Researchers from MIT and Georgia Tech have developed a new technique that enables them to use the accelerometer in an iPhone or other smartphone to capture keystrokes from a nearby PC and decipher the typed words with about 80 percent accuracy. The tactic, while quite complicated, could be used to conduct password-recovery or other attacks on unsuspecting victims.
The research relies on the fact that the accelerometers in modern smartphones have become sensitive enough to detect the vibrations produced by someone typing on a keyboard a few inches away on a surface such as a desk or table. The accelerometer is designed to detect when the phone is tilted or moved and is used in a number of applications, including the feature that flips the image on the screen when the phone is turned. However, the research team of Patrick Traynor, Arunabh Verma and Henry Carter of Georgia Tech and Philip Marquardt of MIT’s Lincoln Laboratory discovered that it can also function as a discreet keylogger.
“In this paper, we demonstrate that unfettered access to the accelerometers available on many mobile phones can allow for significant unintended leakage of information from a user’s environment. We show that a malicious application with access to the accelerometer feed can record and reconstruct the keypresses made on a nearby keyboard based solely on the observed vibrations. We develop profiles for pairs of keypress events using a neural network, which creates an abstract representation of the relationship between consecutive events. We then recover the typed content by translating from our intermediary form to English words using a number of different dictionaries,” they write in their paper, “(sp)iPhone: Decoding Vibrations From Nearby Keyboards Using Mobile Phone Accelerometers”, which they will present at the ACM Conference on Computer and Communications Security on Thursday.
The technique that they developed is by no means simple and required them to develop a custom method for grouping keystrokes into consecutive pairs and then judging whether the keys pressed were on the near or far side of the keyboard. The team used an iPhone 4 in their experiments, and discovered that when the phone was within a few inches of the keyboard on an amplifying surface, they could record the vibrations of the keystrokes using the accelerometer. They then compared the results against various dictionaries in order to determine which words the target had typed. In some circumstances the researchers were able to get to an accuracy level of about 80 percent.
There have been similar attacks developed using sound or electromagnetic emanations from PCs to capture keystrokes or words on a screen. But the team from MIT and Georgia Tech used only the data from the accelerometer, which they say is two to six orders of magnitude less sensitive than the equipment used to perform the acoustic or electromagnetic attacks.
“Note that for all its apparent obstacles, our approach has a significant advantage over previous work. Attacks designed to compromise keystrokes using electromagnetic and acoustic emanations have thus far required that an adversary gain undetected physical access to the space occupied by their target. Our approach eliminates this requirement by allowing our malicious application to run on a device most users are likely to already be carrying with them,” they write in the paper.
The most likely attack scenario for implementing their technique would involve the target user downloading a seemingly benign app containing a malicious component. The app would access the accelerometer, which is not protected in any real way; that access does not trigger a permission request from the operating system. Then, when the user places the phone near her keyboard, the app would begin listening and recording the keystrokes.
There are some limitations and mitigating factors for the attack, including the distance between the phone and the keyboard and the kind of surface that the devices are on. The researchers also found that their method only worked on words of three letters or more. Users could also protect themselves by simply keeping their phones in their pocket or backpack, but many users habitually set their phones down next to their PCs as they work.
“The sampling rate for accelerometers is already pretty low, and if you cut it in half, you start to approach theoretical limitations that prevent eavesdropping. The malware simply does not have the data to work with,” Traynor said in a statement. “But most phone applications can still function even with that lower accelerometer rate. So manufacturers could set that as the default rate, and if someone downloads an application like a game that needs the higher sampling rate, that would prompt a permission question to the user to reset the accelerometer.”