Forgot your password?
typodupeerror
Android Security Cellphones Wireless Networking

Proof-of-Concept Android Trojan Uses Motion Sensors To Steal Passwords 105

Posted by Soulskill
from the for-when-normal-keylogging-is-just-too-precise dept.
judgecorp writes "TapLogger, a proof-of-concept Trojan for Android developed by resarchers at Pennsylvania State University and IBM, uses information from the phone's motion sensor to deduce what keys the user has tapped (PDF), thus revealing otherwise-hidden information such as passwords and PINs."
This discussion has been archived. No new comments can be posted.

Proof-of-Concept Android Trojan Uses Motion Sensors To Steal Passwords

Comments Filter:
  • yikes! (Score:5, Insightful)

    by noh8rz3 (2593935) on Monday April 23, 2012 @02:17PM (#39774667)
    We talk often about mobile viruses and I've become somewhat inured to it (another malware embedded in rogue angry birds? yawn). But this is scary, brave new world scary.
    • by kthreadd (1558445)

      Not scary, open!

    • +1 good vocabulary
    • by jeffmeden (135043)

      Are you kidding? If you have a rogue app on your device it's probably going to find a way to steal all kinds of information. This is nothing more than a pretty interesting new use for motion sensors. It is not, however, any surprise that a rogue app can have whatever it wants from your smartphone, motion sensors or not.

      • Re:yikes! (Score:5, Insightful)

        by tchuladdiass (174342) on Monday April 23, 2012 @03:24PM (#39775405) Homepage

        The reason this is significant is that apps are usually installed with limited access to items it doesn't need. So normally a bad app won't be able to steal passwords, or lift your address book, unless you give it permissions. This demonstration is simply showing a covert channel for information leakage that people may not have thought about before.

        • I wonder how hard would it be to issue an update that only allows accelerometer data to be passed to the app in the foreground.
          • by Anonymous Coward
            There are plenty of legitimate reasons to need accelerometer data in the background though. One app I use frequently logs data while I am jogging. I don't want it to stop logging if I have my music player or map in the foreground.
        • by Eraesr (1629799)
          I'm pretty sure most people don't look at what access they grant an app when they install it anyway. The whole "this app needs these permissions" screen on Android is worthless as a large scale (as in: for the majority of users) security measure.
    • Until it can be installed remotely or by some kind of drive by download, this isn't a problem. People who run any APK they find deserve to catch nasty diseases.
      • by noh8rz3 (2593935)
        You mean, people who run any APK they find deserve to infect their friends and colleagues with nasty diseases? Cuz I can't say I agree with that sort of laissez fairs attitude. Surely in the name of public health we should expend a little effort helping those who won't help themselves.
        • ... deserve to infect their friends and colleagues with nasty diseases? ...

          It's malware, but it's _not_ a virus, so I don't know why you'd be concerned with friends and colleagues catching anything.

          • by noh8rz3 (2593935)
            no, this is a new vector for malware. could be virus, or etc.
            • by aiht (1017790)

              no, this is a new vector for malware. could be virus, or etc.

              No, it isn't. This is a technique that could be used by malware after it's installed. In no way can it help malware to install itself. Do you actually know what vector means, in the context of diseases or viruses?

      • I don't think you understand the concept -- this functionality could easily be hidden in a legitimate app with motion sensing capabilities, like a step counter or a level.

    • really amazing
  • Swype (Score:5, Interesting)

    by Pat Attack (1353585) on Monday April 23, 2012 @02:19PM (#39774697)
    I wonder if it would work on those of us who use a Swype keyboard. Then again, I do tap out my passwords. A thought: If you randomize the keyboard for password entries, that would make it harder to discern from malware like that and the over-the-shoulder attack.
    • by Anonymous Coward on Monday April 23, 2012 @02:26PM (#39774791)

      Those who would give up essential usability to purchase a little temporary security, deserve neither usability nor security.

      • by Entropius (188861) on Monday April 23, 2012 @02:48PM (#39775015)

        This is just a further illustration of the basic idea that letting someone run arbitrary code on your system is a bad idea, and that access to external communications and sensors breaks sandboxing. Someone with the ability to turn on a webcam, for instance, can do all sorts of nefarious things, including seeing you type your password reflected in your glasses if it's high-enough resolution.

        • by h4rr4r (612664) on Monday April 23, 2012 @02:57PM (#39775089)

          So don't install their code. The flip side it that it is even worse if someone else gets to decide what arbitrary code is allowed to run on your system.

        • So you'd rather not be able to install the occasional important program from beyond the market ("arbitrary code") to gain a small amount of security instead of just being careful what APK you choose to install? That's sad.
          • by Entropius (188861)

            No, it means that I am not going to install code without trusting where it came from. People are criticizing this as a vulnerability in Android -- it's not. It's just a demonstration that someone who wants to hurt you and can run code on your system can do so.

