Mengyuan Li,Yan Meng,Junyi Liu,Haojin Zhu,Xiaohui Liang,Yao Liu,Na Ruan

DOI: https://doi.org/10.1145/2976749.2978397

2016-01-01

Abstract:ABSTRACTIn this study, we present WindTalker, a novel and practical keystroke inference framework that allows an attacker to infer the sensitive keystrokes on a mobile device through WiFi-based side-channel information. WindTalker is motivated from the observation that keystrokes on mobile devices will lead to different hand coverage and the finger motions, which will introduce a unique interference to the multi-path signals and can be reflected by the channel state information (CSI). The adversary can exploit the strong correlation between the CSI fluctuation and the keystrokes to infer the user's number input. WindTalker presents a novel approach to collect the target's CSI data by deploying a public WiFi hotspot. Compared with the previous keystroke inference approach, WindTalker neither deploys external devices close to the target device nor compromises the target device. Instead, it utilizes the public WiFi to collect user's CSI data, which is easy-to-deploy and difficult-to-detect. In addition, it jointly analyzes the traffic and the CSI to launch the keystroke inference only for the sensitive period where password entering occurs. WindTalker can be launched without the requirement of visually seeing the smart phone user's input process, backside motion, or installing any malware on the tablet. We implemented Windtalker on several mobile phones and performed a detailed case study to evaluate the practicality of the password inference towards Alipay, the largest mobile payment platform in the world. The evaluation results show that the attacker can recover the key with a high successful rate.

Li Lu,Jiadi Yu,Yingying Chen,Yanmin Zhu,Xiangyu Xu,Guangtao Xue,Minglu Li

DOI: https://doi.org/10.1109/infocom.2019.8737591

2019-01-01

Abstract:This paper demonstrates the feasibility of a side-channel attack to infer keystrokes on touch screen leveraging an off-the-shelf smartphone. Although there exist some studies on keystroke eavesdropping attacks on touch screen, they are mainly direct eavesdropping attacks, i.e., require the device of victims compromised to provide side-channel information for the adversary, which are hardly launched in practical scenarios. In this work, we show the practicability of an indirect eavesdropping attack, KeyListener, which infers keystrokes on QWERTY keyboards of touch screen leveraging audio devices on a smartphone. We investigate the attenuation of acoustic signals, and find that a user’s keystroke fingers can be localized through the attenuation of acoustic signals received by the microphones in the smartphone. We then utilize the attenuation of acoustic signals to localize each keystroke, and further analyze errors induced by ambient noises. To improve the accuracy of keystroke localization, KeyListener further tracks finger movements during inputs through phase change and Doppler effect to reduce errors of acoustic signal attenuation-based keystroke localization. In addition, a binary tree-based search approach is employed to infer keystrokes in a context-aware manner. The proposed keystroke eavesdropping attack is robust to various environments without the assistance of additional infrastructures. Extensive experiments demonstrate that the accuracy of keystroke inference in top-5 candidates can approach 90% with a top-5 error rate of around 6%, which is a strong indication of the possible user privacy leakage of inputs on QWERTY keyboard.

Weixi Gu,Zheng Yang,Longfei Shangguan,Xiaoyu Ji,Yiyang Zhao

DOI: https://doi.org/10.1109/trustcom.2014.34

2014-01-01

Abstract:Near field authentication is of great importance for a range of applications, and has attracted many research efforts in the past decades. Several approaches have been developed and demonstrated their feasibility. The state-of-art works, however, still have much room to improve their automation and usability. First, user assistance is required in most existing approaches, which will be easily observed and imitated by attackers. Second, the authentications of several works heavily depend on special hardware, e.g., Server or high resolution screen, which greatly restricts their application scenarios. In this paper, we present a near field authentication system Tooth that needs little human assistance and is compatible with most smart phones. ToAuth is based on the key insight that the acceleration traces are similar for a pair of smart phones when they are contacting physically and vibrating. The random vibration patterns are sufficiently uncertain to provide high entropy to generate a pair of cryptographic keys yet are inimitable for a third party who does not get in touch with the vibration source. ToAuth leverages the keys to make authentication for smart phones. We implement ToAuth on Android platform and evaluate its performance under various scenarios. Extensive experiments demonstrate ToAuth could achieve around 90% success rate in stable environment, and prevent attacks depended on vibration noise.

