SPIES Lab, Computer Science and Engineering

ZEBRA Attack

Pitfalls in Designing Zero-Effort Deauthentication: Opportunistic Human Observation Attacks.

Deauthentication is an important component of any authentication system. The widespread use of computing devices in daily life has underscored the need for zero-effort deauthentication schemes. However, the quest for eliminating user effort may lead to hidden security flaws in the authentication schemes.
As a case in point, we investigate a prominent zero-effort bilateral deauthentication scheme called ZEBRA, which provides an interesting and a useful solution to a difficult problem as demonstrated in the original paper. ZEBRA is intended for scenarios where users authenticate to “terminals” (such as desktop computers). In such scenarios, users typically have to either manually deauthenticate themselves by logging out or locking the terminal, or the terminal can deauthenticate a user automatically after a sufficiently long period of inactivity. The former requires user effort while the latter sacrifices promptness. ZEBRA attempts to make the process of deauthentication both prompt and transparent: once a user is authenticated to a terminal (using say a password), it continuously, yet transparently re-authenticates the user so that prompt deauthentication is possible without explicit user action. A user is required to wear a bracelet equipped with sensors on his mouse holding hand. The bracelet is wirelessly connected to the terminal, which compares the sequence of events it observes (e.g., keyboard/mouse interactions) with the sequence of events inferred using measurements from the bracelet sensors. The logged-in user is deauthenticated when the two sequences no longer match.

benign

Figure1 : Normal operation of ZEBRA [Mare et al.; Oakland’14]

 
ZEBRA is particularly compelling because of its simplicity of design. However, the simplicity hides a design assumption that an adversary can exploit to defeat the scheme. We show how a more realistic adversary can circumvent ZEBRA. We identify a subtle incorrect assumption in its adversary model that leads to a fundamental design flaw. We exploit this to break the scheme with a class of attacks (Figure 2 shows the basic attack settings) that are much easier for a human to perform in a realistic adversary model, compared to the naive attacks studied in the ZEBRA paper. For example, one of our main attacks, where the human attacker has to opportunistically mimic only the victim’s keyboard typing activity at a nearby terminal, is significantly more successful compared to the naive attack that requires mimicking keyboard and mouse activities as well as keyboard-mouse movements. Further, by understanding the design flaws in ZEBRA as cases of tainted input, we show that we can draw on well-understood design principles to improve ZEBRA’s security.

attack-scenarios

Figure 2: Basic attack setting

 

People

Faculty

Student

External Collaborators:

  • Otto Huhta (PhD student; Aalto University; Now Master Expert at Nordea)
  • Swapnil Udar (MS student; Aalto University; Now Sr. Software Engineer at TomTom)
  • Mika Juuti (PhD student; Aalto University)
  • N. Asokan (Professor; Aalto University and the University of Helsinki)

Publications

Media Coverage