Researchers at the Georgia Institute of Technology have discovered a security vulnerability in some iPhones that could affect users’ privacy:
Itâ€™s a pattern that no doubt repeats itself daily in hundreds of millions of offices around the world: People sit down, turn on their computers, set their mobile phones on their desks and begin to work. What if a hacker could use that phone to track what the person was typing on the keyboard just inches away?
A research team at Georgia Tech has discovered how to do exactly that, using a smartphone accelerometerâ€”the internal device that detects when and how the phone is tiltedâ€”to sense keyboard vibrations and decipher complete sentences with up to 80 percent accuracy. The procedure is not easy, they say, but is definitely possible with the latest generations of smartphones. […]
Previously, [said Patrick Traynor, assistant professor in Georgia Techâ€™s School of Computer Science], researchers have accomplished similar results using microphones, but a microphone is a much more sensitive instrument than an accelerometer. A typical smartphoneâ€™s microphone samples vibration roughly 44,000 times per second, while even newer phonesâ€™ accelerometers sample just 100 times per secondâ€”two full orders of magnitude less often. Plus, manufacturers have installed security around a phoneâ€™s microphone; the phoneâ€™s operating system is programmed to ask users whether to give new applications access to most built-in sensors, including the microphone. Accelerometers typically are not protected in this way. […]
â€œThe way we see this attack working is that you, the phoneâ€™s owner, would request or be asked to download an innocuous-looking application, which doesnâ€™t ask you for the use of any suspicious phone sensors,â€ said Henry Carter, a PhD student in computer science and one of the studyâ€™s co-authors. â€œThen the keyboard-detection malware is turned on, and the next time you place your phone next to the keyboard and start typing, it starts listening.â€
Mitigation strategies for this vulnerability are pretty simple and straightforward, Traynor said. First, since the study found an effective range of just three inches from a keyboard, phone users can simply leave their phones in their purses or pockets, or just move them further away from the keyboard. But a fix that puts less onus on users is to add a layer of security for phone accelerometers. […]
The finding is reported in the paper, â€œ(sp)iPhone: Decoding Vibrations From Nearby Keyboards Using Mobile Phone Accelerometers,â€ and will be presented Thursday, Oct. 20, at the 18th ACM Conference on Computer and Communications Security in Chicago. In addition to Carter, Traynorâ€™s coauthors include Georgia Tech graduate student Arunabh Verma and Philip Marquardt of the MIT Lincoln Laboratory.