Bad vibrations: How smart phones could steal PC passwords

Smart phones are becoming sensitive enough that they could be used to steal passwords from people typing on a close-by keyboard by detecting the vibrations from the keystrokes, a Georgia Tech University research team says.

The research team found that the accelerometer on a smart phone sitting next to a keyboard could be used to interpret keyboard strokes with 80 percent accuracy, according to an announcement from Georgia Tech

Such an attack wouldn’t be easy, but it is possible, as smart phones become increasingly sensitive, Patrick Traynor, a Georgia Tech assistant professor of computer science who led the research team, said in the release.


Related story:

Android a likely target once mobile crime pays


Traynor said the research team first tested its idea with an iPhone 3GS but didn’t get good results. “But then we tried an iPhone 4, which has an added gyroscope to clean up the accelerometer noise, and the results were much better,” he said. “We believe that most smart phones made in the past two years are sophisticated enough to launch this attack.”

The technique also exploits a component of smart phones that has been overlooked as a potential weakness.

"There is information that is being leaked, and of the hardware on your phone, the accelerometer is the one thing that no one ever worried about," Traynor told Technology Review. "No one thought that you could turn on the accelerometer and get any meaningful data."

Accelerometers are devices inside phones that detect their position and motion. Depending on the device, they can be used to determine whether a phone’s screen should be in portrait or landscape mode or when it is in motion. Accelerometers are used in gaming devices such as the Nintendo Wii for motion input and in automotive systems for automatic collision detection.

An attack would likely start with a smart-phone user being induced to download a seemingly innocuous application that contains keyboard-detection malware, the researchers said. When within range of a keyboard, the software listens for pairs of keystrokes, models the patterns of those keystrokes and compares them to a preloaded dictionary, looking for the statistically probable word being typed.

Traynor said the attack is difficult and isn’t something people should worry much about. It’s also easily avoided. The researchers found it had an effective range of 3 inches, so users just need to keep their phones on the other side of the desks or in their pockets. (Also, strong passwords wouldn't be found in a preloaded dictionary, although if the accuracy of such an attack improves, it conceivably could be used to steal other data, such as personal information being entered.)

Phone manufacturers also could set accelerometers with a low sample rate and have phones show a permission request if a user downloads an app that asks for a higher rate.

The Georgia Tech researchers said the accelerometers on new phones sample for vibrations at about 100 times per second — a higher rate would produce more accurate results, a lower rate less accurate ones.

By contrast, a smart phone’s microphone samples for vibrations at about 44,000 per second. Although researchers have performed successful keystroke detection with microphones, manufacturers have programmed phones to ask permission for apps that request access to the device’s microphone and other sensors. To date, those protected sensors haven’t included accelerometers.

The researchers will present their results Oct. 20 at the 18th ACM Conference on Computer and Communications Security in Chicago.

Reader Comments

Mon, Oct 24, 2011

Right up there with all the extra money spent on Tempest-rated PCs years ago. Was there ever an actual exploit in the wild via that path? All sorts of things can be done in a lab that can't reliable be duplicated in the field.

Wed, Oct 19, 2011 Dave

As a white paper for funding I would give this article a C-, as a method for keystroke detection I would give it an F. Even assuming that the surface is a tuned cavity to determine modulation variations of keys along the cavity the dampening affect of the hand placement combined with other objects on the desk elevates the solution beyond the error of both sensors.

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above