Georgia Tech Turns iPhone Into spiPhone

Eugen Leitl eugen at leitl.org
Thu Oct 20 06:19:29 PDT 2011


http://www.gatech.edu/newsroom/release.html?nid=71506

Georgia Tech Turns iPhone Into spiPhone

Posted October 17, 2011 Atlanta, GA For More Information Contact

Michael Terrazas

404-245-0707

mterraza at cc.gatech.edu

ATLANTA -- Oct. 18, 2011 -- It's a pattern that no doubt repeats itself daily
in hundreds of millions of offices around the world: People sit down, turn on
their computers, set their mobile phones on their desks and begin to work.
What if a hacker could use that phone to track what the person was typing on
the keyboard just inches away?

A research team at Georgia Tech has discovered how to do exactly that, using
a smartphone accelerometer -- the internal device that detects when and how the
phone is tilted -- to sense keyboard vibrations and decipher complete sentences
with up to 80 percent accuracy. The procedure is not easy, they say, but is
definitely possible with the latest generations of smartphones.

"We first tried our experiments with an iPhone 3GS, and the results were
difficult to read," said Patrick Traynor, assistant professor in Georgia
Tech's School of Computer Science. "But then we tried an iPhone 4, which has
an added gyroscope to clean up the accelerometer noise, and the results were
much better. We believe that most smartphones made in the past two years are
sophisticated enough to launch this attack."

Previously, Traynor said, researchers have accomplished similar results using
microphones, but a microphone is a much more sensitive instrument than an
accelerometer. A typical smartphone's microphone samples vibration roughly
44,000 times per second, while even newer phones' accelerometers sample just
100 times per second -- two full orders of magnitude less often. Plus,
manufacturers have installed security around a phone's microphone; the
phone's operating system is programmed to ask users whether to give new
applications access to most built-in sensors, including the microphone.
Accelerometers typically are not protected in this way.

The technique works through probability and by detecting pairs of keystrokes,
rather than individual keys (which still is too difficult to accomplish
reliably, Traynor said). It models "keyboard events" in pairs, then
determines whether the pair of keys pressed is on the left versus right side
of the keyboard, and whether they are close together or far apart. After the
system has determined these characteristics for each pair of keys depressed,
it compares the results against a preloaded dictionary, each word of which
has been broken down along similar measurements (i.e., are the letters
left/right, near/far on a standard QWERTY keyboard). Finally, the technique
only works reliably on words of three or more letters.

For example, take the word "canoe," which when typed breaks down into four
keystroke pairs: "C-A, A-N, N-O and O-E." Those pairs then translate into the
detection system's code as follows: Left-Left-Near, Left-Right-Far,
Right-Right-Far and Right-Left-Far, or LLN-LRF-RRF-RLF. This code is then
compared to the preloaded dictionary and yields "canoe" as the statistically
probable typed word. Working with dictionaries comprising about 58,000 words,
the system reached word-recovery rates as high as 80 percent.

"The way we see this attack working is that you, the phone's owner, would
request or be asked to download an innocuous-looking application, which
doesn't ask you for the use of any suspicious phone sensors," said Henry
Carter, a PhD student in computer science and one of the study's co-authors.
"Then the keyboard-detection malware is turned on, and the next time you
place your phone next to the keyboard and start typing, it starts listening."

Mitigation strategies for this vulnerability are pretty simple and
straightforward, Traynor said. First, since the study found an effective
range of just three inches from a keyboard, phone users can simply leave
their phones in their purses or pockets, or just move them further away from
the keyboard. But a fix that puts less onus on users is to add a layer of
security for phone accelerometers.

"The sampling rate for accelerometers is already pretty low, and if you cut
it in half, you start to approach theoretical limitations that prevent
eavesdropping. The malware simply does not have the data to work with,"
Traynor said. "But most phone applications can still function even with that
lower accelerometer rate. So manufacturers could set that as the default
rate, and if someone downloads an application like a game that needs the
higher sampling rate, that would prompt a permission question to the user to
reset the accelerometer."

In the meantime, Traynor said, users shouldn't be paranoid that hackers are
tracking their keystrokes through their iPhones.

"The likelihood of someone falling victim to an attack like this right now is
pretty low," he said. "This was really hard to do. But could people do it if
they really wanted to? We think yes."

The finding is reported in the paper, "(sp)iPhone: Decoding Vibrations From
Nearby Keyboards Using Mobile Phone Accelerometers," and will be presented
Thursday, Oct. 20, at the 18th ACM Conference on Computer and Communications
Security in Chicago. In addition to Carter, Traynor's coauthors include
Georgia Tech graduate student Arunabh Verman and Philip Marquardt of the MIT
Lincoln Laboratory.
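
The pair encoding and dictionary lookup described in the release, as an added
example (not code from the release or from the Georgia Tech paper). The
unstaggered key grid, the three-key Near/Far threshold and the eight-word list
are assumptions constructed here, chosen so that "canoe" reproduces the
LLN-LRF-RRF-RLF code quoted above; the run also shows why the result is only
"statistically probable": two dictionary words can share one code.

```python
from collections import defaultdict

# Assumed keyboard model: keys on an unstaggered column/row grid.
ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")
POS = {ch: (col, row) for row, keys in enumerate(ROWS) for col, ch in enumerate(keys)}
FAR_SQ = 3 * 3   # assumed threshold: three or more key widths apart is Far
MIN_LEN = 3      # from the release: only words of three or more letters

def side(ch):
    """Columns 0-4 (q..t, a..g, z..b) are left-hand keys, the rest right-hand."""
    return "L" if POS[ch][0] <= 4 else "R"

def pair_code(a, b):
    """Encode one keystroke pair as side + side + Near/Far, e.g. 'LRF'."""
    (c1, r1), (c2, r2) = POS[a], POS[b]
    dist_sq = (c1 - c2) ** 2 + (r1 - r2) ** 2
    return side(a) + side(b) + ("F" if dist_sq >= FAR_SQ else "N")

def profile(word):
    """Code for a whole word: one pair code per adjacent pair of letters."""
    w = word.lower()
    return "-".join(pair_code(a, b) for a, b in zip(w, w[1:]))

def build_index(words):
    """Map each profile to every dictionary word that produces it."""
    index = defaultdict(list)
    for w in words:
        if len(w) >= MIN_LEN and all(ch in POS for ch in w.lower()):
            index[profile(w)].append(w)
    return index

def candidates(observed, index):
    """Dictionary words consistent with an observed profile (may be several)."""
    return sorted(index.get(observed, []))

# Constructed sample dictionary; the study used about 58,000 words.
WORDS = ["canoe", "erupt", "phone", "table", "keyboard", "sensor", "the", "it"]
INDEX = build_index(WORDS)

if __name__ == "__main__":
    code = profile("canoe")
    print(code, "->", candidates(code, INDEX))
    print("two-letter 'it' indexed:", any("it" in ws for ws in INDEX.values()))
```

Under this assumed grid "erupt" encodes to the same four pair codes as "canoe",
so the lookup returns both and something else has to rank them.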
