Abstract
Despite the tremendous amount of research fronting the use of touch gestures as a mechanism of continuous authentication on smartphones, very little research has been conducted to evaluate how these systems could behave if attacked by sophisticated adversaries. In this article, we present two Lego-driven robotic attacks on touch-based authentication: a population-statistics-driven attack and a user-tailored attack. The population-statistics-driven attack is based on patterns gleaned from a large population of users, whereas the user-tailored attack is launched based on samples stolen from the victim. Both attacks are launched by a Lego robot that is trained on how to swipe on the touch screen. Using seven verification algorithms and a large dataset of users, we show that the attacks cause the system’s mean false acceptance rate (FAR) to increase by up to fivefold relative to the mean FAR seen under the standard zero-effort impostor attack. The article demonstrates the threat that robots pose to touch-based authentication and provides compelling evidence as to why the zero-effort attack should cease to be used as the benchmark for touch-based authentication systems.
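The FAR comparison the abstract describes, as an added illustration that is not the paper's code: a minimal template-distance verifier over constructed, z-scored (speed, pressure) swipe features is scored first against zero-effort impostors (other users' genuine swipes) and then against an impostor that replays swipes centred on the population mean, which is my assumed reading of a population-statistics-driven attack. Templates, threshold, feature values, the attacker's population pool and the jitter offsets are all constructed for the example.

```python
"""Benchmark a touch verifier under zero-effort vs population-statistics impostors."""
from math import dist

# Constructed data: each swipe is a (speed, pressure) feature vector, already
# z-scored against the population so Euclidean distance is meaningful.
TEMPLATES = {"A": (0.0, 0.0), "B": (1.0, 0.0), "C": (0.0, 1.0), "D": (1.5, 1.5)}
TEST_SWIPES = {
    "A": [(0.1, 0.1), (-0.2, 0.3)],
    "B": [(0.6, 0.3), (1.3, -0.1)],
    "C": [(0.2, 0.8), (0.3, 1.2)],
    "D": [(1.6, 1.4), (1.2, 1.7)],
}
THRESHOLD = 0.7  # accept a swipe whose distance to the claimed template is <= this
# Constructed pool of swipes an attacker could have gathered from unrelated users.
POPULATION_POOL = [(0.2, 0.4), (0.8, 0.2), (0.4, 0.6), (0.6, 0.8)]
# Constructed robot jitter: the robot replays the population centre with small offsets.
JITTER = [(0.0, 0.0), (0.2, 0.0), (-0.2, 0.0), (0.0, 0.2), (0.0, -0.2)]

def accepts(user, swipe):
    """Template-distance verifier: accept if the swipe is close to the claimed user."""
    return dist(TEMPLATES[user], swipe) <= THRESHOLD

def mean_far(attempts):
    """Mean over users of per-user FAR; attempts is a list of (claimed_user, swipe)."""
    per_user = {}
    for user, swipe in attempts:
        hits, total = per_user.get(user, (0, 0))
        per_user[user] = (hits + int(accepts(user, swipe)), total + 1)
    return sum(h / t for h, t in per_user.values()) / len(per_user)

def zero_effort_attempts():
    """Standard benchmark: every other user's genuine swipes are the impostor set."""
    return [(u, s) for u in TEMPLATES
            for v, swipes in TEST_SWIPES.items() if v != u for s in swipes]

def population_attack_attempts():
    """Statistics-driven impostor: replay swipes around the population mean."""
    n = len(POPULATION_POOL)
    centre = tuple(sum(f) / n for f in zip(*POPULATION_POOL))  # (0.5, 0.5) here
    forged = [(centre[0] + dx, centre[1] + dy) for dx, dy in JITTER]
    return [(u, s) for u in TEMPLATES for s in forged]

if __name__ == "__main__":
    zero, pop = mean_far(zero_effort_attempts()), mean_far(population_attack_attempts())
    print(f"zero-effort mean FAR  = {zero:.3f}")
    print(f"population-attack FAR = {pop:.3f}  (x{pop / zero:.1f} vs zero-effort)")
```

On this constructed data the zero-effort benchmark reports a mean FAR of about 0.04 while the same verifier and threshold accept 30% of the statistics-driven attempts, which is the gap the abstract argues a benchmark must expose.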
Title
Toward Robotic Robbery on the Touch Screen