Usability of Security Critical Protocols Under Adversarial Noise
- Author(s): Kaczmarek, Tyler Michael
- Advisor(s): Tsudik, Gene
- et al.
An increasing number of security-critical tasks require human involvement. These tasks assume that the human is the weakest point in the security chain, and are explicitly designed to be as robust as possible while remaining human-usable. Failures in performing such tasks are typically blamed on human error. However, the human’s sensory environment is usually not taken into consideration. The emergence of the Internet of Things has created settings where a user’s sensory inputs can be controlled remotely. To the best of our knowledge, there has been no prior work evaluating the potential impact of malicious sensory input on human performance of security tasks.
In this dissertation, we evaluate the usability of several security-critical tasks under differing forms of adversarial noise. Specifically, we conduct a series of unattended experiments to evaluate the impacts on subject failure rate and task completion times when subjects attempt Bluetooth Pairing, CAPTCHA entry, and short-authentication-string entry while exposed to crafted auditory and visual stimuli. We conclude that there is a rich space for beneficial sensory stimulation, as well as a broad attack surface for adversaries that control a user’s sensory environment. Additionally, we find that the impacts on task performance caused by unexpected sensory stimulation can be generalized according to the Brain Arousal Model.