Stealing PINs via mobile sensors: actual risk versus user perception

In this paper, we present the actual risks of stealing user PINs by using mobile sensors versus the perceived risks by users. First, we propose PINlogger.js which is a JavaScript-based side channel attack revealing user PINs on an Android mobile phone. In this attack, once the user visits a website controlled by an attacker, the JavaScript code embedded in the web page starts listening to the motion and orientation sensor streams without needing any permission from the user. By analysing these streams, it infers the user’s PIN using an artificial neural network. Based on a test set of fifty 4-digit PINs, PINlogger.js is able to correctly identify PINs in the first attempt with a success rate of 74% which increases to 86 and 94% in the second and third attempts, respectively. The high success rates of stealing user PINs on mobile devices via JavaScript indicate a serious threat to user security. With the technical understanding of the information leakage caused by mobile phone sensors, we then study users’ perception of the risks associated with these sensors. We design user studies to measure the general familiarity with different sensors and their functionality, and to investigate how concerned users are about their PIN being discovered by an app that has access to all these sensors. Our studies show that there is significant disparity between the actual and perceived levels of threat with regard to the compromise of the user PIN. We confirm our results by interviewing our participants using two different approaches, within-subject and between-subject, and compare the results. We discuss how this observation, along with other factors, renders many academic and industry solutions ineffective in preventing such side channel attacks.

[1]  Martin Fodslette Møller,et al.  A scaled conjugate gradient algorithm for fast supervised learning , 1993, Neural Networks.

[2]  Mario Huemer,et al.  Key Generation Based on Acceleration Data of Shaking Processes , 2007, UbiComp.

[3]  Byung-Gon Chun,et al.  TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones , 2010, OSDI.

[4]  Hao Chen,et al.  TouchLogger: Inferring Keystrokes on Touch Screen from Smartphone Motion , 2011, HotSec.

[5]  Mani B. Srivastava,et al.  Privacy risks emerging from the adoption of innocuous wearable sensors in the mobile environment , 2011, CHI.

[6]  Andre Charland,et al.  Mobile application development , 2011, Commun. ACM.

[7]  Jun Han,et al.  ACCessory: password inference using accelerometers on smartphones , 2012, HotMobile '12.

[8]  Adam J. Aviv,et al.  Practicality of accelerometer side channels on smartphones , 2012, ACSAC '12.

[9]  Zhi Xu,et al.  TapLogger: inferring user inputs on smartphone touchscreens using on-board motion sensors , 2012, WISEC '12.

[10]  Romit Roy Choudhury,et al.  Tapprints: your finger taps have fingerprints , 2012, MobiSys '12.

[11]  Ross J. Anderson,et al.  A Birthday Present Every Eleven Wallets? The Security of Customer-Chosen Banking PINs , 2012, Financial Cryptography.

[12]  Hao Chen,et al.  On the Practicality of Motion Based Keystroke Inference Attack , 2012, TRUST.

[13]  Lorrie Faith Cranor,et al.  Your attention please: designing security-decision UIs to make genuine risks harder to ignore , 2013, SOUPS.

[14]  Ross J. Anderson,et al.  PIN skimmer: inferring PINs through the camera and microphone , 2013, SPSM '13.

[15]  Lorrie Faith Cranor,et al.  "Little brothers watching you": raising awareness of data leaks on smartphones , 2013, SOUPS.

[16]  岩橋 敏幸,et al.  "Your Attention Please: Designing security-decision UIs to make genuine risks harder to ignore"の紹介 , 2013 .

[17]  Rosdiadee Nordin,et al.  On the Best Sensor for Keystrokes Inference Attack on Android , 2013 .

[18]  Guevara Noubir,et al.  Single-stroke language-agnostic keylogging using stereo-microphones and domain specific machine learning , 2014, WiSec '14.

[19]  Alexander De Luca,et al.  It's a Hard Lock Life: A Field Study of Smartphone (Un)Locking Behavior and Risk Perception , 2014, SOUPS.

[20]  Jong Kim,et al.  Exploring and mitigating privacy threats of HTML5 geolocation API , 2014, ACSAC '14.

[21]  Gabi Nakibly,et al.  Mobile Device Identification via Sensor Fingerprinting , 2014, ArXiv.

[22]  Raphael Spreitzer,et al.  PIN Skimming: Exploiting the Ambient-Light Sensor in Mobile Devices , 2014, SPSM@CCS.

[23]  Heng Yin,et al.  Code Injection Attacks on HTML5-based Mobile Apps: Characterization, Detection and Mitigation , 2014, CCS.

[24]  Gabi Nakibly,et al.  Gyrophone: Recognizing Speech from Gyroscope Signals , 2014, USENIX Security Symposium.

[25]  Daniel Vogel,et al.  Usability and Security Perceptions of Implicit Authentication: Convenient, Secure, Sometimes Annoying , 2015, SOUPS.

[26]  Laura A. Dabbish,et al.  "My Data Just Goes Everywhere: " User Mental Models of the Internet and Implications for Privacy and Security , 2015, SOUPS.

[27]  Matthew L. Hale,et al.  A Testbed and Process for Analyzing Attack Vectors and Vulnerabilities in Hybrid Mobile Apps Connected to Restful Web Services , 2015, 2015 IEEE World Congress on Services.

[28]  Heinrich Hußmann,et al.  I Feel Like I'm Taking Selfies All Day!: Towards Understanding Biometric Authentication on Smartphones , 2015, CHI.

[29]  He Wang,et al.  MoLe: Motion Leaks through Smartwatch Sensors , 2015, MobiCom.

[30]  Nikita Borisov,et al.  Exploring Ways To Mitigate Sensor-Based Smartphone Fingerprinting , 2015, ArXiv.

[31]  Feng Hao,et al.  TouchSignatures: Identification of User Touch Actions based on Mobile Sensors via JavaScript , 2015, AsiaCCS.

[32]  Mitsuaki Akiyama,et al.  Understanding the Inconsistencies between Text Descriptions and the Use of Privacy-sensitive Resources of Mobile Apps , 2015, SOUPS.

[33]  Feng Hao,et al.  TouchSignatures: Identification of user touch actions and PINs based on mobile sensor data via JavaScript , 2016, J. Inf. Secur. Appl..

[34]  Xiaohui Liang,et al.  When CSI Meets Public WiFi: Inferring Your Mobile Phone Password via WiFi Signals , 2016, CCS.

[35]  Feng Hao,et al.  Stealing PINs via mobile sensors: actual risk versus user perception , 2016, International Journal of Information Security.