Li Lü,Jiadi Yu,Yingying Chen,Yan Wang

DOI: https://doi.org/10.1145/3397320

2020-01-01

Proceedings of the ACM on Interactive Mobile Wearable and Ubiquitous Technologies

Abstract:Recent years have witnessed the surge of biometric-based user authentication for mobile devices due to its promising security and convenience. As a natural and widely-existed behavior, human speaking has been exploited for user authentication. Existing voice-based user authentication explores the unique characteristics from either the voiceprint or mouth movements, which is vulnerable to replay attacks and mimic attacks. During speaking, the vocal tract, including the static shape and dynamic movements, also exhibits the individual uniqueness, and they are hardly eavesdropped and imitated by adversaries. Hence, our work aims to employ the individual uniqueness of vocal tract to realize user authentication on mobile devices. Moreover, most voice-based user authentications are passphrase-dependent, which significantly degrade the user experience. Thus, such user authentications are pressed to be implemented in a passphrase-independent manner while being able to resist various attacks. In this paper, we propose a user authentication system, VocalLock, which senses the whole vocal tract during speaking to identify different individuals in a passphrase-independent manner on smartphones leveraging acoustic signals. VocalLock first utilizes FMCW on acoustic signals to characterize both the static shape and dynamic movements of the vocal tract during speaking, and then constructs a passphrase-independent user authentication model based on the unique characteristics of vocal tract through GMM-UBM. The proposed VocalLock can resist various spoofing attacks, while achieving a satisfactory user experience. Extensive experiments in real environments demonstrate VocalLock can accurately authenticate user identity in a passphrase-independent manner and successfully resist various attacks.

Min Peng,Xianxin Fu,Benling Ge,Lusheng Wang

DOI: https://doi.org/10.1093/comjnl/bxae087

2024-09-14

The Computer Journal

Abstract:Abstract With the popularity of mobile payment, password protection has become more and more important. Channel state information (CSI) has recently been used to crack passwords in public WiFi environments. The feasibility of password cracking lies in the fact that different keystrokes lead to different finger movement directions and distances, resulting in unique interference to WiFi signal transmission. The unique interference can be recorded by CSI and used for keystroke inference. In this paper, we propose Wi-Crack, a keystroke recognition system for numerical keypad input on smartphones. Two computers equipped with commercial off-the-shelf WiFi NIC comprise the system, with one serving as the transmitter and the other as the receiver. Previous keystroke recognition systems only used the amplitude of CSI for keystroke recognition. Different from them, Wi-Crack combines the amplitude, phase, amplitude difference and phase difference of CSI for keystroke recognition. The use of multi-dimensional information has enabled Wi-Crack to improve keystroke recognition. Experimental results show that Wi-Crack improves the accuracy of keystroke segmentation to consistently above 90%. It also improves the keystroke recognition accuracy on DTW-KNN, SVM, 1D-CNN, and LSTM with over 90% in the best case.

computer science, information systems, theory & methods, software engineering, hardware & architecture

Yuanwei Hou,Yu Gu,Weiping Li,Zhi Liu

DOI: https://doi.org/10.1587/transfun.2021eap1119

2022-01-01

IEICE Transactions on Fundamentals of Electronics Communications and Computer Sciences

Abstract:The fast evolving credential attacks have been a great security challenge to current password-based information systems. Recently, biometrics factors like facial, iris, or fingerprint that are difficult to forge rise as key elements for designing passwordless authentication. However, capturing and analyzing such factors usually require special devices, hindering their feasibility and practicality. To this end, we present WiASK, a device-free WiFi sensing enabled Authentication System exploring Keystroke dynamics. More specifically, WiASK captures keystrokes of a user typing a pre-defined easy-to-remember string leveraging the existing WiFi infrastructure. But instead of focusing on the string itself which are vulnerable to password attacks, WiASK interprets the way it is typed, i.e., keystroke dynamics, into user identity, based on the biologically validated correlation between them. We prototype WiASK on the low-cost off-the-shelf WiFi devices and verify its performance in three real environments. Empirical results show thatWiASK achieves on average 93.7% authentication accuracy, 2.5% false accept rate, and 5.1% false reject rate.

