Stealing passwords by observing hands movement

Diksha Shukla, Vir Phoha

Research output: Contribution to journal › Article

Abstract

The use of mobile phones in public places opens up the possibilities of remote side channel attacks on these devices. We present a video-based side channel attack to decipher passwords on mobile devices. Our method uses short video clips ranging from 5 to 10 s each, which can be taken unobtrusively from a distance and do not require the keyboard or the screen of the phone to be visible. By relating the spatiotemporal movements of the user's hand during typing and an anchor point on any visible part of the phone, we predict the typed password with high accuracy. The results on a dataset of 375 short videos of password entry process on a Samsung Galaxy S4 phone show an exponential reduction in the search space compared to a random guess. For each key-press corresponding to a character in the passwords, our method was able to reduce the search space to an average of 2-3 keys compared to 30 keys if one has to guess the key randomly. Thus, this paper reaffirms threats to smartphone users' conventional login in public places and highlights the threats in scenarios such as hiding the screen that otherwise gives the impression of being safe to the users.

Original language: English (US)
Article number: 8691569
Pages (from-to): 3086-3101
Number of pages: 16
Journal: IEEE Transactions on Information Forensics and Security
Volume: 14
Issue number: 12
DOI: 10.1109/TIFS.2019.2911171
State: Published - Dec 1 2019

Fingerprint

Galaxies
Smartphones
Anchors
Mobile phones
Mobile devices
Side channel attack

Keywords

  • authentication
  • Biometrics
  • hand gestures
  • password
  • side channel attack
  • smartphone security

ASJC Scopus subject areas

  • Safety, Risk, Reliability and Quality
  • Computer Networks and Communications

Cite this

Stealing passwords by observing hands movement. / Shukla, Diksha; Phoha, Vir.

In: IEEE Transactions on Information Forensics and Security, Vol. 14, No. 12, 8691569, 01.12.2019, p. 3086-3101.

@article{5aa22ece62b54eae842370da4a36a8cc,
title = "Stealing passwords by observing hands movement",
abstract = "The use of mobile phones in public places opens up the possibilities of remote side channel attacks on these devices. We present a video-based side channel attack to decipher passwords on mobile devices. Our method uses short video clips ranging from 5 to 10 s each, which can be taken unobtrusively from a distance and do not require the keyboard or the screen of the phone to be visible. By relating the spatiotemporal movements of the user's hand during typing and an anchor point on any visible part of the phone, we predict the typed password with high accuracy. The results on a dataset of 375 short videos of password entry process on a Samsung Galaxy S4 phone show an exponential reduction in the search space compared to a random guess. For each key-press corresponding to a character in the passwords, our method was able to reduce the search space to an average of 2-3 keys compared to 30 keys if one has to guess the key randomly. Thus, this paper reaffirms threats to smartphone users' conventional login in public places and highlights the threats in scenarios such as hiding the screen that otherwise gives the impression of being safe to the users.",
keywords = "authentication, Biometrics, hand gestures, password, side channel attack, smartphone security",
author = "Diksha Shukla and Vir Phoha",
year = "2019",
month = "12",
day = "1",
doi = "10.1109/TIFS.2019.2911171",
language = "English (US)",
volume = "14",
pages = "3086--3101",
journal = "IEEE Transactions on Information Forensics and Security",
issn = "1556-6013",
publisher = "Institute of Electrical and Electronics Engineers Inc.",
number = "12",

}

TY - JOUR

T1 - Stealing passwords by observing hands movement

AU - Shukla, Diksha

AU - Phoha, Vir

PY - 2019/12/1

Y1 - 2019/12/1

AB - The use of mobile phones in public places opens up the possibilities of remote side channel attacks on these devices. We present a video-based side channel attack to decipher passwords on mobile devices. Our method uses short video clips ranging from 5 to 10 s each, which can be taken unobtrusively from a distance and do not require the keyboard or the screen of the phone to be visible. By relating the spatiotemporal movements of the user's hand during typing and an anchor point on any visible part of the phone, we predict the typed password with high accuracy. The results on a dataset of 375 short videos of password entry process on a Samsung Galaxy S4 phone show an exponential reduction in the search space compared to a random guess. For each key-press corresponding to a character in the passwords, our method was able to reduce the search space to an average of 2-3 keys compared to 30 keys if one has to guess the key randomly. Thus, this paper reaffirms threats to smartphone users' conventional login in public places and highlights the threats in scenarios such as hiding the screen that otherwise gives the impression of being safe to the users.

KW - authentication

KW - Biometrics

KW - hand gestures

KW - password

KW - side channel attack

KW - smartphone security

UR - http://www.scopus.com/inward/record.url?scp=85070291262&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85070291262&partnerID=8YFLogxK

U2 - 10.1109/TIFS.2019.2911171

DO - 10.1109/TIFS.2019.2911171

M3 - Article

VL - 14

SP - 3086

EP - 3101

JO - IEEE Transactions on Information Forensics and Security

JF - IEEE Transactions on Information Forensics and Security

SN - 1556-6013

IS - 12

M1 - 8691569

ER -