NDLI: The Sounds of the Phones: Dangers of Zero-Effort Second Factor Login based on Ambient Audio

Please wait, while we are loading the content...

Cybersecurity, Nuclear Security, Alan Turing, and Illogical Logic

On the Security and Performance of Proof of Work Blockchains

Differential Privacy as a Mutual Information Constraint

The Misuse of Android Unix Domain Sockets and Security Implications

Strong Non-Interference and Type-Directed Higher-Order Masking

On the Instability of Bitcoin Without the Block Reward

EpicRec: Towards Practical Differentially Private Framework for Personalized Recommendation

AUDACIOUS: User-Driven Access Control with Unmodified Operating Systems

Safe Serializable Secure Scheduling: Transactions and the Trade-Off Between Security and Consistency

Making Smart Contracts Smarter

DPSense: Differentially Private Crowdsourced Spectrum Sensing

TaintART: A Practical Multi-level Information-Flow Tracking System for Android RunTime

Prefetch Side-Channel Attacks: Bypassing SMAP and Kernel ASLR

Improvements to Secure Computation with Penalties

Message-Recovery Attacks on Feistel-Based Format Preserving Encryption

Scalable Graph-based Bug Search for Firmware Images

TypeSan: Practical Type Confusion Detection

Alternative Implementations of Secure Real Numbers

MEMS Gyroscopes as Physical Unclonable Functions

Measurement and Analysis of Private Key Sharing in the HTTPS Ecosystem

How I Learned to be Secure: a Census-Representative Survey of Security Advice Sources and Behavior

SandScout: Automatic Detection of Flaws in iOS Sandbox Profiles

SANA: Secure and Scalable Aggregate Network Attestation

Acing the IOC Game: Toward Automatic Discovery and Analysis of Open-Source Cyber Threat Intelligence

An In-Depth Study of More Than Ten Years of Java Exploitation

High-Throughput Semi-Honest Secure Three-Party Computation with an Honest Majority

Covert Channels through Random Number Generator: Mechanisms, Capacity Estimation and Mitigations

Leave Your Phone at the Door: Side Channels that Reveal Factory Floor Secrets

UniSan: Proactive Kernel Memory Initialization to Eliminate Data Leakages

5Gen: A Framework for Prototyping Applications Using Multilinear Maps and Matrix Branching Programs

On Code Execution Tracking via Power Side-Channel

Using Reflexive Eye Movements for Fast Challenge-Response Authentication

Limiting the Impact of Stealthy Attacks on Industrial Control Systems

POPE: Partial Order Preserving Encoding

Practical Anonymous Password Authentication and TLS with Anonymous Client Authentication

An Empirical Study of Mnemonic Sentence-based Password Generation Strategies

PIPSEA: A Practical IPsec Gateway on Embedded APUs

Function Secret Sharing: Improvements and Extensions

A Surfeit of SSH Cipher Suites

Content Security Problems?: Evaluating the Effectiveness of Content Security Policy in the Wild

PhishEye: Live Monitoring of Sandboxed Phishing Kits

A Unilateral-to-Mutual Authentication Compiler for Key Exchange (with Applications to Client Authentication in TLS 1.3)

Generic Attacks on Secure Outsourced Databases

Host of Troubles: Multiple Host Ambiguities in HTTP Implementations

Safely Measuring Tor

A Protocol for Privately Reporting Ad Impressions at Scale

ECDSA Key Extraction from Mobile Devices via Nonintrusive Physical Side Channels

Android ION Hazard: the Curse of Customizable Memory Management System

Slitheen: Perfectly Imitated Decoy Routing through Traffic Replacement

POSTER: An Educational Network Protocol for Covert Channel Analysis Using Patterns

DEMO: Easy Deployment of a Secure Internet Architecture for the 21st Century: How hard can it be to build a secure Internet?

Program Anomaly Detection: Methodology and Practices

MTD 2016: Third ACM Workshop on Moving Target Defense

9th International Workshop on Artificial Intelligence and Security: AISec 2016

A Secure Sharding Protocol For Open Blockchains

Advanced Probabilistic Couplings for Differential Privacy

Call Me Back!: Attacks on System Server and System Apps in Android through Synchronous Callback

MERS: Statistical Test Generation for Side-Channel Analysis based Trojan Detection

Transparency Overlays and Applications

Heavy Hitter Estimation over Set-Valued Data with Local Differential Privacy

Mix&Slice: Efficient Access Revocation in the Cloud

ProvUSB: Block-level Provenance-Based Data Protection for USB Storage Devices

Town Crier: An Authenticated Data Feed for Smart Contracts

Deep Learning with Differential Privacy

Statistical Deobfuscation of Android Applications

Breaking Kernel Address Space Layout Randomization with Intel TSX

Amortizing Secure Computation with Penalties

On the Practical (In-)Security of 64-bit Block Ciphers: Collision Attacks on HTTP over TLS and OpenVPN