Yu Gu,Yantong Wang,Meng Wang,Zulie Pan,Zhihao Hu,Zhi Liu,Fan Shi,Mianxiong Dong

DOI: https://doi.org/10.1109/tii.2021.3108850

IF: 12.3

2022-04-01

IEEE Transactions on Industrial Informatics

Abstract:User authentication plays a critical role in access control of a man-machine system, where the knowledge factor, such as a personal identification number, constitutes the most widely used authentication element. However, knowledge factors are usually vulnerable to the spoofing attack. Recently, the inheritance factor, such as fingerprints, emerges as an efficient alternative resilient to malicious users, but it normally requires special equipment. To this end, in this article, we propose WiPass, a device-free authentication system only leveraging the pervasive Wi-Fi infrastructure to explore keystroke dynamics (manner and rhythm of keystrokes) captured by the channel state information to recognize legitimate users while rejecting spoofers. However, it remains an open challenge to characterize the behavioral features hidden in the human subtle motions, such as keystrokes. Therefore, we build a signal enhancement model using Ricean distribution to amplify user keystroke dynamics and a hybrid learning model for user authentication, which consists of two parts, i.e., convolutional neural network based feature extraction and support vector machine based classification. The former relies on visualizing the channel responses into time-series images to learn the behavioral features of keystrokes in energy and spectrum domains, whereas the latter exploits such behavioral features for user authentication. We prototype WiPass on the low-cost off-the-shelf Wi-Fi devices and verify its performance. Empirical results show that WiPass achieves on average 92.1% authentication accuracy, 5.9% false accept rate, and 6.3% false reject rate in three real environments.

automation & control systems,computer science, interdisciplinary applications,engineering, industrial

Yu-feng JIANG,Da-wei GUO,Hang LIU

DOI: https://doi.org/10.3969/j.issn.1674-6236.2017.23.011

2017-01-01

Abstract:With the development of society and the continuous improvement of information technology,the value of human-computer interaction in life is getting higher and higher and the importance of ensuring information security has become increasingly prominent.For the purpose of ensuring the security of mobile devices and the user's privacy,a system named WiF based on Wi-Fi is proposed.Experiment in the indoor environment using a signal transmitter and a signal receiver show that WiF can achieve a recognition accuracy of 86.11％ on the button of one to nine.

Zijian Zhang,Nurilla Avazov,Jiamou Liu,Bakh Khoussainov,Xin Li,Keke Gai,Liehuang Zhu

DOI: https://doi.org/10.1109/jiot.2020.2986700

IF: 10.6

2020-01-01

IEEE Internet of Things Journal

Abstract:WiFi access points are sources of considerable security risks as the wireless signals have the potential to leak important private information such as passwords. This article examines the security issues posed by point-of-sale (POS) terminals which are widely used in WiFi-covered environments, such as restaurants, banks, and libraries. In particular, we envisage an attack model on passwords entered on POS terminals. We put forward the WiPOS, a password inference system based on wireless signals. Specifically, the WiPOS is a device-free system that uses two commercial off-the-shelf (COTS) devices to collect WiFi signals. Implementing a new keystroke segmentation algorithm and adopting support vector machine (SVM) classifiers with global alignment kernel (GAK), the WiPOS achieves improvement on both keystroke recognition and password prediction. The experimental results show that the WiPOS can achieve more than 73% accuracy for 6-digit password with the top 100 candidates. This article calls the community to take a closer look at the risks posed by the current ubiquitous WiFi devices.

Kamran Ali,Alex X. Liu,Wei Wang,Muhammad Shahzad

DOI: https://doi.org/10.1109/jsac.2017.2680998

IF: 16.4

2017-01-01

IEEE Journal on Selected Areas in Communications

Abstract:Keystroke privacy is critical for ensuring the security of computer systems and the privacy of human users as what is being typed could be passwords or privacy sensitive information. In this paper, we show for the first time that WiFi signals can also be exploited to recognize keystrokes. The intuition is that while typing a certain key, the hands and fingers of a user move in a unique formation and direction and thus generate a unique pattern in the time-series of channel state information (CSI) values, which we call CSI-waveform for that key. In this paper, we propose a WiFi signal-based keystroke recognition system called WiKey. WiKey consists of two commercial off-the-shelf WiFi devices, a sender (such as a router) and a receiver (such as a laptop). The sender continuously emits signals and the receiver continuously receives signals. When a human subject types on a keyboard, WiKey recognizes the typed keys based on how the CSI values at the WiFi signal receiver end. We implemented the WiKey system using a TP-Link TL-WR1043ND WiFi router and a Lenovo X200 laptop. WiKey achieves over 97.5% detection rate for detecting the keystroke and 96.4% recognition accuracy for classifying single keys. In real-world experiments, WiKey can recognize keystrokes in a continuously typed sentence with an accuracy of 93.5%. WiKey can also recognize complete words inside a sentence with over 85% accuracy.

