Urs Hengartner • Breaking Three Defences Against Shoulder-Surfing Attacks


Okay, for our second talk of the Cheriton Symposium: Urs Hengartner is our second Cheriton Faculty Fellow. He first arrived at Waterloo, I believe, in 2005, following a degree at ETH and then a PhD at ETH and a master's at CMU. Is that right? Undergrad at ETH, PhD at CMU; I got the order wrong. Oh, okay, I am sorry. Okay, no problem. He has been a professor here since and works in the area of security and privacy at the interface with HCI, and he'll talk along those lines in a bit. So thank you.

Thank you. Thank you for the introduction, Mark, thanks to you for showing up, and in particular to David Cheriton for showing up and for that fellowship. This is joint work with Hassan Khan, who was my PhD student and then my postdoc and is now an assistant prof at Guelph, and also with Dan Vogel, who is not here; he may still be busy with the CHI deadline. I'm a CrySP member and Dan was in charge of the usability, the HCI side.

So, shoulder surfing. You've probably been affected by shoulder surfing in some way; maybe you have been shoulder surfed, or you shoulder surfed somebody. We spent the last year in Montreal, and there we took the bus and the metro to work, and often these were very crowded, so it was hard not to shoulder surf sometimes. So shoulder surfing seems to be a real-world problem, and this has also been acknowledged in a research study from a few years ago. They did a field study: they asked people, have you been shoulder surfed, has there been a potential for shoulder surfing? And in 17% of the sampled sessions shoulder surfing could have been a real threat. This study also asked the participants: what do you do to defend against shoulder surfing? These are their answers. The most common defence was tilting the screen away: if the observer is standing to my left, you tilt the screen of the smartphone away from your observer, and you've probably all done this. There are also some other defences, but tilting is the most common defence applied in the real world.

Not surprisingly, researchers have come up with their own defences, and I'm giving three classes of defences on this slide. The first one is what we call indirect input. Consider that the user is also wearing Google Glass, and there is information displayed on Google Glass, in particular the layout of the PIN keyboard. If you look at the phone itself there are just the boxes, but not the actual digits. So in order to be able to enter the code, the user has to see the input on Google Glass. This works, but of course you need a second device, Google Glass, and it also tends to be on the slow side, because you first have to figure out, if you want to enter five as your digit, where is five on the keyboard, and that takes time.

Input obfuscation is a very interesting idea. Each digit is either red or yellow, and you enter your code by choosing the red or the yellow box. In addition there is an arrow, and the arrow tells you how to swipe. For example, if you want to enter an eight, we choose the yellow box and swipe towards the right. This of course is not totally secure against shoulder surfing, but hopefully it makes shoulder surfing more difficult, so the attacker has to pay much more attention. The main problem, similar to indirect input, is that it takes longer: you first have to look at the digits and then figure out what you have to do.

Another interesting idea is to use what we call a non-observable channel, and there are two approaches. The first one is called ForcePIN. The idea here is that you enter your PIN, but for some of the digits you push harder, so you double the input space for your PINs, and the expectation is that somebody who is shoulder surfing can't see how hard you're pushing. The advantage of this solution is that it's easy to do; you can do this on common smartphones, because when you push on the phone the operating system is able to measure how strongly you push, so we don't need any additional hardware. The problem is that there was only a very short evaluation when it came to shoulder surfing, done by the authors of this paper, and so we don't really know how secure this solution actually is against shoulder surfing.

The other solution is to use something called keystroke dynamics. Here the observation is that different people enter text in different ways. For example, some people enter text very fast, others much more slowly; some people always push in the middle of a button, other people push towards the edge of a button. The hope is that a shoulder surfer won't be able to enter a user's PIN even if the shoulder surfer knows the PIN, because the shoulder surfer won't be able to enter the PIN in the same way as the victim. Again this is easy to deploy, but here there was absolutely no mimicry evaluation done by the authors, so again we don't know: is this actually secure, does it defend against shoulder surfing?

