PITTの電気・コンピュータエンジニアが、Android携帯電話のハードウェアセキュリティの脆弱性を発見 Pitt Electrical and Computer Engineers Uncover Hardware Security Vulnerability on Android Phones
2022-04-01 ピッツバーグ大学(PITT)
<関連情報>
- https://news.engineering.pitt.edu/pitt-prevents-potential-phone-password-plunder/
- https://dl.acm.org/doi/abs/10.1145/3503222.3507757
スマートフォンのGPUサイドチャネルを経由したユーザー認証情報の盗聴について Eavesdropping user credentials via GPU side channels on smartphones
Boyuan Yang,Ruirong Chen,Kai Huang,Jun Yang,Wei Gao
ACM Journals Published:28 February 2022
https://doi.org/10.1145/3503222.3507757
ABSTRACT
Graphics Processing Unit (GPU) on smartphones is an effective target for hardware attacks. In this paper, we present a new side channel attack on mobile GPUs of Android smartphones, allowing an unprivileged attacker to eavesdrop the user’s credentials, such as login usernames and passwords, from their inputs through on-screen keyboard. Our attack targets on Qualcomm Adreno GPUs and investigate the amount of GPU overdraw when rendering the popups of user’s key presses of inputs. Such GPU overdraw caused by each key press corresponds to unique variations of selected GPU performance counters, from which these key presses can be accurately inferred. Experiment results from practical use on multiple models of Android smartphones show that our attack can correctly infer more than 80% of user’s credential inputs, but incur negligible amounts of computing overhead and network traffic on the victim device. To counter this attack, this paper suggests mitigations of access control on GPU performance counters, or applying obfuscations on the values of GPU performance counters.