Kamran Ali,Alex X. Liu,Wei Wang,Muhammad Shahzad

DOI: https://doi.org/10.1145/2789168.2790109

2015-09-07

Abstract:Keystroke privacy is critical for ensuring the security of computer systems and the privacy of human users as what being typed could be passwords or privacy sensitive information. In this paper, we show for the first time that WiFi signals can also be exploited to recognize keystrokes. The intuition is that while typing a certain key, the hands and fingers of a user move in a unique formation and direction and thus generate a unique pattern in the time-series of Channel State Information (CSI) values, which we call CSI-waveform for that key. In this paper, we propose a WiFi signal based keystroke recognition system called WiKey. WiKey consists of two Commercial Off-The-Shelf (COTS) WiFi devices, a sender (such as a router) and a receiver (such as a laptop). The sender continuously emits signals and the receiver continuously receives signals. When a human subject types on a keyboard, WiKey recognizes the typed keys based on how the CSI values at the WiFi signal receiver end. We implemented the WiKey system using a TP-Link TL-WR1043ND WiFi router and a Lenovo X200 laptop. WiKey achieves more than 97.5\% detection rate for detecting the keystroke and 96.4% recognition accuracy for classifying single keys. In real-world experiments, WiKey can recognize keystrokes in a continuously typed sentence with an accuracy of 93.5%.

Benxiao Tang,Zhibo Wang,Run Wang,Lei Zhao,Lina Wang

DOI: https://doi.org/10.1155/2018/4627108

2018-01-01

Wireless Communications and Mobile Computing

Abstract:Digital password lock has been commonly used on mobile devices as the primary authentication method. Researches have demonstrated that sensors embedded on mobile devices can be employed to infer the password. However, existing works focus on either each single keystroke inference or entire password sequence inference, which are user-dependent and require huge efforts to collect the ground truth training data. In this paper, we design a novel side-channel attack system, called Niffler, which leverages the user-independent features of movements of tapping consecutive buttons to infer unlocking passwords on smartphones. We extract angle features to reflect the changing trends and build a multicategory classifier combining the dynamic time warping algorithm to infer the probability of each movement. We further use the Markov model to model the unlocking process and use the sequences with the highest probabilities as the attack candidates. Moreover, the sensor readings of successful attacks will be further fed back to continually improve the accuracy of the classifier. In our experiments, 100,000 samples collected from 25 participants are used to evaluate the performance of Niffler. The results show that Niffler achieves 70% and 85% accuracy with 10 attempts in user-independent and user-dependent environments with few training samples, respectively.

Rui Song,Yubo Song,Qihong Dong,Aiqun Hu,Shang Gao

DOI: https://doi.org/10.1109/wcsp.2017.8171036

2017-01-01

Abstract:In recent years, various sensors have been integrated into smartphones to sense the slight motions of human body. However, security researchers found that these sensors can not only be used in motion detection, but also as side-channel to reveal users' privacy data by inferring keystrokes. What is worse, as defined in W3C specifications, the mobile web applications can get these sensor readings silently without permissions from users. Therefore, when cross-site scripting vulnerabilities are found in a mobile web application, attackers can get users' privacy data remotely via these sensors in theory. However, these attacks are difficult to achieve by the fact that mobile web applications can only get sensor readings with low sampling rate in practical uses. In this paper, we proposed a novel ensemble learning algorithm based on weighted voting to improve the keystroke inferring accuracy in low sensors sampling rate. Based on this novel learning algorithm, a prototype system named WebLogger is developed to demonstrate the possibility of inferring the PIN numbers or passwords entered by mobile phone users from mobile web application silently. The results of experiments show that the prediction accuracy of our learning model can be improved to 70%, which is better than 50% in single machine learning algorithms.

