Keywords: Side-channel Attack, Human Cognition
TL;DR: We propose the first cognition-driven side-channel attack that leverages LLM-based reasoning to infer PINs on randomized soft keyboards.
Abstract: As mobile devices have become deeply integrated into daily life, users often input sensitive data (i.e., PINs) to unlock services or authorize payments, which introduces high risks of side-channel attacks. In practice, soft keyboards for PIN entry are randomized in layout to mitigate such threats. In this paper, we present RecSpy, a novel cognition-driven acoustic side-channel attack that infers PINs on randomized soft keyboards. Unlike prior work that relies on video, power, or electromagnetic emanations, RecSpy exploits a previously unexplored vulnerability: distinct human recognition latencies for symbolic numbers. By modeling cognitive latency patterns and leveraging acoustic keystroke signatures, RecSpy learns individual and digit-level recognition features through contrastive and self-supervised learning. We also introduce a novel Logic-Guided Inference Network that integrates recognition patterns with the reasoning capabilities of a large language model (LLM) to prune the hypothesis space and infer complete PIN sequences. We extensively evaluate RecSpy on both Android and iOS devices, and the results show that it improves the probability of successful inference by up to 4000×. This demonstrates a practical threat to current mobile authentication systems and shows that representation learning and LLMs can enable new side-channel attacks.
Primary Area: applications to neuroscience & cognitive science
Submission Number: 14592