SmartWalk: Enhancing Social Network Security via Adaptive Random Walks

CREDAL: Towards Locating a Memory Corruption Vulnerability with Your Core Dump

Garbling Gadgets for Boolean and Arithmetic Circuits

On the Security and Usability of Segment-based Visual Cryptographic Authentication Protocols

Chainsaw: Chained Automated Workflow-based Exploit Generation

Practical Detection of Entropy Loss in Pseudo-Random Number Generators

Computational Soundness for Dalvik Bytecode

C-FLAT: Control-Flow Attestation for Embedded Systems Software

FeatureSmith: Automatically Engineering Features for Malware Detection by Mining the Security Literature

"The Web/Local" Boundary Is Fuzzy: A Security Study of Chrome's Process-based Sandboxing

Efficient Batched Oblivious PRF with Applications to Private Set Intersection

Return-Oriented Flush-Reload Side Channels on ARM and Their Implications for Android Devices

My Smartphone Knows What You Print: Exploring Smartphone-based Side-channel Attacks Against 3D Printers

iLock: Immediate and Automatic Locking of Mobile Devices against Data Theft

Λολ: Functional Lattice Cryptography

Coverage-based Greybox Fuzzing as Markov Chain

When CSI Meets Public WiFi: Inferring Your Mobile Phone Password via WiFi Signals

Over-The-Top Bypass: Study of a Recent Telephony Fraud

∑oφoς: Forward Secure Searchable Encryption

Efficient Cryptographic Password Hardening Services from Partially Oblivious Commitments

On the Security of Cracking-Resistant Password Vaults

MiddlePolice: Toward Enforcing Destination-Defined Policies in the Middle of the Internet

Hash First, Argue Later: Adaptive Verifiable Computations on Outsourced Data

Systematic Fuzzing and Testing of TLS Libraries

CSP Is Dead, Long Live CSP! On the Insecurity of Whitelists and the Future of Content Security Policy

All Your DNS Records Point to Us: Understanding the Security Threats of Dangling DNS Records

Attribute-based Key Exchange with General Policies

The Shadow Nemesis: Inference Attacks on Efficiently Deployable, Efficiently Searchable Encryption

Accessorize to a Crime: Real and Stealthy Attacks on State-of-the-Art Face Recognition

PREDATOR: Proactive Recognition and Elimination of Domain Abuse at Time-Of-Registration

Secure Stable Matching at Scale

"Make Sure DSA Signing Exponentiations Really are Constant-Time"

Drammer: Deterministic Rowhammer Attacks on Mobile Platforms

Practical Censorship Evasion Leveraging Content Delivery Networks

POSTER: A Behavioural Authentication System for Mobile Users

DEMO: High-Throughput Secure Three-Party Computation of Kerberos Ticket Generation

Security on Wheels: Security and Privacy for Vehicular Communication Systems

PLAS'16: ACM SIGPLAN 11th Workshop on Programming Languages and Analysis for Security

CCSW'16: 8th ACM Cloud Computing Security Workshop

The Honey Badger of BFT Protocols

Differentially Private Bayesian Programming

Draco: A System for Uniform and Fine-grained Access Control for Web Code on Android

Private Circuits III: Hardware Trojan-Resilience via Testing Amplification

The Ring of Gyges: Investigating the Future of Criminal Smart Contracts

Membership Privacy in MicroRNA-based Studies

Reliable Third-Party Library Detection in Android and its Security Applications

Enforcing Least Privilege Memory Views for Multithreaded Applications

MPC-Friendly Symmetric Key Primitives

A Systematic Analysis of the Juniper Dual EC Incident

High Fidelity Data Reduction for Big Data Security Dependency Analyses

Twice the Bits, Twice the Trouble: Vulnerabilities Induced by Migrating to 64-Bit Platforms

Optimizing Semi-Honest Secure Multiparty Computation for the Internet

Instant and Robust Authentication and Key Agreement among Mobile Devices

CSPAutoGen: Black-box Enforcement of Content Security Policy upon Real-world Websites

Build It, Break It, Fix It: Contesting Secure Development

MASCOT: Faster Malicious Arithmetic Secure Computation with Oblivious Transfer

A Software Approach to Defeating Side Channels in Last-Level Caches

The Sounds of the Phones: Dangers of Zero-Effort Second Factor Login based on Ambient Audio

Hypnoguard: Protecting Secrets across Sleep-wake Cycles

Frodo: Take off the Ring! Practical, Quantum-Secure Key Exchange from LWE

Error Handling of In-vehicle Networks Makes Them Vulnerable

VoiceLive: A Phoneme Localization based Liveness Detection for Voice Authentication on Smartphones

New Security Threats Caused by IMS-based SMS Service in 4G LTE Networks

What Else is Revealed by Order-Revealing Encryption?

