DocumentCode :
580253
Title :
CAPTCHuring Automated (Smart)Phone Attacks
Author :
Polakis, Iasonas ; Kontaxis, Georgios ; Ioannidis, Sotiris
Author_Institution :
Inst. of Comput. Sci., Found. for Res. & Technol., Hellas, Greece
fYear :
2011
fDate :
6-7 Sept. 2011
Firstpage :
60
Lastpage :
60
Abstract :
In this work we expand the notion of Phone CAPTCHAs as a countermeasure against DIAL attacks. We explore several axes upon which they can be improved. We also propose their use as defense mechanisms against several recent attacks that target smartphones. Our key contributions are summarized as follows: As shown in our previous work, end telephone devices have little means to defend themselves from a DIAL attack. To mitigate this effect, we implemented a fully functional call center incorporating Phone CAPTCHAs for protecting telephone devices from such attacks. Furthermore, we propose a series of improvements to traditional audio CAPTCHAs to strengthen them against voice recognition attacks; We expand the idea of DIAL attacks and demonstrate that by exploiting a vulnerability in a smartphone, one can leverage cellular networks for flooding a target telephone device with calls; We propose the modification of smartphone operating system API calls to incorporate client-side Phone CAPTCHAs so as to prohibit compromised devices from issuing arbitrary calls; And we conduct a user study that demonstrates the applicability of Phone CAPTCHAs, as first-time, nonnative users managed to successfully solve the CAPTCHAs in 71% to 83% of the cases. We consider this to be very satisfactory for the newly introduced CAPTCHAs.
Keywords :
cellular radio; smart phones; telecommunication security; DIAL attacks; audio CAPTCHA; automated phone attacks; cellular networks; countermeasure; defense mechanism; phone CAPTCHA; smart phone operating system API; telephone device protection; voice recognition attacks; Computer networks; Computer science; Electronic mail; Europe; Malware; Smart phones;
fLanguage :
English
Publisher :
IEEE
Conference_Titel :
Computer Network Defense (EC2ND), 2011 Seventh European Conference on
Conference_Location :
Gothenburg
Print_ISBN :
978-1-4673-2116-7
Type :
conf
DOI :
10.1109/EC2ND.2011.19
Filename :
6377741