MIT and Georgia Tech researchers were able to use an iPhone as a keylogger to spy on someone using a regular computer keyboard nearby. But researchers concede that the likelihood such an attack would succeed with today's technology is low.
Researchers were able to use
accelerometers in a smartphone to track what a user sitting nearby was typing
on a desktop computer.
In a paper presented at the
ACM Conference on Computer and Communications Security on Oct. 20, MIT and
Georgia Tech researchers described a scenario in which a malicious adversary
could place a smartphone on the table close to the target and use the
accelerometer to analyze vibrations and snoop what was being typed. Most modern
smartphones have accelerometers to detect when the device is tilted or moved
and is used in a number of applications, and applications don't need permission
to access it.
While the technique is
difficult to accomplish reliably, modern smartphones can sense keyboard
vibrations and decipher complete sentences accurately 80 percent of the time,
according to Patric Traynor, an assistant professor in Georgia Tech's School of
Computer Science. The demonstrated method works best on English dictionary
words that are longer than three characters, he said. "We believe that
most smartphones made in the past two years are sophisticated enough to launch
this attack," Traynor said. As manufacturers improve and refine
accelerometer technologies, the attack will become more successful, he said.
Initial tests with an iPhone
3GS were not very promising, but the results from the iPhone 4 were "much
better," said Traynor. The iPhone 4 has a gyroscope to clean up the
accelerometer noise. The same methods can be used with Android phones as well.
The attack method requires
the user to download a spyware program designed to use the accelerometer as a
keylogger onto the smartphone, or somehow include the function within another
application, according to Henry Carter, a Ph.D. student in computer science at
Georgia Tech and one of the co-authors of the study. The application would
detect vibrations from someone typing nearby and try to figure out what is
being typed. The "innocuous-looking application" won't ask the user
for the use of any suspicious phone sensors.
keyboard-detection malware is turned on, and the next time you place your phone
next to the keyboard and start typing, it starts listening," Carter said
The likelihood of an attack
of this nature "right now is pretty low," and users shouldn't
"be paranoid that hackers are tracking their keystrokes," said
Traynor. Users can also just protect themselves by keeping the phone in the
pocket or a bag instead of on a table next to a keyboard. Placing the phone
further than three inches from the keyboard will also prevent the accelerometer
from picking up vibrations, researchers said.
"This was really hard to do.
But could people do it if they really wanted to? We think yes," Traynor
Researchers suggested that
the sampling rate for accelerometers should be cut in half to make it harder
for the eavesdropping application to detect and analyze keyboard vibrations.
Most phone applications would still be able to function with the lower
accelerometer rate, and if an application needs a higher sampling rate, the
user should be prompted to ensure it is a legitimate request, researchers said.