Which brings us to our contributions. We looked at tilting, ForcePIN and keystroke dynamics and analysed how secure they actually are against shoulder surfing. My talk consists of two parts: in the first part I'm going to look at tilting and ForcePIN, and in the second part we'll look at keystroke dynamics.

The research questions that we studied here are: how effective are the two defences I mentioned, namely tilting and ForcePIN, and also, if attackers are successful, what were the strategies that they used? To do this we conducted a study with 30 participants. What was our threat model? For tilting we assumed that the phone is tilted such that the attacker won't be able to see the screen and the tip of the finger. For the ForcePIN defence the attacker could see everything, so the attacker could see the entire screen and the fingers where the user is typing; this is the same threat model as used in the original paper. For the evaluation we looked at a four-digit PIN, because most people who use a PIN have a four-digit PIN. We had four conditions. The first one was the baseline PIN: we have somebody enter the PIN and then we analyse how well we can shoulder surf the PIN, so no defence. The other three conditions use one of these defences or a combination of them: ForcePIN is where for some of the digits you apply more pressure, for tilt you tilt the phone away, and ForcePIN-tilt is a combination of the two approaches.

We had a few additional factors. The viewing angle is either from the top or from the side; of course this applies only for ForcePIN and the baseline, because for the tilting defence you can't actually see the screen. Another factor was the viewing distance: the attacker is very close, maybe the attacker is walking behind your back, meaning 60 centimetres, or in the second condition the attacker is far away, shoulder surfing you from across the room, so about 6 metres away.

Then we proceeded to get some victim data. We asked 30 participants, mainly graduate students, to enter a PIN on their phones, and we videotaped them. We first asked them: here's a phone, set up a PIN, practise entering this PIN a little bit so that you become familiar with it. After the victim managed to authenticate 10 times, we then shot the video of the victim entering this PIN. In terms of the interface, it was identical to the Android 6.0 interface. For ForcePIN we chose a threshold empirically: what is high pressure, what is low pressure? We asked a small number of users to apply a lot of pressure and not a lot of pressure and looked at what the threshold is. Similar to the original paper, we decided to give them haptic feedback when the user pushed hard, so if you enter a high-pressure digit the phone vibrates a little, so that the user knows: I entered a high-pressure digit, I pressed sufficiently hard. The potential problem there is that we videotaped these victims, and vibrating also results in some noise, so that could have been a side channel; so while showing this video to the attackers we muted the video. For tilting, we did not tell the victims to use a certain tilt angle; instead we told them you can use your own tilt angle, because we wanted to explore what tilt angles people choose in the real world.

An interesting observation: this ForcePIN system is obviously not used in the real world, so we have no experience with it, and we asked the participants to use this ForcePIN system, just set it up for yourself. An interesting question is how many digits are what we call pressure digits, how many digits in the PIN are pressure digits where the victims push hard. Not necessarily surprisingly, most victims chose just one pressure digit, and a much smaller number chose two or three pressure digits. What about the tilt angle? As I mentioned, this is left up to the users to choose. We have four example shots here: in the first one there's not much tilting, and here there's a lot of tilting, close to 90 degrees, and some in-between angles. Those are the results: a small number of people, 11%, don't tilt much; similarly the same percentage of people tilt a lot, close to 90 degrees, and most people do something in between. You can think about yourself, what's your behaviour, how much do you tilt, and see whether this corresponds to your behaviour.

Then the actual attack. Now we have the victim data, let's run the attack. Again we had 30 participants, so there was some overlap between the attackers and the victims, but of course an attacker never attacked himself or herself; that would have been silly. We gave the attackers, in particular the ones who weren't victims before, the opportunity to familiarise themselves with the system by going through the same training as done by the victims. Then we showed them the video and controlled it such that the size of the device on the screen was the same as a real-world device. Each attacker had to undergo 24 attacks: for PIN, 4 for the top view and 4 for the side view, the same for ForcePIN, and for tilt the top view of course wouldn't have made any sense, so it's just 4 for each variant of tilting. The actual protocol: we played the video to the attackers and then asked them, do you want to tell us what you think the PIN is? If they were confident they could do so, but they could also tell us, I'm not sure, can I see the video again? I think they could watch the video up to three times. If they gave us the wrong PIN we would tell them it's wrong, just yes or no; we wouldn't tell them what is wrong, because if the attacker had done this on a real phone the outcome would also be binary with no feedback. At the very end we asked the attackers, what was your strategy, how did you try to break the PIN?

