http://dx.doi.org/10.13089/JKIISC.2016.26.4.903

Automated Smudge Attacks Based on Machine Learning and Security Analysis of Pattern Lock Systems  

Jung, Sungmi (Information Security Lab., Graduate school of Information, Yonsei University)
Kwon, Taekyoung (Information Security Lab., Graduate school of Information, Yonsei University)
Abstract
As smart mobile devices with touchscreens are increasingly deployed, the pattern lock system, one of the graphical password systems, has become a major authentication mechanism. However, a user's unlocking behaviour leaves smudges on the touchscreen, which makes such systems vulnerable to so-called smudge attacks. Smudges can help an adversary guess a secret pattern correctly. Several advanced pattern lock systems, such as TinyLock, have been developed to resist smudge attacks. In this paper, we study an automated smudge attack that employs machine learning techniques and its effectiveness in comparison to human-only smudge attacks. We also compare the Android pattern lock and TinyLock schemes in terms of security. Our study shows that automated smudge attacks significantly outperform human-only attacks with regard to success ratio, though the TinyLock system is more secure than the Android pattern lock system.
Keywords
Smartphone; Pattern Lock System; Machine Learning; Smudge Attack