A Comprehensive Formal Security Analysis of OAuth 2.0

Targeted Online Password Guessing: An Underestimated Threat

Protecting Insecure Communications with Topology-aware Network Tunnels

Practical Non-Malleable Codes from l-more Extractable Hash Functions

Attacking OpenSSL Implementation of ECDSA with a Few Signatures

Online Tracking: A 1-million-site Measurement and Analysis

Identifying the Scan and Attack Infrastructures Behind Amplification DDoS Attacks

Identity-Concealed Authenticated Encryption and Key Exchange

Breaking Web Applications Built On Top of Encrypted Data

Lurking Malice in the Cloud: Understanding and Detecting Cloud Repository as a Malicious Service

Stemming Downlink Leakage from Training Sequences in Multi-User MIMO Networks

BeleniosRF: A Non-interactive Receipt-Free Electronic Voting Scheme

On the Provable Security of (EC)DSA Signatures

SFADiff: Automated Evasion Attacks and Fingerprinting Using Black-box Differential Automata Learning

GAME OF DECOYS: Optimal Decoy Routing Through Game Theory

POSTER: A Keyless Efficient Algorithm for Data Protection by Means of Fragmentation

DEMO: Integrating MPC in Big Data Workflows

Condensed Cryptographic Currencies Crash Course (C5)

SafeConfig'16: Testing and Evaluation for Active and Resilient Cyber Systems

Second Workshop on Cyber-Physical Systems Security and PrivaCy (CPS-SPC'16)

Order-Revealing Encryption: New Constructions, Applications, and Lower Bounds

POSTER: Accuracy vs. Time Cost: Detecting Android Malware through Pareto Ensemble Pruning

DEMO: OffPAD - Offline Personal Authenticating Device with Applications in Hospitals and e-Banking

Introduction to Credit Networks: Security, Privacy, and Applications

Sixth Annual ACM CCS Workshop on Security and Privacy in Smartphones and Mobile Devices (SPSM 2016)

2nd International Workshop on Software Protection: SPRO 2016

POSTER: Attack on Non-Linear Physical Unclonable Function

DEMO: Starving Permission-Hungry Android Apps Using SecuRank

On the Security and Scalability of Bitcoin's Blockchain

Theory of Implementation Security Workshop (TIs 2016)

Sixth International Workshop on Trustworthy Embedded Devices (TrustED 2016)

POSTER: ConcurORAM: High-Throughput Parallel Multi-Client ORAM

Privacy and Security in the Genomic Era

WISCS'16: The 3rd ACM Workshop on Information Sharing and Collaborative Security

MIST 2016: 8th International Workshop on Managing Insider Security Threats

POSTER: DataLair: A Storage Block Device with Plausible Deniability

Adversarial Data Mining: Big Data Meets Cyber Security

15th Workshop on Privacy in the Electronic Society (WPES 2016)

POSTER: DroidShield: Protecting User Applications from Normal World Access

POSTER: Efficient Cross-User Chunk-Level Client-Side Data Deduplication with Symmetrically Encrypted Two-Party Interactions

POSTER: Fingerprinting Tor Hidden Services

POSTER: I Don't Want That Content! On the Risks of Exploiting Bitcoin's Blockchain as a Content Store

POSTER: Identifying Dynamic Data Structures in Malware

POSTER: Improved Markov Strength Meters for Passwords

POSTER: Insights of Antivirus Relationships when Detecting Android Malware: A Data Analytics Approach

POSTER: KXRay: Introspecting the Kernel for Rootkit Timing Footprints

POSTER: Locally Virtualized Environment for Mitigating Ransomware Threat

POSTER: Mapping the Landscape of Large-Scale Vulnerability Notifications

POSTER: Phishing Website Detection with a Multiphase Framework to Find Visual Similarity

POSTER: Privacy Enhanced Secure Location Verification

POSTER: Re-Thinking Risks and Rewards for Trusted Third Parties

POSTER: RIA: an Audition-based Method to Protect the Runtime Integrity of MapReduce Applications

POSTER: Security Enhanced Administrative Role Based Access Control Models

POSTER: (Semi)-Supervised Machine Learning Approaches for Network Security in High-Dimensional Network Data

POSTER: Static ROP Chain Detection Based on Hidden Markov Model Considering ROP Chain Integrity

POSTER: The ART of App Compartmentalization

POSTER: Toward Automating the Generation of Malware Analysis Reports Using the Sandbox Logs