These are the results. This is only for the side view. We have the four conditions here and the success rate on the y-axis, and for each condition we have four bars: the dark bar is the cases where the attacker manages to guess all digits, the medium bar is where the attacker guessed at least four digits in the right sequence, and the bar on the right side is the cases where the attacker managed to guess at least one correct digit. Let's talk about the results. The baseline, no defences: a very high rate of success, not necessarily surprising; you may have experienced this yourself by doing shoulder surfing. Here it gets really interesting: for ForcePIN there's not much of a difference. In more than 90% of the cases they succeed completely, and for partial guesses it is close to one hundred percent. So it looks like you're not getting much security from this proposed defence, and I'll come back to this result later on to tell you what exactly is happening. But let's look at tilting first. Tilting does give you some additional security: in the majority of the cases the attackers failed to guess the entire PIN. That said, there's still a significant number of cases, more than half of the cases, like 70% of the cases, where we can guess at least three digits, meaning this enables guessing attacks. The attacker can start guessing, because typically if you enter a PIN on the phone you have a few attempts until the phone locks you out or tells you, now you have to wait a minute before you can proceed. So we can still do guessing attacks; tilting helps, but it doesn't give total security. The results for the combination of ForcePIN and tilt are very similar to the results for tilt. It looks like it's a little bit more secure, but if you take a close look at the result it is not actually statistically significant, so we can't say which system is stronger. So as a summary, tilting definitely helps but ForcePIN doesn't.

By view, remember side view and top view: no difference at all for the baseline PIN; it doesn't really matter where the attacker is watching from. For ForcePIN the result is very similar; there is a small difference, but again no statistically significant difference. What about the other factor, distance? This is quite interesting, in that we would think if the attacker is further away it becomes harder to do shoulder surfing, and yes, it does indeed become a little bit harder, but not much; it's still more than 80 percent. I'm kind of wondering myself whether this is an artifact, because we used graduate students, so they're young and have good eyes. If I had been the attacker, or people like me had been most of the attackers, the results may look different. But keep this in mind when you enter your PIN: somebody across the room may still be able to shoulder surf you. For ForcePIN, distance basically doesn't help at all; even if the attacker is far away, it's still totally plausible, and again the reason may relate to the fundamental weakness of ForcePIN, which I'll come back to in a minute. Similarly for tilting: for the attacker it's already quite hard, and so being a few metres further away doesn't make the attack significantly harder than being close to the victim.

Incorrect guesses. If you remember the attack protocol, the attackers may have made an incorrect guess and then could have repeated. It turns out there weren't a lot of incorrect guesses: for PIN and ForcePIN there weren't any incorrect guesses at all, and even for tilt and ForcePIN-tilt most of the people, 60%, were successful in the first attempt and 90% were successful within three attempts. Remember the guessing: guessing attacks are definitely feasible with tilting, not ForcePIN. What about partially correct guesses, the cases where the attackers always failed? For them again, most guessed the most digits in the first attempt, at least for PIN and ForcePIN. Number of observations: remember the attack protocol, we show them the video of the victim once and then we ask, do you want to guess or do you want to watch the video again? For PIN and ForcePIN, 40% of the successful attacks required only one attempt, so they wanted to watch the video only once, and for ForcePIN, not surprisingly, the number is smaller, 20%; however, for 80% of the correct guesses they had to watch only twice. So keep this in mind when you think about the attacker model: maybe on the bus you enter the PIN only once, but if it's a long bus ride you may enter the PIN multiple times, twice, and that's sufficient for the attacker to figure out what's happening. Even for tilt and ForcePIN-tilt most attacks needed four or fewer attempts, which of course again may happen on a longer bus ride or train ride.

