Side-Channel Inference Attacks on Mobile Keypads using Smartwatches

Abstract

The popularity of smartwatches is soaring, with more than 45 million devices expected to be shipped by 2017 [1]. These devices, typically equipped with state-of-the-art sensors and communication capabilities, will enable a plethora of novel applications, including activity tracking, wellness monitoring and ubiquitous computing. However, the presence of a diverse set of on-board sensors also provides an additional attack surface to malicious applications on these devices. Security and privacy threats on handheld smartphones that take advantage of such sensors as side-channels have received significant attention in the literature. Notable examples include keystroke (or key press) inference [2]–[4], activity identification [5] and location inference [6] attacks. As most modern mobile operating systems introduced stringent access controls on front-end sensors, such as microphones, cameras and GPS, adversaries shifted attention to sensors which cannot be actively disengaged by users (e.g., accelerometer and gyroscope). Typically, handheld device usage is highly intermittent, and such devices spend a majority of their time in a constrained (e.g., in a user’s pocket) or activity-less (e.g., on a table) setting where most on-board sensors are partially or completely non-functional, thereby limiting the effectiveness of handhelds in inference attacks. In contrast, wearable device usage is much more persistent, as these devices are constantly carried by users on their body. This makes wearable devices a more desirable platform for a variety of side-channel attacks. If access to wearable sensor data is not appropriately regulated, it can be used as a side-channel to infer sensitive user information. In this paper, we evaluate the feasibility of side-channel security vulnerabilities in smart wearables by investigating motion-based keystroke inference attacks using smartwatches.
More specifically, we evaluate the feasibility and effectiveness of keystroke inference attacks on smartphone numeric touchpads by using smartwatch motion sensors as a side-channel. Numeric touchpads are typically targeted by adversaries for obtaining sensitive information such as security PINs and credit card numbers. We propose multiple attacks suitable for three popular typing scenarios. In typing scenarios where key press events can be identified based on a surge in motion sensor activity, we use supervised learning to infer the key presses. This attack comprises first training appropriate classification

Cite this paper

@article{Maiti2017SideChannelIA,
  title={Side-Channel Inference Attacks on Mobile Keypads using Smartwatches},
  author={Anindya Maiti and Murtuza Jadliwala and Jibo He and Igor Bilogrevic},
  journal={CoRR},
  year={2017},
  volume={abs/1710.03656}
}