-
IntegriScreen: Visually Supervising Remote User Interactions on Compromised Clients
Authors:
Ivo Sluganovic,
Enis Ulqinaku,
Aritra Dhar,
Daniele Lain,
Srdjan Capkun,
Ivan Martinovic
Abstract:
Remote services and applications that users access via their local clients (laptops or desktops) usually assume that, following a successful user authentication at the beginning of the session, all subsequent communication reflects the user's intent. However, this is not true if the adversary gains control of the client and can therefore manipulate what the user sees and what is sent to the remote…
▽ More
Remote services and applications that users access via their local clients (laptops or desktops) usually assume that, following a successful user authentication at the beginning of the session, all subsequent communication reflects the user's intent. However, this is not true if the adversary gains control of the client and can therefore manipulate what the user sees and what is sent to the remote server.
To protect the user's communication with the remote server despite a potentially compromised local client, we propose the concept of continuous visual supervision by a second device equipped with a camera. Motivated by the rapid increase of the number of incoming devices with front-facing cameras, such as augmented reality headsets and smart home assistants, we build upon the core idea that the user's actual intended input is what is shown on the client's screen, despite what ends up being sent to the remote server. A statically positioned camera enabled device can, therefore, continuously analyze the client's screen to enforce that the client behaves honestly despite potentially being malicious.
We evaluate the present-day feasibility and deployability of this concept by develo** a fully functional prototype, running a host of experimental tests on three different mobile devices, and by conducting a user study in which we analyze participants' use of the system during various simulated attacks. Experimental evaluation indeed confirms the feasibility of the concept of visual supervision, given that the system consistently detects over 98% of evaluated attacks, while study participants with little instruction detect the remaining attacks with high probability.
△ Less
Submitted 27 November, 2020;
originally announced November 2020.
-
2FE: Two-Factor Encryption for Cloud Storage
Authors:
Anders Dalskov,
Daniele Lain,
Enis Ulqinaku,
Kari Kostiainen,
Srdjan Capkun
Abstract:
Encrypted cloud storage services are steadily increasing in popularity, with many commercial solutions currently available. In such solutions, the cloud storage is trusted for data availability, but not for confidentiality. Additionally, the user's device is considered secure, and the user is expected to behave correctly.
We argue that such assumptions are not met in reality: e.g., users routine…
▽ More
Encrypted cloud storage services are steadily increasing in popularity, with many commercial solutions currently available. In such solutions, the cloud storage is trusted for data availability, but not for confidentiality. Additionally, the user's device is considered secure, and the user is expected to behave correctly.
We argue that such assumptions are not met in reality: e.g., users routinely forget passwords and fail to make backups, and users' devices get stolen or become infected with malware. Therefore, we consider a more extensive threat model, where users' devices are susceptible to attacks and common human errors are possible. Given this model, we analyze 10 popular commercial services and show that none of them provides good confidentiality and data availability.
Motivated by the lack of adequate solutions in the market, we design a novel scheme called Two-Factor Encryption (2FE) that draws inspiration from two-factor authentication and turns file encryption and decryption into an interactive process where two user devices, like a laptop and a smartphone, must interact. 2FE provides strong confidentiality and availability guarantees, as it withstands compromised cloud storage, one stolen or compromised user device at a time, and various human errors. 2FE achieves this by leveraging secret sharing with additional techniques such as oblivious pseudorandom functions and zero-knowledge proofs. We evaluate 2FE experimentally and show that its performance overhead is small. Finally, we explain how our approach can be adapted to other related use cases such as cryptocurrency wallets.
△ Less
Submitted 27 October, 2020;
originally announced October 2020.
-
Scan-and-Pay on Android is Dangerous
Authors:
Enis Ulqinaku,
Julinda Stefa,
Alessandro Mei
Abstract:
Mobile payments have increased significantly in the recent years and one-to-one money transfers are offered by a wide variety of smartphone applications. These applications usually support scan-and-pay -- a technique that allows a payer to easily scan the destination address of the payment directly from the payee's smartphone screen. This technique is pervasive because it does not require any part…
▽ More
Mobile payments have increased significantly in the recent years and one-to-one money transfers are offered by a wide variety of smartphone applications. These applications usually support scan-and-pay -- a technique that allows a payer to easily scan the destination address of the payment directly from the payee's smartphone screen. This technique is pervasive because it does not require any particular hardware, only the camera, which is present on all modern smartphones. However, in this work we show that a malicious application can exploit the overlay feature on Android to compromise the integrity of transactions that make use of the scan-and-pay technique. We implement Malview, a proof-of-concept malicious application that runs in the background on the payee's smartphone and show that it succeeds in redirecting payments to a malicious wallet. We analyze the weaknesses of the current defense mechanisms and discuss possible countermeasures against the attack.
△ Less
Submitted 24 May, 2019;
originally announced May 2019.
-
Using Hover to Compromise the Confidentiality of User Input on Android
Authors:
Enis Ulqinaku,
Luka Malisa,
Julinda Stefa,
Alessandro Mei,
Srdjan Capkun
Abstract:
We show that the new hover (floating touch) technology, available in a number of today's smartphone models, can be abused by any Android application running with a common SYSTEM_ALERT_WINDOW permission to record all touchscreen input into other applications. Leveraging this attack, a malicious application running on the system is therefore able to profile user's behavior, capture sensitive input s…
▽ More
We show that the new hover (floating touch) technology, available in a number of today's smartphone models, can be abused by any Android application running with a common SYSTEM_ALERT_WINDOW permission to record all touchscreen input into other applications. Leveraging this attack, a malicious application running on the system is therefore able to profile user's behavior, capture sensitive input such as passwords and PINs as well as record all user's social interactions. To evaluate our attack we implemented Hoover, a proof-of-concept malicious application that runs in the system background and records all input to foreground applications. We evaluated Hoover with 40 users, across two different Android devices and two input methods, stylus and finger. In the case of touchscreen input by finger, Hoover estimated the positions of users' clicks within an error of 100 pixels and keyboard input with an accuracy of 79%. Hoover captured users' input by stylus even more accurately, estimating users' clicks within 2 pixels and keyboard input with an accuracy of 98%. We discuss ways of mitigating this attack and show that this cannot be done by simply restricting access to permissions or imposing additional cognitive load on the users since this would significantly constrain the intended use of the hover technology.
△ Less
Submitted 2 August, 2017; v1 submitted 4 November, 2016;
originally announced November 2016.