Using smartphones — instead of body parts — for identification to deter cybercrime

First observed in conventional digital cameras, PRNU analysis is common in digital forensic science. For example, it can help settle copyright lawsuits involving photographs.

But it hasn’t been applied to cybersecurity — despite the ubiquity of smartphones — because extracting it had required analyzing fifty photos taken by a camera, and experts though that customers wouldn’t be willing to supply that many photos. Plus, savvy cybercriminals can fake the pattern by analyzing images taken with a smartphone that victims post on unsecured websites.

Applying the technique to cybersecurity
The study addresses how each of these challenges can be overcome.

Compared to a conventional digital camera, the image sensor of a smartphone is much smaller. The reduction amplifies the pixels’ dimensional non-uniformity and generates a much stronger PRNU. As a result, it’s possible to match a photo to a smartphone camera using one photo instead of the fifty normally required for digital forensics.

“I think most people assumed you would need 50 images to identify a smartphone camera. But our research shows that’s not the case,” says Ren, an IEEE (Institute of Electrical and Electronics Engineers) Fellow and an ACM (Association for Computing Machinery) Distinguished Scientist.

To prevent forgeries, Ren designed a protocol — it is part of the authentication process described below — which detects and stops two types of attacks.

How the new security protocol works
The study discusses how such a system might work. First, a customer registers with a business — such as a bank or retailer — and provides that business with a photo that serves as a reference.

When a customer initiates a transaction, the retailer asks the customer (likely through an app) to photograph two QR codes (a type of barcode that contains information about the transaction) presented on an ATM, cash register or other screen.

Using the app, the customer then sends the photograph back to the retailer, which scans the picture to measure the smartphone’s PRNU. The retailer can detect a forgery because the PRNU of the attacker’s camera will alter the PRNU component of the photograph.

More savvy cybercriminals could potentially remove the PRNU from their device. But Ren’s protocol can spot this because the QR codes include an embedded probe signal that will be weakened by the removal process.

The transaction is either approved or denied based upon these tests.

Results and what’s next
Buffalo notes that the protocol defeats three of the most common tactics used by cybercriminals: fingerprint forgery attacks, man-in-the-middle attacks and replay attacks. It was 99.5 percent accurate in tests involving 16,000 images and 30 different iPhone 6s smartphones and 10 different Galaxy Note 5s smartphones.

Ren plans to lead future experiments on smartphones that include two cameras, which he said could be used to make the forgery attacks more difficult.