The sensors inside modern smart phones present a range of security threats. An attacker who compromises a phone can, for example, track the owner’s location by GPS, use the camera to see the phone’s surroundings, or turn on its microphone to record conversations.
At a conference in Chicago on Thursday, a group of computer researchers from Georgia Tech will report on another potential threat. The researchers have shown that the accelerometer and orientation sensor of a phone resting on a surface can be used to eavesdrop as a password is entered using a keyboard on the same surface. They were able to capture the words typed on the keyboard with as much as 80 percent accuracy.
“There is information that is being leaked, and of the hardware on your phone, the accelerometer is the one thing that no one ever worried about,” says Patrick Traynor, assistant professor in the school of computer science at Georgia Tech and a member of the research team. “No one thought that you could turn on the accelerometer and get any meaningful data.”
The accelerometer in the phone the researchers used samples only 100 times a second, so they did not have enough data to determine the exact keys struck. Instead, the researchers used the data from the accelerometer to determine whether key taps were on the right or left side of the keyboard and to gauge the delays between keystrokes. Using this information, they were able to figure out a list of potential keystroke pairs. The results were then compared with a 58,000-entry dictionary. They will present the work at the ACM Conference on Computer and Communications Security.
A real-world attack would, of course, require a victim to habitually place a phone and keyboard on the same work surface. Vibrations inherent in the environment could also complicate matters. A tall building adds noise because it sways, and offices near a major road will be affected by traffic vibrations. The composition of the surface makes a big difference as well, says Traynor. Pine desktops conduct vibrations extremely well, as do glass ones, making them ideal surfaces for the attack. But a tiled kitchen counter is basically inscrutable.
To make the attack succeed, the dictionary would need to be tailored to the specific target. “The best-case scenario here, if you are an attacker, is to go after a very specific person,” says Traynor. “I think the attack is realistic in that case.”
As phone technology improves, attacks via the accelerometer could become more feasible. The researchers’ initial experiments used Apple’s iPhone 3GS, but the phone’s accelerometer lacked the necessary sensitivity. The researchers then moved to the iPhone 4, which uses a gyroscope to remove noise from the accelerometer data, and had much greater success.
While the attack technique is interesting, it’s unlikely to become a real threat for some time, says Charlie Miller, principal security consultant with Accuvant, a compliance and security research firm. “It’s cool because it is very James Bond-ish,” he says. “But it might easier to turn on the mike and listen to the target talk on the phone.”
This new data poisoning tool lets artists fight back against generative AI
The tool, called Nightshade, messes up training data in ways that could cause serious damage to image-generating AI models.
The Biggest Questions: What is death?
New neuroscience is challenging our understanding of the dying process—bringing opportunities for the living.
Rogue superintelligence and merging with machines: Inside the mind of OpenAI’s chief scientist
An exclusive conversation with Ilya Sutskever on his fears for the future of AI and why they’ve made him change the focus of his life’s work.
How to fix the internet
If we want online discourse to improve, we need to move beyond the big platforms.
Get the latest updates from
MIT Technology Review
Discover special offers, top stories, upcoming events, and more.