Just because you don’t give an application access to your microphone doesn’t mean that it can’t listen to you. Researchers have created an attack called Spearphone that uses the motion sensors in Android phones to listen to phone calls, interactions with your voice assistant, and more.
When you install an Android app, it has to ask your permission if it wants access to your microphone so that it can listen to what you’re saying. However, the researchers discovered a workaround.
Most modern smartphones have accelerometers that are supposed to sense how quickly you’re moving. They’re useful for fitness apps, for example. Android apps don’t need permission to use the phone’s accelerometer, so the researchers used it as a listening device. The smartphone’s loudspeaker causes the device’s body to vibrate, and they were able to hijack the accelerometer to sample these vibrations.
The attack used a combination of signal processing and machine learning to convert the vibration samples into speech. The technique works whether the phone is lying on a table or held in the user’s hand, as long as the phone plays sound through the loudspeaker and not through an earpiece.
Motion sensor sample rates (the frequency at which they read data) are low, but the researchers still got good results. After cranking up the sample rates as high as possible, they could determine the remote speaker’s gender and identity with 90% and 80% probability respectively, with as little as one spoken word, the researchers claimed.
The researchers’ paper lists several possible attacks. Software could eavesdrop on a phone call, detecting the gender and possibly the identity of the remote party. It could also use speech recognition to understand what they’re saying.
The software could also use the technique to listen in on audio files, it warned, suggesting a sneaky commercial application:
Advertisement companies could use this information to target victims with tailor-made ads, inline with the victim’s preferences.
Finally, the motion sensors could listen to your digital voice assistant’s responses, to find out that you just asked it how to get to a local meeting place, for example.
The most obvious countermeasure is to turn on permissions-based controls for the accelerometer, as Google has done for other sensors like the GPS. However, this would directly affect the usability of the smartphones, the researchers argued, and in any case, users don’t always take notice of permission notifications anyway.
What the researchers are describing here is a side-channel attack, and it isn’t the first. Earlier this month, another team of researchers highlighted several apps and third-party libraries that used alternative information gathered by the phone to infer things like location when they couldn’t get permission to use the GPS. In June, researchers at Cambridge University also found that sensors could uniquely identify individual phones.