Researchers at the University of Illinois at Urbana-Champaign have demonstrated that they can discern 80% of a mobile phone conversation by turning the phone’s vibration motor into a microphone.
They’re calling their attack VibraPhone, and it’s based on the idea that any vibration motor is, technically, a speaker.
Those vibration motors, also called vibra-motors, are embedded in all types of phones and wearables and are used to provide tactile alerts to humans.
Vibra-motors work by applying voltage to a coil that moves a magnet to generate vibration. But the researchers found that external sound can also move the magnet, which induces a reverse voltage in the coil.
That voltage can be recorded and used to extract the original sound, the researchers say.
Could be good, could be bad, said the researchers, Nirupam Roy and Romit Roy Choudhury, in a paper titled “Listening through a Vibration Motor.”
The good: It could lead to voice-controlled wearables even in gadgets like Fitbit, which lack microphones, or to better microphones that use the motor as a second multiple-input, multiple-output (MIMO) antenna. MIMO is antenna technology for wireless communications in which multiple antennas are used at both the source (transmitter) and the destination (receiver) to improve data speed and call quality.
The bad: Snoopy eavesdropping malware!!!
A malware that has default access to a phone’s vibra-motor may now be able to eavesdrop into every phone conversation. Toys that have vibra-motors embedded could potentially listen into the ambience.
All a bad actor would have to do is:
- Get physical access to device.
- Break up phone.
- Rewire vibra-motor.
- Record sound waves at frequencies of up to 2 kHz, the lower end of the spectrum, leaving out high-pitched noises.
- Scratch head at crappy recording, which sounds like a static-filled fog horn.
- Run it through any old off-the-shelf speech recognition software, which can decode at 60% accuracy without training or machine learning.
- Apply algorithms to the recorded sound wave in order to optimize its output and attempt to fill in the missing audio waves corresponding to the high-frequency sound.
- Reconstruct speech, which will now sound like the static-filled lilting of somebody submerged in a vat of glue but from which four out of five people can reportedly discern spoken words.
Anybody who might wonder why the researchers didn’t think of using their phone access to hack the phone’s ACTUAL MICROPHONE to record sounds is likely not familiar with the engineering efforts of Rube Goldberg, including his esoteric use of tools such as mothball-firing machine guns, frightened lambs, melting ice blocks and string.
But seriously, though the researchers’ efforts didn’t yield perfect results, and yes, malware writers would need to get their mitts on the actual phone to do their mischief, their work does outline the theoretical details that future attacks might build upon.
From the paper:
With basic signal processing techniques, combined with the structure of human speech, the vibra-motor’s output can be quite intelligible to most human listeners.
Even automatic speech recognizers were able to decode the majority of the detected words and phrases, especially at higher loudness. The application space of such systems remains open, and could … [include] malware eavesdropping …
3 comments on “Bugging phones the Rube Goldberg way”
love this one…I wonder what gets ordered when you have the phone in your back pocket and fart into the motor?
A Butt call for pizza + chicken wings or a urologist that makes house calls?????
I believe you could get the same result by reading data from the acceleration sensors. And let’s not forget, mobile browsers let websites access acceleration data without confirmation from the user.
I was thinking that they’d written an app that somehow got access to the voltage level of the vibration motor. I agree with J Page that going after the acceleration sensors would make more sense, as rewiring wouldn’t be necessary, and neither would jailbreaking the microphone (which is usually limited to providing input to the phone app only when the phone is off hook).