TY - JOUR
T1 - Password extraction via reconstructed wireless mouse trajectory
AU - Pan, Xian
AU - Ling, Zhen
AU - Pingley, Aniket
AU - Yu, Wei
AU - Zhang, Nan
AU - Ren, Kui
AU - Fu, Xinwen
N1 - Publisher Copyright:
© 2004-2012 IEEE.
PY - 2016/7/1
Y1 - 2016/7/1
N2 - Logitech made the following statement in 2009: 'Since the displacements of a mouse would not give any useful information to a hacker, the mouse reports are not encrypted.' In this paper, we prove the exact opposite is true - i.e., it is indeed possible to leak sensitive information such as passwords through the displacements of a Bluetooth mouse. Our results can be easily extended to other wireless mice using different radio links. We begin by presenting multiple ways to sniff unencrypted Bluetooth packets containing raw mouse movement data. We then show that such data may reveal text-based passwords entered by clicking on software keyboards. We propose two attacks, the prediction attack and replay attack, which can reconstruct the on-screen cursor trajectories from sniffed mouse movement data. Two inference strategies are used to discover passwords from cursor trajectories. We conducted a holistic study over all popular operating systems and analyzed how mouse acceleration algorithms and packet losses may affect the reconstruction results. Our real-world experiments demonstrate the severity of privacy leakage from unencrypted Bluetooth mice. We also discuss countermeasures to prevent privacy leakage from wireless mice. To the best of our knowledge, our work is the first to demonstrate privacy leakage from raw mouse data.
AB - Logitech made the following statement in 2009: 'Since the displacements of a mouse would not give any useful information to a hacker, the mouse reports are not encrypted.' In this paper, we prove the exact opposite is true - i.e., it is indeed possible to leak sensitive information such as passwords through the displacements of a Bluetooth mouse. Our results can be easily extended to other wireless mice using different radio links. We begin by presenting multiple ways to sniff unencrypted Bluetooth packets containing raw mouse movement data. We then show that such data may reveal text-based passwords entered by clicking on software keyboards. We propose two attacks, the prediction attack and replay attack, which can reconstruct the on-screen cursor trajectories from sniffed mouse movement data. Two inference strategies are used to discover passwords from cursor trajectories. We conducted a holistic study over all popular operating systems and analyzed how mouse acceleration algorithms and packet losses may affect the reconstruction results. Our real-world experiments demonstrate the severity of privacy leakage from unencrypted Bluetooth mice. We also discuss countermeasures to prevent privacy leakage from wireless mice. To the best of our knowledge, our work is the first to demonstrate privacy leakage from raw mouse data.
UR - http://www.scopus.com/inward/record.url?scp=84978708604&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84978708604&partnerID=8YFLogxK
U2 - 10.1109/TDSC.2015.2413410
DO - 10.1109/TDSC.2015.2413410
M3 - Article
AN - SCOPUS:84978708604
SN - 1545-5971
VL - 13
SP - 461
EP - 473
JO - IEEE Transactions on Dependable and Secure Computing
JF - IEEE Transactions on Dependable and Secure Computing
IS - 4
M1 - 7061471
ER -