Securing PIN-based authentication in smartwatches with just two gestures
Meriem Guerar
Department of Informatics, Bioengineering, Robotics and Systems Engineering, University of Genoa, Genoa, Italy
Mauro Migliardi
Department of Information Engineering, University of Padua, Padua, Italy
Francesco Palmieri (corresponding author)
Department of Computer Science, University of Salerno, Salerno, Italy
Correspondence: Francesco Palmieri, Department of Computer Science, University of Salerno, 84084 Salerno, Italy. Email: [email protected]
Luca Verderame
Department of Informatics, Bioengineering, Robotics and Systems Engineering, University of Genoa, Genoa, Italy
Alessio Merlo
Department of Informatics, Bioengineering, Robotics and Systems Engineering, University of Genoa, Genoa, Italy
Summary
Smartwatches are becoming increasingly ubiquitous, as they offer new capabilities for developing sophisticated applications that make daily life easier and more convenient for consumers. The services provided include mobile payment, ticketing, identification, access control, and so on. While this makes modern smartwatches very powerful devices, it also makes them very attractive targets for attackers. PINs and pattern locks are widely used for user authentication on smartwatches. However, such authentication methods are not robust against various cybersecurity attacks, such as side-channel, phishing, smudge, shoulder-surfing, and video-recording attacks. Moreover, recently adopted hardware-based solutions, such as the Trusted Execution Environment (TEE), can only partially mitigate these problems. Thus, without a strong authentication scheme in place, the user's security and privacy are at risk. In this work, we propose 2GesturePIN, a new authentication framework that allows users to authenticate securely to their smartwatches and related sensitive services with just two gestures. 2GesturePIN leverages the rotating bezel or crown, the most intuitive ways to interact with a smartwatch, as dedicated input hardware. 2GesturePIN improves the resilience of the regular PIN authentication method against state-of-the-art cybersecurity attacks while maintaining a high level of usability.
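The summary states the threat (smudge and motion-sensor side channels that observe the physical input gesture) and the direction of the defence (moving PIN entry onto the rotating bezel or crown) but does not describe how 2GesturePIN maps gestures to digits. The following is an added example, not code from the paper and not the 2GesturePIN scheme itself; it models one general principle that such indirect-input schemes rely on: if the display-to-gesture mapping is randomised per session, an attacker who captures only the gesture (rotation steps, as a smudge or accelerometer attack would) learns nothing about the PIN and cannot replay it. The ten-position ring, the per-session random offset, the one-rotation-per-digit entry and every helper name below are this example's own assumptions.

```python
"""
Added illustrative example (not the paper's 2GesturePIN scheme, whose internals
the summary does not describe): a toy "rotating ring" PIN entry whose starting
position is randomised per session, so the physical gesture an accelerometer
or smudge attacker can observe neither reveals the PIN nor replays.

Threat model of the toy: the attacker sees only the rotation steps, not the
screen. A shoulder surfer who sees both screen and gesture is NOT covered.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import List

RING = 10            # assumption: digits 0..9 laid out clockwise around the bezel
PBKDF2_ROUNDS = 100_000


def make_verifier(pin: str, salt: bytes) -> bytes:
    """Store a slow hash of the PIN, never the PIN itself."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)


@dataclass(frozen=True)
class Session:
    """One unlock attempt; the ring appears at a fresh random position."""
    offset: int  # digit under the selection marker when the ring is shown


def new_session() -> Session:
    return Session(offset=secrets.randbelow(RING))


def gesture_for(pin: str, session: Session) -> List[int]:
    """What the legitimate user physically does: for each PIN digit, rotate
    clockwise from the current marker position until that digit is selected."""
    steps, pos = [], session.offset
    for ch in pin:
        digit = int(ch)
        steps.append((digit - pos) % RING)
        pos = digit
    return steps


def digits_from_gesture(steps: List[int], session: Session) -> str:
    """What the watch reconstructs: it knows the offset, the attacker does not."""
    pos, out = session.offset, []
    for s in steps:
        pos = (pos + s) % RING
        out.append(str(pos))
    return "".join(out)


def verify(steps: List[int], session: Session, salt: bytes, stored: bytes) -> bool:
    candidate = digits_from_gesture(steps, session)
    return hmac.compare_digest(make_verifier(candidate, salt), stored)


def replay_succeeds(pin: str, observed: Session, target: Session) -> bool:
    """Attacker records the gesture in one session and replays it in another."""
    salt = b"constructed-salt"              # constructed sample value
    stored = make_verifier(pin, salt)
    recorded = gesture_for(pin, observed)   # the side channel leaks only this
    return verify(recorded, target, salt, stored)


if __name__ == "__main__":
    pin = "2580"                            # constructed sample PIN
    a, b = Session(offset=7), Session(offset=3)
    print("gesture in session A:   ", gesture_for(pin, a))          # [5, 3, 3, 2]
    print("same PIN in session B:  ", gesture_for(pin, b))          # [9, 3, 3, 2]
    print("replay A's gesture in B:", replay_succeeds(pin, a, b))   # False
    print("replay in same session: ", replay_succeeds(pin, a, a))   # True
```

Two caveats a practitioner would check before trusting such a design: the offset and the verification must live where a compromised OS cannot read them (the TEE and a trusted display path the summary alludes to), otherwise an on-device attacker simply reads the offset and undoes the randomisation; and the toy only defeats observers of the gesture, so a scheme that also resists shoulder surfing and video recording, as the summary claims for 2GesturePIN, needs an additional mechanism that this example does not model.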
Article e5549. September 25, 2020.