A11y Attacks: Exploiting Accessibility in Operating Systems Yeongjin Jang, Chengyu Song, Simon P. Chung, Tielei Wang, and Wenke Lee School of Computer Science, College of Computing Georgia Institute of Technology, Atlanta, GA, USA {yeongjin.jang,csong84,pchung,tielei.wang,wenke}@cc.gatech.edu ABSTRACT Keywords Driven in part by federal law, accessibility (a11y) support for dis- Accessibility; Assistive Technology; Attacks abled users is becoming ubiquitous in commodity OSs. Some assis- tive technologies such as natural language user interfaces in mobile 1 Introduction devices are welcomed by the general user population. Unfortunately, adding new features in modern, complex OSs usually introduces On August 9, 1998, the United States Congress amended the Re- new security vulnerabilities. Accessibility support is no exception. habilitation Act of 1973 to eliminate barriers in electronic and in- Assistive technologies can be defined as computing subsystems formation technology for people with disabilities [32]. Effective that either transform user input into interaction requests for other June 21, 2001, the law is enforced on the development, procure- applications and the underlying OS, or transform application and ment, maintenance, or use of electronic and information technology OS output for display on alternative devices. Inadequate security by the federal government [21]. Driven by this requirement, OS checks on these new I/O paths make it possible to launch attacks vendors [2, 15, 24] have included accessibility features such as from accessibility interfaces. In this paper, we present the first secu- on-screen keyboards, screen magnifiers, voice commands, screen rity evaluation of accessibility support for four of the most popular readers, etc. in their products to comply with federal law. computing platforms: Microsoft Windows, Ubuntu Linux, iOS, and Assistive technologies, especially natural language voice proces- Android. We identify twelve attacks that can bypass state-of-the-art sors, are gaining widespread market acceptance. Since the iPhone defense mechanisms deployed on these OSs, including UAC, the 4S, Apple has included in iOS a voice-based personal assistant, Siri, Yama security module, the iOS sandbox, and the Android sandbox. which can help the user complete a variety of tasks, such as placing Further analysis of the identified vulnerabilities shows that their a call, sending a text, and modifying personal calendars. Google root cause is that the design and implementation of accessibility also added a similar feature, Voice Action, to its Android platform. support involves inevitable trade-offs among compatibility, usability, Furthermore, wearable devices such as Google Glass use voice as security, and (economic) cost. These trade-offs make it difficult to the main interaction interface. secure a system against misuse of accessibility support. Based on In general, adding new features into modern complex OSs usually our findings, we propose a number of recommendations to either introduces new security vulnerabilities. Accessibility support is no make the implementation of all necessary security checks easier exception. For example, in 2007, it was reported that Windows Vista and more intuitive, or to alleviate the impact of missing/incorrect could be compromised through its speech recognition software [28]; checks. We also point out open problems and challenges in auto- in 2013, a flaw was discovered in Siri that allowed the bypass matically analyzing accessibility support and identifying security of an iPhone’s lock screen to access photos and email [11]. As vulnerabilities. accessibility features are being used by more and more people, Categories and Subject Descriptors security issues caused by such vulnerabilities can become more serious. D.4.6 [Operating Systems]: Security and Protection In this paper, we present the first security evaluation of the accessi- General Terms bility support of commodity OSs. Our hypothesis is that alternative I/O subsystems such as assistive technologies bring a common chal- Security lenge to many widely deployed security mechanisms in modern OSs. Modern OSs support restricted execution environments (e.g., sandboxes) and ask for the user’s approval before applying a security sensitive change to the system (e.g., User Access Control (UAC) on Windows [25] and remote view on iOS [4]). However, accessibil- Permission to make digital or hard copies of all or part of this work for personal or ity support usually offers interfaces to programmatically generate classroom use is granted without fee provided that copies are not made or distributed user inputs, such as keystrokes and mouse clicks, which essentially for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the enables the interface to act as a human being. Consequently, it author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or might be possible to bypass these defense mechanisms and abuse a republish, to post on servers or to redistribute to lists, requires prior specific permission user’s permissions by generating synthesized user inputs. Similarly, and/or a fee. Request permissions from [email protected]. attackers may also be able to steal security sensitive information CCS’14, November 3–7, 2014, Scottsdale, Arizona, USA. displayed on screen through the accessibility interfaces. Copyright is held by the owner/author(s). Publication rights licensed to ACM. ACM 978-1-4503-2957-6/14/11 ...$15.00. To verify our hypothesis, we examined the security of accessibility http://dx.doi.org/10.1145/2660267.2660295. on four commodity OSs: Microsoft Windows 8.1, Ubuntu 13.10, iOS 6, and Android 4.4. We were able to identify twelve1 attacks2 Assistive Technology App that can bypass many state-of-the-art defense mechanisms deployed on these OSs, including UAC, the Yama security module, the iOS Process Process App Input Input Output Ouptut Handler App sandbox, and the Android sandbox. When designing new interfaces that provide access to comput- ing systems, one must ensure that these new features do not break existing security mechanisms. However, current designs and imple- mentations of accessibility support have failed to meet this require- A11y ment. Our analysis shows that current architectures for providing Library accessibility features make it extremely difficult to balance compat- ibility, usability, security, and (economic) cost. In particular, we OS found that security has received less consideration compared to the other factors. Under current architectures, there is not a single OS A11y Input component that has all the information necessary to enforce mean- (Voice) ingful security policy; instead, the security of accessibility features Original I/O path Regular depends on security checks implemented in the assistive technology, A11y Output Screen Input Devices the OS, and the applications. Unfortunately, in our evaluation, we Alt. input through a11y (Speaker) Output found that security checks are either entirely missed or implemented Alt. output through a11y incorrectly (or incompletely) at all levels. Based on our findings, we Figure 1: General architecture for implementing accessibility features. believe a fundamental solution to the problem will involve a new Supporting an accessibility feature creates new paths for I/O on the architecture that is designed with security in mind. Proposing this system (two dotted lines), while original I/O from/to hardware devices new architecture is beyond the scope of our work. Instead, we pro- (e.g., keyboard/mouse and screen) is indicated on the right side. pose several recommendations that work under current architectures to either make the implementation of all necessary security checks 2.1 Accessibility Features easier and more intuitive, or to alleviate the impact of missing/incor- rect checks. We also point out some open problems and challenges In compliance with the amended Rehabilitation Act, software ven- in automatically analyzing a11y support and identifying security dors have incorporated various accessibility features into their sys- vulnerabilities. tems. In this paper, we define computer accessibility (a11y) features In summary, this paper makes the following contributions: as new I/O subsystems that provide alternative ways for users with disabilities to interact with the system. For example, for visually • We performed a security evaluation of accessibility support impaired users, text-to-speech based Narrator (on MS Windows), for four major OSs: Windows, Ubuntu Linux, iOS, and An- VoiceOver (on OS X), and TalkBack (on Android) provide an output droid; subsystem that communicates with the user through speech. For • We found several new vulnerabilities that can be exploited to hearing impaired users, accessibility features like captioning ser- bypass many state-of-the-art defense mechanisms deployed vices turn the system’s audio output into visual output. Similarly, on these systems, including UAC and application sandboxes; some systems can alert the user about the presence of audio output by flashing the screen. For users with motor disabilities, traditional • We analyzed the root cause of these vulnerabilities and pro- mouse/keyboard based input systems are replaced by systems based posed a number of recommendations to improve the security on voice input. In general, we can see these accessibility features as of a11y support; implemented within