Hacking in the Blind:(Almost) Invisible Runtime User Interface Attacks

Luka Malisa, Kari Kostiainen, Thomas Knell, David Sommer, and Srdjan Capkun

{firstname.lastname}@inf.ethz.ch knellt@student.ethz.ch

• Used for daily and critical tasks

• Consists of input and output

Computer System

User Interfaces

2

Output

InputUser Interface

User Interface Attacks

3

Input Output

Computer System

App

App…

UI Attacks are often possible

1. Brief and non-invasive

2. Bypass security features

• Drawbacks

- Registers new peripherals- Installs malware- Assume user not present

Existing Command Injection Attacks

4

1. New Keyboard2. New Mouse

Limitations

5

• Observations

1. Hardened devices

2. Malware installation not possible

3. Damaging attacks possible only when user is present

Can we attack without installing malware?

• Benefits

+ Does not install new peripherals

+ Does not install malware

+ Assume user is present

Our Attack

6

!!!

1. Click Blocked2. Inject Events

Heart rate = 100

1. Click Blocked2. Inject Events3. Heart rate = 1000

Our Attack

7

!!!

Attack Demonstration

8

Attack Overview

9

Mouse Location Estimator

10

Mouse Events:Up 10px Left 10px

Mouse Events:Up 100px Left 100px

Mouse Events:Right 150px Down 150px

Username:

Password:

State Tracking

11

CancelLogin

John Doe

******

CancelLogin

State Tracking

12

CancelOK

Button 2Button 1

2 Click “Login”

State 0

State 2State 1State 0

3 Click “Cancel”1 Click outside

State Tracking

• Maintain all possible options

• Strategies to assign probabilities

1. Both buttons are equally likely

2. “Cancel” is more likely (more area)

3. “Login” is more likely (clicked more often)

• Introduce expert knowledge through assumptions on probabilities

13

CancelLogin

Attack Overview

14

User Interface Models

15

Pay to:

Amount:

CancelSubmit

Text

Button

Button

Full Model

Partial Model E-Banking UI

Text

Application

Attack Applicability

16

UI unique?

Partial model App simple?

Not applicableFull model

Yes No

Yes No

Evaluation

17Simulated Pacemaker Programmer

State Estimation Accuracy:90% after 10 clicks

Attack Success Rate: >90%

Evaluation

18E-Banking

Attack Success Rate: >90% Processing Delay: 40ms

Countermeasures

19

• Preventing our attack

1. Trusted path

2. Biometrics

3. Randomized UIs

(See paper for others)

Discussion

20

• No signs of attacks in the wild, but hardware exists

• Attack device easy to minimize

• Small footprint

Conclusion

21

• Hacking-in-the-Blind

• A novel UI attack

• Easy to deploy

• Invisible to malware detection

• Accurate and stealthy

Thank you!