AUT-3 and 4: Add usage of scrambled keypad as possible countermeasure
Threat ID:
AUT-3, AUT-4
Type of Comment:
T
Proposed Change:
Add the use of a scrambled keypad in PIN/password entry prompts as a possible countermeasure.
Justification:
The paper referenced in the exploit example (“Black Hat: Google Glass Can Steal Your Passcodes” [126]) suggests using a Privacy Enhancing Keyboard and/or a scrambled keyboard for privileged prompts.
Although this is not widely adopted in the industry, CyanogenMod has had it since 2014 with version 11.
Text from the paper:
In order to defend against many computer vision based attacks including the one in this paper, we designed a context aware randomized software keyboard for Android, denoted as a Privacy Enhancing Keyboard (PEK). A PEK automatically shows a conventional QWERTY keyboard for normal text input and pops up a randomized keyboard for the input of sensitive information such as passcodes. The first PEK prototype was demonstrated at the ACM Conference on Computer and Communications Security (CCS) Workshop on Security and Privacy in Smartphones and Mobile Devices (SPSM) in October, 2012.
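The following is an added illustration of the countermeasure the comment proposes, written here as an example; it is not code from the cited paper, from CyanogenMod, or from the comment's author. It models a PEK-style keypad in plain Python: a conventional 3x4 phone layout for ordinary fields, a freshly shuffled layout (drawn from the OS CSPRNG) for sensitive prompts, the mapping from tap positions back to digits that the entry prompt needs, and a helper showing what an observer who saw only tap positions and assumed the conventional layout would conclude. All names and the 12-slot grid shape are assumptions of this example.

```python
import secrets
from typing import List, Optional, Sequence, Tuple

# Conventional phone-style keypad read row by row: 3 columns, 4 rows,
# with "0" at the bottom centre. Slots 9 and 11 are blank (assumed shape).
CONVENTIONAL: Tuple[str, ...] = ("1", "2", "3",
                                 "4", "5", "6",
                                 "7", "8", "9",
                                 "",  "0", "")

DIGITS = "0123456789"


def randomized_layout(rng: Optional[secrets.SystemRandom] = None) -> Tuple[str, ...]:
    """Return a keypad layout with the ten digits in random slots.

    secrets.SystemRandom draws from the OS CSPRNG, so one prompt's layout
    cannot be predicted from layouts shown in earlier prompts.
    """
    rng = rng or secrets.SystemRandom()
    keys = list(DIGITS)
    rng.shuffle(keys)
    # Keep the same grid shape as the conventional pad: blanks stay in 9 and 11.
    return tuple(keys[:9]) + ("", keys[9], "")


def layout_for_prompt(sensitive: bool) -> Tuple[str, ...]:
    """PEK behaviour: conventional keys for normal input, randomized for passcodes."""
    return randomized_layout() if sensitive else CONVENTIONAL


def decode_taps(layout: Sequence[str], positions: Sequence[int]) -> str:
    """Translate the slot indices the user tapped back into the digits entered.

    The prompt must decode against the layout it actually displayed; taps on
    a blank slot are rejected rather than silently dropped.
    """
    digits = []
    for p in positions:
        key = layout[p]
        if not key:
            raise ValueError(f"slot {p} is blank on this layout")
        digits.append(key)
    return "".join(digits)


def positions_for(layout: Sequence[str], pin: str) -> List[int]:
    """Slot indices a user has to tap on `layout` to enter `pin`."""
    return [layout.index(d) for d in pin]


def observer_guess(positions: Sequence[int]) -> str:
    """What a shoulder surfer who recorded only tap positions and assumed the
    conventional layout would conclude the PIN was (blanks yield nothing)."""
    return "".join(CONVENTIONAL[p] for p in positions)


def render(layout: Sequence[str]) -> str:
    """Text rendering of a layout, one keypad row per line."""
    rows = [layout[i:i + 3] for i in range(0, 12, 3)]
    return "\n".join(" ".join(k or "." for k in row) for row in rows)


if __name__ == "__main__":
    pin = "4711"  # constructed sample PIN
    layout = layout_for_prompt(sensitive=True)
    taps = positions_for(layout, pin)
    print(render(layout))
    print("taps:", taps)
    print("prompt decodes:", decode_taps(layout, taps))
    print("observer assuming conventional pad:", observer_guess(taps))
```

The point the example makes concrete is that the prompt decodes taps against the layout it displayed, while an observer who only captured tap positions (or fingertip motion) learns nothing unless they also captured the layout on screen; the same function `positions_for` shows why the conventional layout leaks the PIN directly.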