Another interesting question is the tilt angle: how does it affect the success probability? If there is not much of an angle, up to 20 degrees, ninety-three percent of the attacks were successful, and the non-successful ones at least resulted in partially correct guesses. Then, not surprisingly, as the tilt angle increases, the probability for correct guesses goes down and the probability for partially correct guesses goes up, until at 90 degrees the probability for a correct guess is quite low. So the obvious reaction to this result may be: always use a tilt angle of close to 90 degrees. Now think about using this defence at home: you want to prevent your spouse from learning your PIN, or maybe even at the workplace, you want to prevent your colleagues from being able to learn your PIN. So your spouse is standing next to you and you enter the PIN, and you tilt the phone significantly away from her; your spouse may get suspicious: why are you doing this, is this something you want to hide from me? Whereas if you tilt the phone only slightly, then you're less likely to run into this problem. So this is an interesting point of view, and a challenge to address: what do we do here in terms of social implications?

So the big question that you probably have and I haven't answered is: what's wrong with ForcePIN, what's happening? What we did is we looked at how long it takes for users to authenticate using ForcePIN as opposed to PIN. It turns out it takes significantly longer to authenticate, and in particular the users spend more time on the pressure digits: they push harder, and it turns out when you push harder it also takes longer, for most participants it takes longer to push in the first place. So this is a side channel: the attackers can observe how long somebody is pushing a digit, and this is how the attack inferred the code. There's obviously a statistical difference between the key press intervals for normal and high-pressure digits, so that was the side channel.

We also asked the participants, what did you do, what was your attack strategy? We came up with three different strategies. The first one is what we call the landmark strategy: the participants have a landmark, it can be an edge of the screen or a corner of the screen, and they look at how far away the finger is from this corner or edge. The keyboard strategy, that's the obvious one: the attackers have a vision of the layout of the keyboard and then try to map this layout to where the finger is. The pattern strategy is a relative strategy: how your finger is moving across the keyboard. The final strategy was a combination of the landmark and the pattern strategy, and this was particularly useful for the few cases where people managed to break the scheme for 90-degree tilting, because if you think about it, there is still one edge that is relatively close to the attacker, the left column or the right column, and using this strategy they managed to figure out at least the digits that were in the first column, if any at all.

So let me summarise the first part of my talk. ForcePIN basically provides no security because of this timing side channel. Tilting provides some defence as long as you tilt a lot, but then of course you run into the potential social implications that I hinted at. And shoulder surfing attacks from a distance are effective.

Let's move on to part 2, our security evaluation of keystroke dynamics, so behavioural biometrics. I believe many of you know about biometrics and are probably even using them on your smartphone or your laptop; for example, you use your fingerprint to authenticate to your phone. What are behavioural biometrics? They exploit the way you're behaving while using the phone, for example how you're swiping on your phone or the way you're entering text: things like how long you hold a key, what's the inter-stroke interval between two keys. The hope is that different people have enough differences that we can exploit this for authenticating them. This is not just something researchers have come up with; there are real-world deployments of this idea. Samsung has a solution, and there are also several startups in the area. One of them is a company called TypingDNA, and they have this interesting statement on their website: typing biometrics verification is very difficult to spoof; you'd also probably be surprised how easy it is for a criminal to duplicate your voice using spoofing software. That's actually true, it's quite easy to spoof voice. Some of you may have read about the recent attack where the attacker spoofed the voice of somebody's supervisor and then told the employee to transfer money to the attacker, and the attack worked. So voice authentication is not as secure as many people think it is, and there's a similar problem with fingerprints: we leave our fingerprints all over the place, so it's relatively easy to get access to somebody's fingerprint. Then of course the big question is: is the claim made by the company true, is it really hard to spoof typing biometrics? That's what we took a closer look at. In particular we looked at typing biometrics in the context of password hardening. The assumption is that the attacker knows somebody's password, and so, to defend against the attack, we also look at the input behaviour while entering the password; if you have a case where the password matches but the keystroke behaviour mismatches, this is a potential compromise.

