PIN skimming: Exploiting the ambient-light sensor in mobile devices

Proceedings of the ACM Conference on Computer and Communications Security

Volumn 2014-November, Issue November, 2014, Pages 51-62

  Spreitzer, Raphael ^a  

^a GRAZ UNIVERSITY OF TECHNOLOGY   (Austria)

Author keywords

Ambient light sensor; Mobile malware; Mobile security; Sensor based attack; Side channel attack

Indexed keywords

COMPUTER PRIVACY; MALWARE; MOTION SENSORS; SIDE CHANNEL ATTACK; SMARTPHONES;

AMBIENT LIGHT; AMBIENT LIGHT SENSORS; INFORMATION LEAKAGE; MOBILE MALWARE; PERSONAL IDENTIFICATION NUMBER; PRIVACY AND SECURITY; SECURITY AND PRIVACY; TABLET COMPUTER;

MOBILE SECURITY;

EID: 84937575306     PISSN: 15437221     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/2666620.2666622     Document Type: Conference Paper

References (51)

1. A. Al-Haiqi, M. Ismail, and R. Nordin. Keystrokes Inference Attack on Android: A Comparative Evaluation of Sensors and Their Fusion. Journal of ICT Research and Applications, 7(2):117-136, 2013.
2. E. Alpaydin. Introduction to Machine Learning (Adaptive Computation and Machine Learning. The MIT Press, 2nd edition, 2010.
3. Android Developers. Android KitKat. https://developer.android.com/about/versions/kitkat.html.
4. Android Developers. Camera. http://developer.android.com/reference/android/hardware/Camera.html.
5. Android Developers. Sensors Overview. http://developer.android.com/guide/topics/sensors/sensorsffoverview.html.
6. D. Asonov and R. Agrawal. Keyboard Acoustic Emanations. In IEEE Symposium on Security and Privacy, pages 3-11, 2004.
7. A. J. Aviv, K. Gibson, E. Mossop, M. Blaze, and J. M. Smith. Smudge Attacks on Smartphone Touch Screens. In USENIX Conference on Offensive Technologies (WOOT), pages 1-7, 2010.
8. A. J. Aviv, B. Sapp, M. Blaze, and J. M. Smith. Practicality of Accelerometer Side Channels on Smartphones. In Annual Computer Security Applications Conference (ACSAC), pages 41-50, 2012.
9. M. Backes, T. Chen, M. Dürmuth, H. P. A. Lensch, and M.Welk. Tempest in a Teapot: Compromising Reections Revisited. In IEEE Symposium on Security and Privacy, pages 315-327, 2009.
10. M. Backes, M. Dürmuth, and D. Unruh. Compromising Reections-or-How to Read LCD Monitors around the Corner. In IEEE Symposium on Security and Privacy, pages 158-169, 2008.
11. M. Backes, S. Gerling, C. Hammer, M. Maffei, and P. von-Styp-Rekowsky. AppGuard - Enforcing User Requirements on Android Apps. In Tools and Algorithms for the Construction and Analysis of Systems (TACAS), pages 543-548, 2013.
12. Barclays PLC. Mobile Banking Services. http://www.barclays.co.uk/Mobile/BarclaysPingit/P1242603570446.
13. M. Becher, F. C. Freiling, J. Hoffmann, T. Holz, S. Uellenbeck, and C. Wolf. Mobile Security Catching Up? Revealing the Nuts and Bolts of the Security of Mobile Devices. In IEEE Symposium on Security and Privacy, pages 96-111, 2011.
14. C. M. Bishop. Pattern Recognition and Machine Learning (In- formation Science and Statistics). Springer-Verlag New York, Inc., Secaucus, NJ, USA, 2006.
15. BlackBerry. BlackBerry Balance. http://us.blackberry.com/business/software/blackberry-balance.html.
16. BlackBerry. BlackBerry Runtime 10.0. http://developer.blackberry.com/android/.
17. J. Bonneau, S. Preibusch, and R. Anderson. A Birthday Present Every Eleven Wallets? The Security of Customer-Chosen Banking PINs. In Financial Cryptography (FC), pages 25-40, 2012.
18. L. Cai and H. Chen. TouchLogger: Inferring Keystrokes on Touch Screen from Smartphone Motion. In USENIX Confer- ence on Hot Topics in Security (HotSec), 2011.
19. L. Cai and H. Chen. On the Practicality of Motion Based Keystroke Inference Attack. In Trust and Trustworthy Com- puting (TRUST), pages 273-290, 2012.
20. L. Cai, S. Machiraju, and H. Chen. Defending Against Sensor- Sniffng Attacks on Mobile Phones. In ACM SIGCOMM Work- shop on Networking, Systems, and Applications for Mobile Handhelds (MobiHeld), pages 31-36, 2009.
21. DoMobile. AppLock. https://play.google.com/store/apps/details?id=com.domobile.applock.
22. Evernote Corporation. Evernote. https://play.google.com/store/apps/details?id=com.evernote.
23. A. P. Felt, E. Chin, S. Hanna, D. Song, and D. Wagner. Android Permissions Demystiffed. In ACM Conference on Computer and Communications Security (CCS), pages 627-638, 2011.
