nach oben

Erschienen in:

2018 | OriginalPaper | Buchkapitel

SILK-TV: Secret Information Leakage from Keystroke Timing Videos

verfasst von : Kiran S. Balagani, Mauro Conti, Paolo Gasti, Martin Georgiev, Tristan Gurtler, Daniele Lain, Charissa Miller, Kendall Molas, Nikita Samarin, Eugen Saraci, Gene Tsudik, Lynn Wu

Erschienen in: Computer Security

Verlag: Springer International Publishing

Einloggen

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config

KI-gestützte Suche

Aus

Abstract

Shoulder surfing attacks are an unfortunate consequence of entering passwords or PINs into computers, smartphones, PoS terminals, and ATMs. Such attacks generally involve observing the victim’s input device. This paper studies leakage of user secrets (passwords and PINs) based on observations of output devices (screens or projectors) that provide “helpful” feedback to users in the form of masking characters, each corresponding to a keystroke. To this end, we developed a new attack called Secret Information Leakage from Keystroke Timing Videos (SILK-TV). Our attack extracts inter-keystroke timing information from videos of password masking characters displayed when users type their password on a computer, or their PIN at an ATM or PoS. We conducted several studies in various envisaged attack scenarios. Results indicate that, while in some cases leakage is minor, it is quite substantial in others. By leveraging inter-keystroke timings, SILK-TV recovers 8-character alphanumeric passwords in as little as 19 attempts. However, when guessing PINs, SILK-TV yields no substantial speedup compared to brute force. Our results strongly indicate that secure password masking GUIs must consider the information leakage identified in this paper.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Vorheriges Kapitel Phishing Attacks Modifications and Evolutions

Nächstes Kapitel A Formal Approach to Analyzing Cyber-Forensics Evidence

Where required, IRB approvals were duly obtained prior to the experiments.

See for example the lists maintained by https://haveibeenpwned.com/.

Rockyou password leak (2010). http://downloads.skullsecurity.org/passwords/rockyou.txt.bz2

Linkedin password leak (2016). https://hashes.org/leaks.php

Asonov, D., Agrawal, R.: Keyboard acoustic emanations. In: IEEE S&P (2004)

Balzarotti, D., Cova, M., Vigna, G.: ClearShot: eavesdropping on keyboard input from video. In: IEEE S&P (2008)

Banerjee, R., Feng, S., Kang, J.S., Choi, Y.: Keystroke patterns as prosody in digital writings: a case study with deceptive reviews and essays. In: EMNLP. Association for Computational Linguistics (2014)

Bartlow, N., Cukic, B.: Evaluating the reliability of credential hardening through keystroke dynamics. In: IEEE ISSRE (2006)

Burnett, M.: Today I am releasing 10 million passwords (2015). https://xato.net/today-i-am-releasing-ten-million-passwords-b6278bbe7495

Compagno, A., Conti, M., Lain, D., Tsudik, G.: Don’t skype & type!: Acoustic eavesdropping in Voice-Over-IP. In: ACM ASIACCS (2017)

Ding, L., Goshtasby, A.: On the canny edge detector. Pattern Recogn. 34(3), 721–725 (2001)CrossRef

10.

Fiegerman, S.: Yahoo says 500 million accounts stolen (2017). http://money.cnn.com/2016/09/22/technology/yahoo-data-breach/index.html

11.

Florencio, D., Herley, C.: A large-scale study of web password habits. In: ACM WWW (2007)

12.

Hitaj, B., Gasti, P., Ateniese, G., Perez-Cruz, F.: PassGAN: a deep learning approach for password guessing. arXiv preprint arXiv:1709.00440 (2017)

13.

Ho, T.K.: Random decision forests. In: IEEE Document Analysis and Recognition (1995)

14.

Kolias, C., Kambourakis, G., Stavrou, A., Voas, J.: DDoS in the IoT: Mirai and other botnets. Computer 50(7), 80–84 (2017)CrossRef

15.

Ma, J., Yang, W., Luo, M., Li, N.: A study of probabilistic password models. In: IEEE S&P (2014)

16.

Owusu, E., Han, J., Das, S., Perrig, A., Zhang, J.: ACCessory: password inference using accelerometers on smartphones. In: ACM HotMobile (2012)

17.

Pulli, K., Baksheev, A., Kornyakov, K., Eruhimov, V.: Real-time computer vision with OpenCV. Commun. ACM 55(6), 61–69 (2012)CrossRef

18.

Roth, J., Liu, X., Metaxas, D.: On continuous user authentication via typing behavior. IEEE Trans. Image Process. 23(10), 4611–4624 (2014)MathSciNetCrossRef

19.

Schalkoff, R.J.: Artificial Neural Networks, vol. 1. McGraw-Hill, New York (1997)MATH

20.

Shukla, D., Kumar, R., Serwadda, A., Phoha, V.V.: Beware, your hands reveal your secrets! In: ACM CCS (2014)

21.

Song, D.X., Wagner, D., Tian, X.: Timing analysis of keystrokes and timing attacks on SSH. In: USENIX Security Symposium (2001)

22.

Sun, J., Jin, X., Chen, Y., Zhang, J., Zhang, Y., Zhang, R.: VISIBLE: video-assisted keystroke inference from tablet backside motion. In: NDSS (2016)

23.

Tari, F., Ozok, A., Holden, S.H.: A comparison of perceived and real shoulder-surfing risks between alphanumeric and graphical passwords. In: ACM SOUPS (2006)

24.

The Password Project (2017). http://thepasswordproject.com/leaked_password_lists_and_dictionaries

25.

Tomasi, C., Manduchi, R.: Bilateral filtering for gray and color images. In: IEEE Computer Vision (1998)

26.

Vural, E., Huang, J., Hou, D., Schuckers, S.: Shared research dataset to support development of keystroke authentication. In: IEEE IJCB (2014)

27.

Wang, C., Guo, X., Wang, Y., Chen, Y., Liu, B.: Friend or foe? Your wearable devices reveal your personal pin. In: ACM ASIACCS (2016)

28.

Wang, C., Jan, S.T., Hu, H., Bossart, D., Wang, G.: The next domino to fall: empirical analysis of user passwords across online services. In: ACM CODASPY (2018)

29.

Weir, M., Aggarwal, S., De Medeiros, B., Glodek, B.: Password cracking using probabilistic context-free grammars. In: IEEE S&P (2009)

30.

Xu, Y., Heinly, J., White, A.M., Monrose, F., Frahm, J.M.: Seeing double: reconstructing obscured typed input from repeated compromising reflections. In: ACM CCS (2013)

31.

Zhu, T., Ma, Q., Zhang, S., Liu, Y.: Context-free attacks using keyboard acoustic emanations. In: ACM CCS (2014)

32.

Zhuang, L., Zhou, F., Tygar, J.D.: Keyboard acoustic emanations revisited. ACM TISSEC 13(1), 3 (2009)CrossRef

Titel: SILK-TV: Secret Information Leakage from Keystroke Timing Videos
verfasst von: Kiran S. Balagani
Mauro Conti
Paolo Gasti
Martin Georgiev
Tristan Gurtler
Daniele Lain
Charissa Miller
Kendall Molas
Nikita Samarin
Eugen Saraci
Gene Tsudik
Lynn Wu
Verlag: Springer International Publishing
Buch: Computer Security
Print ISBN: 978-3-319-99072-9

Electronic ISBN: 978-3-319-99073-6

Copyright-Jahr: 2018
DOI: https://doi.org/10.1007/978-3-319-99073-6_13

Springer Professional

Abstract

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"