Elsevier

Computers & Security

Volume 76, July 2018, Pages 252-264

JFCGuard: Detecting juice filming charging attack via processor usage analysis on smartphones

https://doi.org/10.1016/j.cose.2017.11.012

Highlights

  • We conduct a new study to explore the impact of JFC attack on both CPU and GPU usage.

  • There is a more noticeable usage change by considering both CPU and GPU usage than considering CPU usage alone.

  • We design JFCGuard, a security mechanism to intelligently detect JFC attacks for smartphone users.

  • In the evaluation, we perform a new user study with over 250 participants to investigate the performance of JFCGuard.

Abstract

Smartphones have become necessities in people's lives, and many more public charging stations are being deployed worldwide (e.g., in airports, subways and shops) to meet the increasing demand for phone charging. However, this gives cyber-criminals an opening to launch various attacks, especially charging attacks, and threaten users' privacy. As an example, the juice filming charging (JFC) attack is able to steal users' sensitive and private information from both Android OS and iOS devices by automatically recording the phone screen and monitoring users' inputs during the whole charging period. More importantly, this attack does not need any permission or the installation of any app on the user's side. The rationale is that users' information can be leaked through a standard micro USB connector that employs the Mobile High-Definition Link (MHL) standard. Motivated by the potential damage of the JFC attack, in this work we investigate its impact on processor usage, including both CPU and GPU usage. It is found that the JFC attack would cause a noticeable usage increase when connecting the phone to the JFC charger. Then, we design a security mechanism, called JFCGuard, to detect the JFC attack based on processor usage analysis for smartphone users. In the evaluation, we perform a user study with over 250 participants, and the results demonstrate that JFCGuard can identify the JFC attack effectively. Our work aims to complement existing research results and stimulate more research in this area.

Introduction

Due to their wide adoption by millions of people, smartphones remain the most used handheld devices. International Data Corporation (IDC) reported that vendors shipped a total of 347.4 million smartphones worldwide in the first quarter of 2017, an increase of 4.3%, which was slightly higher than the previous forecast of 3.6% growth (IDC, 2017). As smartphones offer a variety of applications for communication and entertainment, more and more users are likely to store their personal data on their phones and use them for sensitive operations and transactions (Mylonas et al., 2013; Schlegel et al., 2011). As a result, people use smartphones constantly in their daily lives, which greatly increases the demand for recharging mobile devices and for deploying public charging stations. As an example, Singapore Power (SP) promised to provide 200 free public charging stations for people to charge their mobile devices (Singapore, 2015).

Free public charging stations are often available in public areas such as airports, shopping malls, and subways; however, these stations could give cyber-criminals an opening to launch specific attacks, especially charging attacks, threatening smartphone privacy and security. An early charging attack was designed by Lau et al. (2013), who presented Mactans, a malicious charger based on BeagleBoard that launches charging attacks by injecting malware into an iOS 6 device during the charging process. Spolaor et al. (2017) then proposed PowerSnitch, a malicious application that can use power consumption to send data out over a USB charging cable to the public charging station. Since we cannot be sure that these charging facilities are not maliciously controlled by cyber-criminals, including charging station developers, maintenance managers and government agencies, there is a need to pay particular attention to charging vulnerabilities in public charging facilities.

Mactans and PowerSnitch highlighted the impact of charging attacks, but they could be only effective on either iOS or Android devices. In recent literature, Meng et al. (2015) developed juice filming charging (JFC) attack, which is able to steal users' sensitive information on both Android OS and iOS devices, through automatically recording phone screen information during the charging process. All the interactions could be recorded as long as people keep charging and interacting with their phones. JFC attack is believed to be more scalable than Mactans and PowerSnitch, which can cause a wider impact on smartphone privacy. In summary, JFC attack can offer seven features: 1) can be easy to implement but quite efficient; 2) with less user awareness; 3) does not need to install any additional apps or components on phones; 4) does not need to ask for any permissions; 5) cannot be detected by any current anti-malware software; 6) can be scalable and effective on both Android OS and iOS devices; and 7) can automatically extract textual information from the collected videos by integrating OCR technology (Meng et al., 2016).

Due to the potential damage of charging attacks, there is a great need to identify such threats promptly. As the JFC attack does not need to install any app or require any permission on the smartphone's side, it could have a large impact on users' privacy and would be more difficult to detect than Mactans and PowerSnitch. Therefore, the motivation of this work is to design an appropriate security mechanism to detect the JFC attack.

Contributions. Understanding how applications consume energy during execution is a promising method for threat detection, e.g., malware detection (Hoffmann et al., 2013; Polakis et al., 2015). Our previous work (Jiang et al., 2017) found that the JFC attack could cause an anomaly in CPU usage; however, raising awareness among common users is hard. Motivated by this, in this work we focus on the detection of the JFC attack and investigate its impact on processor usage, including both CPU and GPU, on smartphones. Then, we design JFCGuard, a security mechanism to identify JFC attacks for smartphone users. To our knowledge, this is an early work to discuss the detection of the JFC attack via processor usage analysis. Our effort attempts to complement existing results and stimulate more attention on charging attacks. The main contributions of our work can be summarized as below.

  • Intuitively, it is hard to identify JFC attack via power consumption, as this attack occurs when the phone is connecting to a charger. It would be more feasible to detect charging attacks through analyzing processor usage. In this work, we first conduct a study to analyze processor usage including both CPU and GPU on smartphones during JFC attack with ten mobile devices. It is found that JFC attack may cause a noticeable usage change when connecting the phones to the JFC charger.

  • Since the processor usage may be affected by many applications, we further design JFCGuard, a security mechanism to intelligently detect JFC attacks for smartphone users. This mechanism employs a machine learning classifier to decide whether the current charging trial is a potential JFC attack. In the evaluation, we perform a study with over 250 participants to investigate the performance of JFCGuard. The results demonstrate that JFCGuard can promisingly detect JFC attack in an effective way.

Organization. In Section 2, we first introduce the background of juice filming charging (JFC) attack including how to implement it in a real scenario, and then review related work on charging threats and several kinds of attacks in inferring users' private information, e.g., malware, side channels and physical access attacks. Section 3 conducts a study to analyze processor usage during JFC attack with a set of smartphones, and Section 4 describes JFCGuard, a security mechanism to detect JFC attack in an intelligent and effective way for smartphone users. Section 5 conducts an evaluation with over 250 participants to investigate the performance of JFCGuard. Finally, we make a discussion in Section 6 and conclude our work in Section 7.

Section snippets

Background of juice filming charging attack

JFC attack (Meng et al., 2015; Meng et al., 2016) was developed based on the observation that no permissions would be asked and no compelling notification (the indicators are very small and last only a few seconds) would be shown when connecting iPhones or Android phones to a projector, while the projector can automatically display the phone screen according to the Mobile High-Definition Link (MHL) standard. Taking advantage of these, JFC attack is able to automatically video-record phone screen

Processor usage analysis for JFC attack

As explained above, the JFC attack does not need to install any application on the smartphone's side, nor does it need any permissions from users; thus, it is very difficult for current security mechanisms to detect. However, our previous study (Jiang et al., 2017) showed that JFC would cause a change of CPU usage on smartphones, as it has to stream the screen information out of the phone. It was also found that JFC attack could cause CPU usage to increase in a range from 1% to 4% and

JFCGuard: A security mechanism against JFC attack

Our study shows that JFC attack could increase processor usage in a range from 6% to 14% and from 5% to 10% for both Android OS and iOS devices in a clean mobile environment and a normal scenario, respectively. This opens an opportunity to detect charging threats, but smartphone users often pay less attention to such anomaly in practice. To better protect users' privacy, there is a need to design an intelligent security mechanism to analyze processor usage in an effective way. Motivated by
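The usage comparison described above, as an added example (not the paper's code): it derives CPU usage from consecutive /proc/stat snapshots, adds a GPU busy percentage, and flags a rise that follows charger plug-in. A fixed threshold with a noise guard stands in for JFCGuard's machine learning classifier, whose features this page does not give; the sample values, the summing of CPU and GPU usage, `MIN_RISE` and all function names are assumptions.

```python
from statistics import mean, pstdev

# Assumption: smallest rise (percentage points) treated as suspicious, taken
# from the lower end of the 5%-10% range this page reports for normal use.
MIN_RISE = 5.0

def parse_cpu_line(line):
    """Return (idle, total) jiffies from the aggregate 'cpu' line of /proc/stat."""
    fields = line.split()
    if fields[0] != "cpu" or len(fields) < 9:
        raise ValueError("expected the aggregate 'cpu' line with 8+ counters")
    # user nice system idle iowait irq softirq steal (guest is counted in user)
    values = [int(v) for v in fields[1:9]]
    return values[3] + values[4], sum(values)  # idle + iowait, total

def cpu_usage(snapshots):
    """CPU busy percentage for each interval between consecutive snapshots."""
    parsed = [parse_cpu_line(s) for s in snapshots]
    usage = []
    for (idle0, total0), (idle1, total1) in zip(parsed, parsed[1:]):
        d_total = total1 - total0
        if d_total <= 0:
            raise ValueError("counters did not advance between snapshots")
        usage.append(100.0 * (d_total - (idle1 - idle0)) / d_total)
    return usage

def assess(snapshots, gpu_busy, plug_index):
    """Compare summed CPU+GPU usage before and after the plug-in snapshot."""
    cpu = cpu_usage(snapshots)
    if len(gpu_busy) != len(cpu):
        raise ValueError("need one GPU reading per interval")
    combined = [c + g for c, g in zip(cpu, gpu_busy)]
    before, after = combined[:plug_index], combined[plug_index:]
    if not before or not after:
        raise ValueError("need intervals on both sides of the plug-in event")
    rise = mean(after) - mean(before)
    # Noise guard (assumption): the rise must also exceed twice the spread of
    # the baseline, since other apps move processor usage on their own.
    noise = 2 * pstdev(before)
    return {"rise": rise, "suspicious": rise >= MIN_RISE and rise > noise}

# Constructed sample: seven /proc/stat snapshots, charger plugged at snapshot 3.
SNAPSHOTS = [
    "cpu  1000 0 500 8000 100 0 0 0 0 0",
    "cpu  1150 0 550 8790 110 0 0 0 0 0",
    "cpu  1310 0 610 9570 110 0 0 0 0 0",
    "cpu  1460 0 670 10360 110 0 0 0 0 0",
    "cpu  1630 0 750 11110 110 0 0 0 0 0",
    "cpu  1790 0 830 11870 110 0 0 0 0 0",
    "cpu  1970 0 910 12610 110 0 0 0 0 0",
]
# Constructed GPU busy % per interval; how it is read is device-specific.
GPU_BUSY = [10.0, 12.0, 11.0, 17.0, 18.0, 19.0]

if __name__ == "__main__":
    print(assess(SNAPSHOTS, GPU_BUSY, plug_index=3))
```

In the constructed data the CPU-only rise is 4 percentage points, while the summed CPU and GPU rise is 11, which is why the combined signal clears the threshold when CPU alone would not.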

Evaluation

In this section, we conduct a user study to investigate the performance of JFCGuard in detecting JFC attack in various scenarios, and collect users' feedback on smartphone malware and charging threats.

Discussion

User awareness on the change of processor usage. During the study, participants were invited to charge their phones using our deployed JFC charger. In the last step, all participants were asked to identify whether there was a usage change after connecting their phones to the charger. It is found that 91 (31.8%) participants were able to mention charging attack, while the others could not state the correct reason. As compared to the change scope in Jiang et al. (2017), there is a more noticeable

Conclusion

With the increasing need of recharging smartphones, public charging stations are widely available, which may open a potential hole for cyber-criminals to steal users' sensitive and private data by launching charging attacks, like juice filming charging (JFC) attack that can steal users' private information from both Android OS and iOS devices through automatically recording phone screen, including all users' inputs during the whole charging period. In this work, we focus on the detection of JFC

Acknowledgments

We would like to thank all participants for their hard work in the user study. This work was partially supported by National Natural Science Foundation of China (No. 61472091), Natural Science Foundation of Guangdong Province for Distinguished Young Scholars (2014A030306020), Science and Technology Planning Project of Guangdong Province, China (2015B010129015) and the Innovation Team Project of Guangdong Universities (No. 2015KCXTD014).


References (45)

  • A.J. Aviv et al.

    Smudge attacks on smartphone touch screens

  • L. Cai et al.

    TouchLogger: inferring keystrokes on touch screen from smartphone motion

  • M. Curti et al.

    Towards energy-aware intrusion detection systems on mobile devices

  • J. Han et al.

    ACComplice: location inference using accelerometers on smartphones

  • J. Hoffmann et al.

    Mobile malware detection based on energy fingerprints a dead end?

  • IDC

    Worldwide Smartphone Market Gains Steam in the First Quarter of 2017 with Shipments up 4.3%

  • L. Jiang et al.

    Exploring energy consumption of juice filming charging attack on smartphones: a pilot study

  • D.F. Kune et al.

    Timing attacks on PIN input devices

  • B. Lau et al.

    Mactans: injecting malware into iOS devices via malicious chargers

    (2013)

  • W. Li et al.

    Trust it or not? An empirical study of rating mechanism and its impact on smartphone malware propagation

  • C.-C. Lin et al.

    Screenmilker: how to milk your Android screen for secrets

  • P. Marquardt et al.

    (sp)iPhone: decoding vibrations from nearby keyboards using mobile phone accelerometers

Cited by (21)

    • USB powered devices: A survey of side-channel threats and countermeasures

      2021, High-Confidence Computing
      Citation Excerpt :

      However, the increased CPU usage by JFC attack has minimal effect on the user experience, being imperceptible by the average user. Based on these findings, Meng et al. in [61] further studied the impact of JFC attacks on both CPUs and GPUs usage to develop JFCGuard. This security mechanism monitors and analyzes CPU and GPU usage during the end device’s charging.

    • Toward supervised shape-based behavioral authentication on smartphones

      2020, Journal of Information Security and Applications
      Citation Excerpt :

      For example, users are difficult to remember a strong textual password due to the long-term memory limitations [5]. In addition, passwords can be easily compromised under an adversary scenario, i.e., phone charging attacks enable the recording of the screen during the charging period [6,7]. In the literature, various graphical passwords like [5,8] are proposed aiming to ease the memory burden of users by interacting with images, but such kind of password still suffers the same issues like charging attacks.

    • Detecting insider attacks in medical cyber–physical networks based on behavioral profiling

      2020, Future Generation Computer Systems
      Citation Excerpt :

      For instance, the number of information security breaches reported by healthcare providers had an increase of 60% from 2013 to 2014, where the increase rate is only 30% in other industries [[6]]. As medical industry is evolving rapidly, the security of medical CPS should be given much more attention [[7]]. Motivations.

    • Towards detection of juice filming charging attacks via supervised CPU usage analysis on smartphones

      2019, Computers and Electrical Engineering
      Citation Excerpt :

      However, JFC attack detection can be made more effective if we know the average users’ usage behavior and measure the device’s CPU usage for different application types during the charging. This is an area that has not been explored in the literature, such as those of [8–10]. We posit the importance of having a better understanding of device usage, as such information (e.g., the types of applications typically used while a device is being charged) can inform the mitigation of such attacks.

    • A blockchain-based location privacy-preserving crowdsensing system

      2019, Future Generation Computer Systems
      Citation Excerpt :

      Executing of the smart contract allows for safe and fair trading, which has positive impacts on the efficiency of transactions between workers and requesters. Various technologies have been proposed to protect a worker’s location information [22–31]. For example, dummy locations [22] protects user locations by adding false positions to the true location information before sending it to the server.


    Weizhi Meng is currently an assistant professor in the Department of Applied Mathematics and Computer Science, Technical University of Denmark (DTU), Kongens Lyngby, Denmark. He obtained his Ph.D. degree in Computer Science from the City University of Hong Kong (CityU), Hong Kong in 2013. He won the Outstanding Academic Performance Award during his doctoral study and won the HKIE Outstanding Paper Award for Young Engineers/Researchers in both 2014 and 2017. He is a member of ACM and IEEE. His primary research interests are cyber security and intelligent technology in security including intrusion detection, mobile security, biometric authentication, HCI security, cloud security, trust computation, and vulnerability analysis.

    Lijun Jiang is a master's student in the Department of Computer Science, City University of Hong Kong. He has actively participated in many research projects, with broad research interests including network security, intrusion detection, spam detection, and HCI security.

    Yu Wang received his Ph.D. degree in Computer Science from Deakin University, Victoria, Australia. He is currently an associate professor at the School of Computer Science, Guangzhou University, China. His research interests include network traffic analysis, mobile networks, social networks, and cyber security.

    Jin Li received his B.S. degree (2002) in Mathematics from Southwest University and the Ph.D. degree in Information Security from Sun Yat-sen University in 2007. Currently, he is a professor at Guangzhou University. He has been selected as one of the science and technology new stars in Guangdong province. His research interests include security in cloud computing and applied cryptography. He has published over 80 research papers in refereed international conferences and journals, and has served as the Program Chair or Program Committee Member in many international conferences.

    Jun Zhang leads a research and development team working in cyber security. He received his Ph.D. from University of Wollongong, Australia, in 2011. Jun Zhang is currently an associate professor in School of Software and Electrical Engineering, Swinburne University of Technology. He is also the deputy director of Swinburne Cybersecurity Lab (SCLab). He has published more than 80 research papers in refereed international journals and conferences and received 2009 Chinese government award for outstanding student abroad. He is a member of the IEEE.

    Yang Xiang received his Ph.D. in Computer Science from Deakin University, Australia. He is the Dean of Digital Research and Innovation Capability Platform, Swinburne University of Technology, Australia. His research interests include cyber security, which covers network and system security, data analytics, distributed systems, and networking. In particular, he is currently leading his team developing active defense systems against large-scale distributed network attacks. He has published more than 200 research papers in many international journals and conferences. He is the Coordinator, Asia for IEEE Computer Society Technical Committee on Distributed Processing (TCDP). He is a Senior Member of the IEEE.

    1 The author was previously known as Yuxin Meng, and the work was finalized during a visit at Guangzhou University.