24. A. P. Felt, S. Egelman, M. Finifter, D. Akhawe, and D. Wagner. How to Ask for Permission. In USENIX Conference on Hot Topics in Security (HotSec), 2012.
25. A. P. Felt, E. Ha, S. Egelman, A. Haney, E. Chin, and D. Wagner. Android Permissions: User Attention, Comprehension, and Behavior. In Symposium On Usable Privacy and Security (SOUPS), page 3, 2012.
26. Gary Mazo. How to uncover and use the hidden Service menu on the Galaxy S3. http://www.androidcentral.com/how-uncover-and-use-hidden-service-menu-galaxy-s3.
27. C. Gibler, J. Crussell, J. Erickson, and H. Chen. AndroidLeaks: Automatically Detecting Potential Privacy Leaks in Android Applications on a Large Scale. In Trust and Trustworthy Computing (TRUST), pages 291-307, 2012.
28. Google. Simpliffed permissions on Google Playhttps://support.google.com/googleplay/answer/6014972, 2014.
29. J. Han, E. Owusu, L. T. Nguyen, A. Perrig, and J. Zhang. Accomplice: Location Inference using Accelerometers on Smartphones. In Communication Systems and Networks (COM- SNETS), pages 1-9, 2012.
30. M. Jakobsson and D. Liu. Your Password is Your New PIN. In Mobile Authentication, SpringerBriefs in Computer Science, pages 25-36. Springer New York, 2013.
31. KeepSafe. KeepSafe. https://play.google.com/store/apps/details?id=com.kii.safe.
32. P. G. Kelley, S. Consolvo, L. F. Cranor, J. Jung, N. M. Sadeh, and D. Wetherall. A Conundrum of Permissions: Installing Applications on an Android Smartphone. In Financial Cryptography Workshops, pages 68-79, 2012.
33. P. C. Kocher. Timing Attacks on Implementations of Diffe- Hellman, RSA, DSS, and Other Systems. In Advances in Cryp- Tology (CRYPTO), pages 104-113, 1996.
34. D. F. Kune and Y. Kim. Timing Attacks on PIN Input Devices. In ACM Conference on Computer and Communications Security (CCS), pages 678-680, 2010.
35. P. Marquardt, A. Verma, H. Carter, and P. Traynor. (sp)iPhone: Decoding Vibrations From Nearby Keyboards Using Mobile Phone Accelerometers. In ACM Conference on Computer and Communications Security (CCS), pages 551-562, 2011.
36. MathWorks. Statistics Toolbox. http://www.mathworks.com/products/statistics/.
37. E. Miluzzo, A. Varshavsky, S. Balakrishnan, and R. R. Choudhury. Tapprints: Your Finger Taps Have Fingerprints. In Mobile Systems, Applications, and Services (MobiSys), pages 323-336, 2012.
38. NAB. NAB. https://play.google.com/store/apps/details?id=au.com.nab.mobile.
39. E. Owusu, J. Han, S. Das, A. Perrig, and J. Zhang. ACCessory: Password Inference using Accelerometers on Smartphones. In Mobile Computing Systems and Applications (HotMobile), page 9, 2012.
40. H. Peng, C. S. Gates, B. P. Sarma, N. Li, Y. Qi, R. Potharaju, C. Nita-Rotaru, and I. Molloy. Using Probabilistic Generative Models for Ranking Risks of Android Apps. In ACM Conference on Computer and Communications Security (CCS), pages 241- 252, 2012.
41. F. Roesner, T. Kohno, A. Moshchuk, B. Parno, H. J. Wang, and C. Cowan. User-Driven Access Control: Rethinking Permission Granting in Modern Operating Systems. In IEEE Symposium on Security and Privacy, pages 224-238, 2012.
42. Samsung. Samsung Galaxy S4 Speciffcations. http://www.samsung.com/global/microsite/galaxys4/.
43. Samsung. Samsung Galaxy SIII Speciffcations. http://www.samsung.com/global/galaxys3/specifications.html.
44. Samsung. Samsung KNOX. http://www.samsung.com/global/business/mobile/solution/security/samsung-knox.
45. Samsung. What You May Not Know About GALAXY S4. http://global.samsungtomorrow.com/?p=23610.
46. L. Simon and R. Anderson. PIN Skimmer: Inferring PINs Through The Camera and Microphone. In ACM Workshop on Security and Privacy in Smartphones & Mobile Devices (SPSM), pages 67-78, 2013.
47. Solirify. Math Trainer. https://play.google.com/store/apps/details?id=com.solirify.mathgame.
48. D. X. Song, D. Wagner, and X. Tian. Timing Analysis of Keystrokes and Timing Attacks on SSH. In USENIX Security Symposium, 2001.
49. UK Offce of Communications. Communications Market Report 2013. http://media.ofcom.org.uk/2013/08/01/the-reinvention-of-the-1950s-living-room-2/, 2013.
50. VirusTotal. VirusTotal. https://play.google.com/store/apps/details?id=com.virustotal.
51. Z. Xu, K. Bai, and S. Zhu. TapLogger: Inferring User Inputs On Smartphone Touchscreens Using On-Board Motion Sensors. In Conference on Security and Privacy in Wireless and Mobile Networks (WISEC), pages 113-124. ACM, 2012.