DOI: 10.1145/3025453.3025461
Research article (Honorable Mention)

Stay Cool! Understanding Thermal Attacks on Mobile-based User Authentication

Published: 02 May 2017

ABSTRACT

PINs and patterns remain among the most widely used knowledge-based authentication schemes. As thermal cameras become ubiquitous and affordable, we foresee a new form of threat to user privacy on mobile devices. Thermal cameras allow thermal attacks, in which the heat traces left on the screen during authentication are used to reconstruct passwords. In this work we investigate in detail the viability of exploiting thermal imaging to infer PINs and patterns on mobile devices. We present a study (N=18) in which we evaluated how properties of PINs and patterns influence their resistance to thermal attacks. We found that thermal attacks are indeed viable on mobile devices: overlapping patterns significantly decrease the thermal attack success rate from 100% to 16.67%, while PINs remain vulnerable (>72% success rate) even with duplicate digits. We conclude with recommendations for users and for designers of authentication schemes on how to resist thermal attacks.


Supplemental Material

pn1028p.mp4 (mp4, 1.9 MB)

p3751-abdelrahman.mp4 (mp4, 246.2 MB)


Published in

CHI '17: Proceedings of the 2017 CHI Conference on Human Factors in Computing Systems, May 2017, 7138 pages. ISBN: 9781450346559. DOI: 10.1145/3025453

Copyright © 2017 ACM


Publisher: Association for Computing Machinery, New York, NY, United States


Acceptance Rates

CHI '17 paper acceptance rate: 600 of 2,400 submissions (25%). Overall acceptance rate: 6,199 of 26,314 submissions (24%).
