LSU Computer Science Faculty Furthering Research Into Smartphone Security
March 1, 2023
BATON ROUGE, LA – Every day, smartphone users utilize biometric data like their fingerprint, facial ID, PIN, and/or voice recognition to unlock their devices. They also use such data to log in to apps, make online purchases, pay bills, etc.
But what if that information could be duplicated and reused? Because such biometrics are static and unchanging, once they are leaked, they can never again be used securely for authentication.
That dilemma is at the heart of LSU Computer Science Assistant Professor Chen Wang’s developing research into hand gripping as a verification method. Last year, with the help of a grant from the Louisiana Board of Regents, Wang’s research focused on notification privacy and using a smartphone’s own musical sounds/vibrations during notification for verification. This time around, and with the backing of a National Science Foundation grant of more than $470,000, his focus has expanded to include a variety of smartphone functions, as well as notification privacy.
“This research focuses on addressing two long-standing issues in mobile device authentication, obtrusiveness and replay threats,” Wang said. “The aim is to reduce the user effort involved in authentication so that they can handle in-situation privacy provisions and to make biometric data not reusable so that an adversary cannot replay your biometrics to spoof your identity.
“The current 3D scanning and printing technologies can forge your fingers, hands, and face. Besides, if the transmission and the storage of your biometric data are not carefully secured, such data could be leaked and reused by an adversary. The biometric data required [for authentication] is all static and never changed. This means that if the biometric data is leaked, an adversary can reuse it to access your device and online accounts.”
So, how does using one’s hand grip for authentication work? When authentication is requested, the smartphone emits near-inaudible ultrasound signals encoded into multiple narrow frequency bands within 17-22 kHz. This encoded acoustic signal propagates along the phone’s surface and is absorbed and reflected by the user’s hand. Because of the hand’s unique biometric features—such as palm size, finger widths/lengths, gripping strengths, and gripping behaviors—the signals that result from the hand grip differ from hand to hand, and they are ultimately received by the phone’s microphone. Wang and his graduate students then develop a deep-learning algorithm to learn the user’s encoded hand biometric features from the microphone-acquired signals. Because the biometric features are encoded differently each time they are sensed, the user needn’t worry that his or her biometric data could be reused by an attacker.
“The cross-domain method developed for notification tones is to leverage the fact that sound and vibration co-exist,” Wang said. “We find that media sounds, such as musical sounds and notification tones, cause the phone’s surface to vibrate more easily than ultrasounds, which can be sensed by the inertial sensors of the phone. The user’s gripping hand affects both the phone’s media sounds and the vibration of the phone’s surface, and the resulting sounds and vibrations are captured by the phone’s microphone and inertial sensors, respectively.
“Thus, we utilize both the acoustic domain and the vibration domain data to verify the user, no matter whether the notification signal is a tone or a vibration alert. An additional security benefit is that the cross-domain sensing information makes replay attacks harder because you will have to forge sensor data in two domains, which further exhibit a unique relationship.”
While Wang’s research may be in progress, his paper on the project, co-authored by Long Huang, was published last year at the Institute of Electrical and Electronics Engineers (IEEE) Symposium on Security & Privacy, which has a paper-acceptance rate of only 15.2%. The event is one of the “Big 4” cybersecurity academic conferences, and Wang’s paper was the first by an LSU researcher as lead author to be accepted at the conference.
He’s confident he won’t be the last.
“I am sure there will be more top-tier security papers published by LSU researchers in the future, as this area arouses increasing attention,” Wang said. “Besides, more and more talented students come and choose their careers in this area. We also have an increasing number of outstanding [cybersecurity] faculty joining LSU. The university’s cybersecurity strategy is significant, and the [LSU Computer Science] department has great support.”
Contact: Joshua Duplechain
Director of Communications