        • by Sigg3.net (886486)

          Wow, your technical knowledge is just amazing! You should try to get a job at one of those Crime Scene Investigations units.

          Enhance!

      • Those who would give up essential usability to purchase a little temporary security, deserve neither usability nor security.

        Yes... But he said liberty, not usability.

    • by x1r8a3k (1170111)
      I have a slide out physical keyboard on my phone. I think thats the simplest way to defeat this.

      Also this seems to only be able to get the location of taps and infer what you've typed. What if I'm using a non standard keyboard layout?
      • by Qzukk (229616)

        What if I'm using a non standard keyboard

        They have merged it with a game to calibrate it to your usage. After you've typed all the letters of the alphabet several times each, it'll know how your wrists twist to get your thumbs to all the keys of whatever keyboard you're using, whether it's physical or onscreen.

        • As I understand the article, the game has nothing to do with the alphabet. They assume your layout is an ordinary numpad-layout and let the user play an icon matching game: In a 3x4 icon grid, "tap to pick up paired icons". So the game will not work with a physical keyboard and will not detect non-standard layout.
      • Re:Swype (Score:5, Interesting)

        by robmv (855035) on Monday April 23, 2012 @03:53PM (#39775751)

        long term better solution is that OS fields for passwords and PIN keypads disable applications access to motion sensor data. If you are custom drawing a password field and not using the OS provided one, add an API to hide motion sensor data when you need it

        • It wouldn't be that hard to introduce a system hook that requests a password from the user while disabling background data and sensors.

      • You're comparing an on-screen keyboard, with no easy way to discern accidental taps, with a physical keyboard with key action easily discernible from accidental taps. I think you might want to revise your stance a touch :-)

        Otoh, using an external keyboard would defeat this, as would restricting usage to those times when you're aboard a roller coaster.

        • by x1r8a3k (1170111)

          as would restricting usage to those times when you're aboard a roller coaster.

          That gives me an idea -- put in a more powerful vibrator and run it whenever a text field is active. I'm sure Google will pay millions for this!

    • by PickyH3D (680158)

      Not to attack the idea, but wouldn't a randomized keyboard slow down your typing as you search for the keys, thus enabling the shoulder-surfer to watch as you struggle? I agree that would likely beat the Malware assuming that the malware reading your motion sensors can't also figure out what keyboard is being displayed.

    • by HexaByte (817350)

      Better then that, we could all just start randomly moving our devices while typing our passwords, or dancing some hip-hop moves while doing so.

      I don't think they'll be able to adjust for that!

      • Brilliant! Obfuscation through too much data.
      • Attach it to your pleasuring device of choice.

      • eheh :-). Just jump while typing, that will do it.

        Seriously, this reminds me of an article I've read a few days ago about software being able to guess the characters pressed on a keyboard by listening to the sound and interval of they keypresses.

    • All the more reason to use passfaces. Shows random faces, except one, in random locations. Tap on the face you recognize. Since the location of the key face is in a random position, the sensor data is also random.
  • This is the next wave in mobile malware it affects iPhone as well I guess no smart phone is safe. I guess they did not bother with blackberry. lol
    • by Anonymous Coward

      Actually purely by coincidence this won't affect WP7, which doesn't allow apps to run in the background.

      • by PickyH3D (680158)

        WP7 does allow apps to run in the background. It does not allow apps to access certain APIs while running in the background, such as VOIP controls (e.g., Skype). That's not too dissimilar from what Apple does on iOS [apple.com].

        • WP7 does allow apps to run in the background. It does not allow apps to access certain APIs while running in the background, such as VOIP controls (e.g., Skype). That's not too dissimilar from what Apple does on iOS [apple.com].

          With WP7, background tasks cannot run constantly like they can do on Android. The OS schedules them every 30 min(on battery and cellular data) or every 15 mins(on plugged in power and WiFi) or totally shut off (battery is low and the battery saver is enabled).

    • by SJHillman (1966756) on Monday April 23, 2012 @02:33PM (#39774877)

      Blackberry is the OS/2 of the mobile world.

  • by jfengel (409917) on Monday April 23, 2012 @02:21PM (#39774727) Homepage Journal

    According to TFA, the idea is actually somebody else's and previously published. This is an extension of the idea that uses a training phase, presumably a part of the Trojan where the user interacts with the phone for benign reasons (perhaps playing a game or entering data for a legitimate purpose) that it uses to calibrate the correlation between taps and the accelerometers.

    It's pretty clever. Presumably, it can be defeated by refusing to allow background apps to have access to the sensors, though I can imagine applications where you want to allow that kind of thing (pedometers, for example).

    • Re: (Score:3, Funny)

      I always give pedos access to my vibration sensors.
    • by Lussarn (105276)

      Best way to defeat this would be to stop the sensors (for background apps) when the keyboard is up. But really, if you got some nasty trojan on there you got problems anyway, and password stealing by reading sensors is probably not the worst of them.

