SmartProxy: Secure Smartphone-Assisted Login on Compromised Machines
Johannes Hoffmann, Sebastian Uellenbeck, Thorsten Holz
9th Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA), Heraklion, Greece, July 2012
In modern attacks, the attacker's goal often entails illegal gathering of user credentials such as passwords or browser cookies from a compromised web browser. An attacker first compromises the computer via some kind of attack, and then uses the control over the system to steal interesting data that she can utilize for other kinds of attacks (e.g., impersonation attacks). Protecting user credentials from such attacks is a challenging task, especially if we assume to not have trustworthy computer systems. While users may be inclined to trust their personal computers and smartphones, they might not invest the same confidence in the external machines of others, although they sometimes have no choice but to rely on them, e.g, in their co-workers' offices.
To relieve the user from the trust he or she has to grant to these computers, we propose a privacy proxy called SmartProxy, running on a smartphone. The point of this proxy is that it can be accessed from untrusted or even compromised machines via a WiFi or a USB connection, so as to enable secure logins, while at the same time preventing the attacker (who is controlling the machine) from seeing crucial data like user credentials or browser cookies. SmartProxy is capable of handling both HTTP and HTTPS connections and uses either the smartphone's Internet connection, or the fast connection provided by the computer it is linked to. Our solution combines the security benefits of a trusted smartphone with the comfort of using a regular, yet untrusted, computer, i.e., this functionality is especially appealing to those who value the use of a full-sized screen and keyboard.[PDF]