What's our threat model? We assume the attacker has gotten access to somebody's password, and we also assume that the attacker has gotten access to somebody's behaviour while entering this password; I'll come back to this point in a minute. Then the attacker uses this knowledge to launch a mimicry attack, meaning the attacker tries to behave like the victim while entering the password. So the attack really consists of two steps: the attacker first has to get access to this behaviour, and then once the attacker has this information, the attacker has to try to reproduce this behaviour. The focus of our work was on the second part. That said, I do want to spend some time on the first part, because this is where we often get questions: is this a realistic assumption, that the attacker gains access to this information? Our argument is yes, it is. In particular there are two scenarios we are worried about. In the first, the attacker has no control over the apps the victim installs on his or her phone, and this makes the attack hard but not infeasible. For example, imagine a biometric database. A few weeks ago there was this company in South Korea that developed a behavioural authentication system and used fingerprints, and their fingerprint database leaked, so 1 million fingerprints leaked to the entire world. Imagine we now use keyboard input behaviour and store it in a database, and this database leaks; that's certainly a possibility. There are also other attacks: maybe the attacker can convince the victim to go to a website, and the website asks the user to perform certain input actions, and this malicious website just records these actions and builds a profile of the user. Or if I am the attacker and am close to the victim, I can take my phone, prepare it, give it to the victim and ask the victim, hey, enter some text on my phone, and while the victim is doing this my phone is recording how the victim is behaving. And of course if the attacker is able to install apps on the victim's phone, things become easier: for example, I can tell the victim, install this app, it's really cool; of course it's a malicious app and records how the victim is behaving. Or I can potentially take the victim's phone at some point, get rid of his or her instant messaging app and replace it with a cloned and tampered app that records the behaviour. An interesting challenge is what we can do if we can't record the victim while the victim is entering his or her password, but only while he or she is entering regular text. It turns out we can still do bigram splicing: we can take the bigrams entered while entering regular text and use them as the bigrams that the password consists of. That actually works; I may come back to it later on.

What about reproducing the victim's behaviour? There are basically two scenarios. The first one is where the user authenticates to a website, and there we could potentially use a bot: we take the victim's device, install a bot on the victim's device and have the bot authenticate. That was not the scenario we were interested in; we were interested in the second scenario, where the user has to authenticate to the device. So we assume the device is locked and that the attacker is not able to install a bot or something like that on the device. What was the solution that we came up with to deal with this situation? We use an augmented reality based solution. We have two devices: the one that the victim is holding and the attacker's device. The attacker's device is put on the table and turned around so that the camera sees the victim's device, and then the attacker's device displays the screen of the victim's device to the attacker and tells the attacker where the attacker has to push the digits. This does not require any tampering with the victim's device. So that's the basic idea.

Let's talk about the implementation. It turns out keystroke behaviour has been around for quite a while; it's not a new idea, it has been done for physical keyboards for quite a while, and more recently for smartphone keyboards the schemes have become more sophisticated, they use more features. One of the most recent ones, the one we used, uses 24 features: temporal features like how long you hold a key, contact features like how much pressure you apply, for example, and spatial features like where exactly on the key you push the key. So what are the challenges? The attacker has to mimic all these features during the attack, and this has to be quite fine-grained; we are talking about the milliseconds level here. So the objective was: we wanted to build this augmented reality based system to mimic device interaction behaviour, and the case study was this password entry behaviour, but what we envision is that the same kind of framework could potentially also be used to attack other systems. To do this we pursued a two-stage approach: we first trained the attackers on the attacker's device, and once the attackers were ready, we gave them the victim's device and used AR, augmented reality, to guide them during the attack on the victim's device.

