How Your Smartphone Can Spy On What You Type 77
mikejuk writes "We all do it — place our phones down on the desk next to the keyboard. This might not be such a good idea if you want to keep your work to yourself. A team of researchers from MIT and the Georgia Institute of Technology have provided proof of concept for logging keystrokes using nothing but the sensors inside a smartphone — an iPhone 4 to be precise, as the iPhone 3GS wasn't up to it. A pair of neural networks were trained to recognize which keys were being pressed just based on the vibration — and it was remarkably good at it for such a small device. There have been systems that read the keys by listening but this is the first system that can hide in mobile phone malware."
Over-generalisation? (Score:5, Insightful)
We all do it — place our phones down on the desk next to the keyboard.
I love a good over-generalisation.
Even worse... (Score:4, Insightful)
it can spy on what you say!!!
Seriously, if my phone is compromised, everything else is pretty much moot.
Re:Wonder the accuracy rate (Score:3, Insightful)
Isn't this just a proof of concept though - like most technologies start?
Their study can be used as a reference, and over time, the underlying technology and techniques can be perfected so that it can work as an additional attack vector. Do you think Acoustic Keyloggers worked right off the bat from conception to implementation? And your premise relies on the postulation that sensors in mobile phones won't improve over time as well - or that multiple technologies will just cease to improve, for that matter.
Re:Wow! What a vulnerability!! (Score:3, Insightful)
First you need to download and install a neural network program in your smartphone, train it with loads and loads of data. Then turn it on and leave it running. Then it can become a keystroke logger. At this point it worse than the proverbial unix virus, "You got a unix virus. It works on honor system. Please forward this mail to all addresses in your .mailrc and sudo \rm -rf / Thank you."
You know, the same smartass attitude was held by our government officials regarding the "hollywood" possibility of hackers gaining control over power grids, missile launch systems, water distribution systems, etc. And then Stuxnet showed up, and took out a key element of a country's nuclear weapons program. It is exceptionally arrogant to say because you can't see a problem, one doesn't exist.
This is a proof of concept; It demonstrates that such an attack is now possible. Everything Stuxnet achieved, it did based on proof of concept code, which was then studied, refined, and weaponized. It's just a matter of time now. As mobile devices are loaded with more sensors, and yet retain their closed-source, integrated black box SoCs, etc., attacks of this sort will not only be practical, but one day trivial.
Re:Reminds me... (Score:1, Insightful)
Obviously that was long ago before the internet, but I have never trusted any system since then unless it was open source and open hardware, and even then I am not sure because I have seen spooks at the chip fab and I am sure they weren't there to get coffee.
Having the source, or the blueprints, does you little good if you do not know how to read and use them, and if you stopped to go through these things for every item you own, you would turn grey and cold long before completing this epic assignment. Technology is advancing at a breakneck pace and it simply isn't possible for any one person, or even a small group of people, to retain adequate working knowledge of all the technologies we come in contact with on a daily basis enough to provide viable protection from the multitude of potential attack vectors. This is something only large governments or organizations employing tens to hundreds of thousands of people can manage, and at that, still only manage to vet a fraction of the potential workload.
The simple truth here is that our technology has become an extension of a long-existant problem in human cultures; How can you trust someone you haven't met? There are billions of humans now on this planet, and yet we have meaningful relationships with perhaps 150-200 at any point in time -- this being the maximal amount, with the median being far, far lower. Think of the many tens of thousands of people that were responsible for the design of your car, your house, the power grid, the computer you're reading this on, your toaster... when you consider all the people that are abstractly involved in your life, it quickly becomes clear that trust is explicitly needed for society to work.
For the most part, it does. People are inherently social creatures. We don't harm one another, even abstractly, as a general rule. And this alone is what has allowed society to develop, indeed, allowed humans to become the dominant species on the planet. But our technology is continuously integrating itself, merging, reforming, reconnecting, in new and unexpected ways, and with ever-increasing complexity mirroring that of life itself, it is inevitable that vulnerabilities will become so prolific that anyone who chooses to will be able to find at least a few that haven't been discovered by others and use them to his/her advantage.
This is the essence of the hacker mindset. Stripped of everything else, it is "Knowledge is power", and hackers intuitively understand that the system being hacked is not the computer, but the people using it. It is the trust placed in the system that it will do as they expect it to, but without a deeper understanding of why it works as expected. Hackers know that sufficient time and effort put into understanding something will eventually take them to a place beyond the currently-accepted boundaries of human possibility. That is to say, they will have reached the edge of what is known, and may now contribute to pushing that barrier outwards... which they then do, because this end, in and of itself, is viewed as beneficial to society. And indeed it is, but it is not without its cost.
The time is rapidly approaching when we will be forced to confront the long-unaddressed social problems of our society. All security problems in IT eventually reduce to the trust relationship between two people.