Hacking Gesture-Based Security

Interesting research: Abdul Serwadda, Vir V. Phoha, Zibo Wang, Rajesh Kumar, and Diksha Shukla, “Robotic Robbery on the Touch Screen,” ACM Transactions on Information and System Security, May 2016.

Abstract: Despite the tremendous amount of research fronting the use of touch gestures as a mechanism of continuous authentication on smart phones, very little research has been conducted to evaluate how these systems could behave if attacked by sophisticated adversaries. In this article, we present two Lego-driven robotic attacks on touch-based authentication: a population statistics-driven attack and a user-tailored attack. The population statistics-driven attack is based on patterns gleaned from a large population of users, whereas the user-tailored attack is launched based on samples stolen from the victim. Both attacks are launched by a Lego robot that is trained on how to swipe on the touch screen. Using seven verification algorithms and a large dataset of users, we show that the attacks cause the system’s mean false acceptance rate (FAR) to increase by up to fivefold relative to the mean FAR seen under the standard zero-effort impostor attack. The article demonstrates the threat that robots pose to touch-based authentication and provides compelling evidence as to why the zero-effort attack should cease to be used as the benchmark for touch-based authentication systems.

News article. Slashdot thread.

Tags: academic papers, authentication, hacking

Posted on May 12, 2016 at 5:31 AM • 11 Comments

Comments

Clive Robinson • May 12, 2016 8:16 AM

I like this,

we present two Lego-driven robotic attacks on touch-based authentication

That alowes me to put another couple of lego kits “on the security budget” 😉

More importantly you can get the kids to help you and have fun at the same time 🙂

As the saying goes “get them young and you have got them for life”, thus get your kids into Security work and “thinking hinky” before they learn how to gut a rat in the biology lab. After all which is likely to be the more profitable life skill?

Russell Aminzade • May 12, 2016 8:34 AM

On my phone my swipe pattern is pretty easy to see on the screen when it’s turned off (thanks to finger oils and lunch remains), so I count on it only to provide an ‘I don’t have to run faster than the bear I just have to run faster than the other guy.’ level of security.

C U Anon • May 12, 2016 10:22 AM

The paper is behind the ACM paywall. If you don’t know how to find it on the web, have a read of this recent article,

http://www.ibtimes.co.uk/sci-hub-offline-elsevier-gets-yet-another-pirate-bay-scientists-domain-name-shut-down-1558645

The site it talks about needs both cookies and javascript enabled. Even though the buttons are labled in cyrilic, click on the one with the downwards pointing arrow.

Scared • May 12, 2016 10:29 AM

Uh oh. Someone named Abdul has used Lego’s for an attack.
Has anybody notified the TSA?

Some Guy • May 12, 2016 2:12 PM

Continuous reauthentication using touch gestures seems to risk a lot false negatives unless tuned to dumb to matter.

Suddenly I use
My left hand instead of my right
Hold the phone landscape instead of portrait
Use two hand instead of one
Use in dark at night rather than day
While driving rather than being responsible

Now my hand gestures suddenly have a different gait (whatever the correct term is). The above list has 5 factors or 32 combinations the algorithm may see. Some will be similar, but some wifi be very distinct.

Maybe I’m close minded, but I sure don’t see it.

G. Labow • May 12, 2016 3:19 PM

Our company, ePortID.com has worked with most forms of biometric for different customers. We found that most have some big flaws. Fingerprints are just not secure at all as they can be very easily faked or spoofed and also have a very high error rate which leads to problems and delays. Facial recognition we found to have several different problems associated with it. Iris scanning is accurate but it is very expensive and we discovered that people do not like it. We have found palm vein scanning to be the best overall. It is very fast, very accurate, robust, reliable, affordable, can not be spoofed, and is liked by users because it is so easy to use and it works.

Thomas • May 12, 2016 4:36 PM

“we present two Lego-driven robotic attacks on …”

I had such high hopes for where that sentence was going…

“On my phone my swipe pattern is pretty easy to see on the screen when it’s turned off (thanks to finger oils and lunch remains), …”

Before I upgraded to a dumb-phone I’d set my swipe pattern to hit all the nodes, then I could mush the screen after unlocking to obscure any patterns.

Scared • May 12, 2016 5:48 PM

@ G.Labow
Doesn’t the iPhone use a capacitive fingerprint sensor?
I would think that is harder to spoof than an optical one where you make a silicone imprint of an PCB etching with the fingerprint.
How do you get the right capacitance pattern?

Clive Robinson • May 12, 2016 6:20 PM

@ Scared,

How do you get the right capacitance pattern?

If you get a copy of the paper, towards the end they have photoes of their robot and it’s finger. The finger is made with an AA battery with some play-dough on it and a wire going of to some other part of the system. I suspect that wire is an integral part of the system for capacitive sensing.

Rk • May 12, 2016 7:32 PM

If anyone needs to read the article for free, send me an email at rkuma102@syr.edu, i will send you a copy gor free.

So... • May 12, 2016 7:43 PM

…does this mean that Legos are to be outlawed as terrorist tools?

…or does it mean that all users of Legos are to be imprisoned for being terrorists?

I mean, just ask Feinstein, paper shredders, garbage cans, and toilets are, why not Legos too?

Hacking Gesture-Based Security

Comments

Leave a comment Cancel reply