POSTER: Towards Collaboratively Supporting Decision Makers in Choosing Suitable Authentication Schemes

POSTER: Towards Exposing Internet of Things: A Roadmap

POSTER: Towards Highly Interactive Honeypots for Industrial Control Systems

POSTER: Towards Privacy-Preserving Biometric Identification in Cloud Computing

POSTER: VUDEC: A Framework for Vulnerability Management in Decentralized Communication Networks

POSTER: Weighing in eHealth Security

POSTER: WiPING: Wi-Fi signal-based PIN Guessing attack

The Sounds of the Phones: Dangers of Zero-Effort Second Factor Login based on Ambient Audio

Content Provider	ACM Digital Library
Author	Shrestha, Babins Shrestha, Prakash Shirvanian, Maliheh Saxena, Nitesh
Abstract	Reducing user burden underlying traditional two-factor authentication constitutes an important research effort. An interesting representative approach, Sound-Proof, leverages ambient sounds to detect the proximity between the second factor device (phone) and the login terminal (browser). Sound-Proof was shown to be secure against remote attackers and highly usable, and is now under early deployment phases. In this paper, we identify a weakness of the Sound-Proof system, namely, the remote attacker does not have to predict the ambient sounds near the phone as assumed in the Sound-Proof paper, but rather can deliberately make-or wait for-the phone to produce predictable or previously known sounds (e.g., ringer, notification or alarm sounds). Exploiting this weakness, we build Sound-Danger, a full attack system that can successfully compromise the security of Sound-Proof. The attack involves buzzing the victim user's phone, or waiting for the phone to buzz, and feeding the corresponding sounds at the browser to login on behalf of the user. The attack works precisely under Sound-Proof's threat model. Our contributions are three-fold. First, we design and develop the Sound-Danger attack system that exploits a wide range of a smartphone's functionality to break Sound-Proof, such as by actively making a phone or VoIP call, sending an SMS and creating an app-based notification, or by passively waiting for the phone to trigger an alarm. Second, we re-implement Sound-Proof's audio correlation algorithm and evaluate it against Sound-Danger under a large variety of attack settings. Our results show that many of our attacks succeed with a 100% chance such that the Sound-Proof correlation algorithm will accept the attacked audio samples as valid. Third, we collect general population statistics via an online survey to determine the phone usage habits relevant to our attacks. We then use these statistics to show how our different correlation-based attacks can be carefully executed to, for instance, compromise about 57% user accounts in just the first attempt and about 83% user accounts in less than a day. Finally, we provide some mitigation strategies and future directions that may help overcome some of our attacks and strengthen Sound-Proof.
Starting Page	908
Ending Page	919
Page Count	12
File Format	PDF
ISBN	9781450341394
DOI	10.1145/2976749.2978328
Language	English
Publisher	Association for Computing Machinery (ACM)
Publisher Date	2016-10-24
Publisher Place	New York
Access Restriction	Subscribed
Subject Keyword	Smartphones Two-factor authentication Ambient audio correlation Audio attack Zero-effort
Content Type	Text
Resource Type	Article

Central Library (ISO-9001:2015 Certified)
Indian Institute of Technology Kharagpur
Kharagpur, West Bengal, India | PIN - 721302

See location in the Map
03222 282435
Mail: support@ndl.gov.in

Sl.	Authority	Responsibilities	Communication Details
1	Ministry of Education (GoI), Department of Higher Education	Sanctioning Authority	https://www.education.gov.in/ict-initiatives
2	Indian Institute of Technology Kharagpur	Host Institute of the Project: The host institute of the project is responsible for providing infrastructure support and hosting the project	https://www.iitkgp.ac.in
3	National Digital Library of India Office, Indian Institute of Technology Kharagpur	The administrative and infrastructural headquarters of the project	Dr. B. Sutradhar bsutra@ndl.gov.in
4	Project PI / Joint PI	Principal Investigator and Joint Principal Investigators of the project	Dr. B. Sutradhar bsutra@ndl.gov.in Prof. Saswat Chakrabarti will be added soon
5	Website/Portal (Helpdesk)	Queries regarding NDLI and its services	support@ndl.gov.in
6	Contents and Copyright Issues	Queries related to content curation and copyright issues	content@ndl.gov.in
7	National Digital Library of India Club (NDLI Club)	Queries related to NDLI Club formation, support, user awareness program, seminar/symposium, collaboration, social media, promotion, and outreach	clubsupport@ndl.gov.in
8	Digital Preservation Centre (DPC)	Assistance with digitizing and archiving copyright-free printed books	dpc@ndl.gov.in
9	IDR Setup or Support	Queries related to establishment and support of Institutional Digital Repository (IDR) and IDR workshops	idr@ndl.gov.in