When Your Fitness Tracker Betrays You: Quantifying the Predictability of Biometric Features Across Contexts
2018 IEEE Symposium on Security and Privacy (SP) (2018)
San Francisco, CA, US
May 21, 2018 to May 23, 2018
DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/SP.2018.00053
Simon Eberz, University of Oxford
Giulio Lovisotto, University of Oxford
Andrea Patanè, University of Oxford
Marta Kwiatkowska, University of Oxford
Vincent Lenders, armasuisse
Ivan Martinovic, University of Oxford
Attacks on behavioral biometrics have become increasingly popular. Most research has been focused on presenting a previously obtained feature vector to the biometric sensor, often by the attacker training themselves to change their behavior to match that of the victim. However, obtaining the victim's biometric information may not be easy, especially when the user's template on the authentication device is adequately secured. As such, if the authentication device is inaccessible, the attacker may have to obtain data elsewhere. In this paper, we present an analytic framework that enables us to measure how easily features can be predicted based on data gathered in a different context (e.g., different sensor, performed task or environment). This framework is used to assess how resilient individual features or entire biometrics are against such cross-context attacks. In order to be able to compare existing biometrics with regard to this property, we perform a user study to gather biometric data from 30 participants and five biometrics (ECG, eye movements, mouse movements, touchscreen dynamics and gait) in a variety of contexts. We make this dataset publicly available online. Our results show that many attack scenarios are viable in practice as features are easily predicted from a variety of contexts. All biometrics include features that are particularly predictable (e.g., amplitude features for ECG or curvature for mouse movements). Overall, we observe that cross-context attacks on eye movements, mouse movements and touchscreen inputs are comparatively easy while ECG and gait exhibit much more chaotic cross-context changes.
S. Eberz, G. Lovisotto, A. Patanè, M. Kwiatkowska, V. Lenders and I. Martinovic, "When Your Fitness Tracker Betrays You: Quantifying the Predictability of Biometric Features Across Contexts," 2018 IEEE Symposium on Security and Privacy (SP), San Francisco, CA, US, pp. 740-756.