A new research project teaches smartphones to familiarize themselves with their owners' behavior so they can recognize when they might have been stolen, and lock themselves to keep a thief from accessing valuable information.
A New Scientist report highlights a project by researchers at Glasgow Caledonian University and the University of Edinburgh in Scotland to find a practical use of "implicit authentication," a process by which a smartphone requires a PIN for further use when the user is exhibiting unusual behavior.
The researchers suggest the device creates a specific “user profile” silently in the first week that the phone is in use. The smartphone is considered to be in “training mode” while it collects the data required to make up a user profile based on "sensor data from Wi-Fi networks, cell towers, application use, light and noise levels, and device system stats," among other information, the researchers explained in a report (PDF).
After collecting data for about a week, the smartphone would automatically transition from its "training mode" to "deployment mode," relying on the data gathered in training mode to recognize when it’s being used by its owner. This recognition is graded on a "comfort level," which reflects how familiar the user’s behavior is while the smartphone is in use. The comfort rating process is designed to account for repeated signs of unfamiliar use, not just random fluctuations that may occur when a user is traveling. From the paper:
"While the computed score provides a basis for comfort, a single event alone does not provide the sufficient level of granularity for establishing comfort. For example, even if the application was never used at a given location or hourly, events leading to the anomalous application use may indicate familiarity based on connected wifi and cell towers. This way, if the user is at a familiar location as established by wifi and cell tower models, an anomalous use of an application will produce ‘discomfort’ proportionally. Needless to say, if the available wifi networks are unfamiliar, cell towers indicate an unknown location and the application use is anomalous, the device will exhibit the most discomfort."
If the user's behavior strays far enough from the norm that the comfort level dips below the "detection threshold," the smartphone would automatically lock itself and require a preset PIN or password. The researchers tested theft of these smartphones by "informed" attackers, or those who know the owners' behavior, and "uninformed" attackers, who just found or stole a stranger's smartphone. Aside from attacks by "informed insiders," or those who had both the knowledge and access to replicate the device owner's specific behavior, the researchers reported a 95% detection rate.
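The training-to-deployment flow described above, as an added Python example; it is not the researchers' code or algorithm. The seen/unseen familiarity score, the smoothing of comfort across events, the `threshold` and `alpha` values, and all sample network, tower and app names are assumptions made for illustration.

```python
from collections import Counter

SENSORS = ("wifi", "cell", "app")  # subset of the sensors the article lists

TRAINING = [  # constructed sample of the owner's first week
    {"wifi": "home-ap", "cell": "tower-17", "app": "mail"},
    {"wifi": "home-ap", "cell": "tower-17", "app": "maps"},
    {"wifi": "office-ap", "cell": "tower-42", "app": "mail"},
]

class ImplicitAuth:
    """Comfort-level model; the scoring scheme is an assumption."""
    def __init__(self, threshold=0.4, alpha=0.3):
        self.seen = {s: Counter() for s in SENSORS}  # per-sensor profile
        self.threshold = threshold  # hypothetical detection threshold
        self.alpha = alpha          # weight given to the newest event
        self.comfort = 1.0
        self.locked = False

    def train(self, event):
        """Training mode: record which sensor values the owner produces."""
        for s in SENSORS:
            self.seen[s][event[s]] += 1

    def familiarity(self, event):
        """Fraction of sensors reporting a value seen during training."""
        known = sum(1 for s in SENSORS if self.seen[s][event[s]] > 0)
        return known / len(SENSORS)

    def observe(self, event):
        """Deployment mode: one event nudges comfort, it never decides alone."""
        if not self.locked:
            score = self.familiarity(event)
            self.comfort = (1 - self.alpha) * self.comfort + self.alpha * score
            self.locked = self.comfort < self.threshold
        return self.comfort

def build_profile():
    auth = ImplicitAuth()
    for e in TRAINING:
        auth.train(e)
    return auth

def events_until_lock(auth, events):
    """Number of events processed before the device locks, or None."""
    for n, e in enumerate(events, 1):
        auth.observe(e)
        if auth.locked:
            return n
    return None
```

An unfamiliar app on a familiar network lowers comfort only slightly, while repeated events with every sensor unfamiliar push it below the threshold and the model demands the PIN.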
"Even when the attacker attempted evasion, the device locked in under 15 minutes," the report reads.
A lot of effort has gone into the prevention of smartphone theft, particularly in the corporate world. With smartphones giving access to an increasing amount of valuable data – both personal and corporate – automated solutions that prevent unauthorized access to them could become very valuable, if they're ever practical.
The researchers acknowledge that larger samples and more detailed research will be needed, but it’s definitely interesting, and potentially a glimpse into the future of smartphone security.