Let's talk about each of the two steps, the training step first. Remember we have 24 features, and training the attacker to mimic all 24 features could have been hard, so we tried to get rid of some of the features that they had to train for, and we also tried to come up with simple training interfaces. How did we get rid of some of the features? We realised some features basically depend on each other. Like here, the jump feature, how much you jump between two digits: it simply depends on another feature, namely the x coordinates of the two keys, so we don't need to drill into all the features. At a high level, what we did is we analysed the correlation between two features, and if you see a dark dot this means that two features are highly correlated, so we really don't need to explicitly train for both of them. As a result we ended up with six features only, starting off from the original 24 features. Even six features can be a lot if you have to train for each key separately, so we did another analysis: which features are key-independent? It turns out three of the features are key-independent: regardless which key you push, most people always apply the same or a very similar amount of pressure, same for the touch area of the key and the hold interval. So only three features you have to train in a key-specific way, which led us to these training interfaces. The first interface that we gave to the attackers was the training interface for the key-independent features: we asked them to tap anywhere on the screen, told them the target pressure and the target area, and then gave them feedback: yes, this is good, or maybe try again because you didn't push hard enough. Once they had managed this interface we gave them the second interface for training the key-specific features: we told them, push on this key and push exactly at this position, and then they would move ahead to the other digits of the password, and we also gave them some feedback; I think green means you were too fast, red means you were too slow, and light blue means you did well enough, sufficiently close.