    • by m85476585 (884822)
      Georgia Tech published something on this a while back.
      http://www.gatech.edu/newsroom/release.html?nid=71506 [gatech.edu]
    • by jeffmeden (135043)

      According to TFA, the idea is actually somebody else's and previously published. This is an extension of the idea that uses a training phase, presumably a part of the Trojan where the user interacts with the phone for benign reasons (perhaps playing a game or entering data for a legitimate purpose) that it uses to calibrate the correlation between taps and the accelerometers.

      It's pretty clever. Presumably, it can be defeated by refusing to allow background apps to have access to the sensors, though I can imagine applications where you want to allow that kind of thing (pedometers, for example).

      The dead giveaway would be the app that keeps the motion sensors alive all the time crushing the battery usage stats on the phone. Not that many are bothered to check for such things, but its a dead giveaway that an app thats not supposed to be running is alive and doing nefarious things (especially if the motion driver is high on the usage list too).

  • by ThunderBird89 (1293256) <(zalanmeggyesi) (at) (yahoo.com)> on Monday April 23, 2012 @02:22PM (#39774739)

    I find it hard to believe that the motion sensor can be sensitive enough to detect such minuscule changes, when I sometimes need to tap the phone against the desk to have it acknowledge rotation. Also, if the phone is placed on the table to enter the passwords, most of the supposed motion is eliminated, significantly frustrating the attack.

    • by SJHillman (1966756) on Monday April 23, 2012 @02:37PM (#39774917)

      It's not a perfect attack, but it doesn't need to be successful against every single user on every single phone. Most modern smartphones don't require physical abuse to register motion and most smartphone users don't put the phone down, put the password in, then pick it back up every single time. How about an analogy? Let's say there's a PC virus that exploits the wheel function of a USB mouse. Not every PC will have a USB mouse with a wheel, and even among those that do, not every user will use it. However, there's still enough vulnerable PCs that this theoretical virus could be highly successful.

      • True enough, I guess.
        Although when I said 'tap', I really meant tapping the phone against the desk, usually cushioned by my finger, so the screen rotates, not slam it down.

        I still have doubts about the sensitivity of the motion sensor. Based on a few quick scans from the Tricorder app, I couldn't pick out any spikes in the thermal noise from the sensor, apart from my hand shaking (which was apparently chaotic, so taps could not be inferred from the infrequent peaks).

        • My phone (LG Optimus Slider, 6 months old) is probably too insensitive for it to register as well, but some of the higher end Android phones I've played with have shown an amazing level of sensitivity and accuracy. Within a year or two, that will likely trickle down to the lower end models so that all new smartphones are sensitive enough for this to work.

          • My Nexus S is usually pretty sensitive, reliably detecting acceleration as low as 0,1-0,01 m/s^2 (which seems to be still to little for this 'taplogging' to work). For some reason, it's only the screen rotation that seems to suffer from lag.

        • by X0563511 (793323)

          The accelerometer can detect sudden accelerations much better than a steady one, such as gravity. Those sudden accelerations are exactly what you would get while "typing"

    • by jeremyjo (1857008)

      I find it hard to believe that the motion sensor can be sensitive enough to detect such minuscule changes, when I sometimes need to tap the phone against the desk to have it acknowledge rotation.

      The motion sensor is sending data, it's just that the application you're using doesn't have the the processing power to do anything about it right then. Luckily malware tends to be coded much more efficiently than desirable apps.

    • by x1r8a3k (1170111)
      I just checked on my phone with the raw data from the sensors. If i put if flat on a table, they stay still, but just holding it it can detect the small changes of me just not being able to hold it perfectly still. It will even register if I leave one side on a table and raise the other side by about 1mm. I think the rotation thing is more smoothed out in software to prevent it changing too often.
    • by PickyH3D (680158)

      In the first case, that's if you do not have a very good motion sensor. In the second case, that's if you know that you need to try and avoid such an attack.

    • You probably also find it hard to believe that recording a phone call when someone types their password can reveal the password by dint of each key making a unique sound. "Training" is essential in this case too, either by having the user type some known piece of text, or by analysing a great amount of audio-recorded typing.

      You probably also find it hard to believe that we can detect planets around stars which themselves are barely visible; or subatomic particles.

      Isn't science cool, kids?

    • I recall being able to buy monitor stands that converted your monitor into a touch-screen by using a similar technique - It doesn't shock me that the same can be done with phones.
  • Penn State!
    • by Entropius (188861)

      They are also an excellent research university, drunken antics and football-coach-kiddie-fiddling notwithstanding.

