Defense against Smartphone Keyloggers

Recent research shows that a user’s touchscreen inputs (e.g., passwords) on Android devices can be inferred from inertial (motion/position) sensors, which are currently freely accessible to any Android app. The figure below shows the high-level steps involved in a motion-based touchstroke logging attack. Given the high accuracies of such touchstroke logging attacks, they are now considered a significant threat to user privacy. Consequently, the security community has started exploring defenses against such side-channel attacks, but the suggested solutions are not effective (e.g., those based on vibrational noise) and/or may significantly undermine system usability (e.g., those based on keyboard layout randomization).

Figure 1: Motion-based Touchstroke Logging Attack

In this work, we introduce a novel and practical defense against motion-based touchstroke leakage based on system-generated, fully automated and user-oblivious sensory noise. Our defense leverages a recently developed framework, SMASheD, that takes advantage of Android’s ADB functionality and can programmatically inject noise into various inertial sensors. Although SMASheD was originally advertised as a malicious app by its authors, we use it to build a defense mechanism, called Slogger (“Smashing the logger”), for defeating sensor-based touchstroke logging attacks. Slogger transparently inserts noisy sensor readings in the background as the user provides sensitive touchscreen input (e.g., a password, PIN or credit card information) in order to obfuscate the original sensor readings. It can be installed in user space without the need to root the device or to change the device’s OS or kernel. The figure below shows the notion of noise injection to obfuscate the original signal.

Figure 2: Notion of sensor event injection to obfuscate the original signal
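The following simulation is an added illustration of the injection idea described above; it is not Slogger or SMASheD code and uses neither tool's API. The sensor trace is constructed, and the uniform noise model, injection rate, amplitude and threshold are assumptions chosen for illustration. It measures how many of the readings that stand out from the idle baseline actually belong to a touch, before and after injected readings are interleaved into the stream.

```python
import random

THRESHOLD = 0.2  # assumed magnitude above which a reading stands out from idle jitter


def genuine_stream(n=400, taps=(60, 150, 240, 330), seed=1):
    """Constructed z-axis readings as (value, is_touch): idle jitter plus a bump per tap."""
    rng = random.Random(seed)
    events = [[rng.gauss(0.0, 0.02), False] for _ in range(n)]
    for start in taps:
        for offset, bump in enumerate((0.3, 0.6, 0.3)):
            events[start + offset][0] += bump
            events[start + offset][1] = True
    return [tuple(e) for e in events]


def inject_noise(events, rate=0.5, amplitude=0.8, seed=2):
    """Interleave injected readings between genuine ones (uniform noise is an assumption)."""
    rng = random.Random(seed)
    mixed = []
    for event in events:
        mixed.append(event)  # genuine readings are kept unchanged and in order
        if rng.random() < rate:
            mixed.append((rng.uniform(-amplitude, amplitude), False))
    return mixed


def flagged_precision(events, threshold=THRESHOLD):
    """Fraction of readings above the threshold that belong to a real touch."""
    flagged = [is_touch for value, is_touch in events if abs(value) > threshold]
    return sum(flagged) / len(flagged) if flagged else 0.0


if __name__ == "__main__":
    clean = genuine_stream()
    noisy = inject_noise(clean)
    print(f"clean stream: {len(clean)} readings, precision {flagged_precision(clean):.2f}")
    print(f"noisy stream: {len(noisy)} readings, precision {flagged_precision(noisy):.2f}")
```

A precision near 1.0 on the clean stream means every standout reading marks a touch; the drop after injection is what obfuscation means in this model.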