Rui Song,Yubo Song,Shang Gao,Bin Xiao,Aiqun Hu

DOI: https://doi.org/10.1109/glocom.2018.8647385

2018-01-01

Abstract:Smartphone sensors have been applied to record the movement of users for healthy use. However, the motion sensor readings recorded by malicious applications can be utilized as a side-channel to leak user privacy by keystroke inference. Most existing approaches use time-domain statistical characteristics for keystroke inference. Their systems are poor to show the subtle changes in short time period, since the time- domain statistical features can only reflect the characteristics in a long-time interval. In this paper, we propose a novel framework to perform keystroke inference on smartphones. This framework introduces an improved MFCC algorithm to extract frequency- domain features for more comprehensive use of raw data. Since the frequency-domain energy distribution of motion signals is concentrated, and the specificity of signals is strong, MFCC can improve the inference accuracies under complex scenarios. Based on this framework, we present a prototype called FreqKey, which is an inference system to leak user privacy such as PINs and passwords. FreqKey collects motion sensor readings during keystroke events and constructs classification models with machine learning algorithms. Experimental results show that FreqKey improves the performance in a variety of complex scenarios. Especially, even in web platform whose sampling rate is lower than 80Hz, FreqKey can achieve relatively high accuracy of 74.6%. To mitigate the frequency-based side-channel attack and protect user privacy, we propose a defense solution which contains sensor- activity monitoring, malicious program identification and interference signal injection.

Yao Wang,Wandong Cai,Tao Gu,Wei Shao

DOI: https://doi.org/10.1109/tmc.2019.2934690

IF: 6.075

2020-11-01

IEEE Transactions on Mobile Computing

Abstract:The widespread use of smartphones has brought great convenience to our daily lives, while at the same time we have been increasingly exposed to security threats. Keystroke security is essential to user privacy protection. In this paper, we present GazeRevealer, a novel side-channel based keystroke inference framework to infer sensitive inputs on smartphone from video recordings of victim's eye patterns captured from smartphone front camera. We observe that eye movements typically follow the keystrokes typing on the number-only soft keyboard during password input. By exploiting eye movement patterns, we are able to infer the passwords being entered. We propose a novel algorithm to extract sensitive eye images from video streams, and classify these images with Support Vector Classification. We also propose a novel classification enhancement algorithm to further improve classification accuracy. Compared with prior keystroke detection approaches, GazeRevealer does not require any external auxiliary devices, and it only relies on smartphone front camera. We evaluate the performance of GazeRevealer on several smartphones under different real-life usage scenarios. The results show that GazeRevealer achieves an inference rate of 77.89 percent for single key number and an inference rate of 84.38 percent for 6-digit password in the ideal case.

computer science, information systems,telecommunications

Hongbo Liu,Yan Wang,Jian Liu,Yingying Chen

DOI: https://doi.org/10.1007/978-3-030-10597-6_9

2019-01-01

Abstract:User authentication is the critical first step of network security to detect identity-based attacks and prevent subsequent malicious attacks. However, the increasingly dynamic mobile environments make it harder to always apply the cryptographic-based methods for user authentication due to their infrastructural and key management overhead. Exploiting non-cryptographic-based techniques grounded on physical layer properties to perform user authentication appears promising. To ensure the security of mobile devices in dynamic networks, we explore to use fine-grained channel state information (CSI), which is available from off-the-shelf WiFi devices, to perform proactive user authentication. We propose a user-authentication framework that has the capability to proactively request CSI and build the user profile resilient to the presence of the spoofer. Our machine learning based user-authentication techniques can distinguish two users even when they possess similar signal fingerprints and detect the existence of the spoofer in dynamic network environments. Extensive experiments in both office and apartment environments show that our framework can remove the effect of signal outliers and achieve higher authentication accuracy compared to existing approaches that use received signal strength (RSS).

