad Mahdad successfully defended his PhD dissertation. SPIES Lab’s 17th PhD graduate. Congratulations! Next Stop: Ohio University.

New Study Uncovers Privacy Risks: VR Headsets Can Secretly Monitor Your Blood Pressure

College Station, TX — May 2025

SHARE THIS

A team of researchers from Temple University, Texas A&M University, Rutgers University and New Jersey Institute of Technology has uncovered a serious privacy vulnerability in consumer virtual reality (VR) headsets. The study reveals that built-in motion sensors, typically used to enhance immersive VR experiences, can be covertly exploited to continuously infer users’ blood pressure without their knowledge or consent. The full findings are being presented at the 2025 IEEE Symposium on Security and Privacy (S&P), one of the leading conferences in cybersecurity and privacy research.

The attack, dubbed BPSniff, demonstrates that blood-pressure-related vibrations—specifically ballistocardiogram (BCG) signals generated by blood flow—can be detected by high-frequency motion sensors embedded in devices like Meta Quest and Meta Quest 2. By analyzing these subtle physiological movements, attackers can estimate both systolic and diastolic blood pressure with a level of accuracy comparable to clinical-grade devices.

Unlike traditional health monitoring systems that require user calibration or consent, BPSniff bypasses both. The research shows that malicious apps or web-based scripts can access motion sensor data from VR headsets without explicit permissions. This allows adversaries to passively collect highly sensitive biometric data in real time, raising alarms about user surveillance in metaverse environments.

BPSniff utilizes advanced machine learning models, combining variational autoencoders (VAE) and long short-term memory (LSTM) networks, to reconstruct blood flow patterns from sensor data. These reconstructions are then used to estimate blood pressure continuously, achieving mean errors of just 1.75 mmHg (systolic) and 1.34 mmHg (diastolic)—well within FDA and AAMI medical standards.

The researchers tested the attack across multiple use cases, including various physical postures, headset models, and user movements. Even with noise introduced by normal VR activity like gaming or walking, BPSniff remained effective. The system’s robustness was further confirmed through an eight-week longitudinal study with 37 participants.

The implications are broad and alarming. Unauthorized access to blood pressure data can reveal information about a person’s health status, stress levels, emotional states, and reactions to stimuli—potentially enabling manipulation, discrimination, or psychological profiling. This threat escalates when combined with identity linkage from other data sources, opening the door to highly personalized and invasive surveillance.

To mitigate the risk, the researchers advocate for stronger privacy controls on motion sensor access, including real-time usage monitoring, permission-based frameworks, and AI-driven auditing tools within VR platforms. As the metaverse grows into a space for entertainment, collaboration, and even healthcare, this study highlights the urgent need to secure embedded sensors against misuse.

Read more stories like this on AI Spies News.

We’re excited to introduce the AI Spies News Channel, where the latest updates, insights, and breakthroughs from the SPIES research lab are transformed into engaging, media-style stories generated fully using AI (after necessary reviews and corrections by SPIES researchers).

Visit the AI Spies News Channel

“Alexa, Is Dynamic Content Safe?” Understanding the risks of Dynamic Content
Nathan McClaran, Payton Walker, Zhao Zheng, Yangyong Zhang, Nitesh Saxena and Guofei Gu
In the 15th ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec), June/July 2025.