You Cannot Sense My PINs: A Side-Channel Attack Deterrent Solution Based on Haptic Feedback on Touch-Enabled Devices

In this paper, we introduce a novel solution to mitigate side-channel attacks that capture PINs and other credentials entered on touch-enabled devices. Our approach protects haptic-feedback-enabled devices against both direct observation techniques, such as cameras, and motion-sensing techniques, such as the accelerometer in a smart-watch. Both classes of attack are forms of shoulder surfing in the social-engineering sense and were published recently (CCS'14 and CCS'15). Hand-held devices universally employ small vibration motors as an inexpensive way to provide haptic feedback. The strength of the haptic feedback depends on the brand and the device manufacturer; it is usually strong enough to make the device slide and produce audible noise when it rests on a desk while the vibration motor runs. When the device is held in the hand, however, the vibration can be sensed only by the holder; it is usually impossible, or at best uncertain, for an observer to know when the vibration motor turns on. Our proposed solution uses haptic feedback to communicate the internal state of the keypad to the user and exploits the fact that this feedback can easily be cloaked so that both direct observation and indirect sensing fail. We developed an Android application to demonstrate the approach and invite users to test the code. We also used a real smart-watch to sense the vibration of Android phones. Our experimental results show that the approach reduces the probability of recovering a 4-digit or 6-digit PIN with a smart-watch to below any practical value. It likewise reduces the probability of recognizing a 4-digit or 6-digit PIN with a camera within 1 meter to below any practical value, because the user does not need to move his or her hand between internal states to enter different digits.
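The abstract does not spell out how the keypad's internal state is driven, so the following is an added toy model, not the paper's scheme or code. It assumes (hypothetically) that the keypad presents one candidate digit at a time, announces each step with a vibration that only the holder can feel, and the user taps a single fixed spot when the wanted digit is current. A camera or wrist sensor then observes only the step index at which the tap occurred. The example estimates the mutual information between the secret digit and that observable, and shows the caveat a practitioner would want checked: if the state walks through the digits in a fixed order, the observable step index is the digit, and the cloaking buys nothing; the order must be unpredictable per entry.

```python
"""
Toy model of a hidden-state PIN keypad whose internal state is conveyed to
the user only through haptic pulses.  Added illustration, not the paper's
scheme: it assumes the keypad steps through one digit at a time, each step
announced by a vibration the observer cannot sense, and the user taps one
fixed spot when the intended digit is current.  The attacker's observable
is the step index of the tap (tap position and hand motion carry nothing).
"""
import math
import random
from collections import Counter

DIGITS = list(range(10))


def present_order(rng, randomized):
    """Order in which the hidden keypad state walks through the digits.

    randomized=False models the insecure variant: the walk is always
    0,1,...,9, so the observable step index equals the digit.
    """
    order = DIGITS[:]
    if randomized:
        rng.shuffle(order)
    return order


def enter_digit(digit, order):
    """User counts haptic pulses until `digit` is current, then taps.

    Returns what an observer can see: the step index of the tap.
    """
    return order.index(digit)


def observer_view(pin, rng, randomized):
    """Step indices an observer records for a whole PIN entry."""
    return [enter_digit(d, present_order(rng, randomized)) for d in pin]


def mutual_information_bits(samples):
    """Plug-in estimate of I(digit; observed step) from (digit, step) pairs."""
    n = len(samples)
    joint = Counter(samples)
    px = Counter(d for d, _ in samples)
    py = Counter(s for _, s in samples)
    mi = 0.0
    for (x, y), c in joint.items():
        p_xy = c / n
        mi += p_xy * math.log2(p_xy / ((px[x] / n) * (py[y] / n)))
    return mi


def leakage_bits(randomized, trials=20000, seed=1):
    """Bits about one digit that the tap step index leaks to an observer.

    Constructed sample: uniformly random digits, fresh walk order per entry
    when randomized.  Fixed order leaks ~log2(10) = 3.32 bits (everything);
    a random order leaks ~0 bits (only estimator bias remains).
    """
    rng = random.Random(seed)
    samples = []
    for _ in range(trials):
        d = rng.randrange(10)
        samples.append((d, enter_digit(d, present_order(rng, randomized))))
    return mutual_information_bits(samples)


def guess_pin_from_steps(steps, randomized):
    """Attacker's best guess from observed step indices.

    With a fixed walk order the index is the digit; with a per-entry random
    order there is no better-than-chance guess, so None is returned.
    """
    if randomized:
        return None
    return [DIGITS[s] for s in steps]


if __name__ == "__main__":
    print("fixed order leaks   %.2f bits/digit" % leakage_bits(randomized=False))
    print("random order leaks  %.2f bits/digit" % leakage_bits(randomized=True))
    seen = observer_view([1, 2, 3, 4], None, randomized=False)
    print("fixed-order taps", seen, "->", guess_pin_from_steps(seen, False))
```

The design point the model isolates is that hiding the vibration from the observer is necessary but not sufficient: whatever the observer can still see (here, how long the user waits before tapping) must be independent of the secret, which requires the keypad's internal state sequence to be unpredictable for every entry.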

[1] Sebastian Risi et al. Deep-Spying: Spying using Smartwatch and Deep Learning, 2015, ArXiv.

[2] Chun Liu et al. An evaluation of fake fingerprint databases utilizing SVM classification, 2015, Pattern Recognit. Lett.

[3] Rajesh Kumar et al. Beware, Your Hands Reveal Your Secrets!, 2014, CCS.

[4] Jan-Michael Frahm et al. iSpy: automatic reconstruction of typed input from compromising reflections, 2011, CCS '11.

[5] Hong-Xia Wang et al. A fingerprint-based audio authentication scheme using frequency domain statistical characteristic, 2012, Multimedia Tools and Applications.

[6] Ravi Kuber et al. Feasibility study of tactile-based authentication, 2010, Int. J. Hum. Comput. Stud.

[7] Ani Nahapetian et al. WristSnoop: Smartphone PINs prediction using smartwatch motion sensors, 2015, 2015 IEEE International Workshop on Information Forensics and Security (WIFS).

[8] Ian Oakley et al. The haptic wheel: design & evaluation of a tactile password system, 2010, CHI EA '10.

[9] Guofei Gu et al. Shadow attacks: automatically evading system-call-behavior based malware detection, 2011, Journal in Computer Virology.

[10] Ravi Kuber et al. Toward tactile authentication for blind users, 2010, ASSETS '10.

[11] Ian Oakley et al. Counting clicks and beeps: Exploring numerosity based haptic and audio PIN entry, 2012, Interact. Comput.

[12] Cheng-Jung Tsai et al. A graphical-based password keystroke dynamic authentication system for touch screen handheld mobile devices, 2012, J. Syst. Softw.

[13] Markus G. Kuhn et al. Electromagnetic Eavesdropping Risks of Flat-Panel Displays, 2004, Privacy Enhancing Technologies.

[14] Ian Oakley et al. Spinlock: A Single-Cue Haptic and Audio PIN Input Technique for Authentication, 2011, HAID.

[15] Ian Oakley et al. The phone lock: audio and haptic shoulder-surfing resistant PIN entry methods for mobile devices, 2011, Tangible and Embedded Interaction.

[16] Kameswara Rao et al. Novel Shoulder-Surfing Resistant Authentication Schemes using Text-Graphical Passwords, 2012.

[17] Stephanie Schuckers et al. Texture Modeling for Synthetic Fingerprint Generation, 2013, 2013 IEEE Conference on Computer Vision and Pattern Recognition Workshops.

[18] Martin Welk et al. Tempest in a Teapot: Compromising Reflections Revisited, 2009, 2009 30th IEEE Symposium on Security and Privacy.

[19] Rajesh Kumar et al. Toward Robotic Robbery on the Touch Screen, 2016, ACM Trans. Inf. Syst. Secur.

[20] Claudia Picardi et al. User authentication through keystroke dynamics, 2002, TSEC.

[21] Zhen Ling et al. Blind Recognition of Touched Keys on Mobile Devices, 2014, CCS.

[22] Xiangyu Liu et al. When Good Becomes Evil: Keystroke Inference with Smartwatch, 2015, CCS.

[23] Giacomo Boracchi et al. A fast eavesdropping attack against touchscreens, 2011, 2011 7th International Conference on Information Assurance and Security (IAS).

[24] Giovanni Vigna et al. ClearShot: Eavesdropping on Keyboard Input from Video, 2008, 2008 IEEE Symposium on Security and Privacy (SP 2008).

[25] Abdulmotaleb El-Saddik et al. Haptic-Based Biometrics: A Feasibility Study, 2006, 2006 14th Symposium on Haptic Interfaces for Virtual Environment and Teleoperator Systems.