Don't touch a word! A practical input eavesdropping attack against mobile touchscreen devices

Spying on a person is a subtle, yet easy and reliable, way to obtain sensitive information. Even if the victim is well protected against digital attacks, spying may still be a viable option, and the pervasiveness of mobile devices increases an attacker's opportunities to observe victims while they access or enter sensitive information. This risk is exacerbated by the remarkable user-friendliness of modern mobile graphical interfaces, which, for example, display visual feedback to improve the user experience and make common tasks such as typing more natural. Unfortunately, this becomes the well-known trade-off between usability and security. In this work, we focus on how the usability of modern mobile interfaces may affect users' privacy. In particular, we describe a practical eavesdropping attack that recognizes the sequence of keystrokes from a low-resolution video recorded while the victim is typing on a touchscreen. The attack exploits the fact that modern virtual keyboards, unlike mechanical ones, often display magnified virtual keys in predictable positions. To demonstrate its feasibility, we implemented the attack against 2010's most popular smartphone, the iPhone. Our approach works under realistic conditions because it tracks and rectifies the target screen according to the victim's natural movements before performing keystroke recognition. In real-world settings, the attack automatically recognizes up to 97.07% (91.03% on average) of the keystrokes, with a 1.15% error rate and a speed between 37 and 51 keystrokes per minute. This work confirms that touchscreen keyboards that magnify keys make automatic eavesdropping attacks easier than classic mobile keyboards do.
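The two steps the abstract describes, rectifying the observed screen and reading the magnified key off its predictable position, as an added example that is not code from the paper. It assumes the four screen corners have already been located in the camera frame (the paper's tracking step is not reproduced), a canonical 320x480-point portrait screen with a three-row letter keyboard of 32-point keys in the bottom 216 points, and a magnified-key popup drawn one key row above the pressed key; all of these layout constants, and the observed corner and popup coordinates, are assumptions constructed for the example. Rectification uses a four-point direct linear transformation with h33 fixed to 1, solved in plain Python so the block runs without any library.

```python
"""Added example: rectify an observed phone screen with a four-point homography
and map the centroid of a magnified-key popup back to the key that was pressed.
The layout constants below are assumptions for a 320x480-point portrait screen,
not measurements from the paper; the observed coordinates are constructed."""
from typing import List, Optional, Sequence, Tuple

Point = Tuple[float, float]

# Assumed canonical screen geometry (portrait, points): TL, TR, BR, BL.
SCREEN_CORNERS: List[Point] = [(0, 0), (320, 0), (320, 480), (0, 480)]
KEYBOARD_TOP = 264.0   # keyboard occupies the bottom 216 points (assumption)
ROW_H = 54.0           # four key rows of 54 points each (assumption)
KEY_W = 32.0           # ten 32-point keys across the top row (assumption)
POPUP_OFFSET = 54.0    # magnified key is drawn one row above the key (assumption)
# Letter rows and their horizontal offset. The bottom row (shift, space,
# return) is omitted because it produces no magnified letter.
ROWS: List[Tuple[str, float]] = [("qwertyuiop", 0.0), ("asdfghjkl", 16.0), ("zxcvbnm", 48.0)]


def solve_linear(a: List[List[float]], b: List[float]) -> List[float]:
    """Gauss-Jordan elimination with partial pivoting for a small dense system."""
    n = len(a)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(m[r][col]))
        if abs(m[piv][col]) < 1e-12:
            raise ValueError("degenerate correspondences (collinear corners?)")
        m[col], m[piv] = m[piv], m[col]
        for r in range(n):
            if r != col:
                f = m[r][col] / m[col][col]
                for c in range(col, n + 1):
                    m[r][c] -= f * m[col][c]
    return [m[i][n] / m[i][i] for i in range(n)]


def homography_dlt(src: Sequence[Point], dst: Sequence[Point]) -> List[List[float]]:
    """Direct linear transformation from four point pairs, with h33 fixed to 1.
    Each correspondence contributes two equations, giving an 8x8 system."""
    rows: List[List[float]] = []
    rhs: List[float] = []
    for (x, y), (u, v) in zip(src, dst):
        rows.append([x, y, 1, 0, 0, 0, -u * x, -u * y])
        rhs.append(u)
        rows.append([0, 0, 0, x, y, 1, -v * x, -v * y])
        rhs.append(v)
    h = solve_linear(rows, rhs) + [1.0]
    return [h[0:3], h[3:6], h[6:9]]


def apply_homography(H: List[List[float]], p: Point) -> Point:
    """Project p through H and dehomogenise."""
    x, y = p
    w = H[2][0] * x + H[2][1] * y + H[2][2]
    return ((H[0][0] * x + H[0][1] * y + H[0][2]) / w,
            (H[1][0] * x + H[1][1] * y + H[1][2]) / w)


def key_center(ch: str) -> Point:
    """Canonical-screen centre of a letter key under the assumed layout."""
    for row, (letters, off) in enumerate(ROWS):
        if ch in letters:
            return (off + (letters.index(ch) + 0.5) * KEY_W,
                    KEYBOARD_TOP + (row + 0.5) * ROW_H)
    raise KeyError(ch)


def key_at(p: Point) -> Optional[str]:
    """Letter under a canonical-screen point, or None if it is off the letter rows."""
    x, y = p
    row = int((y - KEYBOARD_TOP) // ROW_H)
    if not 0 <= row < len(ROWS):
        return None
    letters, off = ROWS[row]
    col = int((x - off) // KEY_W)
    return letters[col] if 0 <= col < len(letters) else None


def recover_keystroke(observed_corners: Sequence[Point], popup_centroid: Point) -> Optional[str]:
    """Rectify the frame to the canonical screen and map the popup to its key."""
    H = homography_dlt(observed_corners, SCREEN_CORNERS)
    x, y = apply_homography(H, popup_centroid)
    return key_at((x, y + POPUP_OFFSET))  # undo the popup's upward displacement


def simulate_observation(observed_corners: Sequence[Point], ch: str) -> Point:
    """Constructed input: where the popup for `ch` would appear in the camera frame."""
    H = homography_dlt(SCREEN_CORNERS, observed_corners)
    cx, cy = key_center(ch)
    return apply_homography(H, (cx, cy - POPUP_OFFSET))


# Constructed camera view: the screen seen at an angle, as a trapezoid.
OBSERVED_CORNERS: List[Point] = [(40, 300), (290, 290), (310, 470), (20, 480)]

if __name__ == "__main__":
    for ch in "secret":
        obs = simulate_observation(OBSERVED_CORNERS, ch)
        print(ch, "popup seen at (%.1f, %.1f) ->" % obs, recover_keystroke(OBSERVED_CORNERS, obs))
```

Once the frame is rectified, the popup centroid alone identifies the key, which is the property the abstract attributes to magnifying keyboards; a centroid that rectifies to a point outside the letter rows (a space-bar press, or a false detection) makes `key_at` return None instead of a wrong letter, and corners that are nearly collinear make the DLT refuse rather than return a meaningless homography.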
