STEALING PINS VIA MOBILE SENSORS: ACTUAL RISK VERSUS USER PERCEPTION
Maryam Mehrnezhad, Ehsan Toreini, Siamak F. Shahandashti, Feng Hao
Newcastle University, UK
Presented at EuroUSEC, July 2016

A JavaScript-based attack on mobile devices using the motion and orientation sensors
Research challenge: low sampling rate
- Android: native app 200 Hz; Firefox up to 50 Hz; Chrome up to 60 Hz
- iOS: native app 100 Hz; Safari 20 Hz
Implementation
- Data collected from mobile users
- User independent
- Platform-free: Android/iOS
- JavaScript, HTML5, Node.js, MongoDB
- ANN (artificial neural network) classifier
- Sensitive information inferred: phone-call timing, physical activities, touch actions, PINs

Result: entire PIN recovered by the 3rd attempt in 99.48% of cases
Impact on industry and academia
- W3C: the standard is being revised; W3C technical/advisory meeting
- Browsers: acknowledged by Chrome, Firefox, Safari, Opera; patched in Firefox v46 and Apple iOS 9.3
- Current solution: limiting/disabling sensor access, user permission (security vs usability)
- A project between the NCL Culture Lab and Security group and UCL
- Strong support from world-leading researchers and from Google, Qualcomm and W3C
WHY DOES THIS VULNERABILITY EXIST?
- Unmanaged sensors: sensing is unmanaged on existing smartphone platforms, and in-app access to unmanaged sensors is now spreading to in-browser access
- Different terminology across platforms
- Unknown sensors: users are less familiar with the relatively newer (and less advertised) sensors such as motion and orientation
- User study: participants rated their level of familiarity with each sensor
List of mobile sensors
Sources: iPhone 6, Nexus 6S, Android Developers, W3C, plus extra sensors (common sensing hardware)
- WiFi, Bluetooth, NFC
- Touch screen, TouchID, fingerprint, camera, microphone, GPS
- Ambient pressure, barometer, ambient humidity, ambient temperature, ambient light, device temperature
- Accelerometer, gyroscope, gravity, magnetic field, motion, rotation, orientation, proximity
- Hall sensor, sensor hub
Participants
- 30 participants: 13 male and 17 female
- Recruited through social and vocational networks
- 18 to 59 years old, median: 31
- Except for one, no computer security background
- Students from multiple degree programmes and levels; the remaining participants worked in a range of fields
- Had owned mobile devices for 0 to 11 years, average: 6
- Conducted in a university office; 10 Amazon voucher as compensation
Findings
- Participants were generally surprised and impressed by the variety of sensors
- Newer sensors tend to be less known
- Generally not familiar with ambient sensors
- Low-level hardware sensors (accelerometer, gyroscope) are less known than high-level ones (motion, orientation)
- High-level sensors are named after their functionalities
- Software features are more advertised by the mobile vendors
Risk perception of mobile sensors
- Participants rated the perceived risk of their PIN being discovered by each sensor
- Finding one's PIN is a clear and intuitive security risk
- The perceived risk levels are then put in context with the actual risk levels for a number of sensors
- Scenario: a game app has access to all sensors; you open your banking app and enter your PIN
- Then a description of each sensor's basic functionality is given, followed by further questions
Touch screen
- Users are generally concerned
- However, still about half of our participants were either moderately concerned, a little concerned, or not concerned at all
- Some comments:
  "Why should any of these sensors be dangerous on an app when I have officially installed it from a legal place such as Google Play?"
  "As long as the app with these sensors is in the background, I have no concern at all."
- A more general risk model in relation to mobile devices is affecting the users' perception
Communicational sensors
- WiFi, Bluetooth, and NFC
- Users are generally concerned
- Comment: "I am not concerned with physical [motion, orientation, accelerometer, etc.] / environmental [light, pressure, etc.] sensors, but network ones. Hackers might be able to transfer my information and PIN."
- Fair concern with regard to each sensor's capability for PIN discovery
Identity-related sensors
- Camera, microphone, fingerprint/TouchID, and GPS
- Users are generally concerned
- GPS and fingerprint/TouchID cannot cause the disclosure of PINs, yet participants were still concerned after the sensor description
- Camera and microphone: participants' concern is due to other reasons (saying the PIN out loud, reflection in glasses); low actual risk
- Another general risk model at work
Environmental sensors
- Ambient sensors (humidity, light, pressure, and temperature)
- Concern is generally low and stays low after the description
- Those who were concerned about these sensors were so simply because they did not know them
- Comment: "[Now that I know these sensors,] I am quite certain that movement/environmental sensors would not affect the security of personal id/passwords etc."
- Ambient light and PIN discovery: low actual risk
Movement sensors
- Orientation, rotation, and motion: participants know them, but are not concerned
- Accelerometer and gyroscope: the risk perception is even lower
- Comments:
  "In my everyday life, I don't even think about these sensors and their security."
  "There is nothing on the news about their risk."
- High actual risk
General knowledge versus risk perception
- The more the users know about these sensors, the more concern they express
- Spearman's rank-order correlation, r = 0.61, high confidence
- Not knowing the sensors -> no customer demand -> no security design by mobile vendors
- Sensors are not treated as OS resources
Suggested solutions
- Academic approach: restricting the sensor to one app, reducing the sampling rate, temporarily pausing the sensor on sensitive entries such as the keyboard, rearranging the keyboard for password entry, asking for explicit permission from the user, ranking apps based on their similarity to malware, and obfuscating anomalies in sensor data
- Industrial approach, native apps: no consideration
- Industrial approach, JavaScript:
  - No event fires when the page is not visible or is backgrounded
  - Fire events only on the top-level browsing context or same-origin nested iframes
  - Limit the frequency of events (60 Hz)
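The three browser-side mitigations listed above, written as one event gate so their combined effect on a sensor stream can be checked. This is an added example, not code from the paper or from any browser engine; the context fields (hidden, isTopLevel, sameOriginFrame) and timestamps are plain values standing in for document.hidden, window === window.top and event.timeStamp so the gate runs without a DOM.

```javascript
// Added example: a gate applying the slide's three JavaScript mitigations
// to motion/orientation readings before they reach page script.
const MAX_RATE_HZ = 60;                    // slide: limit event frequency to 60 Hz
const MIN_INTERVAL_MS = 1000 / MAX_RATE_HZ; // about 16.67 ms between delivered events

class SensorEventGate {
  constructor() {
    this.lastDelivered = -Infinity;        // timestamp (ms) of the last event passed through
  }

  // ctx is an assumed shape: { hidden, isTopLevel, sameOriginFrame } (all booleans).
  // Returns true if the reading at timestampMs may be delivered.
  allow(timestampMs, ctx) {
    // Mitigation 1: nothing fires while the page is not visible / backgrounded.
    if (ctx.hidden) return false;
    // Mitigation 2: only the top-level context or a same-origin nested iframe.
    if (!ctx.isTopLevel && !ctx.sameOriginFrame) return false;
    // Mitigation 3: rate limit by dropping readings that arrive too soon.
    if (timestampMs - this.lastDelivered < MIN_INTERVAL_MS) return false;
    this.lastDelivered = timestampMs;
    return true;
  }
}

// Run a stream of readings through a fresh gate; ctxFor maps a reading to its context.
function filterReadings(readings, ctxFor) {
  const gate = new SensorEventGate();
  return readings.filter((r) => gate.allow(r.t, ctxFor(r)));
}

// Constructed input: 20 readings at 200 Hz (the native-app rate on the slide), 5 ms apart,
// in a visible top-level page for the first 50 ms and a backgrounded page afterwards.
function demo() {
  const readings = [];
  for (let i = 0; i < 20; i++) readings.push({ t: i * 5, hidden: i >= 10 });
  const ctxFor = (r) => ({ hidden: r.hidden, isTopLevel: true, sameOriginFrame: false });
  return filterReadings(readings, ctxFor).map((r) => r.t); // delivered timestamps
}

console.log(demo()); // 200 Hz input reduced to at most 60 Hz, then cut off once hidden
```

Only three of the twenty readings survive: the 60 Hz cap thins the visible half and the visibility rule drops the rest, which is the effect the patched browsers aimed for.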
Conclusion and discussion
- Sensors on mobile devices are booming, but their security is not managed
- Current solutions are not usable enough
- Users are generally not concerned about, or even familiar with, these sensors
- Designing a practical solution is not straightforward. It should give users control over granting access before a website runs and while working with it, full control over reviewing, updating and deleting the collected data if it is stored by the website or later shared with a third party, and a smart notification feature in the browser

THANKS
Q&A