Mimicry Attacks on Smartphone Keystroke Authentication

Keystroke behaviour-based authentication uses a user's unique typing behaviour to authenticate them. Recent proposals of this kind for virtual keyboards on smartphones employ diverse temporal, contact, and spatial features to achieve over 95% accuracy. Consequently, they have been suggested as a second line of defense alongside text-based password authentication. We show that a state-of-the-art keystroke behaviour-based authentication scheme is highly vulnerable to mimicry attacks. While previous research used training interfaces to attack physical keyboards, we show that this approach has limited effectiveness against virtual keyboards, mainly because of the large number of diverse features that the attacker must mimic on a virtual keyboard. We address this challenge by developing an augmented reality-based app that resides on the attacker's smartphone and leverages computer vision and keystroke data to provide real-time guidance during password entry on the victim's phone. In addition, we propose an audiovisual attack in which the attacker overlays a transparent film printed with spatial pointers on the victim's device and uses audio cues to match the victim's temporal behaviour. Neither attack requires tampering with or installing software on the victim's device, nor any specialized hardware. We conduct experiments with 30 users to mount over 400 mimicry attacks. We show that our methods enable an attacker to mimic keystroke behaviour on virtual keyboards with little effort. We also demonstrate the extensibility of our augmented reality-based technique by successfully mounting mimicry attacks on a swiping behaviour-based continuous authentication system.
