What if a hacker could log every key you typed on your PC by placing a cellphone nearby? US researchers have shown how this is possible using any smartphone available today.
At a conference in Chicago on Thursday, a group of computer researchers from Georgia Tech will report on another potential threat. The researchers have shown that the accelerometer and orientation sensor of a phone resting on a surface can be used to eavesdrop as a password is entered using a keyboard on the same surface. They were able to capture the words typed on the keyboard with as much as 80 percent accuracy.
Normally when security researchers describe spyware on smartphones, they mean malicious code that can be used to snoop on calls, or to steal the data held on mobile phones. In this case, however, researchers have described how they have put software on smartphones to spy on activity outside the phone itself - specifically to track what a user might be doing on a regular desktop keyboard nearby.
The typing detection works by “using a smartphone accelerometer – the internal device that detects when and how the phone is tilted – to sense keyboard vibrations as you type to decipher complete sentences with up to 80% accuracy,” according to the Institute.
"We first tried our experiments with an iPhone 3GS, and the results were difficult to read," said Patrick Traynor of Georgia Tech. "But then we tried an iPhone 4, which has an added gyroscope to clean up the accelerometer noise, and the results were much better. We believe that most smartphones made in the last two years are sophisticated enough to do this attack."
As phone technology improves, attacks via the accelerometer could become more feasible. The researchers' initial experiments used Apple's iPhone 3GS, but the phone's accelerometer lacked the necessary sensitivity. The researchers then moved to the iPhone 4, which uses a gyroscope to remove noise from the accelerometer data, and had much greater success.
"The way we see this attack working is that you, the phone's owner, would request or be asked to download an innocuous-looking application, which doesn't ask you for the use of any suspicious phone sensors," said Henry Carter, one of the study's co-authors. "Then the keyboard-detection malware is turned on, and the next time you place your phone next to the keyboard, it starts listening."