Fan Li,Xiuxiu Wang,Huijie Chen,Kashif Sharif,Yu Wang

DOI: https://doi.org/10.1109/access.2017.2776527

IF: 3.9

2017-01-01

IEEE Access

Abstract:Public social environments are hot beds of security leaks, either they are virtual or physical. The nature of social settings allows numerous people to co-exist in the same space. This close un-bounded proximity opens up the possibility of privacy compromise in such environments. In this paper, we explore a novel and practical multi-modal side-channel keystroke recognition system, named ClickLeak, which can infer the PIN code/password entered on numeric keypad by using the commodity Wi-Fi devices. Such numeric keypads are commonly available in many public social environments. ClickLeak is built on the observation that each key input makes unique pattern of hand and finger movements, and this generates unique distortions to multi-path Wi-Fi signals. Acceleration and microphone sensors of smart phones determine the starting and ending time of keystrokes, while the time series of channel state information are analyzed to determine the keystrokes. The evaluation results have shown that with large scale data collections from public social settings, the key recognition accuracy can reach higher than 83%.

Shaoyong Du,Yue Gao,Jingyu Hua,Sheng Zhong

DOI: https://doi.org/10.1007/978-3-319-59608-2_4

2016-01-01

Abstract:Nowadays, attackers seek various covert channels to access the users’ privacy on the mobile devices. Recent research has demonstrated that the built-in motion sensors can be exploited to monitor the users’ screen taps and infer what they have typed. This paper presents several practical and convenient countermeasures against this attack in terms of the soft keyboard. We find that this attack is sensitive to the motion noise of the mobile device and the layout variation of the soft keyboard. We, thus, present two kinds of countermeasures against this attack by introducing vibration noise in sensor readings and dynamics in the keyboard layout, respectively. We implement these countermeasures on Android platform and recruit 20 volunteers to evaluate these countermeasures’ effectiveness and usability on both the smartphones and tablets. The results show that the proposed countermeasures can effectively reduce the attackers’ keystroke inference accuracy without significantly hurting the typing efficiency.

Hongbo Liu,Yan Wang,Jian Liu,Jie Yang,Yingying Chen

DOI: https://doi.org/10.1145/2590296.2590321

2014-06-04

Abstract:User authentication is the critical first step to detect identity-based attacks and prevent subsequent malicious attacks. However, the increasingly dynamic mobile environments make it harder to always apply the cryptographic-based methods for user authentication due to their infrastructural and key management overhead. Exploiting non-cryptographic based techniques grounded on physical layer properties to perform user authentication appears promising. In this work, we explore to use channel state information (CSI), which is available from off-the-shelf WiFi devices, to conduct fine-grained user authentication. We propose an user-authentication framework that has the capability to build the user profile resilient to the presence of the spoofer. Our machine learning based user-authentication techniques can distinguish two users even when they possess similar signal fingerprints and detect the existence of the spoofer. Our experiments in both office building and apartment environments show that our framework can filter out the signal outliers and achieve higher authentication accuracy compared with existing approaches using received signal strength (RSS).

Xiangyu Liu,Zhe Zhou,Wenrui Diao,Zhou Li,Kehuan Zhang

DOI: https://doi.org/10.1145/2810103.2813668

2015-01-01

Abstract:One rising trend in today's consumer electronics is the wearable devices, e.g., smartwatches. With tens of millions of smartwatches shipped, however, the security implications of such devices are not fully understood. Although previous studies have pointed out some privacy concerns about the data that can be collected, like personalized health information, the threat is considered low as the leaked data is not highly sensitive and there is no real attack implemented. In this paper we investigate a security problem coming from sensors in smartwatches, especially the accelerometer. The results show that the actual threat is much beyond people's awareness.Being worn on the wrist, the accelerometer built within a smartwatch can track user's hand movements, which makes inferring user inputs on keyboards possible in theory. But several challenges need to be addressed ahead in the real-world settings: e.g., small and irregular hand movements occur persistently during typing, which degrades the tracking accuracy and sometimes even overwhelms useful signals.In this paper, we present a new and practical side-channel attack to infer user inputs on keyboards by exploiting sensors in smartwatch. Novel keystroke inference models are developed to mitigate the negative impacts of tracking noises. We focus on two major categories of keyboards: one is numeric keypad that is generally used to input digits, and the other is QWERTY keyboard on which a user can type English text. Two prototypes have been built to infer users' banking PINs and English text when they type on POS terminal and QWERTY keyboard respectively. Our results show that for numeric keyboard, the probability of finding banking PINs in the top 3 candidates can reach 65%, while for QWERTY keyboard, a significant accuracy improvement is achieved compared to the previous works, especially of the success rate of finding the correct word in the top 10 candidates.