Published on July 7th, 2019 📆 | 4269 Views ⚑
0Hackers may glean password by listening to you type on your phone
What if scammers could learn your password not from a massive cyberattack or taking control of your device, but from listening in as you type?
Thatâs the startling premise of a recent study by researchers at Cambridge University and Swedenâs LinkĂśping University who were able to glean passwords by deciphering the sound waves generated by fingers tapping on smartphone touch screens.
Malicious actors can decode what a person is typing by using a spying app that can access the smartphoneâs microphone, according to the study, which was first reported by The Wall Street Journal. âWe showed that the attack can successfully recover PIN codes, individual letters and whole words,â the researchers wrote.
A passive, sound-based attack could be executed if a person installs an app infected with such malware. âMany apps ask for this permission and most of us blindly accept the list of demanded permissions anyway,â the researchers wrote. Attackers also could also provide their target with a smartphone to which the malicious app was pre-installed.
The researchers designed a machine-learning algorithm that could decode vibrations for specific keystrokes. Among a test group of 45 people across several tests, the researchers could correctly replicate passwords on smartphones seven times out of 27, within 10 attempts. On tablets, the researchers achieved better results, nailing the password 19 times out of 27 within 10 attempts.
âWe found the deviceâs microphone(s) can recover this wave and âhearâ the fingerâs touch, and the waveâs distortions are characteristic of the tapâs location on the screen,â the researchers wrote. âHence, by recording audio through the built-in microphone(s), a malicious app can infer text as the user enters it on their device.â
The experiment ran on an Android application that allowed participants to enter letters and words on two LG Nexus 5 phones and a Nexus 9 tablet, according the paper. As the participants tapped in the passwords, the app recorded audio through the devicesâ built-in microphones. To simulate a real-world environment, the researchers had participants enter passwords at three locations at a university, with different levels of background noise: a common room where a coffee machine was used, a reading room with computers and a library.
The study had not yet been peer reviewed, according to the report, or been published, but it is available online through a website maintained by Cornell University for academic research.
To guard against such attacks, the researchers suggested, smartphone makers might consider installing a switch that would allow users to shut off the microphone. Another option, they said, is to simply make it more obvious when the microphone is on, by flashing a light or an icon on the screen.
The research fits into a broader study of security vulnerabilities that exploit a deviceâs built-in sensors â such as cameras and accelerometers â to extract personal information from users without their knowledge.
Gloss