PILOT: Password and PIN Information Leakage from Obfuscated Typing Videos

This paper studies leakage of user passwords and PINs based on observations of typing feedback on screens or from projectors in the form of masked characters that indicate keystrokes. To this end, we developed an attack called Password and PIN Information Leakage from Obfuscated Typing Videos (PILOT). Our attack extracts inter-keystroke timing information from videos of password masking characters displayed when users type their password on a computer, or their PIN at an ATM. We conducted several experiments in various attack scenarios. Results indicate that, while in some cases leakage is minor, it is quite substantial in others. By leveraging inter-keystroke timings, PILOT recovers 8-character alphanumeric passwords in as little as 19 attempts. When guessing PINs, PILOT significantly improved on both random guessing and the attack strategy adopted in our prior work [4]. In particular, we were able to guess about 3% of the PINs within 10 attempts. This corresponds to a 26-fold improvement compared to random guessing. Our results strongly indicate that secure password masking GUIs must consider the information leakage identified in this paper.

[1] Ninghui Li, et al. A Study of Probabilistic Password Models, 2014, 2014 IEEE Symposium on Security and Privacy.

[2] Kari Pulli, et al. Real-time computer vision with OpenCV, 2012, Commun. ACM.

[3] Yan Wang, et al. Friend or Foe?: Your Wearable Devices Reveal Your Personal PIN, 2016, AsiaCCS.

[4] Feng Zhou, et al. Keyboard acoustic emanations revisited, 2005, CCS '05.

[5] Yunhao Liu, et al. Context-free Attacks Using Keyboard Acoustic Emanations, 2014, CCS.

[6] Georgios Kambourakis, et al. DDoS in the IoT: Mirai and Other Botnets, 2017, Computer.

[7] Jun Han, et al. ACCessory: password inference using accelerometers on smartphones, 2012, HotMobile '12.

[8] Stephanie Schuckers, et al. Shared research dataset to support development of keystroke authentication, 2014, IEEE International Joint Conference on Biometrics.

[9] Gang Wang, et al. The Next Domino to Fall: Empirical Analysis of User Passwords across Online Services, 2018, CODASPY.

[10] Ross J. Anderson, et al. A Birthday Present Every Eleven Wallets? The Security of Customer-Chosen Banking PINs, 2012, Financial Cryptography.

[11] Cormac Herley, et al. A large-scale study of web password habits, 2007, WWW '07.

[12] Xiaoming Liu, et al. On Continuous User Authentication via Typing Behavior, 2014, IEEE Transactions on Image Processing.

[13] Ardeshir Goshtasby, et al. On the Canny edge detector, 2001, Pattern Recognit.

[14] Fernando Pérez-Cruz, et al. PassGAN: A Deep Learning Approach for Password Guessing, 2017, ACNS.

[15] Dawn Xiaodong Song, et al. Timing Analysis of Keystrokes and Timing Attacks on SSH, 2001, USENIX Security Symposium.

[16] Yejin Choi, et al. Keystroke Patterns as Prosody in Digital Writings: A Case Study with Deceptive Reviews and Essays, 2014, EMNLP.

[17] Roberto Manduchi, et al. Bilateral filtering for gray and color images, 1998, Sixth International Conference on Computer Vision (IEEE Cat. No.98CH36271).

[18] Rajesh Kumar, et al. Beware, Your Hands Reveal Your Secrets!, 2014, CCS.

[19] Mauro Conti, et al. Don't Skype & Type!: Acoustic Eavesdropping in Voice-Over-IP, 2016, AsiaCCS.

[20] A. Ant Ozok, et al. A comparison of perceived and real shoulder-surfing risks between alphanumeric and graphical passwords, 2006, SOUPS '06.

[21] Bojan Cukic, et al. Evaluating the Reliability of Credential Hardening through Keystroke Dynamics, 2006, 2006 17th International Symposium on Software Reliability Engineering.

[22] Rakesh Agrawal, et al. Keyboard acoustic emanations, 2004, IEEE Symposium on Security and Privacy, 2004. Proceedings. 2004.

[23] Giovanni Vigna, et al. ClearShot: Eavesdropping on Keyboard Input from Video, 2008, 2008 IEEE Symposium on Security and Privacy (sp 2008).

[24] Sudhir Aggarwal, et al. Password Cracking Using Probabilistic Context-Free Grammars, 2009, 2009 30th IEEE Symposium on Security and Privacy.

[25] Jan-Michael Frahm, et al. Seeing double: reconstructing obscured typed input from repeated compromising reflections, 2013, CCS.

[26] Mauro Conti, et al. SILK-TV: Secret Information Leakage from Keystroke Timing Videos, 2018, ESORICS.

[27] Rui Zhang, et al. VISIBLE: Video-Assisted Keystroke Inference from Tablet Backside Motion, 2016, NDSS.