Augmented Reality-based Mimicry Attacks on Behaviour-Based Smartphone Authentication

We develop an augmented reality-based app that resides on the attacker's smartphone and leverages computer vision and raw input data to provide real-time mimicry attack guidance on the victim's phone. Our approach does not require tampering or installing software on the victim's device, or specialized hardware. The app is demonstrated by attacking keystroke dynamics, a method leveraging the unique typing behaviour of users to authenticate them on a smartphone, which was previously thought to be hard to mimic. In addition, we propose a low-tech AR-like audiovisual method based on spatial pointers on a transparent film and audio cues. We conduct experiments with 31 participants and mount over 400 attacks to show that our methods enable attackers to successfully bypass keystroke dynamics for 87% of the attacks after an average mimicry training of four minutes. Our AR-based method can be extended to attack other input behaviour-based biometrics. While the particular attack we describe is relatively narrow, it is a good example of using AR guidance to enable successful mimicry of user behaviour---an approach of increasing concern as AR functionality becomes more commonplace.
