Princeton University

School of Engineering & Applied Science

User Authentication and Security Vulnerabilities Using Smartphone Sensors and Machine Learning

Wei-han Lee
Prof. Lee
Engineering Quadrangle J-401
Monday, November 19, 2018 - 10:00am to 11:30am


The ubiquity of smartphones, together with their ever-growing computing, networking, and sensing power, has been increasingly changing the landscape of our daily lives. These devices are often equipped with various embedded sensors including GPS, camera, microphone, environmental sensors, and motion sensors. There have been countless advances in effectively utilizing these sensors to improve the convenience of smartphone users. With the increasing development of embedded sensors in smartphones, the risk of leaking users' sensitive information through these sensors has raised privacy and security concerns. In this thesis, we aim to 1) improve mobile security by developing advanced user authentication systems that utilize mobile sensors; and 2) discover new vulnerabilities of the innocuous motion sensors embedded in mobile devices.

User authentication is essential to thwart the privacy breaches possible through attacks on smartphones. Current login mechanisms use explicit authentication, which requires users' participation, e.g., passwords and fingerprints. However, repeated explicit authentications are not convenient for users, and the system does not automatically authenticate the user again after the user passes the initial authentication. This creates a significant risk that adversaries take control of users' smartphones after the legitimate users' initial login. To protect smartphones from adversaries, we propose secure re-authentication systems that exploit the embedded sensors of smartphones to achieve accurate authentication performance implicitly, efficiently, and continuously.

Among the built-in sensors of mobile devices, some require users' permissions to obtain access because these sensors are explicitly utilized for collecting the users' sensitive information. Motion sensors, such as the accelerometer, gyroscope and rotation sensor, do not require users' permissions, probably due to the assumption that data collected by these sensors are not sensitive. However, motion sensors are still vulnerable to privacy attacks since their measurements are closely correlated with users' sensitive behavior patterns. We propose an attack to explore the feasibility of inferring users' inputs on the smartphone touchscreen using sensor data collected from motion sensors.

Overall, this work analyzes various aspects of authentication and security vulnerabilities of smartphone sensors, in order to discover new opportunities and challenges for smartphone security.