A team of researchers at Georgia Tech have demonstrated how they were able to spy on what was typed on a regular desktop computer’s keyboard via the accelerometers of a smartphone placed nearby.
Normally when security researchers describe spyware on smartphones, they mean malicious code that can be used to snoop on calls, or to steal the data held on mobile phones.
In this case, however, researchers have described how they have put software on smartphones to spy on activity *outside* the phone itself – specifically to track what a user might be doing on a regular desktop keyboard nearby.
It sounds like the stuff of James Bond, but the researchers paint a scenario where a criminal could plant a smartphone on the desk close to their target’s keyboard and use specialist software to analyse vibrations and snoop on what was being typed.
It’s a quite beautiful twist on how bad guys could use microphones to “hear” keystrokes and spy on your passwords.
Patrick Traynor, an assistant professor in Georgia Tech’s School of Computer Science, admits that the technique is difficult to accomplish reliably but claims that the accelerometers built into modern smartphones can sense keyboard vibrations and decipher complete sentences with up to 80% accuracy.
“We first tried our experiments with an iPhone 3GS, and the results were difficult to read,” said Traynor. “But then we tried an iPhone 4, which has an added gyroscope to clean up the accelerometer noise, and the results were much better. We believe that most smartphones made in the past two years are sophisticated enough to launch this attack.”
Indeed, a photograph of the researcher shows him posing with what appears to be an Android smartphone.
What’s quite interesting to those of a geeky mindset is the technique adopted by the university researchers to build up their cache of stolen data. It turns out that is largely based on probability.
Presently the spyware cannot determine the pressing of individual keys through the iPhone’s accelerometer, but “pairs of keystrokes” instead. The software determines whether the keys are on the right or left hand side of a standard QWERTY keyboard, and then whether the pair of keys are close together or far apart.
With the characteristics of each pair of keystrokes collected, it compares the results against a dictionary – where each word has been assigned similar measurements.
For example, take the word "canoe," which when typed breaks down into four keystroke pairs: "C-A, A-N, N-O and O-E." Those pairs then translate into the detection system’s code as follows: Left-Left-Near, Left-Right-Far, Right-Right-Far and Right-Left-Far, or LLN-LRF-RRF-RLF. This code is then compared to the preloaded dictionary and yields "canoe" as the statistically probable typed word.
For understandable reasons, the technique is said to only work reliably on words which have three or more letters.
Henry Carter, one of the study’s co-authors, explained the attack scenario that they envisaged could be used:
"The way we see this attack working is that you, the phone’s owner, would request or be asked to download an innocuous-looking application, which doesn’t ask you for the use of any suspicious phone sensors."
"Then the keyboard-detection malware is turned on, and the next time you place your phone next to the keyboard and start typing, it starts listening."
It’s an interesting piece of research, but I have to wonder how effective it would be in the real world.
For instance, hackers often want to steal passwords from individuals. If the computer users is following sensible security practice and is *not* using a dictionary word for their password then it’s hard to imagine that the technique in its current form would be able to determine what the password is.
And an 80% accuracy rate falls some way short of what most criminals would want.
I’m also curious as to how well the system would work when trying to steal numerical information – such as account numbers, credit card data or social security numbers. The dictionary wouldn’t be any help against them, and the placement of numerical keys (either along the top row of the keyboard or tightly fit on a numeric keypad) would make discrimination very difficult I suspect.
The study’s authors also determined that because the smartphone had to be within a range of just three inches from the keyboard, phone users who left their phones in their pockets or purses, or simply moved them further from the keyboard would be well defended.
The researchers admitted that the likelihood of an attack of this nature “right now is pretty low”, and I’m not planning to lose any sleep over the threat. Nevertheless, if you manage to get the chance do take some time to read the paper: “(sp)iPhone: Decoding Vibrations From Nearby Keyboards Using Mobile Phone Accelerometers”.
8 comments on “iPhone spyware can snoop on desktop typing”
I'm scared!… not..
I saw some security researcher from IOActive do this a year back or so Dunlop or Ridpath forgot who.
This really helped me because I’m doing a project and your blog is so informative. Thanks and keep up the good work.
Cool trick… but I wonder why they took such a difficult route. As you mentioned, attacking via an open mic is well known, although generally this is assumed to be the PC's own mic. Why not have the app listen for that keyboard via the phone mic instead of the accelerometer? My guess is that the range will be much better and, given the amount of time folks have worked on algorithms for such, I am sure there is more accurate code out there.
Another note: since the phone no doubt has autocorrect, why not use this functionality to improve accuracy?
It sounds like this technique is good enough to determine if someone is sending an email to a specific person at a specific time.
You don’t always have to know exactly what was sent, just that something was sent.
That narrows down the suspects, and then you can focus in on those persons.
I see possibilities. Now you can grab any keyboard, even a defect one, to type messages on your Iphone.
Unfortunately, I did not have an opportunity to read the (sp)iPhone paper.
Why plant a $200 smartphone nearby, when all sorts of other devices could do the same or better for 30% of the cost? Oh, the cheek of it! The article is quite interesting, no doubt. I wonder about the sound dampening properties of my silicon keyboard cover? An unexpected benefit as an additional layer of accidental security?