So we gave them this training and then asked them to also perform the actual attack. After the participants had completed this training, we asked them: now please put down the phone that you used for the training, wait 30 seconds, pick it up and try again. This simulates an attack: the attacker trains on the attacker's phone, puts the attacker's phone down, picks up the victim's phone and launches the actual attack; that's what is simulated. What was the result? Most of the attackers managed to successfully complete the training, at least 80%; we had three passwords, the ones shown there, and at least 80% for each of the three passwords, so that's good. But then they put the phone down and launched the attack after 30 seconds, and only at most 25% of the attacks were successful in the first attempt, even though before 80% had been successful. Now they try again after 30 seconds and most of them fail, and even if things improve when we gave them multiple attempts, still 20 up to 30% of the attacks fail even with multiple attempts. This led us to introduce real-time guidance during the attack, the AR based approach that I referred to already. So this is the victim's device. We put a little piece of paper on the victim's device; that's the only kind of tampering required, and this is simply to help our computer vision algorithm. The device placement we've already seen, and this is what the attacker sees: the attacker sees, this is where I have to push the key, and in addition, during the actual attack, we also blend in the attacker's fingers. This is all based on computer vision; I'm not going through the individual steps, I'm running out of time, and I'm not a computer vision person myself. Just for the people who are into this kind of stuff: if you care, you can download this software and play
around with it we also developed a second approach a much more basic approach just to to compare the other plot the AR based approach what we did is we took the victim's phone and used an erasable marker to draw where that the attacker should push the keys and then we used the second phone that that beep blade beep sounds for the time information right this is this beep you should switch to the next key beep you should switch to the next key and then the attack was similar to the attack already mentioned that didn't use a guide or the same as the attack already I already mentioned that did not use any guidance and so obviously what we all care about what are the results so ninety-seven percent of the cases so in 90% of this off of the cases where the training was successful the attacks also succeeded all right so the black bar is the bar showing the cases where the training succeeded and then the other part shows the cases where the attacks were successful and so we have three three bars the first attack was successful the second attack was successful and the third attack was successful right and so it's nearly reaches the it's nearly as high as the bar with the showing all the cases where all training succeeded right so 90% of the attacks now succeed and 80% of the successful attacks they required only one attempt remember it was the number was much much lower for the unguided attacks so this definitely helps how much time did you spend on training turns out not much about three to four minutes first about two minutes for the key independent features and then another two minutes or so for the key dependent features and they're depending on the past or the amount of time is slightly different so three to four minutes so not very long quickly some other observations what about attackers that typed fast versus attacker that typed slowly turns out attackers that type fast they are better right they they can they can emulate both victims that type fast and also victims 
that type slowly there's attackers that typed slowly they have a much harder time at emulating or mimicking victims that type hard um there we didn't much see much of a difference between AR based augmented reality based and the audio-video based attacks the only difference we saw it that the the number of people that succeeded in the first attempt was higher for the AV based attack then for the AR based attack and our thinking is that if for the AR based attack they look at the attackers device and then they see the the victims device to see the scream but the screen is slightly smaller on the screen and so this may have thrown them off the first time and so they need multiple at times well we don't have this problem for the for the AV based attack okay so this is all in the in the business paper some our recent findings that I want to quickly mention you may have your argument may have been if you looked at the past what's a little bit more closely hey these are all very simple passwords not very hard turns out even complex passwords are quite easy to mimic and I mentioned the bigrams placing a possibility right if the attacker is not able to capture the the input behavior for the actual password but only the import behavior for some other text that is being entered by the victim and so has to use these bigrams placing and turns out that actually works too another interesting question is what if the attacker doesn't have the same device as the victim like the victim victims device has a different brand make or different screen size turns out for at least the temporal feature and the space and features it's relatively easy to do map between two devices that it may be harder to do this for the contact features but that's still somewhat of an open question and turns out you can use the AR based approach also to mimic other kinds of input behavior in particular we looked at the mimicry of swiping behavior so it's it's potentially quite a powerful tool our our AR 
based attack okay I'm out of time so let's conclude the talk so these are the things if you take away from this talk so real world defenses like tilting they don't help much against shoulder surfing and research-based strategies force pin they they don't help at all and so I think what's important here is that we educate users about the flaws of tilting right it's a widely used offense so we should tell users hey be careful like it may not work as you expect we can use we can mimic keep our input behavior using our AR Augmented tool and yeah as I hinted that it would be really cool to do to do apply this kind of attack also to other scenarios okay thanks for your attention are there any questions [appluase] oh so one of the things that they come down here is that the the attacker needs to have a little bit of skill at that reproduction is it a reasonable scenario that the attacker would actually be a big device obviously we can make a device cell phone and electric press keys and would that kind of thing actually work with difficulty but to put in appropriate patterns so people have actually used a built a Lego robot that managed to mimics the victims swiping pattern so yeah maybe we don't even need a human to perform the attack maybe we can we can make the robot and have the robot perform the attack it has been done for swiping I think it hasn't been done for keyboard input behavior barely shortened so motivated by excusing these correct horse batteries they are password that's a pretty long password did the mimicry drift and get worse over time so if you have a longer password like twenty eight characters is it we did not look at passphrases and the reason is that if pass phrases are kind of painful to enter in particular on a smartphone and so the number of people who uses the passphrase on a small it on a phone is very low but I keep in mind for the even for that forum for the slightly longer password for complex password it's still feasible so if I remember 
correctly you said that you muted the video when the attackers were watching it but maybe I miss understand the study but isn't it the video supposed to sort of simulate the attacker literally shoulder surfing as I currently am Dan so in that scenario wouldn't they be able to hear noise yeah yeah totally I mean then it would have been super easy but well our argument then is basically too easy all right I mean if you right and also right this is just this is just proposed by the researchers to do to use haptics you don't necessarily need to do haptics in particular if you care about security yeah time for one more question mhm so these different kinds of mechanisms for seeing your biometrics to see how fast you swipe and stuff you're focusing on an attacker trying to mimic that mhm how much variability has to be in these systems because individuals sometimes have different patterns like if I'm very tired or something then my my way I swipe is going to be different or if I'm drunk or something then how do I swipe that will be a fun research study to perform excellent questions excellent questions and so I'm not aware of any research doing this doing this kind of analysis in the long term and looking at people and like how they behave throughout the day yeah again if you're interested in doing this kind of work I mean talk to me would be fun I mean maybe maybe not necessarily the drunk part but yeah okay and with that I would like to thank Urs for a very interesting talk [applause]

Source: Youtube
