ABSTRACT
No longer reserved for nerdy geeks, smartwatches have rapidly gained popularity and become one of the most desirable gadgets that the general public would like to own. However, such popularity also introduces potential vulnerability. Until now, the de facto solution to protect smartwatches has been passwords, i.e., either PINs or Android Pattern Locks (APLs). Unfortunately, those types of passwords are not robust against various forms of attacks, such as shoulder surfing or touch/motion-based side-channel attacks. In this paper, we propose a novel authentication approach for smartwatches, which adds another layer of security on top of traditional passwords by considering the unique motion signatures produced when different users input passwords on their watches. It uses a deep recurrent neural network to analyse the subtle motion signals of password input and distinguish legitimate users from malicious impostors. In a privacy-preserving manner, our proposed approach does not require users to upload their passcodes for model training, only the motion data and identity labels. Extensive experiments on large-scale datasets collected in the real world show that the proposed approach significantly outperforms the state of the art, even in the most challenging case where a user has multiple distinct passcodes.
Index Terms
- VeriNet: User Verification on Smartwatches via Behavior Biometrics