Shoulder surfing attacks are an unfortunate consequence of entering passwords or PINs into computers, smartphones, PoS terminals, and ATMs. Such attacks generally involve observing the victim's input device. This project studies leakage of user secrets (passwords and PINs) based on observations of output devices (screens or projectors) that provide "helpful" feedback to users in the form of masking characters, each corresponding to a keystroke. To this end, we developed a new attack called Secret Information Leakage from Keystroke Timing Videos (SILK-TV). Our attack extracts inter-keystroke timing information from videos of password masking characters displayed when users type their password on a computer, or their PIN at an ATM or PoS.
The paper detailing our attack is available at this link. The dataset used in our work can be downloaded from this link.
The New York Institute of Technology hereby grants to You a non-exclusive, non-transferable, revocable license to use the PIN Dataset solely for Your non-commercial, educational, and research purposes only, but without any right to copy or reproduce, publish or otherwise make available to the public or communicate to the public, sell, rent or lend the whole or any constituent part of the PIN Dataset thereof. The PIN Dataset shall not be redistributed without the express written prior approval of The New York Institute of Technology. You agree to respect the privacy of those human subjects whose smartphone usage behavior data are included in the PIN Dataset. Do not attempt to reverse the anonymization process to identify specific identifiers including, without limitation, names, postal address information, telephone numbers, e-mail addresses, social security numbers, and biometric identifiers. You agree not to reverse engineer, separate or otherwise tamper with the PIN Dataset so that data can be extracted and used outside the scope of that permitted in this Agreement.
You agree to acknowledge the source of the PIN Dataset in all of Your publications and presentations based wholly or in part on the PIN Dataset. You agree to provide a disclaimer in any publication or presentation to the effect that The New York Institute of Technology does not bear any responsibility for Your analysis or interpretation of PIN Dataset.
You agree and acknowledge that The New York Institute of Technology may hold, process, and store any personal data submitted by You for validation and statistical purposes and for the purposes of the administration and management of the PIN Dataset. You agree that any personal data submitted by You is accurate to the best of Your knowledge.
The New York Institute of Technology provides the PIN Dataset "AS IS," without any warranty or promise of technical support, and disclaims any liability of any kind for any damages whatsoever resulting from use of the PIN Dataset.
The New York Institute of Technology makes no warranties, express or implied, with respect to the PIN Dataset, including any implied warranty of merchantability or fitness for a particular purpose, which are hereby expressly disclaimed.
Your acceptance and use of the PIN Dataset binds you to the terms and conditions of this License as stated herein.