Mimicry Attacks on Smartphone Keystroke Authentication

Published: 05 February 2020

Abstract

Keystroke behaviour-based authentication uses a user's unique typing behaviour to authenticate them. Recent proposals for virtual keyboards on smartphones employ diverse temporal, contact, and spatial features to achieve over 95% accuracy, and have consequently been suggested as a second line of defense alongside text-based password authentication. We show that a state-of-the-art keystroke behaviour-based authentication scheme is highly vulnerable to mimicry attacks. While previous research used training interfaces to attack physical keyboards, we show that this approach has limited effectiveness against virtual keyboards, mainly because of the large number of diverse features the attacker must mimic. We address this challenge by developing an augmented reality-based app that resides on the attacker's smartphone and leverages computer vision and keystroke data to provide real-time guidance during password entry on the victim's phone. In addition, we propose an audiovisual attack in which the attacker overlays a transparent film printed with spatial pointers on the victim's device and uses audio cues to match the victim's temporal behaviour. Neither attack requires tampering with or installing software on the victim's device, nor any specialized hardware. We conduct experiments with 30 users to mount over 400 mimicry attacks and show that our methods enable an attacker to mimic keystroke behaviour on virtual keyboards with little effort. We also demonstrate the extensibility of our augmented reality-based technique by successfully mounting mimicry attacks on a swiping behaviour-based continuous authentication system.
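The abstract's core argument is that a virtual-keyboard scheme scores many feature types at once, so an attacker who reproduces only the victim's timing (as training interfaces for physical keyboards do) still fails on the spatial and contact features, while guidance that covers all of them succeeds. The following is an added illustration, not the paper's scheme, code, or data: it builds a template from constructed enrollment entries for a hypothetical four-character password, scores entries with a mean z-score (scaled Manhattan) distance, and compares the victim, an unguided impostor, an impostor guided on timing only, and an impostor guided on timing, touch position and contact size together. The key layout, feature set, per-feature variation, attacker habits and the 1.5 standard-deviation threshold are all assumptions chosen for the example.

```python
"""Keystroke-dynamics template matching on constructed data (added example).

Not the paper's scheme or code. Feature set, layout, variation, attacker
profile and threshold are hypothetical; all inputs are constructed inline.
"""
from dataclasses import dataclass
from statistics import mean, pstdev

# Hypothetical key centres (pixels) for the keys of the constructed password.
KEY_CENTRES = {"p": (540.0, 1500.0), "a": (60.0, 1400.0), "s": (180.0, 1400.0)}
PASSWORD = "pass"
THRESHOLD = 1.5  # assumed acceptance threshold, in standard deviations


@dataclass(frozen=True)
class Touch:
    key: str
    down: float   # touch-down timestamp (ms)
    up: float     # touch-up timestamp (ms)
    x: float
    y: float
    size: float   # reported contact size (arbitrary units)


def extract_features(touches):
    """Temporal (hold, flight), spatial (offset from key centre) and contact (size) features."""
    feats = []
    for i, t in enumerate(touches):
        feats.append(t.up - t.down)                        # hold time
        if i + 1 < len(touches):
            feats.append(touches[i + 1].down - t.up)       # flight time: release -> next press
    for t in touches:
        cx, cy = KEY_CENTRES[t.key]
        feats.extend([t.x - cx, t.y - cy])                 # spatial offsets from key centre
    feats.extend(t.size for t in touches)                  # contact size per key
    return feats


def make_entry(hold, flight, dx, dy, size):
    """Constructed password entry: per-key timing, offsets and sizes -> absolute touch events."""
    touches, t = [], 0.0
    for i, k in enumerate(PASSWORD):
        cx, cy = KEY_CENTRES[k]
        touches.append(Touch(k, t, t + hold[i], cx + dx[i], cy + dy[i], size[i]))
        t += hold[i] + (flight[i] if i + 1 < len(PASSWORD) else 0.0)
    return touches


# Victim's habitual values (constructed) and the size of one step of natural variation.
VICTIM = dict(hold=[110, 95, 120, 100], flight=[180, 210, 160],
              dx=[3, -2, 4, 1], dy=[-5, 2, -3, 6], size=[9.0, 9.5, 8.8, 9.2])
STEP = dict(hold=4.0, flight=6.0, dx=1.0, dy=1.0, size=0.2)


def shifted(profile, steps):
    """Shift every feature group of a profile by steps[group] multiples of STEP[group]."""
    return {g: [v + steps[g] * STEP[g] for v in vals] for g, vals in profile.items()}


def entry_from(profile):
    return make_entry(profile["hold"], profile["flight"], profile["dx"], profile["dy"], profile["size"])


def enroll(entries):
    """Per-feature (mean, population std) template from enrollment entries."""
    vectors = [extract_features(e) for e in entries]
    return [(mean(col), pstdev(col)) for col in zip(*vectors)]


def score(template, entry):
    """Scaled Manhattan distance: mean |z| across features (lower = closer to the template)."""
    feats = extract_features(entry)
    return mean(abs(f - mu) / (sigma or 1e-9) for f, (mu, sigma) in zip(feats, template))


# Five enrollment entries spanning -2..+2 steps of the victim's natural variation.
TEMPLATE = enroll([entry_from(shifted(VICTIM, dict.fromkeys(VICTIM, k))) for k in range(-2, 3)])

# Each scenario is expressed as a shift from the victim's habit, in steps.
# Small shifts (0.5, 1.0) mean "within the victim's own variation"; large ones are the
# impostor's own habits. "timing_guided" models a training interface that fixes timing only.
SCENARIOS = {
    "victim":        dict(hold=0.5, flight=0.5, dx=0.5, dy=0.5, size=0.5),
    "impostor":      dict(hold=10, flight=13, dx=-8, dy=10, size=12),
    "timing_guided": dict(hold=0.5, flight=0.5, dx=-8, dy=10, size=12),
    "ar_guided":     dict(hold=1.0, flight=1.0, dx=1.0, dy=1.0, size=1.0),
}


def run_scenarios():
    """Return {name: (score, accepted)} for every constructed entry against the victim template."""
    out = {}
    for name, steps in SCENARIOS.items():
        s = score(TEMPLATE, entry_from(shifted(VICTIM, steps)))
        out[name] = (s, s < THRESHOLD)
    return out


if __name__ == "__main__":
    for name, (s, ok) in run_scenarios().items():
        print(f"{name:14s} score={s:5.2f} {'ACCEPT' if ok else 'REJECT'}")
```

With these assumptions the timing-guided impostor lands at a distance of roughly 4.6 standard deviations, far above the threshold, because the twelve spatial and contact features still carry the impostor's own habits; only when every feature group is reproduced does the score drop into the victim's range. The numbers themselves are artefacts of the constructed profiles; the structure of the result, that the feature count is what defeats a timing-only attack, is the point.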
