Mimicry Attacks on Smartphone Keystroke Authentication
ACM Transactions on Privacy and Security (IF 3.0), Pub Date: 2020-04-04, DOI: 10.1145/3372420
Hassan Khan, Urs Hengartner, Daniel Vogel

Keystroke behaviour-based authentication employs the unique typing behaviour of users to authenticate them. Recent such proposals for virtual keyboards on smartphones employ diverse temporal, contact, and spatial features to achieve over 95% accuracy. Consequently, they have been suggested as a second line of defense alongside text-based password authentication. We show that a state-of-the-art keystroke behaviour-based authentication scheme is highly vulnerable to mimicry attacks. While previous research used training interfaces to attack physical keyboards, we show that this approach has limited effectiveness against virtual keyboards. This is mainly due to the large number of diverse features that the attacker needs to mimic for virtual keyboards. We address this challenge by developing an augmented reality-based app that resides on the attacker's smartphone and leverages computer vision and keystroke data to provide real-time guidance during password entry on the victim's phone. In addition, we propose an audiovisual attack in which the attacker overlays a transparent film printed with spatial pointers on the victim's device and uses audio cues to match the temporal behaviour of the victim. Both attacks require neither tampering with or installing software on the victim's device nor specialized hardware. We conduct experiments with 30 users to mount over 400 mimicry attacks. We show that our methods enable an attacker to mimic keystroke behaviour on virtual keyboards with little effort. We also demonstrate the extensibility of our augmented reality-based technique by successfully mounting mimicry attacks on a swiping behaviour-based continuous authentication system.

Updated: 2020-04-04