Security flaw in handsets could let hackers LISTEN to you typing to steal your passwords


You shouldn’t let anyone see you enter your phone’s login password — but there could also be a danger from hackers hearing it over your smartphone’s microphone.

Experts from England and Sweden have shown how hacked microphones can be used to decode the sound of typing on a smartphone screen into the keys pressed.

In a test, their algorithm could correctly guess 31 out of 50 four-digit login pins in just 10 attempts based on recordings made of the participants as they typed.

These potential attacks would likely begin with the accidental download of malicious software — so users should keep themselves safe by only using trusted apps.

Limiting microphone access to only those apps that need it will also help to make your smartphone more secure. 

You shouldn't let anyone see you enter your phone's login password — but there could also be a danger from hackers hearing it over your device's microphone (stock image)

HOW CAN YOU PROTECT YOURSELF AGAINST AN ACOUSTIC ATTACK ON YOUR SMARTPHONE?

At present, acoustic phone attacks live in the realm of academic speculation.

However, should they become a real-world threat in the future, there are a couple of simple steps that you can take to help keep yourself and your information safe from hackers:  

  1. Only install apps from trusted sources.
  2. Do not grant microphone access to apps that do not need it.

In the future, phone manufacturers could also develop devices that display when the microphone and other sensors have been turned on — helping to flag possible eavesdropping attempts.
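One way to act on the second step is to audit which installed apps currently hold microphone access. The following is an added example, not part of the original article or the researchers' work: it parses text laid out like the output of `adb shell dumpsys package` (the sample, its layout, the package names and the allow-list are all constructed assumptions) and reports apps with `android.permission.RECORD_AUDIO` granted that the owner did not expect.

```python
import re

# Constructed sample laid out like `adb shell dumpsys package` output.
# The layout is an assumption; real output varies between Android versions.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.voicenotes] (1a2b3c):
    User 0: installed=true hidden=false
      runtime permissions:
        android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET ]
  Package [com.example.flashlight] (4d5e6f):
    User 0: installed=true hidden=false
      runtime permissions:
        android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET ]
        android.permission.CAMERA: granted=true, flags=[ USER_SET ]
  Package [com.example.calculator] (7a8b9c):
    User 0: installed=true hidden=false
      runtime permissions:
        android.permission.RECORD_AUDIO: granted=false, flags=[ USER_SET ]
"""

MIC = "android.permission.RECORD_AUDIO"
PKG_RE = re.compile(r"^\s*Package \[([^\]]+)\]")
PERM_RE = re.compile(r"^\s*(android\.permission\.\w+): granted=(true|false)")


def mic_granted(dumpsys_text):
    """Return sorted package names whose microphone permission is granted."""
    granted, current = set(), None
    for line in dumpsys_text.splitlines():
        pkg = PKG_RE.match(line)
        if pkg:
            current = pkg.group(1)  # permission lines below belong to this package
            continue
        perm = PERM_RE.match(line)
        if perm and current and perm.group(1) == MIC and perm.group(2) == "true":
            granted.add(current)
    return sorted(granted)


def needs_review(dumpsys_text, expected):
    """Packages holding microphone access that are not on the expected list."""
    return [p for p in mic_granted(dumpsys_text) if p not in expected]


if __name__ == "__main__":
    # Hypothetical allow-list: apps the owner knows need the microphone.
    for name in needs_review(SAMPLE_DUMPSYS, {"com.example.voicenotes"}):
        print("review microphone access:", name)
```

A permission audit like this cannot flag the accelerometer route described later in the article, because apps are typically not asked for permission before reading that sensor.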

To show how your mobile’s microphone might be turned against you, researchers from the University of Cambridge, England and Linköping University in Sweden gave 45 participants Android tablets and smartphones rigged up to record them typing.

Researchers then fed the audio recordings into a machine-learning algorithm built to try to match each vibration to a particular point on the devices’ screen where the users had touched the on-screen keyboard while typing or entering a password.

The algorithm can do this because each touch of the screen creates sound waves that travel to the phone’s microphone(s) through both the screen and the air.

As the different waves travel at different speeds, the lag between the times that each wave arrives at the microphone(s) can reveal how far the wave has travelled and therefore roughly where on the screen it came from.

The researchers’ algorithm was able, within 10 attempts, to correctly guess 31 out of 50 four-digit login-screen pin codes that it had heard the participants typing.

The microphone-based attacks could also determine some of what users type using an on-screen keyboard, with the algorithm, given 10 attempts, correctly guessing 19 out of 27 words typed on the tablet devices, and 7 on the smaller phone handsets.

‘Right now it’s really hard to imagine anybody deploying these attacks,’ lead author Ilia Shumailov, of the University of Cambridge, told the Wall Street Journal.

‘In the near future they’re definitely going to be there,’ he cautioned.

At present, however, hackers would find these kinds of approaches challenging, as current phone sensor technology is not precise enough to accurately extract acoustic information.

In addition, real-world hacks would have to face interference in audio signals from background environmental noise, which would greatly complicate the process of decoding sound recordings into specific keys that were pressed.

Nevertheless, future microphone-hijacking attacks could be set in motion by users accidentally downloading malware-infected apps onto their smartphones.

From such a digital beachhead, hackers might then be able to remotely access the device’s sensors, including not only the microphone but also the accelerometer, gyroscope and camera.

A 2012 study from the University of Pennsylvania demonstrated that similar acoustic attacks can certainly be performed by taking advantage of a device’s accelerometer, an instrument that measures a smartphone’s acceleration.

There is also the possibility that phone accelerometers could be used to pick up on the vibrations created as users talk into their phones (stock image)

Typically used to measure things like user steps, this sensor can be exploited by hackers to record how a device’s screen vibrates as a user types, from which pins, passwords and other typed text can be discerned.

The 2012 investigation showed that machine-learning technology could, within five attempts, decipher Android phone pins 43% of the time and swipe-to-unlock patterns 73% of the time from the vibrations logged by device accelerometers.

There is also the possibility that phone accelerometers could be used to pick up on the vibrations created as users talk into their phones.

While such data would be challenging to process, it could provide an avenue for hackers to collect personal information by indirectly eavesdropping on callers.

These potential hacking attacks would likely begin with the accidental download of malicious software — so users should keep themselves safe by only using trusted apps

Accelerometer-based attacks could be more likely than those using other sensors as — unlike with microphones — smartphones typically do not request user permission before granting apps access to the accelerometer, making the incursion less obvious.

To address all these potential vulnerabilities, Mr Shumailov suggests that phone manufacturers start developing devices that display when the microphone and other sensors have been turned on — helping to flag possible eavesdropping attempts. 

A pre-print version of the new article can be read on the arXiv repository.

HOW CAN YOU PROTECT YOUR INFORMATION ONLINE?

Because hackers are becoming more creative, security experts are warning that consumers need to take all possible measures to protect their identities (file photo)

  1. Make your authentication process two-pronged whenever possible. You should choose this option on websites that offer it because when an identity-specific action is required on top of entering your password and username, it becomes significantly harder for fraudsters to access your information.
  2. Secure your phone. Avoiding public Wifi and installing a screen lock are simple steps that can hinder hackers. Some fraudsters have begun to immediately discount secure phones altogether. Installing anti-malware can also be beneficial.
  3. Subscribe to alerts. A number of institutions that provide financial services, credit card issuers included, offer customers the chance to be notified when they detect suspicious activity. Turn those notifications on to stay informed about credit card activity linked to your account.
  4. Be careful when issuing transactions online. Again, some institutions offer notifications to help with this, which will alert you when your card is used online. It might also be helpful to institute limits on amounts that can be spent with your card online. 


