Research article. DOI: 10.1145/2508859.2516659

When kids' toys breach mobile phone security

Published: 04 November 2013

Abstract

Touch-based verification, the use of touch gestures (e.g., swiping and zooming) to authenticate users of touch screen devices, has recently been widely evaluated for its potential to serve as a second layer of defense to the PIN lock mechanism. In all performance evaluations of touch-based authentication systems, however, researchers have assumed naive (zero-effort) forgeries in which the attacker makes no effort to mimic a given gesture pattern.
In this paper we demonstrate that a simple "Lego" robot driven by input gleaned from general population swiping statistics can generate forgeries that achieve alarmingly high penetration rates against touch-based authentication systems. Using the best classification algorithms in touch-based authentication, we rigorously explore the effect of the attack, finding that it increases the Equal Error Rates of the classifiers by between 339% and 1004% depending on parameters such as the failure-to-enroll threshold and the type of touch stroke generated by the robot. The paper calls into question the zero-effort impostor testing approach used to benchmark the performance of touch-based authentication systems.


Published In

CCS '13: Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security
November 2013
1530 pages
ISBN: 9781450324779
DOI: 10.1145/2508859

Publisher

Association for Computing Machinery, New York, NY, United States

Author Tags

1. attack
2. authentication
3. biometrics
4. robot
5. touch gestures

Acceptance Rates

CCS '13 Paper Acceptance Rate: 105 of 530 submissions, 20%
Overall Acceptance Rate: 1,261 of 6,999 submissions, 18%
