Hacking in the Blind: (Almost) Invisible Runtime User Interface Attacks
Luka Malisa, Kari Kostiainen, Thomas Knell, David Sommer, and Srdjan Capkun
{firstname.lastname}@inf.ethz.ch
User Interfaces
• Used for daily and critical tasks
• Consist of input and output
[Diagram: the user interface sits between the user and the computer system; input flows from the user to the system, output from the system back to the user.]
User Interface Attacks
[Diagram: the same input/output path, with several apps (App, App, …) running on the computer system.]
• UI attacks are often possible
Existing Command Injection Attacks
[Diagram: the attack device registers with the host as (1) a new keyboard and (2) a new mouse.]
• Benefits
  1. Brief and non-invasive
  2. Bypass security features
• Drawbacks
  - Registers new peripherals
  - Installs malware
  - Assumes the user is not present
Limitations
• Observations
  1. Hardened devices
  2. Malware installation not possible
  3. Damaging attacks possible only when the user is present
Can we attack without installing malware?
Our Attack
• Benefits
  + Does not install new peripherals
  + Does not install malware
  + Assumes the user is present
[Diagram: (1) the user's click is blocked, (2) the attack device injects its own input events, (3) the heart rate setting shown on the screen changes from 100 to 1000.]
Attack Demonstration

Attack Overview
Mouse Location Estimator
[Diagram: the estimator integrates the relative mouse events it observes ("Up 10px, Left 10px", "Up 100px, Left 100px", "Right 150px, Down 150px") into a cursor position on a login form with Username and Password fields.]
State Tracking
[Diagram: login dialog with Cancel/Login buttons, shown twice: the empty form, and the form filled in with Username "John Doe" and Password "******".]
State Tracking
[State diagram: State 0 is the login dialog with Button 1 "Login" and Button 2 "Cancel". Transitions: (1) a click outside any button stays in State 0; (2) clicking "Login" leads to State 1; (3) clicking "Cancel" leads to State 2. A follow-up dialog offers Cancel/OK buttons.]
State Tracking
• Maintain all possible options (every UI state the observed clicks could have reached)
• Strategies to assign probabilities
  1. Both buttons are equally likely
  2. "Cancel" is more likely (more area)
  3. "Login" is more likely (clicked more often)
• Introduce expert knowledge through assumptions on probabilities
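The mouse location estimator and the state tracker together, as an added example that is not the authors' code and not taken from the paper: a small particle filter in Python that sees only what a device observing the mouse stream would see, relative movements and clicks, never the screen, and keeps every UI state the click sequence could have reached, weighted by one of the three strategies above. The screen size, the two-step login UI, the button rectangles, the 0.05 weight for a click that lands on no button, and the assumption that the OS clamps the cursor to the screen edge are all constructed for this example.

```python
"""Blind UI state tracker: a particle filter over (UI state, cursor position).

Constructed example, not the authors' code. The tracker never sees the screen;
it only receives relative mouse movements (dx, dy) and clicks. Screen size, UI
model, button rectangles and constants are assumptions made for this example.
"""
from collections import defaultdict

SCREEN_W, SCREEN_H = 800, 600   # assumed screen geometry
P_CLICK_OUTSIDE = 0.05          # assumed weight for a click that hits no button
GRID = 10                       # spacing of candidate click positions inside a button

# Assumed UI model: state -> {button: (x0, y0, x1, y1, next_state)}.
# Cancel is deliberately wider than Login so the "more area" strategy is visible.
UI_MODEL = {
    "login":   {"Cancel": (300, 400, 420, 440, "closed"),
                "Login":  (440, 400, 540, 440, "welcome")},
    "welcome": {"OK":     (370, 300, 470, 340, "done")},
    "closed":  {},
    "done":    {},
}

def area(rect):
    x0, y0, x1, y1, _ = rect
    return (x1 - x0) * (y1 - y0)

def button_prior(state, strategy, click_counts=None):
    """Probability that a click in `state` lands on each button (the three strategies)."""
    buttons = UI_MODEL[state]
    if not buttons:
        return {}
    if strategy == "uniform":        # 1. both buttons equally likely
        w = {b: 1.0 for b in buttons}
    elif strategy == "area":         # 2. the bigger button is more likely
        w = {b: float(area(r)) for b, r in buttons.items()}
    elif strategy == "frequency":    # 3. the more often clicked button is more likely
        w = {b: 1.0 + (click_counts or {}).get(b, 0) for b in buttons}
    else:
        raise ValueError(strategy)
    total = sum(w.values())
    return {b: v / total for b, v in w.items()}

def hit(state, x, y):
    """Return (button, next_state) under the cursor in `state`, or None."""
    for name, (x0, y0, x1, y1, nxt) in UI_MODEL[state].items():
        if x0 <= x < x1 and y0 <= y < y1:
            return name, nxt
    return None

class BlindTracker:
    def __init__(self, start_state="login", strategy="uniform", click_counts=None):
        self.start_state, self.strategy, self.click_counts = start_state, strategy, click_counts
        self.particles = []          # [state, x, y, weight]; empty until the first click

    def _seed(self):
        # The absolute cursor position is unknown until the first click, which must
        # have landed inside one of the buttons: one particle per grid cell of each.
        prior = button_prior(self.start_state, self.strategy, self.click_counts)
        for name, (x0, y0, x1, y1, nxt) in UI_MODEL[self.start_state].items():
            cells = [(x, y) for x in range(x0, x1, GRID) for y in range(y0, y1, GRID)]
            for x, y in cells:
                self.particles.append([nxt, x, y, prior[name] / len(cells)])

    def move(self, dx, dy):
        """Relative mouse event. Assumption: the OS clamps the cursor to the screen."""
        for p in self.particles:
            p[1] = min(max(p[1] + dx, 0), SCREEN_W - 1)
            p[2] = min(max(p[2] + dy, 0), SCREEN_H - 1)

    def click(self):
        if not self.particles:
            self._seed()
            return
        for p in self.particles:
            h = hit(p[0], p[1], p[2])
            if h is None:            # click outside any button: state unchanged, down-weighted
                p[3] *= P_CLICK_OUTSIDE
            else:
                name, nxt = h
                p[3] *= button_prior(p[0], self.strategy, self.click_counts)[name]
                p[0] = nxt
        total = sum(p[3] for p in self.particles)
        for p in self.particles:
            p[3] /= total

    def state_belief(self):
        """Posterior probability of each UI state, rounded for readability."""
        belief = defaultdict(float)
        for state, _, _, w in self.particles:
            belief[state] += w
        return {s: round(w, 3) for s, w in sorted(belief.items())}

def run_login_scenario(strategy="uniform"):
    """Constructed session: the user clicks Login, moves up-left, then clicks OK."""
    t = BlindTracker("login", strategy)
    t.click()                        # first click: Login or Cancel? both stay possible
    ambiguous = t.state_belief()
    t.move(-70, -100)                # relative motion reported by the mouse
    t.click()                        # only the Login path puts the cursor on OK
    return ambiguous, t.state_belief()

if __name__ == "__main__":
    for s in ("uniform", "area"):
        print(s, *run_login_scenario(s))
```

After the first click the tracker is split between the two buttons according to the chosen strategy; the second click resolves it, because only the Login hypothesis places the cursor on the OK button after the observed movement, while the Cancel hypothesis has to explain the click as a low-probability click on nothing. The 90%-after-10-clicks figure on the evaluation slide is for the real system; this toy only shows why each additional click sharpens the belief.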
Attack Overview (continued)
User Interface Models
[Diagram: an e-banking UI with "Pay to:" and "Amount:" text fields and Cancel/Submit buttons, abstracted as Text, Text, Button, Button. A partial model covers only the e-banking UI; a full model covers the whole application.]
Attack Applicability
• Is the UI unique?
  - Yes: partial model
  - No: is the app simple?
    - Yes: full model
    - No: not applicable
Evaluation: Simulated Pacemaker Programmer
• State estimation accuracy: 90% after 10 clicks
• Attack success rate: >90%
Evaluation: E-Banking
• Attack success rate: >90%
• Processing delay: 40 ms
Countermeasures
• Preventing our attack
  1. Trusted path
  2. Biometrics
  3. Randomized UIs
  (See paper for others)
Discussion
• No signs of attacks in the wild, but the hardware exists
• Attack device is easy to miniaturize
• Small footprint
Conclusion
• Hacking in the Blind
  - A novel UI attack
  - Easy to deploy
  - Invisible to malware detection
  - Accurate and stealthy
Thank you!