ABSTRACT
The proliferation of wearable devices, e.g., smartwatches and activity trackers, with embedded sensors has already shown great potential for monitoring and inferring human daily activities. This paper reveals a serious security breach of wearable devices in the context of divulging secret information (i.e., key entries) while people are accessing key-based security systems. Existing methods of obtaining such secret information rely on the installation of dedicated hardware (e.g., a video camera or fake keypad), or on training with labeled data from body sensors, which restricts their use in practical adversary scenarios. In this work, we show that a wearable device can be exploited to discriminate mm-level distances and directions of the user's fine-grained hand movements, which enables attackers to reproduce the trajectories of the user's hand and further to recover the secret key entries. In particular, our system confirms the possibility of using embedded sensors in wearable devices, i.e., accelerometers, gyroscopes, and magnetometers, to derive the moving distance of the user's hand between consecutive key entries regardless of the pose of the hand. Our Backward PIN-Sequence Inference algorithm exploits the inherent physical constraints between key entries to infer the complete user key entry sequence. Extensive experiments are conducted with over 5000 key entry traces collected from 20 adults for key-based security systems (i.e., ATM keypads and regular keyboards) through testing on different kinds of wearables. Results demonstrate that such a technique can achieve 80% accuracy with only one try and more than 90% accuracy with three tries. To our knowledge, this is the first technique that reveals personal PINs by leveraging wearable devices without the need for labeled training data and contextual information.
Index Terms
- Friend or Foe?: Your Wearable Devices Reveal Your Personal PIN