Georgia Tech turns an iPhone into a SpyPhone

Still searching for the iPhone 5
Still searching for the iPhone 5

The 2009 iSuppli research into accelerometer smartphones predicted that the feature would become commonplace in mobile handsets because of their innate flexibility, Infosecurity notes.

That theme was picked up in discussions by the Chaos Computer Club at its December 2009 meeting in Berlin, but crackers said at the time that the sensitivity of the handset accelerometers of the time was a limiting factor.

Advances in hardware design and processor power, however, have changed all that and, although they admit the process is not easy, using suitable external software, monitoring is now technically feasible.

“We first tried our experiments with an iPhone 3GS, and the results were difficult to read,” said Patrick Traynor, assistant professor in Georgia Tech’s School of Computer Science. “But then we tried an iPhone 4, which has an added gyroscope to clean up the accelerometer noise, and the results were much better. We believe that most smartphones made in the past two years are sophisticated enough to launch this attack.”

Traynor added that researchers accomplished similar results using microphones, but a microphone is a much more sensitive instrument than an accelerometer.

A typical smartphone’s microphone, he says, samples vibration roughly 44,000 times per second, while even newer phones’ accelerometers sample just 100 times per second – two full orders of magnitude less often.

In addition, manufacturers have installed security around a phone’s microphone; the phone’s operating system is programmed to ask users whether to give new applications access to most built-in sensors, including the microphone. Accelerometers, said Traynor's team, are typically not protected in this way.

The technique, says Georgia Tech, works through probability and by detecting pairs of keystrokes, rather than individual keys – which still is too difficult to accomplish reliably, Traynor said.

The methodology models 'keyboard events' in pairs, then determines whether the pair of keys pressed is on the left versus right side of the keyboard, and whether they are close together or far apart. After the system has determined these characteristics for each pair of keys depressed, it compares the results against a preloaded dictionary, each word of which has been broken down along similar measurements.

Finally, said the researchers, the technique only works reliably on words of three or more letters and, using dictionaries of 58,000 words, the system has now reached word-recovery rates as high as 80%.

“The way we see this attack working is that you, the phone’s owner, would request or be asked to download an innocuous-looking application, which doesn’t ask you for the use of any suspicious phone sensors”, said Henry Carter, a PhD student in computer science and one of the study’s co-authors. “Then the keyboard-detection malware is turned on, and the next time you place your phone next to the keyboard and start typing, it starts listening.”

Traynor said that the likelihood of someone falling victim to an attack like this right now is pretty low because the process is extremely hard to pull off. “But could people do it if they really wanted to? We think yes”, he added.

What’s Hot on Infosecurity Magazine?