How Your Smartphone's Motion Gives Away Keystrokes - InformationWeek

Using a smartphone's accelerometers, security researchers achieved a 70% accuracy rate in deducing numeric keys pressed on a virtual keyboard.

Every tap of a virtual key on a touchscreen smartphone results in the device moving. Now, researchers have found that they can infer, with a notable degree of accuracy, exactly which key was pressed based on how the device moves.

That's the surprise finding made by two security researchers at the University of California, Davis, and detailed earlier this month in a presentation at the HotSec '11 conference in San Francisco.

According to the researchers' report: "Since typing on different locations on the screen causes different vibrations, motion data can be used to infer the keys being typed. To demonstrate this attack, we developed TouchLogger, an Android application that extracts features from device orientation data to infer keystrokes." TouchLogger achieved a 70% accuracy rate at inferring which keys were pressed on a numerical keyboard.

How did the researchers come to build a motion-driven keylogger? "We looked at new functionalities on mobile devices, and we realized they all have advanced sensors," said paper co-author Hao Chen during the HotSec presentation. "Obviously, some of the sensors are privacy-sensitive, such as the microphone, camera, or GPS."

But sensors required to deduce keystroke motions aren't normally protected against inappropriate use. "There are certain sensors ... you might not think that they're that privacy-sensitive, such as the accelerometer or gyroscope. Who would care if you bump your phone?" said Chen. "Well, it turned out that you can build a powerful keylogger by monitoring these motion sensors."

Don't fear the smartphone accelerometer keylogging attack just yet. Chen said that, to his knowledge, no such eavesdropping tools have been built. Furthermore, the researchers tested only a virtual numeric keyboard, such as the one found in a smartphone calculator app.

Going forward, however, "we hope to extend this work on the full keyboard, to see how much the recognition rate will be," he said. "We're also interested in extending this work to tablet devices, such as the Motorola Xoom and the Samsung Galaxy Tab."

Interestingly, TouchLogger would likely be less accurate when used to monitor a smartphone's full alphanumeric virtual keyboard, Chen told New Scientist. The opposite, however, would likely be true of a tablet, since the larger device would move more with each key press.

While in-the-wild attacks that use these techniques remain hypothetical, there are some immediate security steps that smartphone manufacturers could take to prevent related exploits. "Our takeaway message is that we should protect the motion sensors as diligently as we protect other privacy-sensitive sensors, such as the microphone or the camera," said Chen at HotSec.
