Smart phones these days are bristling with sensors. Forget about the camera and microphone – there are accelerometers, Global Positioning System components, not to mention Bluetooth and NFC transmitters. All those remote sensors enable all kinds of cool features – from finding the nearest Starbucks to mobile payments. But they also pose a risk to the privacy of the phone’s owner – as malicious actors (and the occasional national government) look for ways to turn cameras and other sensors into powerful, cheap and convenient spying tools.
Now researchers at The University of Cambridge have demonstrated one possible, new attack type: harnessing the built-in video camera and microphone on Android devices to spy on an owner’s movements and guess his or her password. The technique could be a way for cyber criminals to defeat anti-keylogging technology like secure “soft” keyboards used to enter banking PINs and other sensitive information.
The work was presented at the 20th ACM Conference on Computer and Communications Security (CCS) in Berlin, Germany last week and was discussed on Cambridge University’s blog, Light Blue Touchpaper. In it, researchers Laurent Simon and Ross Anderson, both of the University of Cambridge, describe a method for using a phone’s video camera and microphone to infer pins, based on the owner’s movements and finger touches.
In the hack, the microphone is used to detect “touch events” (the user’s finger touching a number on the keypad) while the camera is used to infer the orientation of the phone and correlate the touches to digits on the keypad, the researchers wrote. The method proved to be effective: guessing from a set of 200 possible passwords with 60% accuracy within 10 tries (the most allowed before lockout on the Android phone used in the test.) For a smaller password set of 50 passwords, the correct password was guessed within two tries about 30% of the time, and within 5 tries 50% of the time, the researchers found.
The tests were only a “proof of concept” and used only a small set of users (four) and just a couple of devices: Samsung’s Galaxy S3 and Nexus S smart phones. Still, there are serious implications for banks and e-commerce vendors who are looking to thwart key logging software by leveraging platform features like a Trusted Execution Environment (so-called Trusted Computing) and software-only keyboards to protect sensitive data like passwords and banking PINs, according to Simon and Anderson.
“For mobile device makers, especially those building frameworks for mobile payments (and) banking, they need to be aware of the risks,” he said in an e-mail exchange with The Security Ledger. “The security principles used on desktops do not necessarily work as well on mobile devices. And attacks tend to get better,” he wrote.
Simon and Anderson stacked the deck to get the results they did. Subjects in the study stayed seated to avoid “noise” caused by the movement and changing orientation of the phone while walking. Participants were also required to play a mobile phone game designed to “train” the guessing algorithm prior to entering the PIN. The two also filtered out much of the noise (literally and figuratively) that would be present in any “real world” case. Background noise and vibrations or an active environment would make isolating the data needed to generate a table of possible passwords much more difficult.
Still, they found that now-standard features such as built-in video cameras, microphones and accelerometers can make for potent spying tools if properly used against a phone’s owner. For example, the sensors could detect subtle shifts in how the owner handles the phone when reaching for a digit on a pin pad. Their research revealed subtle shifts in the orientation of the phone as users reach for an OK button and a digit on a soft keyboard. By correlating that with video and audio surreptitiously taken as the owner entered the PIN, the researchers were able to generate a reliable list of possible PIN values for the phone. (It’s much more complicated than this, of course. For the gory details, check out the full paper here.)
The lesson for mobile application developers and device makers is that “mobile devices are fundamentally different from traditional servers (and) desktops in the way we use them.” Smart phones and other devices that are “aware” of the physical world are vulnerable to new types of attacks. “This physical-world interaction needs to be considered when designing secure devices,” he wrote.