Paper 2017/1169

There Goes Your PIN: Exploiting Smartphone Sensor Fusion Under Single and Cross User Setting

David Berend, Bernhard Jungk, and Shivam Bhasin

Abstract

A range of zero-permission sensors are found in modern smartphones to enhance user experience. These sensors can lead to unintentional leakage of user private data. In this paper, we combine leakage from a pool of zero-permission sensors to reconstruct a user's secret PIN. By harnessing the power of machine learning algorithms, we show a practical attack on the full four-digit PIN space. The attack is able to classify all 10,000 PIN combinations, and results show up to 83.7% success within 20 tries in a single-user setting. The latest previous work demonstrated 74% success on a reduced space of 50 chosen PINs, whereas we report 99.5% success with a single try in a similar setting. Moreover, we extend the PIN recovery attack from a single-user to a cross-user scenario. First, we show that training on several users boosts PIN recovery success when a target user is part of the training pool. On the other hand, PIN recovery is still possible when the training pool is mutually exclusive to the target user, albeit with a low success rate.

Note: Minor edits in the abstract

Metadata
Available format(s)
PDF
Publication info
Preprint. MINOR revision.
Keywords
Smartphones, PIN, Sensor, Machine Learning
Contact author(s)
sbhasin @ ntu edu sg
History
2017-12-06: revised
2017-12-06: received
Short URL
https://ia.cr/2017/1169
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2017/1169,
      author = {David Berend and Bernhard Jungk and Shivam Bhasin},
      title = {There Goes Your PIN: Exploiting Smartphone Sensor Fusion Under Single and Cross User Setting},
      howpublished = {Cryptology ePrint Archive, Paper 2017/1169},
      year = {2017},
      note = {\url{https://eprint.iacr.org/2017/1169}},
      url = {https://eprint.iacr.org/2017/1169}
}