
Post on 28-May-2019






Fingerprint Attack against Touch-enabled Devices

Yang Zhang, Southeast University, Nanjing 211189, P.R. China

Peng Xia, UMass Lowell, Lowell, MA 01854

Junzhou Luo, Southeast University, Nanjing 211189, P.R. China

Zhen Ling, Southeast University, Nanjing 211189, P.R. China

Benyuan Liu, UMass Lowell, Lowell, MA 01854

Xinwen Fu, UMass Lowell, Lowell, MA 01854


Oily residues left by tapping fingers on a touch screen may breach user privacy. In this paper, we introduce the fingerprint attack against touch-enabled devices. We dust the touch screen surface to reveal fingerprints, and use an iPhone camera to carefully photograph fingerprints while striving to remove the virtual image of the phone from the fingerprint image. We then sharpen the fingerprints in an image via various image processing techniques and design effective algorithms to automatically map fingerprints to a keypad in order to infer tapped passwords. Extensive experiments were conducted on iPad, iPhone and Android phone and the results show that the fingerprint attack is effective and efficient in inferring passwords from fingerprint images. To the best of our knowledge, we are the first using fingerprint powder on touch screen and inferring passwords from fingerprints. Video at shows the dusting process on iPhone and video at shows the dusting process on iPad. After dusting, password characters for login are clearly disclosed.

Categories and Subject Descriptors

D.4.6 [Operating Systems]: Security and Protection; K.4.1 [Public Policy Issues]: Abuse and Crime Involving Computers

General Terms



Fingerprint, Touch Screen, iPhone, iPad, Android, Attack

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. SPSM'12, October 19, 2012, Raleigh, North Carolina, USA. Copyright 2012 ACM 978-1-4503-1666-8/12/10 ...$15.00.

1. INTRODUCTION

Touch-screen devices enjoy increasingly popular usage. Displaybank forecasts that the total touch-screen panel market size will grow to $9.65 billion and 1.35 billion units, and 800 million smartphones are expected to be touch-enabled in 2014 [14]. The market of smartbooks including tablets with touch screen will catch up with the market of mobile phones. Touch screens are also widely used in consumer-electronic products such as personal digital assistants (PDAs), personal navigation devices, netbooks and laptops.

However, oily residues (i.e. smudges) left by tapping fingers on a touch screen may disclose a plethora of information about its owner/users. Aviv et al. [2] introduced the smudge attack, which explores graphical passwords used by an Android smartphone. A graphical password corresponds to a graphical pattern when a finger presses on a touch screen and drags around. They studied how to directly take pictures of the smudges from a smartphone touch screen surface at various camera angles with respect to the orientation of the phone and showed that smudge attack can reveal the graphical pattern-based passwords in Android.

Figure 1: Standard Latent Print Field Kit

Figure 2: Fingerprint on iPhone

In this paper, we introduce a fingerprint attack against tapped passwords via a keypad instead of graphical passwords. In this attack, an attacker first dusts the touch screen with fingerprint powder to reveal fingerprints left from tapping fingers. She then photographs the fingerprints, maps the fingerprints to the on-screen keyboard and recovers the password characters. Brute force methods can then be applied to derive the actual password sequence. For a 4-character PIN like those used by iPhone and iPad, an attacker just needs to try 12 times on average to break into the phone and read the open Gmail and collect sensitive information from other applications such as phone book. Fingerprints are often not visible and smudge attack in [2] cannot work in these scenarios. Fingerprinting kits are also widely available and a standard latent print field kit costs only $30 [9] while we used a professional latent fingerprint kit in Figure 1 [8], which costs $200. The professional latent fingerprint kit contains a set of black and white fingerprint powder and dusting brushes as well as a set of magnetic powder and magnetic applicator, which were not used in our experiments.
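The brute-force estimate above can be checked by counting how many PINs stay consistent with the keys that residue reveals. The following is an added example, not code from the paper: the function names are illustrative, and it assumes the candidates are tried in a uniformly random order, under which four distinct revealed digits leave 24 orderings and a mean of 12.5 tries.

```python
from itertools import product
from math import comb, log2


def candidate_count(pin_length: int, revealed_keys: int) -> int:
    """PINs of pin_length that press each of the revealed keys at least once.

    Counted as surjections onto the revealed keys via inclusion-exclusion.
    """
    k = revealed_keys
    return sum((-1) ** j * comb(k, j) * (k - j) ** pin_length
               for j in range(k + 1))


def count_by_enumeration(pin_length: int, keys: str) -> int:
    """Cross-check: enumerate every string over `keys` and keep full covers."""
    wanted = set(keys)
    return sum(1 for p in product(sorted(wanted), repeat=pin_length)
               if set(p) == wanted)


def expected_guesses(candidates: int) -> float:
    """Mean tries to reach one uniformly placed PIN in a list of candidates."""
    return (candidates + 1) / 2


def exposure_table(pin_length: int = 4, keypad_size: int = 10):
    """Rows of (distinct keys revealed, candidates, mean tries, bits left)."""
    full_bits = pin_length * log2(keypad_size)  # entropy with no residue
    rows = []
    for k in range(1, min(pin_length, keypad_size) + 1):
        n = candidate_count(pin_length, k)
        rows.append((k, n, expected_guesses(n), round(log2(n), 2)))
    return full_bits, rows


if __name__ == "__main__":
    # Constructed scenario: 4-digit PIN on a 10-key pad.
    full_bits, rows = exposure_table()
    print(f"no residue: {full_bits:.2f} bits of PIN entropy")
    for k, n, tries, bits in rows:
        print(f"{k} distinct keys revealed: {n:2d} PINs, "
              f"{tries:4.1f} mean tries, {bits:.2f} bits")
```

The table shows why a short numeric PIN gives little protection once the pressed keys are known: the search space drops from 10,000 PINs to at most 36, and a PIN with one repeated digit (three distinct keys) leaves more candidates than one with four distinct digits.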

Figures 2 and 3 show the fingerprints on iPhone and iPad after dusting and the photos are taken with iPhone 4s. We trimmed the background and kept only iPhone and iPad images. Our video at shows the dusting process on iPhone and video at shows the dusting process on iPad. We can see that the password characters for login are clearly disclosed. A fiberglass brush and white powder are used for dusting and revealing the fingerprints on touch screen.

Figure 3: Fingerprint on iPad

Our threat model is as follows [10]: the attacker has physical access to a touch-enabled device. This is a reasonable assumption in many scenarios. An attacker such as a spouse who has physical access to a smartphone can apply fingerprint powder to a smartphone and deploy the attack. Corrupt staff at a working place deployed with touch-enabled devices may also wield a fingerprinting kit and collect passwords on screens.

The major contributions of this paper are summarized as follows:

- We conducted a systematic study of inferring a password from photographed fingerprint images. We have investigated various practical issues such as selecting appropriate fingerprint powder for dusting, removing virtual images of the phone camera during photographing, sharpening fingerprints via various image processing techniques, designing algorithms to automatically infer passwords from fingerprint images, and differentiating fingerprints from multiple persons sharing a touch-enabled device.

- Extensive experiments on iPad, iPhone and Android phone were performed to verify the feasibility and effectiveness of the fingerprint attack against touch-enabled devices. In most scenarios, the attack can reveal more than 50% of the passwords. We were also able to differentiate fingerprints from people sharing a device.

The rest of the paper is organized as follows: Section 2 introduces the most related work. In Section 3, we introduce the fingerprint attack to infer the password from fingerprint images. We evaluate the attack in Section 4 and briefly discuss countermeasures in Section 5. Section 6 concludes this paper.

2. RELATED WORK

Felt et al. [10] classify threats from third-party smartphone applications into malware, grayware, and personal spyware. Malware intends to damage finance or property of the smartphone owner. An attacker such as a spouse who has physical access to a smartphone can install personal spyware on the victim smartphone and gather information about the smartphone owner, for example, tracking the victim. Grayware is often commercial applications with real functionality while stealing user information. The distributor may have a privacy policy with varying degree of clarity. The authors conduct a survey of 46 pieces of smartphone malware and their incentives and conclude that Apple's mechanisms of application permission and review process can avoid approving malware. Becher et al. [5] examine mechanisms securing sophisticated mobile devices. Although no major incidents of attacking smartphones have happened, small-scale attacks have been emerging. Threats are classified into four classes: hardware centric, device independent, software centric, and user layer attacks for the purpose of eavesdropping, availability attacks, privacy attacks and impersonation attacks. Existing security mechanisms are enumerated for various attacks.

TouchLogger [6] is an Android malware, which is installed by a victim and utilizes device orientation data to infer keystrokes. When a user types on a virtual keyboard on a touch screen, the orientation event reports intrinsic Tait-Bryan angles and timing and reflects device orientation, which is user independent in terms of typed keys. TouchLogger infers the typing locations from Tait-Bryan angles and timing information and derives the corresponding keys. Owusu et al. show [22] that a malware can use only accelerometer data to infer the entered keys on a virtual keyboard. The inference accuracy is constrained by the sampling frequency of the accelerometer, the key location, and its size. Pattern recognition is used and 46 features are generated from each preprocessed acceleration stream. TapLogger [30] also uses motion sensors to infer a user's tap inputs to a smartphone.

In [23], reflections of a device's screen on a victim's glasses or other objects are exploited to automatically infer text typed on a virtual keyboard. The authors use inexpensive cameras (such as those in smartphones), utilize the fact of keys popping out when pressed and adopt computer vision techniques processing the recorded video in order to infer the corresponding key although the text in the video is illegible. Balzarotti et al. [4] proposed an automatic approach to reconstruct the text typed on a keyboard from a video of a person typing on a

