
Time to Correct Misunderstanding of Mouse



Distance (m)     1    3    5    10   15    30
Loss rate (%)    0    0    0.2  1.4  27.1  97.8

We now use emulation to show how packet loss affects the success rate of inferring passwords, because it is not easy to control the loss rate in real-world experiments. The data is from the large-size on-screen keyboard on openSUSE 11.1. For each loss rate, we first randomly discard raw mouse packets from the original loss-free data set captured by FTS4BT at that specific loss rate and form a new set of raw mouse packets. We then apply either the basic inferring approach or the enhanced inferring approach to the new set of raw mouse packets. In this way we can compute the success rate at the specific packet loss rate. Figure 12 shows the success rate of the basic inferring approach at different packet loss rates. We observe that when the packet loss rate is less than 2%, i.e., when the distance is 10 meters or less, the basic inferring approach achieves a very high success rate of around 80%. Figure 13 shows the success rate of the enhanced inferring approach at different packet loss rates. The confidence interval for both figures is computed over 10 emulations. When the packet loss rate is less than 1%, the enhanced inferring approach achieves a success rate near 80%. Comparing Figure 12 with Figure 13, we can see that when the packet loss rate is less than 1%, the success rate does not decrease sharply for either the basic or the enhanced inferring
2.4 Inferring Character Sequence

A cursor clicking topology is formed by connecting all clicking points in the reconstructed trajectory. Recall that the reconstruction can be conducted by either the prediction or the replay attack from raw mouse movement data. We now introduce the basic approach to infer the character sequence from a cursor clicking topology. The basic approach directly maps the clicking topology onto an on-screen keyboard. Assume that we have derived the raw mouse data that contain clicks on a soft keyboard; we can then derive the clicking topology. However, we do not know the exact starting point of the trajectory and therefore cannot determine which keys were clicked. To derive all candidates, i.e., all possible character sequences corresponding to the trajectory, we move the cursor clicking topology from the top left to the bottom right of the on-screen keyboard area. As the topology moves, the clicking points may produce a character sequence, and we record all distinct character sequences. Hence a set of character sequences based on a cursor clicking topology can be derived. We denote this set as the candidate character sequences. The true character sequence must be one of the candidates if there is no packet loss and the packet timing is correct. The challenge of this approach is that it may generate a large number of candidates. To reduce the number of candidate character sequences, an enhanced inferr
(i) Bluetooth packet loss during sniffing and (ii) the randomness of packet arrival time.

3.1 Impact of Bluetooth Packet Loss

A Bluetooth sniffer may miss packets due to fading or interference, such as that from a wireless LAN. We designed the following experiments with FTS4BT to measure how many pixels may be missing from the reconstructed on-screen cursor trajectory if a Bluetooth packet is lost. A user uses a computer with a Bluetooth mouse (Logitech MX 5500) for surfing the Internet and playing games. At the same time, we use FTS4BT to sniff the communication between the mouse and the computer for 40 minutes. The experiment generates tens of thousands of packets; for example, there are more than 39,000 raw mouse packets in one experiment. For the lightweight acceleration algorithm, our empirical result in Figure 3 (left) shows that the mean absolute raw mouse movement distance incurred by one Bluetooth mouse packet is 4.21 pixels, with a confidence interval of [4.16, 4.26] at 95% confidence. From Figure 3 (right), which is derived from Figure 3 (left) using Algorithm 2, the mean absolute on-screen cursor movement distance is 6.76 pixels, with a confidence interval of [6.64, 6.86] at 95% confidence. Therefore, under the lightweight acceleration algorithm, missing one Bluetooth packet leads to an error of around six pixels in the predicted cursor trajectory. For the complex acceleration algorithm, losing packets deviates
… < A < 2 when (V_n > 8 and 4 < V_{n-1} < 8) or (4 < V_n < 8 and V_{n-1} ≥ 8);
A = 2 when V_n > 8 and V_{n-1} ≥ 8. (33)
mouse acceleration algorithm. Hence we propose the replay attack as well. The basic idea of the replay attack is to replay the sniffed Bluetooth packets to an impersonating computer, which uses the same OS as the victim computer, and to observe the cursor trajectory on the impersonating computer directly. For example, we can use Computer B to impersonate the victim's Bluetooth mouse and connect it to the impersonating Computer A. After setting up the connection, the fake mouse (i.e., Computer B) replays the sniffed Bluetooth mouse packets according to their timestamps. Therefore, the cursor movement on Computer A is the reconstructed mouse trajectory that we want. We have implemented the fake mouse on a Linux computer, and our fake mouse can emulate various mouse brands. To guarantee that the replayed packet timing is accurate, we use the high-resolution timer (nanosleep) and the real-time clock in Linux. The benefit of the replay attack is that we do not need to understand the complex acceleration algorithm on the victim computer if we can impersonate the victim computer in terms of the operating system. We can learn the type of operating system on the victim computer by using various scanning tools such as nmap and Nessus.

3 Analysis

In this section we discuss various factors that affect the accuracy of reconstructing the mouse cursor trajectory from sniffed raw mouse data. Specifically, we shall focus on two main factors:
with a view to sniffing and injecting packets. www.cs.ucl.ac.uk/staff/a.bittau/dom.pdf, May 2007.
[43] D. Spill and A. Bittau. BlueSniff: Eve meets Alice and Bluetooth. In Proceedings of the USENIX Workshop on Offensive Technologies (WOOT), 2007.
[44] H. Tao and C. Adams. Pass-Go: A proposal to improve the usability of graphical passwords. International Journal of Network Security, 7(2), 2008.
[45] Westpac. Westpac online banking. http://www.westpac.com.au/personal-banking/westpac-online, 2012.
[46] S. Wiedenbeck, J. Waters, J. C. Birget, A. Brodskiy, and N. Memon. PassPoints: Design and longitudinal evaluation of a graphical password system. International Journal of Human-Computer Studies, 63(1-2), 2005.
[47] Y. Nakkabi, I. Traore, and A. A. E. Ahmed. Improving mouse dynamics biometric performance using variance reduction via extractors with separate features. IEEE Transactions on Systems, Man and Cybernetics, pages 1345-1353, 2010.
[48] N. Zheng, A. Paloski, and H. Wang. An efficient user verification system via mouse movements. In Proceedings of the 18th ACM Conference on Computer and Communications Security (CCS), 2011.

Appendix A

In this appendix we present an overview of Bluetooth and discuss how to sniff Bluetooth traffic.

Introduction to Bluetooth. Bluetooth works in the unlicensed 2.4 GHz Industrial, Scientific and Medical (ISM) band. In the USA, Bluetooth divides the ISM band into 79 1 MHz-wide channe
Behavioral biometrics, as a biometric authentication technology, has proven useful in authenticating a user. For example, Pusara and Brodley [36] used mouse dynamics for re-authentication. Due to limited experiments with only eleven users, they concluded that mouse biometrics might not be sufficient for user re-authentication. Ahmed and Traore [4, 5] proposed an approach that aggregates low-level mouse events into higher-level actions, including point-and-click or drag-and-drop actions. The work of Ahmed et al. [4, 5, 47] achieved very high authentication accuracy from the analysis of 2000 mouse actions. To deploy real-time authentication, such as online re-authentication based on mouse biometrics, Zheng et al. [48] proposed fine-grained angle-based metrics to analyze mouse movement. Based on these metrics, they used Support Vector Machines (SVM) to classify users. Their results showed that high accuracy could be achieved from few mouse actions.

Footnote 10: Secure mouse, http://youtu.be/781yYdc 308

7 Conclusion

In this paper we first conducted a holistic investigation of privacy leakage from unencrypted Bluetooth mouse traffic. By reviewing the process of establishing Bluetooth connections, we demonstrated how one can sniff Bluetooth traffic through multiple sniffers or a single sniffer. We then examined the Bluetooth mouse packet semantics and presented the prediction attack and the replay attack. The two attacks a
approaches. When the packet loss rate is more than 1%, the basic inferring approach achieves a much higher success rate than the enhanced inferring approach. Hence the basic inferring approach is adopted when the packet loss rate is more than 1%. Nonetheless, recall that the basic inferring approach has a larger candidate set and therefore a higher uncertainty of guessing the correct password. Hence, if the packet loss rate is less than 1%, the enhanced inferring approach can be adopted for a lower uncertainty.

Figure 12: Success rate vs. packet loss rate by the basic approach. Figure 13: Success rate vs. packet loss rate by the enhanced approach.

4.2.5 Success Rate with Complex Acceleration in Prediction Attack

As we discussed in Section 3, the packet arrival timing affects the accuracy of reconstructing the on-screen mouse cursor trajectory for operating systems that use the complex acceleration algorithm. We conducted extensive real-world experiments on Fedora Core 13, which uses the complex acceleration algorithm, to investigate how the packet timing affects inferring passwords. Note that the data for this investigation is from the sniffer FTS4BT. To reduce the impact of timing, we should use the data starting at the time when the first click of the password occurs; this reduces the prediction error according to the discussion in Section 3. Table 3
impossible. In particular, the Universal Software Radio Peripheral 2 (USRP2) [16] is a software-defined radio device that works with GNU Radio [26], a free software toolkit for building software-defined radio devices, and can be used to demodulate and process Bluetooth packets. A USRP2 with a 2.4 GHz daughterboard can be tuned to any Bluetooth channel. One USRP2 can detect 25 channels simultaneously; thus four USRP2s are enough to sniff all 79 Bluetooth channels. Multiple Ubertooths [33] can be used for sniffing all 79 frequency channels as well [34].

2) Obtaining the hopping sequence of the target piconet. FTS4BT [17] is a commercial Bluetooth sniffer that uses this approach. To sniff Bluetooth communication between two devices, FTS4BT needs the MAC addresses of both as input, which can be collected through Ubertooth [33] with plugins for Kismet and Wireshark. FTS4BT has a few modes for sniffing. The default mode is slave inquiry, in which the sniffer performs an inquiry of the slave device to obtain its Bluetooth clock and then enters the page scan mode. The sniffer can then pretend to be the slave, as it can use the slave's Bluetooth clock and MAC address to calculate the correct page scan frequencies. Then, when the master pages the slave, the sniffer can switch to the master's Bluetooth clock and follow the master's frequency hopping sequence to capture all Bluetooth packets. Another challenge to sniffing Blue
… ≤ S(V) < 1 when 0 < V < 1. (24)

Case 2: When 4 < V < 8, from (21) we have (25), (26), (27). Hence S'(V) > 0 and S(V) is monotonically increasing when 4 < V < 8. We have the bound 1.5 < S(V) < 2 when 4 < V < 8. (28)

Case 3: When 1 < V ≤ 4, S(V) is a constant. We have S(V) = 1 when 1 < V < 4. (29)

Case 4: Similar to Case 3, when V > 8, S(V) is a constant. Then we have S(V) = 2 when V > 8. (30)

Combining Equations 24, 28, 29 and 30, we can derive the range of S(V):
  0 ≤ S(V) < 1   when 0 < V < 1
  S(V) = 1       when 1 < V ≤ 4
  1.5 < S(V) < 2 when 4 < V < 8
  S(V) = 2       when V ≥ 8          (31)

According to Equations 12 and 13, we can simplify the range of S(V) as follows:
  S(V) = 1       when 0 < V ≤ 4
  1.5 < S(V) < 2 when 4 < V < 8
  S(V) = 2       when V ≥ 8          (32)

Hence, based on Equation 4, which calculates the acceleration from the current and last velocities V_n and V_{n-1}, we can numerically derive the bounds of the acceleration as follows:
  A = 1               when 0 < V_n ≤ 4 and 0 < V_{n-1} ≤ 4
  1.083 < A < 1.167   when (0 < V_n ≤ 4 and 4 < V_{n-1} < 8) or (4 < V_n < 8 and 0 < V_{n-1} ≤ 4)
  1.417 < A < 1.703   when (0 < V_n ≤ 4 and 4 < V_{n-1} < 8) or (4 < V_n < 8 and 0 < V_{n-1} < 4)
  1.5 < A < 2         when 4 < V_n < 8 and 4 < V_{n-1} < 8
  1.583
movement to the on-screen cursor coordinate. In Linux, each hardware device is treated as a special file, i.e., a device file. The device file allows user-space applications to interact with the device driver via standard input/output system calls. In kernel space, the mousedev PS/2 emulator driver creates these device files, while the evdev generic input event driver provides APIs for user-space applications. In user space, the Xserver enforces the mouse cursor acceleration, which artificially increases the cursor speed based on how fast a user moves the mouse. For example, consider a raw mouse movement of Δx and Δy pixels on X and Y respectively; an extremely simple acceleration algorithm may double the amount of cursor movement, i.e., to (2Δx, 2Δy).

Figure 1: Linux Input Device Driver Stack (raw mouse data enters kernel space through the Bluetooth input core, the mousedev PS/2 emulator driver and the evdev generic input event driver; in user space the Xserver input event driver applies the acceleration algorithm).

To predict the cursor trajectory from the sniffed Bluetooth mouse packets, we need a precise understanding of the mouse acceleration implementation. Mouse acceleration is a feature available in most operating systems today. This feature defines the mapping betwe
of candidate passwords for both keyboards. Figures 8 and 9 show the histograms of the number of password candidates on the small- and large-size soft keyboards, respectively, through the basic inferring approach. Figures 10 and 11 show the histograms of password candidates from mouse clicking topologies on the two keyboards by the enhanced inferring approach using the hot area. From those figures we can observe that the enhanced inferring approach sharply reduces the number of candidate passwords for both the small and the large keyboard. In particular, for the small keyboard, the enhanced inferring method reduces the number of candidate passwords from the range 0-425 to 0-22. For the large-size keyboard, the enhanced inferring method reduces the number of candidate passwords from the range 0-400 to 0-15. From Figures 8 and 9 we can derive the obscurity degree. Table 1 compares the obscurity degree for basic and enhanced inferring with the lightweight acceleration algorithm. We can see that the enhanced inferring reduces

Figure 8: Histogram of password candidates on the small on-screen keyboard by basic inferring. Figure 9: Histogram of password candidates on the large on-screen keyboard by basic inferring. (x-axis: Number of Candidate Passwords)

Figure 10: Histogram of password candidates on the small on-screen keyboard by enhanced inferring. Figure 11: Histogram o
other [13, 19] if the two devices are close to each other. When the laptop receives the FHS packet from the mouse, the laptop is ready to build a connection with that particular mouse. At this point the laptop enters the page substate and runs at the paging-specific frequency hopping sequence, which is computed from the mouse's MAC address. The mouse is in the page scan substate. The procedures of page and page scan are similar to those of inquiry and inquiry scan. The paging procedure is normally shorter than the inquiry procedure, since the laptop can estimate the mouse's hopping sequence and phase (where phase refers to which frequency the device currently stays at with regard to the hopping sequence) from the FHS packet, and so has a better chance to catch up with the mouse. The worst-case page delay is 2.56 s + r, where r is a random variable uniformly distributed between 0 ms and 10 ms. Once the mouse receives the paging packet from the laptop, it enters the page response substate and sends a response packet. When the laptop receives the response, it sends its own FHS packet to the mouse. This FHS packet contains the MAC address and clock of the laptop's Bluetooth adapter. The mouse then acknowledges the FHS packet. Once the laptop's FHS packet is acknowledged by the mouse, the laptop and mouse have built the connection and can run upper-layer applications such as service discovery and pairing. During the state of c
the other device has output capabilities [28]. We now discuss which mode is appropriate for encrypting the communication between a mouse and a computer. The passkey mode is not appropriate, since it is awkward to equip a mouse with a keypad or software keypad. The out-of-band mode cannot be used because there is no additional channel between a mouse and a computer. The just-works mode is subject to the MITM attack. Lindell [29] has proved that the numeric comparison mode for device pairing in Bluetooth version 2.1 or later is secure. Arming a mouse with a small display does not look very prohibitive. If such a display shows 6 to 20 digits or characters, numeric comparison can be applied to a Bluetooth mouse to prevent the MITM attack, showing whether there is a MITM or not. A Linux kernel of version 2.6 or higher with BlueZ 4.x fully supports Bluetooth secure simple pairing, including the numeric comparison mode. As a demo, we have implemented the numeric comparison mode for our raw mouse data replay program (i.e., the fake mouse) for an Android tablet. More and more people combine tablets, wireless mice and keyboards into a mobile computing platform; Microsoft developed a Bluetooth mouse, the Wedge mouse, for its Surface tablet. Please refer to the video at the footnote. We also propose randomization of the key layout of a soft keyboard as a countermeasure to
the predicted mouse cursor trajectory as well. The impact is more complicated because the complex acceleration algorithm considers the timing of arriving packets to compute the mouse acceleration. The loss of a packet affects the computation of the mouse movement speed and acceleration. We discuss the impact of timing in the following subsection.

Figure 3: Histogram of raw mouse movement (left; x-axis: raw mouse moving distance in pixels) and cursor movement (right; x-axis: cursor moving distance in pixels).

3.2 Impact of Packet Arriving Time

The Bluetooth packet inter-arrival interval, as shown in Figure 4, has no effect on an operating system that uses the lightweight acceleration algorithm in Algorithm 2, while it does affect the complex acceleration algorithm. According to the analysis in Section 2.2.2, the estimated current velocity depends on the inter-packet interval in Equation 2 and on the historic mouse events in the mouse event queue. The current and previous estimated mouse velocities affect the acceleration in terms of Equation 4. Eventually, the acceleration determines the ultimate on-screen mouse movement based on Equation 5. Therefore, the Bluetooth packet timing and inter-packet interval play an important role in estimating the ultimate mouse movement. In the prediction attack, the packet timestamps recorded during sniffing are not those seen by the victim computer, whose event schedul
recording user input from interfaces under Windows and Mac OS X. Behavior Research Methods, 38(4), 2006.
[11] DinoMorelli. Pointer acceleration. http://www.x.org/wiki/Development/Documentation/PointerAcceleration, 2012.
[12] D. Spill and M. Ossmann. gr-bluetooth. http://sourceforge.net/projects/gr-bluetooth, 2010.
[13] M. Duflot, M. Kwiatkowska, G. Norman, and D. Parker. A formal analysis of Bluetooth device discovery. International Journal on Software Tools for Technology Transfer (STTT), 8(6):621-632, October 2006.
[26] J. P. Lang. GNU Radio. http://gnuradio.org/redmine/projects/gnuradio/wiki, 2012.
[27] A. Laurie, M. Holtmann, and M. Herfurt. Hacking Bluetooth enabled mobile phones and beyond: Full disclosure. http://trifinite.org/Downloads/21c3_Bluetooth_Hacking.pdf, December 2004.
[28] A. Y. Lindell. Attacks on the pairing protocol of Bluetooth v2.1. In Proceedings of Black Hat USA, 2008.
[29] Y. Lindell. Comparison-based key exchange and the security of the numeric comparison mode in Bluetooth v2.1. In Proceedings of the RSA Conference on Topics in Cryptology, 2009.
[30] Logitech. Logitech advanced 2.4 GHz technology, revision 1.1h. http://www.logitech.com/images/pdf/roem/Logitech_Adv_24_Ghz_Whitepaper_BPG2009.pdf, March 2009.
[31] National Institute of Standards and Technology (NIST). Guide to Bluetooth security. http://csrc.nist.gov/publications/d
A = 2 according to Equation 7. When the coordinates are updated based on Equation 5, the cursor trajectory is changed.

3.2.2 Impact from Packet Arriving Time

Our experiments demonstrated the error of cursor trajectory reconstruction caused by the difference between the arrival timing of Bluetooth packets seen by the target OS and by the sniffer. We use the sniffer FTS4BT to capture the Bluetooth traffic between a Bluetooth mouse (Logitech MX 5500) and a Fedora Core 13 computer, which adopts the complex acceleration algorithm. Astute readers may ask: since you are evaluating the impact of packet arrival time, what if there is packet loss during your sniffing by FTS4BT? To ensure there is no packet loss, we use FTS4BT and an HCI sniffing software called hcidump to sniff packets simultaneously. FTS4BT and hcidump capture the same Bluetooth traffic between Computer A and the Bluetooth mouse. Note that hcidump runs on Computer A and is able to sniff all the packets without loss. We compare the data set from FTS4BT with the data set from hcidump to make sure there is no packet loss in the data set from FTS4BT. Figures 5 and 6 use the sniffed data set from FTS4BT and show that in the prediction attack, because the predicted acceleration deviates from the original one, the predicted cursor trajectory does not exactly overlap with the original trajectory. In our experiments, the original acceleration values and cursor tra
Distance D(j, n), subject to constraints on V(n-2, n) and V(j, n), (3)
where p < j ≤ n-1.

Figure 2: Mouse Event Queue

When the velocities are derived, the acceleration A can be derived as follows:
  A = f(S(V_n), S(V_{n-1}))   (4)
where S is a velocity smoothing function. Because S(V_n) ≥ 1, we have A ≥ 1. Please refer to Appendix B for the explanation of S. Once A is derived, the cursor coordinate (X, Y) on screen can be derived as follows:
  X_n = X_{n-1} + A × Δx_n
  Y_n = Y_{n-1} + A × Δy_n   (5)
where (Δx_n, Δy_n) is the raw mouse movement. If A = 1, the system does not accelerate the mouse speed; otherwise, acceleration is in effect. Note that A can be a decimal number, and Equation 5 will produce a cursor position that is not an integer. The Linux complex acceleration algorithm takes effort in rounding the coordinate and maintaining the residues; please refer to Appendix B for details.

2.3 Reconstructing Cursor from Raw Mouse Data

Given the raw Bluetooth mouse movement data, if an attacker knows the mouse acceleration algorithm used in an operating system, the attacker can predict the cursor trajectory on the target display of the victim system. However, the attacker may not know the mouse acceleration algorithm beforehand, particularly if the operating system is proprietary. It is not always trivial to reverse engineer those operating systems and derive the hidden
Table 1 (fragment): Obscurity degree 4.8114, 0.5990, 7.4084, 2.1427, 6.2582, 1.1304

Generally speaking, graphical passwords can be divided into three categories [7]: (i) recall-based, (ii) cued recall-based and (iii) recognition-based techniques. In particular, recall-based techniques, including DAS [24], BDAS [14], Pass-Go [44] and GrIDsure [20], require that users recall and reproduce a drawing or repeat a selection that they created during the personal identification registration phase. In cued recall systems such as PassPoints [46], users are asked to remember and target specific locations within an image. The image acts as a memory cue to these specific locations selected (clicked) by the users. Notice that the difference between cued recall and recognition is that cued recall displays only one picture, and the user registers a graphical password by choosing different locations in this picture; hence the picture itself acts as a cue for the user when he or she inputs the graphical password. Recognition presents a set of pictures, and the user picks some of them as his or her graphical password. Recognition-based techniques such as Déjà Vu [10], Story [9] and Passfaces [35] require users to select a set of images during the registration phase and then identify their pre-selected images from a set of decoy images in order to be authenticated. Our attack proposed in this paper can be applied to various recall-based and cued re
Time to Correct Misunderstanding of Mouse

Xian Pan (UMass Lowell), Zhen Ling (Southeast University), Aniket Pingley (Intel Inc.), Wei Yu (Towson University), Kui Ren (University at Buffalo), Nan Zhang (George Washington University), Xinwen Fu (UMass Lowell)

Abstract

Footnote: a wireless mouse may use 27 MHz or proprietary 2.4 GHz.

Logitech made the following statement in a white paper in 2009: "Since the displacements of a mouse would not give any useful information to a hacker, the mouse reports are not encrypted." It is time to correct this misunderstanding. In this paper we investigate how sensitive user information leaks from the displacements of a Bluetooth mouse, while our results can be easily extended to mice using other radio links, which are not encrypted either. We begin by presenting multiple ways to sniff unencrypted Bluetooth packets containing raw mouse movement data. We then show that such seemingly harmless data may reveal extremely sensitive information, including text-based passwords clicked through a software keyboard and graphical passwords such as the Windows 8 picture password. Nonetheless, such a Bluetooth mouse data leakage attack can be challenging to perform because (i) packet loss is common when sniffing Bluetooth traffic and (ii) modern operating systems use complex mouse acceleration algorithms, which introduce noise when reconstructing the on-screen cursor coordinates from sniffed mouse movement data. We have conducted a holistic study of th
scheme in the Bluetooth system. Master's thesis, Polytechnic University, 2002.
[6] A. Becker. Bluetooth security & hacks. http://gayc.es/anto/ubicuos2/ (pdf), August.
[7] R. Biddle, S. Chiasson, and P. V. Oorschot. Graphical passwords: Learning from the first twelve years. ACM Computing Surveys, 44(4), 2012.
[8] T. Cuthbert, A. Gontarek, E. Jensen, and P. Robbins. A Bluetooth keyboard attack. Technical report, University of Minnesota, 2011.
[9] D. Davis, F. Monrose, and M. K. Reiter. On user choice in graphical password schemes. In Proceedings of the 13th USENIX Security Symposium (Security), 2004.
[10] R. Dhamija and A. Perrig. Déjà Vu: A user study using images for authentication. In Proceedings of the 9th USENIX Security Symposium (Security), 2
[20] GrIDsure. GrIDsure corporate website. http://gridsure.security.co.uk, 2012.
[21] J. C. Haartsen. The Bluetooth radio system. IEEE Personal Communications, 7:28-36, 2000.
[22] K. Haataja. Security Threats and Countermeasures in Bluetooth-Enabled Systems. PhD thesis, University of Kuopio, 2009.
[23] HSBC. Security key demo. http://www.banking.us.hsbc.com/personal/
[24] I. Jermyn, A. Mayer, F. Monrose, M. K. Reiter, and A. Rubin. The design and analysis of graphical passwords. In Proceedings of the 8th USENIX Security Symposium (Security), 1999.
[25] U. Kukreja, W. E. Stevenson, and F. E. Ritter. RUI:
ation in detail, and Section 5.1 also extends our attack to graphical passwords, a selling security feature in Windows 8. We develop two approaches to map a clicking topology to a password sequence entered by a user using the software keyboard. In the basic inferring approach, all candidate passwords are enumerated from a clicking topology. In the enhanced inferring approach, statistical information about how humans click keys is utilized to reduce the number of candidate passwords from a clicking topology. The entropy of candidate passwords per clicking topology is reduced from around 6 bits by the basic approach to around 1 bit by the enhanced inferring approach, i.e., two passwords per clicking topology. Our experiments on Fedora 13 and openSUSE 11.1 show that the basic inferring approach has a success rate of more than 98% in recovering passwords, while the enhanced inferring approach has a success rate of more than 95%. Third, given that mouse acceleration algorithms are often proprietary and cannot always be easily reverse engineered on Windows and Mac systems, we propose the replay attack for reconstructing the on-screen cursor trajectory without knowledge of the acceleration algorithm. In a replay attack, the sniffed raw data is replayed on a computer installed with the same operating system as the one on the victim computer. In this way we can derive the clicking topology and apply either the basic inferring approach or the enhanced infer
above, Y0,1 = FF and Y0,2 = FF respectively. In this case the reconstruction of mouse movements is more complicated than for the Microsoft Bluetooth Mouse 5000. Specifically, the hexadecimal values A-F do not necessarily refer to the decimal values 10-15. Whenever A-F do not represent 10-15, we refer to the HASH table in Algorithm 1, which shows the algorithm for calculating the raw mouse movement of a Logitech mouse. From Algorithm 1 we can see that F3 on X equals 16 - 3 = 13 and FF on Y equals 16 - 15 = 1.

Algorithm 1: Raw Mouse Movement Mapping Algorithm for Logitech Mouse
  Require: HASH = {F -> 16, E -> 32, D -> 48, C -> 64, B -> 80, A -> 96}
  1:  if X0 > 127 (in decimal) then            {Left movement}
  2:    X = HASH[first digit of X0] - second digit of X0
  3:  else                                      {Right movement}
  4:    X = X0
  5:  end if
  6:  if first digit of Y0,2 = F then           {Up movement}
  7:    Y = HASH[second digit of Y0,2] - first digit of Y0,1
  8:  else                                      {Down movement}
  9:    if Y0,2 = 00 then
  10:     Y = first digit of Y0,1
  11:   else
  12:     Y = concatenation of the second digit of Y0,2 with the first digit of Y0,1
  13:   end if
  14: end if

We would like to point out that the raw mouse movement in the raw packet does not actually represent the on-screen cursor movement, because the operating system handles such mapping with its acceleration algorithm. Figure 1 shows the Linux input driver stack, where the Xserver conducts the mapping from the raw mouse
state of standby or connection to perform inquiry; the decision is up to the device manufacturer and implementor.

Figure 16: Establishing a Bluetooth Connection (master: standby, inquiry, page, master response, connection; slave: standby, inquiry scan, inquiry response, page scan, page response, connection; the page/page scan steps form the connecting substates, followed by service discovery and pairing).

To improve the chance that the mouse receives inquiry messages transmitted at different frequencies, the mouse listens for T_w,inquiry scan seconds at one frequency every T_inquiry scan seconds, where T_w,inquiry scan is large enough for receiving inquiry messages transmitted on one train of 16 frequencies. If the inquiry message is not received within the current scan window, the mouse listens at the next frequency, following the inquiry scan hopping sequence, which is also determined by the GIAC. Once the inquiry message is received, the mouse enters the inquiry response substate and sends a Frequency Hopping Synchronization (FHS) packet to the laptop, which is also scheduled to listen for the FHS packet at the same frequency. The FHS packet contains the mouse's MAC address and clock information. Bluetooth designs the inquiry strategy so that at most 10.24 seconds are required for the two devices to find each
board could resist our proposed attack to some extent, depending on how the keys are randomized. Our proposed attack suggests that a purely randomized key layout should be necessary for inputting sensitive information. To demonstrate that many systems are under the threat of the attacks proposed in this paper, we now give a brief summary of systems and applications along with the class of soft keyboard they use. The classic soft keyboard has been used by various operating systems, including Linux, Windows, Mac and others. In particular, the well-known anti-virus vendor Kaspersky [1] believes that entering confidential data on a virtual keyboard is secure and makes the following statement: "When you enter your confidential data (for example, your login and password in an E-Store) using your keyboard, there is a risk that this personal information is intercepted using hardware keyboard interceptors or keyloggers, which are programs that register keystrokes. Then this information will be transferred to hackers (cyber criminals) through the Internet. Kaspersky Anti-Virus includes Virtual Keyboard that allows to avoid interception of sensitive data." Online banking login systems, including HSBC [23] and Westpac (Australia's First Bank) [45], use the classical soft keyboard. The randomized soft keyboard is used to a very limited extent. Here are two examples: the online login system of the State Bank of Travancore in India [3] and an online chat syste
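The randomized soft keyboard recommended above, as an added example that is not part of the paper: a per-session shuffle of the key layout changes the clicking topology every login, so a sniffer that recovers only click coordinates can no longer map them onto a public layout, while the endpoint that drew the layout still decodes the clicks exactly. The 4x10 grid, the 60-pixel cells and the classic key order are constructed assumptions.

```python
"""Randomized soft-keyboard layout as a countermeasure (constructed model)."""
import random
from typing import Dict, List, Sequence, Tuple

ROWS, COLS, CELL = 4, 10, 60          # assumed 4x10 grid of 60x60-pixel keys
Click = Tuple[int, int]               # on-screen (x, y) of one mouse click

# Constructed 40-key "classic" layout in row-major order; a public, fixed
# layout is what the paper's inferring approaches slide a topology over.
CLASSIC_LAYOUT: List[str] = list("1234567890qwertyuiopasdfghjkl;zxcvbnm,./")
assert len(CLASSIC_LAYOUT) == ROWS * COLS


def randomized_layout(rng: random.Random) -> List[str]:
    """A fresh permutation of the key set, drawn once per login session."""
    keys = CLASSIC_LAYOUT[:]
    rng.shuffle(keys)
    return keys


def key_centre(layout: Sequence[str], char: str) -> Click:
    """Coordinate the user clicks to type `char` on the layout shown to them."""
    row, col = divmod(layout.index(char), COLS)
    return (col * CELL + CELL // 2, row * CELL + CELL // 2)


def key_at(layout: Sequence[str], click: Click) -> str:
    """Character under a click, i.e. what the screen actually registers."""
    x, y = click
    row, col = y // CELL, x // CELL
    if not (0 <= row < ROWS and 0 <= col < COLS):
        raise ValueError(f"click {click} is outside the keyboard area")
    return layout[row * COLS + col]


def type_password(layout: Sequence[str], password: str) -> List[Click]:
    """The click sequence a user produces for `password` on `layout`."""
    return [key_centre(layout, c) for c in password]


def decode_clicks(layout: Sequence[str], clicks: Sequence[Click]) -> str:
    """What an observer recovers if they assume `layout` was on screen."""
    return "".join(key_at(layout, c) for c in clicks)


def clicking_topology(clicks: Sequence[Click]) -> Tuple[Click, ...]:
    """Click sequence relative to its first click: the translation-invariant
    shape the paper calls the clicking topology (the sniffer does not know
    the absolute starting point of the trajectory)."""
    x0, y0 = clicks[0]
    return tuple((x - x0, y - y0) for x, y in clicks)


def compare_layouts(password: str, sessions: int, seed: int = 0) -> Dict[str, int]:
    """Count what an eavesdropper sees over `sessions` logins under a fixed
    layout versus a per-session randomized layout."""
    rng = random.Random(seed)           # seeded only so the demo is repeatable
    fixed_topologies, random_topologies = set(), set()
    misdecodes = 0
    for _ in range(sessions):
        fixed_topologies.add(
            clicking_topology(type_password(CLASSIC_LAYOUT, password)))
        layout = randomized_layout(rng)
        clicks = type_password(layout, password)
        random_topologies.add(clicking_topology(clicks))
        # The legitimate endpoint knows this session's layout: no usability loss.
        assert decode_clicks(layout, clicks) == password
        # An eavesdropper who only has the public layout decodes garbage.
        if decode_clicks(CLASSIC_LAYOUT, clicks) != password:
            misdecodes += 1
    return {
        "fixed_topologies": len(fixed_topologies),    # 1: repeats every login
        "random_topologies": len(random_topologies),  # grows with sessions
        "eavesdropper_misdecodes": misdecodes,
    }


if __name__ == "__main__":
    print(compare_layouts("secret1", sessions=20))
```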
26. call-based graphical passwords. Because those recall-based and cued recall-based systems take advantage of a personal drawing or pre-selected points in an image, the click topology is preserved within the image. If a user uses a Bluetooth mouse as the input device for these graphical passwords, we can capture the user's mouse movement and clicks and apply either the prediction or the replay attack that we proposed in this paper to recover the passwords. As an example of a commercial recall-based graphical password product, GrIDsure [20] presents a user with a 5 x 5 square grid with 25 cells. During the registration phase, a user chooses a pattern comprising an ordered subset of the 25 cells by clicking the corresponding cells as a personal identification pattern. During the login phase, the user is presented with the fully populated grid, filled with random numbers in the cells. The user inputs the numbers corresponding to her personal identification pattern as a one-time password. In this case, if the user adopts a Bluetooth mouse during the registration phase and the attacker could capture the mouse movement data, it will be trivial to disclose the personal identification pattern, and the attacker could log in to the victim computer as the user after the attack. The video at the footnote demonstrates the replay attack against the Windows 8 graphical password, which is a standard cued recall-based graphical password system. Under Windows 8, a user first
27. chooses a picture and then draws three gestures by using a mouse on a PC. The three gestures could be any combination of circles, straight lines and taps. The video shows that the reconstructed cursor trajectory could reveal those gestures and leaks the user's graphical password effectively. This demonstrates that our proposed attack against Windows 8 is feasible and effective, and Windows 8 should reconsider their choice of graphical password system.

5.2 Potential Countermeasures

We have demonstrated that eavesdropping on Bluetooth mouse communication is feasible and may incur serious security and privacy breaches. Hence, we recommend encrypting Bluetooth mouse communication as a potential countermeasure [28, 31]. Bluetooth has four modes for secure pairing, in which secret keys are negotiated between the two pairing devices. (i) The numeric comparison mode is used if both pairing devices have displays. A user accepts the pairing if the numbers on both displays are equal. This mode is designed to resist the man-in-the-middle (MITM) attack. (ii) The just works mode is designed for devices without displays. It is similar to the numeric comparison mode but without number comparison, and cannot defend against the MITM attack. (iii) The out-of-band mode is used if an extra channel exists between the pairing devices. (iv) The passkey entry mode is designed for scenarios where one device has input capability but does not have the capability to display six digits, and
28. compares the results of inferring passwords for the lightweight and complex acceleration algorithms. We can see that passwords can be derived with a success rate of more than 95% for the complex acceleration algorithm. One reason for the high success rate is that the mouse movement while entering passwords (clicking an on-screen keyboard) is different from the mouse movement in other situations. Each character on the on-screen keyboard corresponds to a small area. Users always take caution when inputting passwords and will not move the mouse so fast as to miss a key. This slow movement reduces the impact of packet timing on mouse acceleration and favors reconstructing a correct clicking topology. We observed in the experiments for the large-size keyboard with the basic inferring approach that 98% of the password clicking processes have a topology deviation in the range of 0 to 25 pixels in both the X and Y axes. In only one case the deviation is 52 pixels in the X direction and 9 pixels in the Y direction. However, a large deviation does not always lead to a failure of password inference, because the predicted clicking topology may still be within the characters' areas on the soft keyboard. We have observed similar results in experiments on the small keyboard.

4.2.6 Replay Attack

To evaluate the replay attack, we conducted the following experiments on Fedora Core 13, Windows 7 and Mac OS X 10.6.5. After sniffing Bluetooth mouse raw data between the Bl
29. cts to the fake mouse. After the Bluetooth connection is set up, the fake mouse will replay the sniffed data, according to their original time intervals, to the impersonating computer. For the clarity of demonstrating the attack impact, at the beginning of each replay we move the cursor to the first character of the password and show that the replay attack correctly derives the positions of the rest of the password characters. In the video, we can see that the cursor on the target computer moves and clicks passwords automatically. Here the word "automatically" means the cursor on the target computer is controlled by the fake mouse rather than a hand. As we can see, the victim's mouse movement trajectory and clicking topology can be reconstructed from the cursor movement on the impersonating computer.

5 Discussion

In this section, we first extend our attack to graphical passwords and then discuss how to improve the Bluetooth sniffing distance. Finally, potential countermeasures are proposed to fight against the proposed attacks.

5.1 Attacking Graphical Passwords

Graphical passwords have attracted great attention as potential alternatives to text-based passwords. Generally

Table 4: Performance of Replay Attack
                     Fedora 13             Windows 7             Mac OSX 10.6.5
                     Basic     Enhanced    Basic     Enhanced    Basic     Enhanced
                     inferring inferring   inferring inferring   inferring inferring
Success rate (%)     69        31          100       92          44        16
30. d by

$$\text{Obscurity degree} = \frac{1}{n} \sum_{j=1}^{n} \log_2 m_j \qquad (9)$$

where n is the number of clicking topologies. Note that obscurity degree is an information-theoretic metric, and a lower obscurity degree means fewer candidate passwords per clicking topology that an attacker has to guess.

4.2.3 Success Rate without Packet Loss in Prediction Attack

We generated 100 random passwords of 8 characters each, including uppercase letters, lowercase letters and numbers, and used a Bluetooth mouse (Logitech MX 5500) to click on a soft keyboard (xvkbd) of size 449 x 149 pixels (the small-size soft keyboard) to input those passwords on a computer installed with openSUSE 11.1, which uses the lightweight mouse acceleration algorithm. At the same time, the sniffer FTS4BT was used to sniff all the Bluetooth traffic. To check whether our approach works on soft keyboards with different sizes, we conducted a similar set of experiments on a large-size soft keyboard (xvkbd) of size 896 x 254 pixels. We evaluate both the basic and enhanced inferring approaches for inferring passwords on the different-sized soft keyboards on openSUSE 11.1 with the lightweight mouse acceleration algorithm. For both the small and large soft keyboards, we achieve a success rate of 100% for basic inferring and 99% for enhanced inferring. We also evaluate the number of candidate passwords on both the small and large soft keyboards and show that the enhanced inferring approach can significantly reduce the number
31. e have implemented the numerical comparison mode for our raw mouse data replay program (i.e., the fake mouse) for an Android tablet. More and more people combine a tablet, a wireless mouse and a keyboard as a mobile computing platform. Microsoft developed a Bluetooth mouse, the wedge mouse, for its Surface tablet. Please refer to the video at the footnote. As a lightweight countermeasure, the software keyboard layout can be randomized to resist the attack when users input sensitive information. Most operating systems and applications do not provide such an option for users. Microsoft also needs to reconsider their choice of graphical password system. The rest of this paper is organized as follows. In Section 2, we discuss our proposed techniques for reconstructing the mouse cursor trajectory. We analyze various factors that affect the accuracy of trajectory reconstruction in Section 3. In Section 4, we evaluate the accuracy of inferring passwords from the sniffed Bluetooth mouse movements, using the software keyboard attack as an example. In Section 5, we extend our attack to obtain graphical passwords on Windows 8, improve the sniffing distance and discuss countermeasures to the proposed attacks. In Section 6, we briefly introduce the most related work, followed by the conclusion in Section 7.

2 Reconstruction of Cursor Trajectory

Please refer to Appendix A for the principle of sniffing Bluetooth for raw mouse packets. In this sect
32. e such sniffers to sniff Bluetooth communication. One question often raised for Bluetooth attacks is the attack distance. Although Bluetooth is designed as a short-range radio technology, researchers have modified Bluetooth devices and successfully implemented the long-distance attack from over one mile away [27, 6]. With a customized antenna for USRP2, we were able to successfully sniff Bluetooth packets at a distance of 30m in the corridor of a campus building. Once raw mouse data are eavesdropped, we introduce a trajectory reconstruction technique that reconstructs the on-screen mouse cursor trajectory and the topology formed by the positions where the mouse clicks, denoted as the clicking topology. The clicking topology may reveal sensitive information, including a text-based password input through a software keyboard and a graphical password such as the one used in Windows 8. To the best of our knowledge, our work is the first to retrieve sensitive information from sniffed mouse raw data. Our major contributions are summarized as follows. First, we examine mouse data semantics, investigate how mouse events are processed in an operating system, and propose the prediction attack to reconstruct the cursor trajectory. Sniffed mouse packets contain raw movement data. However, an operating system uses acceleration algorithms to accelerate the raw movement and produce the cursor movement on screen. To reconstruct an on-screen cursor traject
33. en the on-screen cursor motion and the physical movement of a mouse. It provides users with the ability to effectively navigate high-resolution screens with minimal physical movement of the mouse. We derive the Linux mouse acceleration from its source code and examine it in detail as an example, listed below. Because we cannot obtain the source code of the Windows and Mac mouse acceleration algorithms, we will propose the replay attack to reconstruct the on-screen cursor trajectory with no need to understand the mouse acceleration algorithm being used.

2.2 Linux Mouse Acceleration

An OS may use an acceleration algorithm to calculate the cursor position based on the raw mouse movement data. Based on whether the packet arrival time is considered in calculating the cursor movement on screen, we classify mouse acceleration algorithms into two categories: (i) the lightweight acceleration algorithm and (ii) the complex acceleration algorithm. The lightweight acceleration algorithm does not consider the packet arrival time, and it is used in Linux OS with Xserver versions before 1.5. The complex acceleration algorithm takes the packet arrival time into account and is adopted in Linux OS with Xserver versions after 1.5 [11], current Windows and Mac OS X. We now explain these two types of algorithms in detail.

2.2.1 Lightweight Acceleration Algorithm

Algorithm 2 illustrates the lightweight acceleration algorithm in Linux. If a mouse is physically m
34. erring approach is that the uncertainty of the clicked character sequence is significantly reduced.

4.2 Inferring Passwords

To evaluate our method of inferring a character sequence from the reconstructed cursor topology in the prediction attack and the replay attack, we conducted extensive experiments. Please note that all of our analysis and figures in the following are derived from the data sniffed by FTS4BT if not explicitly noted.

4.2.1 Why the Password Attack is Dangerous

In this paper, we use the example of reconstructing a password clicked on a soft keyboard to demonstrate the privacy leakage from sniffing Bluetooth mouse raw data. We believe that this is an extremely severe threat to user security and a good example that shows a new weakest link of a system: Bluetooth mouse communication. Various systems and applications provide a soft keyboard as an alternative input method. Users may click these soft keyboards and input sensitive information, which is under the threat of the attacks investigated in this paper. We classify those soft keyboards into two categories: (i) the classical soft keyboard and (ii) the randomized soft keyboard. The classical soft keyboard emulates the physical QWERTY keyboard, and the randomized soft keyboard has a randomized key layout. The randomization is for defending against other attacks, such as the keystroke logging attack, which are different from the attacks investigated in this paper. A randomized key
35. ese issues over all popular operating systems and analyze how mouse acceleration algorithms and packet loss during sniffing may affect the reconstruction results. Our real-world experiments demonstrate the severity of privacy leakage from an unencrypted Bluetooth mouse. We also discuss countermeasures to prevent privacy leaking from the Bluetooth mouse. To the best of our knowledge, our work is the first to retrieve sensitive information from sniffed mouse raw data.

1 Introduction

Logitech made the following statement in a white paper published on March 2, 2009 [30]: "Since the displacements of a mouse would not give any useful information to a hacker, the mouse reports are not encrypted or Bluetooth 2.4 GHz radio link." From our interview with major brand-name manufacturers, including Logitech, Microsoft, Apple and Lenovo, and the study of the bibliography, no wireless mouse encrypts its communication [37, 38]. This practice is also reflected in the design of mouse communication protocols. The Bluetooth Human Interface Device (HID) profile [40] requires support of authentication and encryption for keyboards as well as other HIDs, such as fingerprint scanners, which transmit identification or biometric information [40, 28, 39], but leaves the support optional for the Bluetooth mouse. In this paper, we show that mouse movement data could leak extremely sensitive information. Timings and positions of mouse movements are often used as an entropy source f
36. [Figure captions: "...f password candidates on small on-screen keyboard by enhanced inferring" and "...password candidates on large on-screen keyboard by enhanced inferring".]

the obscurity of guessing a password sharply. The basic inferring approach has an obscurity degree of around 6 bits, while the enhanced inferring approach has an obscurity degree of around 1 bit, corresponding to two passwords per clicking topology that an attacker has to guess.

Table 1: Obscurity Degree for Basic and Enhanced Inferring for Lightweight Acceleration
                      Small keyboard    Large keyboard
Basic inferring       6.1903            5.8845
Enhanced inferring    1.6972            1.1062

4.2.4 Success Rate with Packet Loss in Prediction Attack

Recall that during sniffing, Bluetooth packets may drop due to fading and interference. To reduce the packet loss rate, we use two FTS4BT dongles in the redundant mode to sniff the same piconet. Table 2 lists the packet loss rate in terms of the distance between the sniffer and the target. The experiments were conducted in a corridor of a campus building. We can see that the sniffer has a loss rate of only 1.4% at a distance of 10 meters. This demonstrates that the attack can be deployed stealthily from a reasonably long distance. When the distance is more than 10 meters, the loss increases dramatically. In Section 5 we will discuss how to use customized devices to further improve the sniffing distance.

Table 2: Packet Loss Rate vs. Distance (meter)
37. iation, leading to a low success rate. Based on our experiments, Mac OSX seems less vulnerable to the replay attack. Please see the footnotes for videos of successful replay attacks on the different target OSes: Fedora Core 13, Windows 7 (default installation) and Mac OSX 10.6.5. These videos show the replay attack process and do not include the sniffing process. In each demo, two computers are used. One emulates the Bluetooth mouse, denoted as the fake mouse. The other computer is the impersonating computer, installed with the same OS as the victim computer's OS. In the video, the fake mouse is a laptop installed with Ubuntu 8.04, and the impersonating computer is either a laptop or a computer. The fake mouse replays the sniffed data to the impersonating computer. The sniffed data is derived by FTS4BT. At the beginning of each video, we begin with the mouse device registration and replay programs on the fake mouse. The impersonating computer then conne

Footnotes: Attack Fedora 13, http://youtu.be/qnjqgCCTVTk; Attack Windows 7, http://youtu.be/FVJK_m3UPj0; Attack Mac OSX, http://youtu.be/iFJoHBiYDWg.

[Figure 14: Acceleration in replay attack (original vs. replayed acceleration against Bluetooth mouse packet number). Figure 15: Cursor trajectory in replay attack (original vs. replayed cursor trajectory, X pixel).]
38. ing algorithm adds randomness into the timestamps when packets get into the OS. In the replay attack, we use a high-resolution timer to replay the sniffed packets. However, the randomness is added into the packet timestamps too when they get into the impersonating computer. There is no guarantee that the impersonating computer behaves the same as the victim computer.

[Figure 4: Histogram of Bluetooth Mouse Inter-packet Interval (x axis: inter-packet interval in milliseconds, 0 to 1000).]

The effect of event scheduling on packet timestamps is similar to that in the case of the prediction attack. Hence, in both attacks we cannot obtain the same packet timestamps seen by the victim computer. The Bluetooth packet arrival time is a factor that could affect the accuracy of reconstructing the mouse cursor trajectory from raw mouse data sniffed in the air.

3.2.1 Bound of Complex Acceleration Algorithm

We now derive bounds of the acceleration for the complex acceleration algorithm under Linux in terms of the mouse velocity, in order to understand how the error of the predicted mouse velocity caused by packet timing affects the acceleration, and thereby the reconstructed cursor trajectory. Consider the system default mouse settings with the simple smoothen profile as discussed in Section 2.2.2, i.e., h = 4 and a = 2. Let the current and previous estimated velocities be V_n and V_{n-1}, respectively. The bound of the smoothed
39. ing approach is proposed to utilize the statistical information of the area where people click on the on-screen keyboard. Intuitively, when hitting a key, the user tends to click in the middle region rather than at the edge of the area belonging to the key. We denote this area as the hot area of the key. Because the sizes of keys on the soft keyboard differ, to derive a normalized hot area we first obtain more than 1000 clicking positions for random characters on the same on-screen keyboard and then normalize the rectangular area of a key to a 1 x 1 square area.

[Figure 7: Normalized Clicking Positions on Large On-screen Keyboard (x axis: Normalized X in Each Button Area, 0 to 1).]

Figure 7 shows the clicking positions for these 1000 characters on an on-screen keyboard after the normalization. The hot area is the area that contains 99% of the clicked positions. After obtaining the hot area, we map a cursor clicking topology to an on-screen keyboard from top left to bottom right. A character sequence will be considered as a candidate sequence only if all characters' clicking positions are in the hot area. With the hot area, the number of candidate character sequences will sharply decrease. The benefit of the enhanced inf
40. ion, we first investigate raw Bluetooth mouse data semantics and then review various mouse cursor acceleration algorithms used in modern operating systems. Finally, we introduce the prediction attack and the replay attack for reconstructing an on-screen cursor trajectory.

2.1 Raw Bluetooth Mouse Data

In this paper, we use the Logitech MX 5500 Bluetooth Mouse as an example most of the time. We investigated many other Bluetooth mice (e.g., Microsoft Bluetooth Mouse 5000) and found that mice of the same brand tend to have the same semantics. The semantics have been understood by reverse engineering and by referring to the HID profile specification and related work, including a general introduction to raw mouse data semantics [15]. For comparison, we briefly discuss the Microsoft Bluetooth Mouse 5000, which has a simple raw packet payload format. The following is an example of its payload: A1 11 00 01 FE 00 00. The fields in bold (01 and FE) give the X and Y movement, respectively. This data is expressed in two's complement form. Thus, the corresponding movement will be 1 and -2, i.e., a unit movement to the right and two units in the upward direction. An example of a Logitech MX 5500 mouse raw packet payload is listed as follows: A1 02 00 F3 FF FF 00 00 00. The three fields in bold are used to compute the mouse movement. The following rules are applied to obtain the movement. Let the three fields be X_0 (F3 in the example

(Footnote: Secure mouse, http youtu be 781yYdc 308)
41. jectory are obtained from logs from a revised Linux kernel.

[Figure 5: Acceleration in prediction attack (original vs. predicted acceleration against Bluetooth mouse packet number). Figure 6: Predicted cursor trajectory (X pixel).]

4 Evaluation of Reconstructing Cursor Topology by Inferring Passwords

In this section, we evaluate how well the reconstructed cursor trajectory enables an attacker to compromise sensitive information of a user. In particular, to quantify the results, we consider the scenario of inferring character sequences from a reconstructed cursor clicking topology when a user is clicking on an on-screen soft keyboard, and evaluate how well we can infer passwords based on the reconstructed clicking topology. We conducted extensive experiments, and the attacks were successful on Linux, Windows and Mac OS X. Both the prediction attack and the replay attack were deployed against Linux. Because we could not get the mouse acceleration source code for Windows and Mac OS X, the replay attack was mainly deployed against these two operating systems. Although we referred to various materials and gained moderate success with the prediction attack against Windows and Mac OS X, we feel that the replay attack is more general and methodical against these two operating systems.
42. ll achieved when the basic inferring is used. The detection rate for the enhanced inferring is 31%. Hence, the basic inferring is recommended for the replay attack on Linux OS with Xserver versions after 1.5. On Windows 7, we conduct the replay attack on its default soft keyboard. To log the cursor clicking topology, we install RUI, a tool for Recording User Input from interfaces under Windows and Mac OS X [25], on the impersonating computer. Once a clicking topology is logged, either the basic inferring approach or the enhanced inferring approach can be used to map the clicking topology to the soft keyboard. As we can see from Table 4, the success rate of the basic inferring approach reaches 100%, while the success rate of the enhanced inferring approach reaches 92% with an obscurity degree of only around 2, corresponding to 4 passwords on average for the attacker to choose from in order to recover the password. This demonstrates that our replay attack against Windows 7 is feasible and effective. On Mac OSX 10.6.5, we conduct the replay attack on its default soft keyboard. RUI is used to log the cursor clicking topology on the impersonating computer. As we can see from Table 4, the success rate of basic inferring is 44%, while the success rate of enhanced inferring is 14%. It seems that Mac OSX adopts a more sensitive mouse acceleration algorithm, and the randomness introduced into the packet timing by the replay attack brings more trajectory dev
43. ls and uses frequency hopping for communication. For a thorough introduction to Bluetooth, please refer to the core specifications of Bluetooth [41]. In the following, we focus on the technical details related to sniffing Bluetooth traffic [19, 21, 41]. Figure 16 shows how a laptop equipped with a Bluetooth adapter communicates with a Bluetooth mouse and forms a Bluetooth network, i.e., a piconet. Assume that the laptop has never connected with the mouse before. Initially, both the laptop and the mouse are in the standby state, which is a low-power mode. In this state, both devices run on their native clocks independently. To find the mouse and other Bluetooth devices nearby, a user, through an application, commands the laptop Bluetooth adapter to enter the substate of inquiry and send out inquiry messages continuously over the inquiry hopping sequence of channels. The inquiry hopping sequence is determined by the General Inquiry Access Code (GIAC), which is specified in the standard and known to all devices. It consists of two groups of frequencies, train A and train B, each of which is 16 frequencies long. In Bluetooth, the device that initiates the communication is the master. In our case, the laptop is the master while the mouse is the slave. To make the mouse discoverable, a user pushes the button on the mouse to have the mouse enter the connecting substate of inquiry scan. The Bluetooth specification does not specify how a device leaves the st
44. m QQ [2]. Hence, the attack of reconstructing a password clicked on a soft keyboard is truly realistic in various scenarios. The fact that a Bluetooth mouse leaks passwords is significant. We also extended our attack against graphical passwords in Section 5.1, which have been adopted by Windows 8. To the best of our knowledge, we believe that the aforesaid hidden vulnerability of the Bluetooth mouse has been largely ignored. Thus, we intend to sound a warning bell to the industry that unencrypted communication over the Bluetooth mouse may be detrimental to users' online privacy and security. In Section 5, we discuss the encryption of Bluetooth mouse communication and a purely randomized soft keyboard as countermeasures to the proposed attacks.

4.2.2 Performance Metrics

We consider two metrics for evaluating how well we can infer passwords based on the reconstructed clicking topology. One is the success rate, which is defined as the percentage of real passwords that are included in the set of candidate passwords. The other is the obscurity degree, which measures the average number of passwords corresponding to a clicking topology. Apparently, an attacker prefers a small number of passwords from a given clicking topology. Assume that each candidate password has equal probability of being the real password. Hence, if the cardinality of a set is m, its entropy is log_2 m. The average entropy over all the clicking topologies is defined as the obscurity degree and is derive
45. mouse velocity S(V_n) is as follows. The detailed proof can be found in Appendix C.

$$S(V_n) = 1,\ 0 \le V_n < 4;\qquad 1.5 \le S(V_n) < 2,\ 4 \le V_n < 8;\qquad S(V_n) = 2,\ V_n \ge 8 \qquad (6)$$

Based on the bound of S(V_n), we derive the bound of the mouse acceleration A as follows:

$$
\begin{cases}
A = 1, & 0 \le V_n < 4,\ 0 \le V_{n-1} < 4 \\
1.083 \le A \le 1.167, & (0 \le V_n < 4,\ 4 \le V_{n-1} < 8)\ \text{or}\ (4 \le V_n < 8,\ 0 \le V_{n-1} < 4),\ \text{and}\ 2 \le \tfrac{V_n + V_{n-1}}{2} < 4 \\
1.417 \le A \le 1.703, & (0 \le V_n < 4,\ 4 \le V_{n-1} < 8)\ \text{or}\ (4 \le V_n < 8,\ 0 \le V_{n-1} < 4),\ \text{and}\ 4 \le \tfrac{V_n + V_{n-1}}{2} < 6 \\
1.5 \le A < 2, & 4 \le V_n < 8,\ 4 \le V_{n-1} < 8 \\
1.583 \le A < 2, & (V_n \ge 8,\ 4 \le V_{n-1} < 8)\ \text{or}\ (4 \le V_n < 8,\ V_{n-1} \ge 8) \\
A = 2, & V_n \ge 8,\ V_{n-1} \ge 8
\end{cases} \qquad (7)
$$

where A has non-continuous subdomains. The acceleration bound in Equation 7 implies that the packet arrival timing may affect the acceleration, and the cursor trajectory with it, according to the cursor coordinate calculation in Equation 5. Recall that V_n is V(k, n) when Equation 3 is satisfied, with V(k, n) computed from the distance D(k, n) and the packet timestamps. When the packet arrival timing changes by Δt, the velocity changes to V'(k, n), computed from D(k, n) and the shifted timestamps (Equation 8). Hence V_n will change with the packet arrival timing as well. Specifically, a small change of timing may switch V_n and V_{n-1} in Equation 7 from one subdomain, such as [0, 4), to another subdomain, such as [4, 8). For example, if Δt shifts 0 ≤ V_n < 4 and 0 ≤ V_{n-1} < 4 to 4 ≤ V_n < 8 and 4 ≤ V_{n-1} < 8, respectively, the acceleration will be changed from A = 1 to 1.5
46. onnection traffic exchange follows the channel hopping sequence determined by the MAC address of the master device, i.e., the laptop in our example. The master's clock determines the phase in the channel hopping sequence.

Sniffing Bluetooth. To provide privacy, Bluetooth supports optional encryption at the link layer. Bluetooth human interface devices, such as keyboards, mice and remote monitoring devices, follow the Bluetooth Human Interface Device (HID) Profile, which defines the protocols, procedures and features. This profile requires support for authentication and encryption for keyboards and other HIDs that transmit identification or biometric information [40]. Encryption is optional for other types of HIDs, such as the mouse. In many scenarios, Bluetooth mouse traffic is sent without encryption because of three possible reasons: (i) the Bluetooth mouse manufacturer does not encrypt the traffic by default, (ii) people void the encryption for the Bluetooth mouse for convenience of use, or (iii) the mouse encryption is often weak [28, 39]. This leaves the chance for an attacker to sniff Bluetooth mouse communication and exploit the mouse cursor information. One challenge in sniffing Bluetooth communication is how to deal with the channel hopping. There are two possible ways to deal with this problem: (1) Sniffing all the 79 frequencies via multiple Bluetooth sniffers. With the advancement of hardware, sniffing the whole ISM band is not
47. or random number or secret generation. Leaked mouse movement data could reduce the entropy available for seeding random number generation. From a reconstructed mouse trajectory on screen, an attacker may build a user computer usage profile, identify applications, or even obtain user passwords. We will use the inference of passwords through a software keyboard and of graphical passwords, such as the one used by Windows 8, to demonstrate the threat. This problem is particularly serious given that the conventional belief that mouse traffic is insensitive lends users a false sense of security. We will investigate privacy leaking from the Bluetooth mouse, while our results can be easily extended to mice using other radio links [37, 38]. Our attack begins with sniffing Bluetooth mouse communication. Various off-the-shelf tools are available to conduct Bluetooth sniffing. In particular, USRP2 (Universal Software Radio Peripheral 2) [16], a software-defined radio device, can be tuned to any Bluetooth channel with a 2.48GHz daughterboard. To sniff all Bluetooth channels, four USRP2s are needed. Tools such as Ubertooth [33, 42, 43] can be used to determine the MAC address of undiscoverable devices, which can in turn be fed into FTS4BT [18], a commercial product that is able to synchronize with the victim Bluetooth devices. FTS4BT is able to follow the Bluetooth frequency hopping sequence and thereby sniff an entire communication session. We shall describe how to us
48. ory, we carefully investigate various mouse acceleration algorithms and derive their mathematical models. Once these acceleration algorithms are known, we develop an inference algorithm, denoted as the prediction attack, for estimating the on-screen cursor trajectory. We analyze the impact of packet loss and of the timing of mouse packet arrivals on the accuracy of reconstructing the cursor trajectory. Because almost all complex mouse acceleration algorithms take the packet inter-arrival interval into account as a factor in accelerating cursor movement, we found a strong correlation between the accuracy of measuring the packet arrival time and the accuracy of reconstructing the cursor trajectory. This is the most challenging part, where we spent a long time on analysis and experiments to reach this conclusion. We have also derived the upper and lower bounds of the complex mouse acceleration to study reconstruction errors. Second, by analyzing the reconstructed cursor trajectory, we can infer much information about a user's interaction with the computer. Various systems, including Windows, Linux, Mac and critical applications [1, 23, 45], provide a software keyboard as an alternative input method. Users may click the software keyboard and input various sensitive information. We use the attack against the soft keyboard-based authentication scheme as an example to demonstrate the severity of such privacy leakage. Section 4.2.1 explains the motiv
oved more than T units, the algorithm amplifies the movement by M times along the X and Y axes, respectively, where T and M are pre-determined parameters. It is important to note that T is computed as the Manhattan distance instead of the Euclidean distance of the reported mouse movements. For example, if a mouse reports a movement of (3, 4), the corresponding cursor movement will be (6, 8) when T = 6 and M = 2 on the X and Y axes, respectively.

Algorithm 2 Lightweight Acceleration Algorithm
Require: Raw mouse movement (Δx, Δy); Threshold T; Acceleration Factor M
1: if |Δx| + |Δy| ≤ T then
2:   cursor movement = (Δx, Δy)
3: else
4:   cursor movement = (M × Δx, M × Δy)
5: end if

2.2.2 Complex Acceleration Algorithm

We explain the complex acceleration algorithm based on Linux OS with Xserver version after 1.5. With this algorithm, when a new mouse event arrives and a mouse event is created for the mouse packet, the system first computes the velocity of mouse movement and then calculates acceleration based on the derived velocity. Based on the raw movement information in the mouse packet and the derived acceleration, the system determines the cursor movement on screen.

To determine the mouse velocity, we first compute the distance between two mouse events. Denote the sequence of raw mouse events as $Z_1, Z_2, \ldots, Z_n$. A mouse event $Z_i$ includes three elements: mouse relative motion $(\Delta x_i, \Delta y_i)$ and timestamp $t_i$. Denote $D(k,n)$ as the di
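An added example (not code from the paper) that replays a constructed sequence of raw (Δx, Δy) reports through the lightweight acceleration model of Algorithm 2, using the Manhattan-distance test the text stresses, and emulates the effect of one lost packet on the reconstructed trajectory; the start position, T = 6 and M = 2 are assumptions.

```python
import math
from typing import List, Tuple

Delta = Tuple[int, int]
Point = Tuple[int, int]

# Constructed sample of raw mouse reports (dx, dy); not captured data.
SAMPLE_REPORTS: List[Delta] = [(1, 0), (3, 4), (-2, 1), (5, 5), (0, -1)]


def lightweight_accelerate(dx: int, dy: int, T: int = 6, M: int = 2) -> Delta:
    """Algorithm 2: amplify both axes by M when the Manhattan length
    |dx| + |dy| exceeds threshold T, otherwise pass the report through."""
    if abs(dx) + abs(dy) <= T:
        return dx, dy
    return M * dx, M * dy


def manhattan_vs_euclidean_disagree(dx: int, dy: int, T: int = 6) -> bool:
    """True when a Euclidean threshold test would make a different
    accelerate/no-accelerate decision than the Manhattan test; the paper's
    (3, 4) example is such a case (|3|+|4| = 7 > 6 but sqrt(9+16) = 5 <= 6)."""
    return (abs(dx) + abs(dy) > T) != (math.hypot(dx, dy) > T)


def reconstruct_trajectory(reports: List[Delta], start: Point = (0, 0),
                           T: int = 6, M: int = 2) -> List[Point]:
    """On-screen cursor positions obtained by feeding every raw report
    through the acceleration model (assumed start position included)."""
    x, y = start
    path = [(x, y)]
    for dx, dy in reports:
        ax, ay = lightweight_accelerate(dx, dy, T, M)
        x, y = x + ax, y + ay
        path.append((x, y))
    return path


def displacement_after_loss(reports: List[Delta], lost_index: int,
                            T: int = 6, M: int = 2) -> Delta:
    """Offset between the lossless final position and the one reconstructed
    when report `lost_index` is dropped (emulated packet loss). Because the
    lightweight algorithm is memoryless, every later position shifts by
    exactly the accelerated displacement of the lost report."""
    full = reconstruct_trajectory(reports, T=T, M=M)[-1]
    lossy_reports = reports[:lost_index] + reports[lost_index + 1:]
    lossy = reconstruct_trajectory(lossy_reports, T=T, M=M)[-1]
    return full[0] - lossy[0], full[1] - lossy[1]


if __name__ == "__main__":
    print(reconstruct_trajectory(SAMPLE_REPORTS))
    print(displacement_after_loss(SAMPLE_REPORTS, 1))
```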
pectively. $a$ is derived by the acceleration numerator divided by the acceleration denominator, with default values of 2 and 1, respectively. Notice that the acceleration threshold, numerator and denominator can be set in a configuration file, i.e., /usr/share/X11/xorg.conf.d/10-17-evdev.conf. In addition, $F(x)$ in Equation (10) is used to compute the penumbral gradient:

$$F(x) = 0.5 + \frac{(2x-1)\sqrt{1-(2x-1)^2} + \arcsin(2x-1)}{\pi} \quad (10)$$

The smoothed mouse velocity $S(V_n)$ is derived as follows:

$$S(V_n) = \begin{cases} 2F\!\left(0.5 + \frac{V_n}{2}\right) - 1, & 0 \le V_n < 1 \\ 1, & 1 \le V_n \le h \\ 1 + (a-1)\,F\!\left(\frac{V_n/h - 1}{a-1}\right), & h < V_n < ha \\ a, & V_n \ge ha \end{cases} \quad (11)$$

and if … < 1, … (12). Hence we know that … (13).

Simpson's rule is then used to compute the mouse acceleration $A_n$ as follows:

$$A_n = \frac{S(V_{n-1}) + 4\,S\!\left(\frac{V_{n-1}+V_n}{2}\right) + S(V_n)}{6} \quad (14)$$

Because $\forall V,\ S(V) \ge 1$, we have $A_n \ge 1$. Let $(X_n, Y_n)$ be the current cursor coordinate. If $A_n = 1$, the system will not accelerate the mouse speed. We can derive the cursor coordinate after the raw mouse movement $(\Delta x_n, \Delta y_n)$ as follows:

$$X_{n+1} = X_n + \Delta x_n, \qquad Y_{n+1} = Y_n + \Delta y_n \quad (15)$$

If $A_n > 1$, the system will accelerate the mouse speed. Before accelerating the mouse speed, the system first softens the mouse relative motion $\Delta x_n$ and $\Delta y_n$ as follows:

$$\Delta x'_n = \begin{cases} \Delta x_n - 0.5, & \Delta x_n > \Delta x_{n-1} \\ \Delta x_n, & \Delta x_n = \Delta x_{n-1} \\ \Delta x_n + 0.5, & \Delta x_n < \Delta x_{n-1} \end{cases} \quad (16)$$

$$\Delta y'_n = \begin{cases} \Delta y_n - 0.5, & \Delta y_n > \Delta y_{n-1} \\ \Delta y_n, & \Delta y_n = \Delta y_{n-1} \\ \Delta y_n + 0.5, & \Delta y_n < \Delta y_{n-1} \end{cases} \quad (17)$$

Based on $\Delta x'_n$ and $\Delta y'_n$, we can obtain the accelerated mo
plan to give demos at various technical and academic security conferences and appeal to the Bluetooth RF mouse manufacturers to encrypt its data and enforce use of more secure device pairing mechanisms.

References

[1] Kaspersky Internet Security. http://support.kaspersky.com/kis2012/service?page=2&qid=208286483, 2012.
[2] QQ International. http://www.imqq.com/, 2012.
[3] State Bank of Travancore virtual keyboard. https://www.sbtonline.in/sbijava/sbt/com/virtualkeyboard.html, 2012.
[4] A. A. E. Ahmed and I. Traore. Anomaly intrusion detection based on biometrics. In Proceedings of the IEEE Workshop on Information Assurance, 2005.
[5] A. A. E. Ahmed and I. Traore. A new biometric technology based on mouse dynamics. IEEE Transactions on Dependable and Secure Computing.
[14] P. Dunphy and J. Yan. Do background images improve "draw a secret" graphical passwords? In Proceedings of the 14th ACM Conference on Computer and Communications Security (CCS), 2007.
[15] T. Engdahl. PC mouse information. http://www.epanorama.net/documents/pc/mouse.html, 2012.
[16] USRP2 (Universal Software Radio Peripheral 2), 2012. [remainder of entry unreadable in source]
[17] Frontline Test Equipment, Inc. Frontline test system FTS4BT user manual. http://www.fte.com/docs/fts4bt%20user%20manual.pdf, 2012.
[18] Frontline Test Equipment, Inc. FTS4BT Bluetooth protocol analyzer and packet sniffer. http://www.fte.com/products/fts4bt.aspx, 2012.
[19] Y. Gelzayd. An alternate connection establishment B
…drafts/800-121r1/Draft-SP800-121_Rev1.pdf, September 2011.
[32] M. Ossmann. Bluetooth keyboards: who owns your keystrokes? http://ossmann.com/shmoo-2010/, 2012.
[33] M. Ossmann. Project Ubertooth. http://ubertooth.sourceforge.net/, 2012.
[34] M. Ossmann and D. Spill. Building an all-channel Bluetooth monitor. ShmooCon, an American hacker convention organized by The Shmoo Group, 2009.
[35] Passfaces Corporation. The science behind Passfaces. http://www.realuser.com/published/The%20Science%20Behind%20Passfaces.pdf, 2012.
[36] M. Pusara and C. E. Brodley. User re-authentication via mouse movements. In Proceedings of the 2004 ACM Workshop on Visualization and Data Mining for Computer Security, 2004.
[37] T. Schroeder and M. Moser. Keykeriki: Universal wireless keyboard sniffing for the masses. ph-neutral 0x7d9, 2009.
[38] T. Schroeder and M. Moser. Practical exploitation of modern wireless devices. CanSecWest, 2010.
[39] Y. Shaked and A. Wool. Cracking the Bluetooth PIN. In Proceedings of the 3rd USENIX/ACM Conference on Mobile Systems, Applications and Services (MobiSys), pages 39–50, 2005.
[40] Bluetooth SIG. Bluetooth human interface device profile. http://www.bluetooth.com/, 2003.
[41] Bluetooth SIG. Adopted Bluetooth core specifications. https://www.bluetooth.org/Technical/Specifications/adopted.htm, 2012.
[42] D. Spill. Final report: Implementation of the Bluetooth stack for software defined radio
re able to reconstruct on-screen cursor trajectories based on sniffed raw mouse movement data when a lightweight or complex mouse acceleration algorithm is used. We also presented a careful analysis of how packet loss and variations of packet arrival timing may affect the accuracy of reconstructed cursor trajectories. Finally, we performed an extensive evaluation of an application of Bluetooth mouse sniffing: the inference of passwords that a user enters through an on-screen soft keyboard, and the inference of graphical passwords used by Windows 8. We proposed two approaches for password inference: a basic inferring approach to enumerate all candidate passwords from the clicking topology, and an enhanced inferring approach that utilizes the statistical distribution of human clicking patterns to reduce the number of candidate passwords corresponding to a clicking topology. Our real-world experiments showed the severity of privacy leakage from unencrypted Bluetooth mouse.

We also discussed potential countermeasures to the proposed attacks. We recommend the use of numerical comparison mode for encrypting Bluetooth mouse traffic to prevent the man-in-the-middle attack. A randomized software keyboard can also resist the attack against software keyboard, while we suggest Microsoft choose a better graphical password system for Windows 8. Our future work includes the development of a full-band Bluetooth sniffer using USRP2s. We also
ring approach to derive the password. Our real-world experiments show that the success rate of replay attack against software keyboard on Fedora 13, Windows 7 and Mac OSX 10.6.5 achieves 69%, 100% and 44%, respectively. Please see the footnotes for videos of successful replay attacks on different target OS: Fedora Core 13, Windows 7 (default installation) and Mac OSX 10.6.5. In these videos, our program replays real raw mouse data sniffed by FTS4BT. The data corresponds to clicks on a software keyboard. For the clarity of demonstrating the impact of the attack, at the beginning of each replay we move the cursor to the first character of the password and show that the replay attack can correctly derive the positions of the rest of the password characters. Please refer to Section 4.2.6 for a detailed introduction to these videos. In addition, the video at this footnote demonstrates the replay attack against the Windows 8 picture password.

Our contributions also include a discussion of potential countermeasures to the proposed attacks. Bluetooth has four modes for secure pairing, in which secret keys are negotiated between two pairing devices. We suggest the numerical comparison mode for Bluetooth mouse. As a demo w

Footnotes:
1 Attack Fedora 13: http://youtu.be/qnjqgCCTVTk
2 Attack Windows 7: http://youtu.be/FVJK m3UPjO
3 Attack Mac OSX: http://youtu.be/iFJoHBiYDWg
4 Attack Windows 8 picture password: http://youtu.be/eLUNS pDuIE
stance between mouse events $Z_k$ and $Z_n$, where $1 \le k < n$:

$$D(k,n) = \sqrt{\left(\sum_{i=k}^{n} \Delta x_i\right)^2 + \left(\sum_{i=k}^{n} \Delta y_i\right)^2} \quad (1)$$

Based on distance $D(k,n)$, we can derive the mouse velocity $V(k,n)$ between $Z_k$ and $Z_n$ as

$$V(k,n) = \alpha \times \frac{D(k,n)}{t_n - t_k} \times \beta \quad (2)$$

where $\alpha$ and $\beta$ are the velocity scaling and velocity softening parameters, with default values of 10 and 1, respectively. The Linux command xinput returns these parameters.

To compute the current mouse velocity $V_n$ (note that $V_n$ is not the velocity $V(k,n)$ between $Z_k$ and $Z_n$), the system uses a mouse event queue to buffer mouse events and calculates $V_n$ based on the past mouse events in the queue. Figure 2 shows a mouse event queue with length $l$, whose default value is 16. Denote $Z_n$ as the new mouse event arriving at the queue. We now calculate $V(p,n), V(p+1,n), \ldots, V(n-1,n)$, the mouse velocity between mouse event $Z_n$ and those in the queue, based on Equation (2), where $n-l+1 \le p \le n-1$, $t_n - t_{p-1} > 300\,\mathrm{ms}$ and $t_n - t_p \le 300\,\mathrm{ms}$. It can be observed that mouse events that happened 300ms before the current event $Z_n$ do not participate in the calculation of the mouse velocity $V_n$ for $Z_n$.

$V_n$ is derived as follows. If there is only one mouse event before the mouse event $Z_n$, the current mouse velocity $V_n = V(n-1,n)$. If there are two mouse events before $Z_n$, $V_n = V(n-2,n)$. If there are more than two past mouse events, $V(j,n)$ could be selected as the current mouse velocity $V_n$ by solving the following problem: Maximize
the proposed attacks. Surprisingly, no major operating systems provide a choice of randomized keyboard; neither do most applications. We did find that a few applications use randomized soft keyboard. However, those applications, including ones used by the State Bank of Travancore in India [3] and an online chat system QQ [2], often adopt some rules to alternate a limited number of key layouts. For example, the rules may be based on a state machine. This implies that the entered characters are not purely random in terms of on-screen positions. An attacker who is familiar with those rules may still reconstruct the password from sniffed raw mouse data. Hence, the soft keyboard should be completely randomized while users input sensitive information, or careful analysis should be performed to study the security of those randomization strategies. We leave such analysis as our future work.

6 Related Work

Although there are various attacks against Bluetooth, our work is the first on reconstructing the Bluetooth mouse trajectory and deriving sensitive information such as passwords. Bluetooth sniffing has been investigated in [43, 12, 33, 17]. Attacks on the pairing procedure for deriving link keys are introduced in [39, 28]. Attacks against Bluetooth keyboard are investigated in [8, 32]. For a comprehensive study of Bluetooth security and related attacks, please refer to [22, 31]. Mouse movement can also be used as behavioral biometrics
tooth is that all Bluetooth packets are whitened by default [43]. That is, data in the header and payload are scrambled before transmission. The sniffed mouse data must be un-whitened to obtain the original mouse data. The whitening process uses 6 bits of the clock as input to a linear feedback shift register (LFSR) in order to get a pseudo-random sequence, and then XORs the sequence with the packet data. Fortunately for the attacker, there are only 64 possible starting states of the LFSR, making it easy to un-whiten a packet in a brute-force manner. Notice that the Header Error Code (HEC), which is in the packet's header, is also calculated based on the LFSR, initialized with the UAP (upper address part) of the master device, and thus also needs to be un-whitened. Spill et al. [43, 42] proposed a mechanism to un-whiten Bluetooth data, which is used by Ubertooth. FTS4BT emulates the whole process of Bluetooth communication and can un-whiten the Bluetooth data automatically. In this paper, we use FTS4BT to conduct sniffing in all experiments. We leave the development of a full-band Bluetooth sniffer using USRP2s as our future work.

Appendix B

In this appendix, we introduce in detail how the acceleration $A_n$ in Section 2.2.2 is derived. Before computing the mouse acceleration, the mouse velocity $V_n$ will be smoothed. Let $h$ and $a$ be the acceleration threshold and acceleration factor, respectively. Default values of $h$ and $a$ are 4 and 2, res
uetooth mouse and a victim computer by FTS4BT, we used another computer as the attack computer, which was installed with Ubuntu 8.04, to replay the sniffed mouse data to an impersonating computer, which is installed with the same OS as the victim computer. We now show the results of the replay attack and examine the impact of the packet timing change caused by the replay attack. We first provide the result for a victim computer installed with Fedora Core 13. Figures 14 and 15 show that acceleration and cursor trajectory are changed during the reconstruction in the replay attack. Because acceleration in the replay attack deviates from the original one, the cursor trajectory derived by the replay attack does not overlap with the original trajectory.

Table 3: Password Reconstruction Success Rate (%) for Lightweight and Complex Acceleration Algorithms

                           Basic Inferring                   Enhanced Inferring
                           Small keyboard   Large keyboard   Small keyboard   Large keyboard
Lightweight acceleration   100              100              99               99
Complex acceleration       99               98               98               95

Table 4 shows the success rate and obscurity degree for the replay attack with a large keyboard for 100 passwords. On Fedora 13, we can see that because of more impact from replayed Bluetooth packet timing, the performance of the replay attack is not as good as the prediction attack. Bluetooth packet timing is seriously distorted during the replay. However, a detection rate of 69% is sti
use movement as follows:

$$\Delta x''_n = \Delta x'_n \cdot A_n + R_x, \qquad \Delta y''_n = \Delta y'_n \cdot A_n + R_y \quad (18)$$

where $R_x$ and $R_y$ are the last remainders of mouse motion. The system will then update the remainders:

$$R_x = \Delta x''_n - \mathrm{round}(\Delta x''_n), \qquad R_y = \Delta y''_n - \mathrm{round}(\Delta y''_n) \quad (19)$$

Finally, we can obtain the cursor coordinate on screen:

$$X_{n+1} = X_n + \mathrm{round}(\Delta x''_n), \qquad Y_{n+1} = Y_n + \mathrm{round}(\Delta y''_n) \quad (20)$$

Appendix C

In this appendix, we provide the details of computing the upper bound and lower bound of the complex acceleration strategy in Linux. We assume that a user uses the default mouse setting in the original system configuration file. That is, the Simple Smooth Profile will be used, and the default values of the acceleration threshold $h$ and acceleration factor $a$ are $h = 4$ and $a = 2$, respectively. Based on Equations (11) and (10), we rewrite $S(V_n)$ as follows:

$$S(V_n) = \begin{cases} \frac{2}{\pi}\left(V_n\sqrt{1-V_n^2} + \arcsin V_n\right), & 0 \le V_n < 1 \\ 1, & 1 \le V_n \le 4 \\ 1.5 + \frac{\left(\frac{V_n}{2}-3\right)\sqrt{1-\left(\frac{V_n}{2}-3\right)^2} + \arcsin\left(\frac{V_n}{2}-3\right)}{\pi}, & 4 < V_n < 8 \\ 2, & V_n \ge 8 \end{cases} \quad (21)$$

We now prove the monotonicity of the function $S(V)$ in each subdomain. From the monotonicity of $S(V)$ we can derive the upper bound and lower bound of $S(V)$ in each subdomain.

Case 1: When $0 \le V < 1$, from Equation (21) we can derive $S'(V)$, the derivative of $S(V)$, as follows:

$$S'(V) = \frac{2}{\pi}\left(\sqrt{1-V^2} - \frac{V^2}{\sqrt{1-V^2}} + \frac{1}{\sqrt{1-V^2}}\right) \quad (22)$$

$$= \frac{4(1-V^2)}{\pi\sqrt{1-V^2}} = \frac{4}{\pi}\sqrt{1-V^2} \quad (23)$$

When $0 < V < 1$, we have $S'(V) > 0$. That is, $S(V)$ is monotonically increasing. The bound is 0