Abstract

The pervasiveness of wearable devices equipped with state-of-the-art sensors has demonstrated their powerful capabilities in context-aware applications. However, embedded sensors also become targets for adversaries launching side-channel attacks. In this paper, we present a self-adaptive and pretraining-independent pattern attack that infers a graphical password by recovering the victim's hand movement trajectory via the motion sensors of a wrist-worn smart device. With the adaptive pattern inference algorithm, the discovered attack can be launched remotely without requiring previous training data from victims or prior knowledge of the keyboard input settings. To realize the proposed attack, we create a method to detect the sliding behavior that draws a graphical password on the screen. We also propose an inference algorithm to generate password candidates from hand movement trajectories for different keypad input settings. We implement the discovered attack on a smartwatch and conduct experiments to evaluate its impact. The evaluation results show that for complex graphical patterns, with a single try, the attack can infer the passwords at a success rate as high as 80%, and the success rate can be further boosted to over 90% within five attempts, which reveals the overlooked privacy threat caused by sensor data leakage.
