DOI: 10.1145/3643832.3661864
research-article
Open access

RefreshChannels: Exploiting Dynamic Refresh Rate Switching for Mobile Device Attacks

Published: 04 June 2024

Abstract

Mobile devices with dynamic refresh rate (DRR) switching displays have recently become increasingly common. For power optimization, these devices switch to lower refresh rates when idling, and switch to higher refresh rates when the content displayed requires smoother transitions. However, the security and privacy vulnerabilities of DRR switching have not been investigated properly. In this paper, we propose a novel attack vector called RefreshChannels that exploits DRR switching capabilities for mobile device attacks. Specifically, we first create a covert channel between two colluding apps that are able to stealthily share users' private information by modulating the data with the refresh rates, bypassing the OS sandboxing and isolation measures. Second, we further extend its applicability by creating a covert channel between a malicious app and either a phishing webpage or a malicious advertisement on a benign webpage. Our extensive evaluations on five popular mobile devices from four different vendors demonstrate the effectiveness and widespread impacts of these attacks. Finally, we investigate several countermeasures, such as restricting access to refresh rates, and find they are inadequate for thwarting RefreshChannels due to DRR's unique characteristics.

Published In

MOBISYS '24: Proceedings of the 22nd Annual International Conference on Mobile Systems, Applications and Services
June 2024
778 pages
ISBN:9798400705816
DOI:10.1145/3643832
This work is licensed under a Creative Commons Attribution International 4.0 License.

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. mobile devices
  2. security and privacy
  3. covert channel
  4. dynamic refresh rate

Conference

MOBISYS '24
Acceptance Rates

Overall Acceptance Rate 274 of 1,679 submissions, 16%
