Tired of trying to guess your coworker's social security number? There's an app for that.
A team of computer security researchers recently developed a proof-of-concept 'spy' app for the iPhone 4 capable of tracking typing on a nearby keyboard using the device's native accelerometer and gyroscope. Even a basic, widely available mobile device such as the iPhone is sensitive enough for the app to pick up details like whether the keystrokes come from the left or right side of the keyboard and the relative distance between punched keys. The program can predict with 80 percent accuracy the words being typed based on the seismic fingerprints of the vibrations emitted each time a key is pressed.
The team, led by Philip Marquardt of MIT, presented its findings at the 18th Association for Computing Machinery computer security conference in Chicago earlier this month. The paper, titled "(sp)iPhone: Decoding Vibrations from Nearby Keyboards Using Mobile Phone," describes how the app gathers information and expresses concern over the intelligence-gathering capacity of commercially available devices.
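To see why such coarse features are a risk, the following added example (not code from the paper or its authors) reduces each word to the left/right and near/far labels described above and measures how many words in a dictionary remain indistinguishable. The keyboard grid, the left/right split, the near/far limit and the word list are all assumptions constructed for illustration.

```python
from collections import defaultdict

# QWERTY letters as (row, column) grid cells; row stagger is ignored (assumption).
ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]
POS = {ch: (r, c) for r, row in enumerate(ROWS) for c, ch in enumerate(row)}

LEFT_MAX_COL = 4  # assumption: columns 0-4 (q..t, a..g, z..b) are the left half
NEAR_LIMIT = 3.0  # assumption: pairs under 3 key widths apart count as "near"

def side(ch):
    return "L" if POS[ch][1] <= LEFT_MAX_COL else "R"

def spacing(a, b):
    (r1, c1), (r2, c2) = POS[a], POS[b]
    dist = ((r1 - r2) ** 2 + (c1 - c2) ** 2) ** 0.5
    return "N" if dist < NEAR_LIMIT else "F"

def profile(word):
    """One label per consecutive key pair: side, side, near/far (e.g. 'LRF')."""
    keys = [ch for ch in word.lower() if ch in POS]  # letters only
    return tuple(side(a) + side(b) + spacing(a, b) for a, b in zip(keys, keys[1:]))

def candidate_sets(words):
    """Group dictionary words that are indistinguishable under the coarse profile."""
    groups = defaultdict(list)
    for word in words:
        groups[profile(word)].append(word)
    return groups

def unique_fraction(words):
    """Share of the dictionary that the coarse profile pins down to one word."""
    groups = candidate_sets(words)
    return sum(1 for g in groups.values() if len(g) == 1) / len(words)

# Constructed sample dictionary, not taken from the paper.
WORDS = ["cat", "car", "cab", "cap", "password", "keyboard", "security", "account"]

if __name__ == "__main__":
    for prof, group in candidate_sets(WORDS).items():
        print(len(group), group, "-".join(prof))
    print("uniquely identified:", unique_fraction(WORDS))
```

In this sample the three-letter words "cat", "car" and "cab" share one profile, while every longer word ends up alone in its group.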
In and of themselves, accelerometers and gyroscopes don't sound like 007-type material. Accelerometers are often used to detect when the device experiences shaking, vibrations, or falls by detecting movement along one of three axes, and in earlier iPhones were used for screen rotation, motion-sensitive games, and correcting for shaky hands when taking photographs. Gyroscopes measure angular tilt as well, making tilt detection more precise. In the iPhone 4, the introduction of an accelerometer paired with a three-axis microelectromechanical systems (MEMS) micro-scale gyroscope was primarily intended to allow for more precise controls in games. Apps like Hungry Shark by Future Games of London are controlled solely by the way the user tilts his or her phone: tilting slightly to one side moves the shark in that direction, while tilting more sharply increases the speed at which the shark swims.
Yet the incredible sensitivity of these devices is reaching a point where their data-gathering ability poses a true security risk. Two researchers from the University of California, Davis recently presented a keylogger that guesses keystrokes on an Android phone's 10-button pad from the phone's gyroscopic tilt, with up to 71.5% accuracy. Keylogging attacks have so far been largely limited to computers with defined keys, but by hacking into a smartphone's gyroscope, viruses could hypothetically access keystrokes, compromising security.
Concepts like this and the seismic vibration app are still in their early stages, but security professionals are already hard at work trying to preempt the exploitation of native hardware on increasingly sophisticated smartphones and other mobile devices.