PILOT: Password and PIN Information Leakage from Obfuscated Ty** Videos
Authors:
Kiran Balagani,
Matteo Cardaioli,
Mauro Conti,
Paolo Gasti,
Martin Georgiev,
Tristan Gurtler,
Daniele Lain,
Charissa Miller,
Kendall Molas,
Nikita Samarin,
Eugen Saraci,
Gene Tsudik,
Lynn Wu
Abstract:
This paper studies leakage of user passwords and PINs based on observations of ty** feedback on screens or from projectors in the form of masked characters that indicate keystrokes. To this end, we developed an attack called Password and Pin Information Leakage from Obfuscated Ty** Videos (PILOT). Our attack extracts inter-keystroke timing information from videos of password masking characters…
▽ More
This paper studies leakage of user passwords and PINs based on observations of ty** feedback on screens or from projectors in the form of masked characters that indicate keystrokes. To this end, we developed an attack called Password and Pin Information Leakage from Obfuscated Ty** Videos (PILOT). Our attack extracts inter-keystroke timing information from videos of password masking characters displayed when users type their password on a computer, or their PIN at an ATM. We conducted several experiments in various attack scenarios. Results indicate that, while in some cases leakage is minor, it is quite substantial in others. By leveraging inter-keystroke timings, PILOT recovers 8-character alphanumeric passwords in as little as 19 attempts. When guessing PINs, PILOT significantly improved on both random guessing and the attack strategy adopted in our prior work [4]. In particular, we were able to guess about 3% of the PINs within 10 attempts. This corresponds to a 26-fold improvement compared to random guessing. Our results strongly indicate that secure password masking GUIs must consider the information leakage identified in this paper.
△ Less
Submitted 9 April, 2019; v1 submitted 30 March, 2019;
originally announced April 2019.