Smart Phones Could Hear Your Password

The accelerometers on many phones are sensitive enough to allow surveillance via vibrations, say researchers.

The sensors inside modern smart phones present a range of security threats. An attacker who compromises a phone can, for example, track the owner’s location by GPS, use the camera to see the phone’s surroundings, or turn on its microphone to record conversations.

At a conference in Chicago on Thursday, a group of computer researchers from Georgia Tech will report on another potential threat. The researchers have shown that the accelerometer and orientation sensor of a phone resting on a surface can be used to eavesdrop as a password is entered using a keyboard on the same surface. They were able to capture the words typed on the keyboard with as much as 80 percent accuracy.

“There is information that is being leaked, and of the hardware on your phone, the accelerometer is the one thing that no one ever worried about,” says Patrick Traynor, assistant professor in the school of computer science at Georgia Tech and a member of the research team. “No one thought that you could turn on the accelerometer and get any meaningful data.”

The accelerometer in the phone the researchers used samples only 100 times a second, so they did not have enough data to determine the exact keys struck. Instead, the researchers used the data from the accelerometer to determine whether key taps were on the right or left side of the keyboard and to gauge the delays between keystrokes. Using this information, they were able to figure out a list of potential keystroke pairs. The results were then compared with a 58,000-entry dictionary. They will present the work at the ACM Conference on Computer and Communications Security.
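The sketch below is an added illustration, not code from the article or the researchers. It measures how far a left/right-only keystroke profile narrows a word list, which is the leakage the dictionary step relies on. The keyboard split, the word list and all function names are constructed for this example, and the inter-keystroke timing feature is left out.

```python
from collections import defaultdict

# Assumed split of a QWERTY layout into two halves (constructed for this example).
LEFT = set("qwertasdfgzxcvb")
RIGHT = set("yuiophjklnm")

# Constructed stand-in for the 58,000-entry dictionary described above.
WORDS = ["pan", "map", "lap", "cat", "dog", "sad", "him", "war", "kid", "net"]


def side(ch):
    """Return 'L' or 'R' for the keyboard half a letter sits on."""
    if ch in LEFT:
        return "L"
    if ch in RIGHT:
        return "R"
    raise ValueError(f"no side defined for {ch!r}")


def profile(word):
    """Encode a word as the sequence of left/right labels of its keystroke pairs."""
    sides = [side(c) for c in word.lower()]
    return tuple(a + b for a, b in zip(sides, sides[1:]))


def group_by_profile(words):
    """Map each profile to the sorted list of words that produce it."""
    groups = defaultdict(list)
    for w in words:
        groups[profile(w)].append(w)
    return {p: sorted(ws) for p, ws in groups.items()}


def candidates(word, words):
    """Words an observer could not tell apart from `word` using sides alone."""
    return group_by_profile(words).get(profile(word), [])


def uniquely_identified(words):
    """Words whose profile matches no other entry, i.e. fully leaked by sides alone."""
    return sorted(ws[0] for ws in group_by_profile(words).values() if len(ws) == 1)


if __name__ == "__main__":
    for p, ws in sorted(group_by_profile(WORDS).items()):
        print("-".join(p), "->", ", ".join(ws))
    print("uniquely identified:", uniquely_identified(WORDS))
```

The larger the candidate set for a word, the less this coarse feature reveals about it; a small, target-specific dictionary shrinks those sets.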

Listening in: These graphs show measurements recorded by a smart phone as letters are typed on a nearby keyboard. The device can distinguish between “a” at the left of the keyboard and “l” on the right, as well as between two pairs: “pq” and “nm.”

A real-world attack would, of course, require a victim to habitually place a phone and keyboard on the same work surface. Vibrations inherent in the environment could also complicate matters. A tall building adds noise because it sways, and offices near a major road will be affected by traffic vibrations. The composition of the surface makes a big difference as well, says Traynor. Pine desktops conduct vibrations extremely well, as do glass ones, making them ideal surfaces for the attack. But a tiled kitchen counter is basically inscrutable.

To make the attack succeed, the dictionary would need to be tailored to the specific target. “The best-case scenario here, if you are an attacker, is to go after a very specific person,” says Traynor. “I think the attack is realistic in that case.”

As phone technology improves, attacks via the accelerometer could become more feasible. The researchers’ initial experiments used Apple’s iPhone 3GS, but the phone’s accelerometer lacked the necessary sensitivity. The researchers then moved to the iPhone 4, which uses a gyroscope to remove noise from the accelerometer data, and had much greater success.

While the attack technique is interesting, it’s unlikely to become a real threat for some time, says Charlie Miller, principal security consultant with Accuvant, a compliance and security research firm. “It’s cool because it is very James Bond-ish,” he says. “But it might be easier to turn on the mike and listen to the target talk on the phone.”