  • Easy enough to fix (Score:4, Insightful)

    by Baloroth (2370816) on Monday April 23, 2012 @02:23PM (#39774747)

    Just don't allow programs in the background to have access to the motion sensors. Is there any actual reason a background program would need such information anyways? It sounds like they just allowed it because developers didn't realize it could give away sensitive details. Now they know, it can be restricted pretty easily, I should think.

    And if you do have a program that actually needs the motion sensor information while not in the foreground, just have it ask for special permission.

    • Well that would certainly break the pedometer apps out there.
      • by X0563511 (793323)

        So? Pedometers are cheap. If you are not stationary, just use the GPS to determine distance/speed. If you are stationary, chances are the platform knows how "far" you have gone and how "fast" you are going.

        If you're jogging in place... well, deal with it :P

        • I'm not sure how well the GPS is going to work inside the buildings I spend most of my day inside of. Having a pedometer on my phone seems to work much better than any pedometer that I've ever used in the past as it doesn't accidentally get reset, and I don't have to worry about clipping it somewhere just to have it count my steps.
        • ... chances are the platform knows how "far" you have gone and how "fast" you are going...

          Without the gyro/motion data I fail to see how it could work out these things.

          • by X0563511 (793323)

            Then you didn't think very hard. If you are stationary then you are either jogging in place (nothing I can say about that, except perhaps start counting?) then you are on a machine with moving parts. The machines have sensors and "see" the metrics required to calculate it.

    • by CastrTroy (595695)
      Yes, but that would require that people actually be able to change permissions on what individual programs can access. I recently got an Android phone and find it quite laughable what kind of permissions some apps are asking for. Why does a tic-tac-toe game need access to my contact list, the internet (ok ads are one explanation), and my phone information (call information, when I make a call, who the call is to, my phone number etc)? I should be able to lock down my phone by default. There should be no r
      • If you're rooted, there are apps on the market that allow you to manage permissions. Cyanogenmod includes this capability in the ROM itself. It would be a nice feature for stock Android to have, but I doubt that will happen.
    • by Entropius (188861)

      Seems like you could sanitize motion sensor information being passed to untrusted apps by reducing the resolution of the data to what's needed to determine which way is up to fix this. An app that wants high-resolution motion sensor info can ask for it.

    • by Morlenden (108782)

      The camera will also have to be disabled because tap-induced camera motion could be read that way.
      It may also be possible to get tap position information from the microphone.

  • Simple fix (Score:5, Insightful)

    by PPH (736903) on Monday April 23, 2012 @03:36PM (#39775539)

    Just have the password entry widget lock the accelerometer (or whatever) resource while in focus.

    • by robmv (855035)

      That solves the PIN entry widget, malware could hypothetical capture passwords from password fields, so those fields need to be protected too. The problem remain with apps that don't use native toolkits, so to add an API that locks hardware devices that could be used to capture sensitive information is enough in an ideal world. In the real world many app developers will simply ignore to use it

      • by PPH (736903)

        Expand the concept to include some set of resources that need to be locked when an entry field's 'secure' parameter is set to true. As new hacks are discovered, add them to that resource set.

        Flog developers that don't adhere to programming/toolkit standards. Since this fraction approaches unity, this should satisfy the sadist in every PHB.

  • by ScentCone (795499) on Monday April 23, 2012 @03:53PM (#39775741)
    We use the internal motion sensors on Android phones to provide all of the inertial navigation input we need to control the external thrusters on the capsules of the hihg altitude balloons we send up for biometric testing of the subjects inside. The subjects, usually kids about five years old, play Angry Birds and type out phrases of Shakespeare until they black out. If they disable background motion sensor use, it's possible we're going to lose more like 8 out of 10 kids we send up, instead of the usual 5 or 6. I can see already that we might have to go back to using spider monkeys, or those expensive parrots. Which means re-working the whole app, again. Man, science is hard.
  • Placing your phone on a table/counter/desk can save your data!
  • ...I've just watched an episode of NCIS where someone placed a bug in a computer keyboard that used subsonic acoustics to determine which key had been pressed... Hollywood science?

    • It sounds plausible, maybe. I suppose it would depend on the type of keyboard, and might need to be trained for each keyboard. (Would all those bagel crumbs that fell in between the keys alter the acoustics?) It might be easier from outside the keyboard. Stranger things have been done - bouncing a laser off a window to pick up the sounds in a room (the vibration of the window modulates the laser beam); I think that sounds picked up through a wall have been used to place people inside the room, behind th

  • There is nothing new here. You "could" potentially write a program that does a lot of things. The beauty of Android is that you essentially have a computer in the palm of your hand.

    To those concerned that viruses will spread, research the Android permissions and security model. This model has not been broken. A user must give permission to the app first. Most users who are too stupid to read the permissions, are also too stupid to find alternative APK sources. So there is nothing to worry about. If you f

Can't open /usr/fortunes. Lid stuck on cookie jar.

Working...