STEALING PINS VIA MOBILE SENSORS: ACTUAL RISK VERSUS USER PERCEPTION

STEALING PINS VIA MOBILE SENSORS: ACTUAL RISK VERSUS USER PERCEPTION
Maryam Mehrnezhad, Ehsan Toreini, Siamak F. Shahandashti, Feng Hao
Newcastle University, UK
At EuroUSEC, July 2016

A JavaScript-based attack on mobile devices that uses the motion and orientation sensors

Research Challenge: Low Sampling Rate
- Android: native app 200 Hz; Firefox up to 50 Hz; Chrome up to 60 Hz
- iOS: native app 100 Hz; Safari 20 Hz

Implementation
- Data from mobile users
- User independent
- Platform-free: Android/iOS
- JavaScript, HTML5, Node.js, MongoDB
- ANN (artificial neural network) classifier
- Sensitive information inferred: phone-call timing, physical activities, touch actions, PINs

Entire PIN identified by the 3rd attempt: 99.48%

Impact on Industry and Academia
- W3C: the standard is being revised; W3C technical/advisory meeting
- Browsers: acknowledged by Chrome, Firefox, Safari, Opera; patched in Firefox v46 and Apple iOS 9.3
- Current solution: limiting/disabling the sensors, user permission
- Security vs usability
- A project between NCL Culture Lab and Security group and UCL
- Strong support from world-leading researchers and Google, Qualcomm and W3C

WHY DOES THIS VULNERABILITY EXIST?
- Unmanaged sensors: sensing is unmanaged on existing smartphone platforms, and in-app access to unmanaged sensors is now spreading to in-browser access
- Different terminology across platforms
- Unknown sensors: users are less familiar with the relatively newer (and less advertised) sensors such as motion and orientation
- User study: participants rated their level of familiarity with each sensor.

List of Mobile Sensors
Sources: iPhone 6, Nexus 6S, Android Developers, W3C, plus extra sensors (common sensing hardware)
Sensors:
- WiFi, Bluetooth, NFC
- Touch screen, TouchID, fingerprint, camera, microphone, GPS
- Ambient pressure, barometer, ambient humidity, ambient temperature, ambient light, device temperature
- Accelerometer, gyroscope, gravity, magnetic field, motion, rotation, orientation, proximity
- Hall sensor, sensor hub

Participants
- 30 participants, 13 male and 17 female
- Recruited through social and vocational networks
- 18 to 59 years old, median: 31
- Except one, no computer security background
- Multiple degree programs and levels; the remaining participants worked in a wide range of fields
- Had owned mobile devices for 0 to 11 years, average: 6
- Conducted in a university office; 10 Amazon voucher as compensation

Findings
- Participants were generally surprised and impressed by the variety of sensors
- Newer sensors tend to be less known
- Generally not familiar with ambient sensors
- Low-level hardware sensors (accelerometer, gyroscope) are less known than high-level ones (motion, orientation)
- High-level sensors are named after their functionalities
- Software features are advertised more heavily by mobile vendors

Risk Perception of Mobile Sensors
- Participants rated the perceived risk of their PIN being discovered by each sensor
- Finding one's PIN is a clear and intuitive security risk
- The perceived risk levels are then put in context against the actual risk levels for a number of sensors
- Scenario: a game app has access to all sensors; you open your banking app and enter your PIN
- Then a description of each sensor's basic functionalities, followed by further questions

Touch Screen
- Users are generally concerned
- However, still about half of our participants were either moderately concerned, a little concerned, or not concerned at all
- Some comments: "Why should any of these sensors be dangerous in an app when I have officially installed it from a legal place such as Google Play?" "As long as the app with these sensors is in the background, I have no concern at all"
- A more general risk model in relation to mobile devices is affecting the users' perception

Communicational Sensors: WiFi, Bluetooth, and NFC
- Users are generally concerned
- Comment: "I am not concerned with physical [motion, orientation, accelerometer, etc.] / environmental [light, pressure, etc.] sensors, but network ones. Hackers might be able to transfer my information and PIN"
- A fair concern with regard to each sensor's capability for PIN discovery

Identity-related Sensors: Camera, Microphone, Fingerprint/TouchID, and GPS
- Users are generally concerned
- GPS and fingerprint/TouchID cannot cause the disclosure of PINs, yet participants remained concerned after the sensor description
- Camera and microphone: participants' concern stems from other reasons (saying the PIN out loud, reflection in glasses); low actual risk
- Another general risk model at work

Environmental Sensors: Ambient Sensors (Humidity, Light, Pressure, and Temperature)
- Concern is generally low and stays low after the description
- Those who were concerned about these sensors were concerned simply because they did not know them
- Comment: "[now that I know these sensors,] I am quite certain that movement/environmental sensors would not affect the security of personal id/passwords etc."
- Ambient light and PIN discovery: low actual risk

Movement Sensors
- Orientation, rotation, and motion: users know them, but are not concerned
- Accelerometer and gyroscope: risk perception is even lower
- Comments: "In my everyday life, I don't even think about these sensors and their security." "There is nothing on the news about their risk"
- High actual risk

General Knowledge versus Risk Perception
- The more users know about these sensors, the more concern they express (Spearman's rank-order correlation, r = 0.61, high confidence)
- Not knowing sensors -> no customer demand -> no security design by mobile vendors
- Sensors are not treated as OS resources

Suggested Solutions
- Academic approaches: restricting the sensor to one app, reducing the sampling rate, temporarily pausing the sensor on sensitive entries such as the keyboard, rearranging the keyboard for password entry, asking for explicit permission from the user, ranking apps based on their similarity to malware, and obfuscating anomalies in sensor data
- Industrial approaches:
  - Native app: no consideration
  - JavaScript: no event fires when the page is not visible or is backgrounded; events fire only in the top-level browsing context or in same-origin nested iframes; the frequency of events is limited (60 Hz)
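To make the three JavaScript-side browser mitigations concrete, here is an added example (not code from the talk or from any browser) that models them as a single event gate and runs a constructed 200 Hz sensor stream through it; the function and context field names are this example's own.

```javascript
// Added example: a policy gate modelling the three browser-side mitigations
// listed above (hidden page, cross-origin frame, 60 Hz cap). It is not the
// browsers' implementation; names and the context fields are constructed here.

function makeSensorEventGate({ maxHz = 60 } = {}) {
  const minIntervalMs = 1000 / maxHz;
  let lastDeliveredAt = -Infinity;

  // ctx: { t: event time in ms, visibilityState: 'visible' | 'hidden',
  //        topLevel: boolean, sameOriginAsTop: boolean }
  // Returns the reason the event is dropped, or null if it may be delivered.
  return function gate(ctx) {
    // Rule 1: no event fires when the page is not visible or is backgrounded.
    if (ctx.visibilityState !== 'visible') return 'hidden';
    // Rule 2: fire only in the top-level context or same-origin nested iframes.
    if (!ctx.topLevel && !ctx.sameOriginAsTop) return 'cross-origin-frame';
    // Rule 3: cap the delivered event rate (60 Hz by default).
    if (ctx.t - lastDeliveredAt < minIntervalMs) return 'rate-limited';
    lastDeliveredAt = ctx.t;
    return null;
  };
}

// Constructed stream: a native-rate feed (200 Hz, i.e. 5 ms apart) for one
// second, with the page/frame state overridable per run.
function simulate({ hz = 200, seconds = 1, ...ctxOverrides } = {}) {
  const gate = makeSensorEventGate();
  const counts = { delivered: 0, hidden: 0, 'cross-origin-frame': 0, 'rate-limited': 0 };
  const stepMs = 1000 / hz;
  for (let i = 0; i < hz * seconds; i++) {
    const ctx = { t: i * stepMs, visibilityState: 'visible',
                  topLevel: true, sameOriginAsTop: true, ...ctxOverrides };
    const reason = gate(ctx);
    if (reason === null) counts.delivered++; else counts[reason]++;
  }
  return counts;
}

// Visible top-level page: 200 events in, only those >= 16.7 ms apart get through.
console.log('visible, top-level:', simulate());
console.log('backgrounded:', simulate({ visibilityState: 'hidden' }));
console.log('cross-origin iframe:', simulate({ topLevel: false, sameOriginAsTop: false }));
```

Because the constructed feed ticks every 5 ms, the 60 Hz cap lets through one event per 20 ms, so a 200 Hz native stream is reduced to 50 events per second; a hidden page or a cross-origin iframe receives none.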

Conclusion and Discussion
- Sensors on mobile devices are booming, and their security is not managed
- Current solutions are not usable enough
- Users are generally not concerned about, or even familiar with, these sensors
- Designing a practical solution is not straightforward
- Desirable properties of a solution: control over granting access both before running a website and while working with it; full control over reviewing, updating and deleting the data, if stored by the website or shared with a third party afterwards; a smart notification feature in the browser

THANKS Q&A