Cybersecurity now seems like a game of whack-a-mole, where you are never sure which will be the next hole the threat is going to emerge from, and when you finally see it, will you be fast enough to arrest the situation.
We recently feature an article about the possibility of hackers reading your password by simply pointing a thermal camera to your keyboard. They can then use the heat your fingers leave on the keyboard to read your keystroke and easily get your password.
As if that was not enough, it now emerges that hackers can actually read data off your touchscreen interactions. This new cybersecurity threat was established by a team of researchers at Ben-Gurion University of the Negev (BGU).
The BGU have demonstrated that user’s information can be exfiltrated from a smartphone by tracking the touch movements. That can more likely happen on smartphone using compromised third party touchscreens.
More often than not, broken smartphone touchscreen are replaced using aftermarket components made by third-party manufacturers. These third party touchscreen have been found to contain malicious codes embedded in their circuitry.
“Our research objective was to use machine learning to determine the amount of high-level context information the attacker can derive by observing and predicting the user’s touchscreen interactions. If an attacker can understand the context of certain events, he can use the information to create a more effective customized attack,” said Yossi Oren, a research in the BGU Department of Software and Information Systems Engineering.
That is to say a hacker can essentially learn when to steal a user information or completely hijack the phone by executing malicious touches. The BGU researchers were able to record 160 touch interaction session from users running multiple applications to quantify the amount of high-level context information. The researchers then used a series of questions and games and then leveraged on machine learning to establish the stroke velocity, duration, and stroke intervals. These recording were done on a specially modified LG Nexus Android phone. The researchers claim that the machine learning results were 92% accurate.
“Now that we have validated the ability to obtain high-level context information based on touch events alone, we recognize that touch injection attacks are more significant potential threat,” warned Oren.
“Using this analysis defensively, we can also stop attacks by identifying anomalies in a user’s typical phone use and deter unauthorized or malicious phone use.”
Oren and team presented their findings at the Second International Symposium on Cybersecurity, Cryptography, and Machine Learning (CSCML) that ran June 21-22 in Beer-Sheva, Israel. The BGU team of researchers include the following undergraduate students; Tal Shkonik, Moran Azaran, and Niv Ben-Shabat.
