Preventing shoulder surfing using randomized augmented reality keyboards

Shoulder surfing, or adversarial eavesdropping to infer users' keystrokes on physical QWERTY keyboards, continues to be a serious privacy threat. Despite this, practical and efficient countermeasures against such attacks are still lacking. In this paper, we propose keyboard randomization as a simple yet effective countermeasure against various types of keystroke inference attacks. Our proposal consists of several keyboard randomization strategies that randomize or change the positions of keys on the keyboard. The randomized keyboard is then projected to the typing user by means of an augmented reality wearable device. Because the randomized keyboard is visually superimposed over the actual physical keyboard and is visible only to the typing user through the augmented reality device, it acts as an effective countermeasure against both side-channel and visual-channel based keystroke inference attacks. We implement our proposed solution on a commercially available augmented reality device and conduct preliminary evaluations to validate its performance and effectiveness.
