PIN Skimming: Exploiting the Ambient-Light Sensor in Mobile Devices

Raphael Spreitzer

Publication: Contribution to book/report/conference proceedings › Contribution to conference proceedings › Research › Peer-reviewed

Abstract

The pervasive usage of mobile devices, i.e., smartphones and tablet computers, and their vast amount of sensors represent a plethora of side channels posing a serious threat to the user's privacy and security. In this paper, we propose a new type of side channel which is based on the ambient-light sensor employed in today's mobile devices. While recent advances in this area of research focused on the employed motion sensors and the camera as well as the sound, we investigate a less obvious source of information leakage, namely the ambient light. We successfully demonstrate that minor tilts and turns of mobile devices cause variations of the ambient-light sensor information. Furthermore, we show that these variations leak enough information to infer a user's personal identification number (PIN) input based on a set of known PINs. Our results clearly show that we are able to determine the correct PIN, out of a set of 50 random PINs, within the first ten guesses about 80% of the time. In contrast, the chance of finding the right PIN by randomly guessing ten PINs would be 20%. Since the data required to perform such an attack can be gathered without any specific permissions or privileges, the presented attack seriously jeopardizes the security and privacy of mobile-device owners.
Original language: English
Title: 4th Annual ACM CCS Workshop on Security and Privacy in Smartphones and Mobile Devices (SPSM)
Publisher: Association of Computing Machinery
Pages: 51-62
DOIs: https://doi.org/10.1145/2666620.2666622
Publication status: Published - 2014
Event: Annual ACM CCS Workshop on Security and Privacy in Smartphones and Mobile Devices - Scottsdale, Arizona, USA / United States
Duration: 7 Nov 2014 → 7 Nov 2014

Conference

Conference: Annual ACM CCS Workshop on Security and Privacy in Smartphones and Mobile Devices
Country: USA / United States
Location: Scottsdale, Arizona
Period: 7/11/14 → 7/11/14

Fingerprint

Mobile devices
Sensors
Smartphones
Cameras
Acoustic waves

Fields of Expertise

  • Information, Communication & Computing

Treatment code (more detailed classification)

  • Application

Cite this

Spreitzer, R. (2014). PIN Skimming: Exploiting the Ambient-Light Sensor in Mobile Devices. in 4th Annual ACM CCS Workshop on Security and Privacy in Smartphones and Mobile Devices (SPSM) (pp. 51-62). Association of Computing Machinery. https://doi.org/10.1145/2666620.2666622

PIN Skimming: Exploiting the Ambient-Light Sensor in Mobile Devices. / Spreitzer, Raphael.

4th Annual ACM CCS Workshop on Security and Privacy in Smartphones and Mobile Devices (SPSM). Association of Computing Machinery, 2014. pp. 51-62.

Spreitzer, R 2014, PIN Skimming: Exploiting the Ambient-Light Sensor in Mobile Devices. in 4th Annual ACM CCS Workshop on Security and Privacy in Smartphones and Mobile Devices (SPSM). Association of Computing Machinery, pp. 51-62, Scottsdale, Arizona, USA / United States, 7/11/14. https://doi.org/10.1145/2666620.2666622
Spreitzer R. PIN Skimming: Exploiting the Ambient-Light Sensor in Mobile Devices. in 4th Annual ACM CCS Workshop on Security and Privacy in Smartphones and Mobile Devices (SPSM). Association of Computing Machinery. 2014. pp. 51-62 https://doi.org/10.1145/2666620.2666622
Spreitzer, Raphael. / PIN Skimming: Exploiting the Ambient-Light Sensor in Mobile Devices. 4th Annual ACM CCS Workshop on Security and Privacy in Smartphones and Mobile Devices (SPSM). Association of Computing Machinery, 2014. pp. 51-62
@inproceedings{409b886920054d9db250a8b73988e9d9,
title = "PIN Skimming: Exploiting the Ambient-Light Sensor in Mobile Devices",
author = "Raphael Spreitzer",
note = "In conjunction with the 21st ACM Conference on Computer and Communications Security (CCS)",
year = "2014",
doi = "10.1145/2666620.2666622",
language = "English",
pages = "51--62",
booktitle = "4th Annual ACM CCS Workshop on Security and Privacy in Smartphones and Mobile Devices (SPSM)",
publisher = "Association of Computing Machinery",
address = "United States",

}

TY - GEN

T1 - PIN Skimming: Exploiting the Ambient-Light Sensor in Mobile Devices

AU - Spreitzer, Raphael

N1 - In conjunction with the 21st ACM Conference on Computer and Communications Security (CCS)

PY - 2014

Y1 - 2014

UR - http://www.spsm-workshop.org/2014/

U2 - 10.1145/2666620.2666622

DO - 10.1145/2666620.2666622

M3 - Conference contribution

SP - 51

EP - 62

BT - 4th Annual ACM CCS Workshop on Security and Privacy in Smartphones and Mobile Devices (SPSM)

PB - Association of Computing Machinery

ER -