Hacking in the Blind: (Almost) Invisible Runtime User Interface Attacks
Luka Malisa, Kari Kostiainen, Thomas Knell, David Sommer, and Srdjan Capkun
{firstname.lastname}@inf.ethz.ch [email protected]
User Interfaces
• Used for daily and critical tasks
• Consists of input and output
[Diagram labels: Computer System, User Interface, Input, Output]
User Interface Attacks
[Diagram labels: Input, Output, Computer System, App, App…]
UI Attacks are often possible
1. Brief and non-invasive
2. Bypass security features
Existing Command Injection Attacks
1. New Keyboard
2. New Mouse
• Drawbacks
- Registers new peripherals
- Installs malware
- Assume user not present
Limitations
• Observations
1. Hardened devices
2. Malware installation not possible
3. Damaging attacks possible only when user is present
Can we attack without installing malware?
Our Attack
• Benefits
+ Does not install new peripherals
+ Does not install malware
+ Assume user is present
Heart rate = 100
1. Click Blocked
2. Inject Events
3. Heart rate = 1000
Our Attack
Attack Demonstration
Attack Overview
Mouse Location Estimator
Mouse Events: Up 10px, Left 10px
Mouse Events: Up 100px, Left 100px
Mouse Events: Right 150px, Down 150px
State Tracking
[Login dialog: Username: John Doe, Password: ******, buttons: Cancel, Login]
State Tracking
[Diagram labels: dialogs with buttons Cancel / Login, Cancel / OK, Button 2 / Button 1; states: State 0, State 1, State 2]
1 Click outside
2 Click “Login”
3 Click “Cancel”
State Tracking
• Maintain all possible options
• Strategies to assign probabilities
1. Both buttons are equally likely
2. “Cancel” is more likely (more area)
3. “Login” is more likely (clicked more often)
• Introduce expert knowledge through assumptions on probabilities
[Diagram: dialog with buttons Cancel, Login]
Attack Overview
User Interface Models
[Diagram labels: E-Banking UI with fields "Pay to:" and "Amount:" and buttons Cancel, Submit; Full Model; Partial Model; element types Text, Button; Application]
Attack Applicability
[Decision diagram: questions "UI unique?" and "App simple?" with Yes / No branches; outcomes: Partial model, Full model, Not applicable]
Evaluation
Simulated Pacemaker Programmer
State Estimation Accuracy: 90% after 10 clicks
Attack Success Rate: >90%
Evaluation
E-Banking
Attack Success Rate: >90%
Processing Delay: 40ms
Countermeasures
• Preventing our attack
1. Trusted path
2. Biometrics
3. Randomized UIs
(See paper for others)
Discussion
• No signs of attacks in the wild, but hardware exists
• Attack device easy to minimize
• Small footprint
Conclusion
• Hacking-in-the-Blind
• A novel UI attack
• Easy to deploy
• Invisible to malware detection
• Accurate and stealthy
Thank you!