
How Your Smartphone Can Spy On What You Type

Posted by samzenpus
from the what-do-you-feel? dept.
mikejuk writes "We all do it — place our phones down on the desk next to the keyboard. This might not be such a good idea if you want to keep your work to yourself. A team of researchers from MIT and the Georgia Institute of Technology have provided proof of concept for logging keystrokes using nothing but the sensors inside a smartphone — an iPhone 4 to be precise, as the iPhone 3GS wasn't up to it. A pair of neural networks were trained to recognize which keys were being pressed just based on the vibration — and it was remarkably good at it for such a small device. There have been systems that read the keys by listening but this is the first system that can hide in mobile phone malware."

  • by Anonymous Coward

    This whole "electricity" thing has gotten way out of hand. Look how it's being used these days!

  • by 140Mandak262Jamuna (970587) on Sunday September 29, 2013 @07:54PM (#44988269) Journal
    First you need to download and install a neural network program in your smartphone, train it with loads and loads of data. Then turn it on and leave it running. Then it can become a keystroke logger. At this point it's worse than the proverbial unix virus, "You got a unix virus. It works on honor system. Please forward this mail to all addresses in your .mailrc and sudo \rm -rf / Thank you."
    • Re: (Score:3, Insightful)

      First you need to download and install a neural network program in your smartphone, train it with loads and loads of data. Then turn it on and leave it running. Then it can become a keystroke logger. At this point it's worse than the proverbial unix virus, "You got a unix virus. It works on honor system. Please forward this mail to all addresses in your .mailrc and sudo \rm -rf / Thank you."

      You know, the same smartass attitude was held by our government officials regarding the "hollywood" possibility of hackers gaining control over power grids, missile launch systems, water distribution systems, etc. And then Stuxnet showed up, and took out a key element of a country's nuclear weapons program. It is exceptionally arrogant to say because you can't see a problem, one doesn't exist.

      This is a proof of concept; it demonstrates that such an attack is now possible. Everything Stuxnet achieved, it did

      • First you need to download and install a neural network program in your smartphone, train it with loads and loads of data.

        You know, the same smartass attitude was held by our government officials regarding the "hollywood" possibility of hackers gaining control over power grids, missile launch systems, water distribution systems, etc. And then Stuxnet showed up,

        Not the same, Stuxnet and even .bat files are run by default on a Microsoft OS. To this day I have to disable auto-run, the largest most overlooked backdoor into a system.
        Auto-run being on by default is most likely because people would be inconvenienced or not having a clue what to do next.

        This is a proof of concept; it demonstrates that such an attack is now possible.

        Proof of concept of something I've known since the early 90's that a computer system gives off electromagnetic energy and you can read that energy through a wall (apartment). They just made it smaller and moved it closer.

    • by tlhIngan (30335)

      First you need to download and install a neural network program in your smartphone, train it with loads and loads of data. Then turn it on and leave it running. Then it can become a keystroke logger. At this point it's worse than the proverbial unix virus, "You got a unix virus. It works on honor system. Please forward this mail to all addresses in your .mailrc and sudo \rm -rf / Thank you."

      It's easily done if you give someone the right motivation.

      Remember the jailbreak worm that relied on people leaving the

    • by Anonymous Coward

      Ahem. The proverbial unix virus [wikipedia.org] existed, and didn't depend on any kind of honor system. Honestly, you'd think Slashdotters should know a tiny bit of history.

  • by dindi (78034) on Sunday September 29, 2013 @08:00PM (#44988293) Homepage

    I wonder what this little app would do with the keyboard I am typing on. First of all, it is a mechanical keyboard with cherry MX browns. Second, I have the "buzzer" function on that simulates "clicky"-ness, since it is not a real clicking switch (though tactile) like e.g. the blue one or the real buckled ones.

    I am not saying it would work better or worse, just curious if it would work on a Kinesis and how much the "clicker" and the totally odd shape of the keyboards would disrupt the functionality.

    Anyway.... my phone is usually on airplane mode when I enter the house and is redirected to a landline that has an Asterisk box on it... then the Asterisk box' FXO is carefully disconnected, so no calls in, no calls out:). That's the way I like to handle phones and phone calls.

    • ... or you could just, you know, turn it off and let your voicemail field the calls.
      • by dcw3 (649211)

        Unless you remove the battery, is your phone really ever off?

        • No, but what does that have to do with it? The GP is already stating that he leaves it in airplane mode, so he isn't concerned about it being on.
    • my phone is usually on airplane mode when I enter the house and is redirected to a landline that has an Asterisk box on it... then the Asterisk box' FXO is carefully disconnected, so no calls in, no calls out:). That's the way I like to handle phones and phone calls.

      I prefer this approach: my family/friends get my personal number but know to text rather than call (auditory processing disorder makes it a bitch to understand them), and everyone else gets my Google Voice number so I can get the transcribed messages via email. This way, I don't need to deal with being pestered via phone, but can have full access to all of its useful apps & functions.

  • by GumphMaster (772693) on Sunday September 29, 2013 @08:10PM (#44988351)

    We all do it — place our phones down on the desk next to the keyboard.

    I love a good over-generalisation.

    • My phone is generally in my pocket. Maybe people who are constantly on the phone do this? I don't like those people anyway - let them get their data stolen; I don't care.

      • I think most people do it simply because smartphones have so many uses. I only talk to mine if I have no other choice, but it sits in a business card holder when I'm at my desk just so I can glance at it to check the time, my to-do list, and so forth.

    • by Anonymous Coward

      we all do

  • Even worse... (Score:4, Insightful)

    by Nanoda (591299) on Sunday September 29, 2013 @08:13PM (#44988367)

    it can spy on what you say!!!

    Seriously, if my phone is compromised, everything else is pretty much moot.

    • If two criminals want to communicate securely with each other by cell phones, they can do so if they keep their conversations short and by using prepaid phones such as trac phones bought with cash. Their CIA, NSA, KGB or whoever can listen in on their conversations, but they don't know who is talking.

  • . . . of the little scheme someone I knew cooked up to read data transmissions from watching the lights flash on a Hayes modem - from a distance, of course :) Not that I would ever do anything spurious like that, tho.
    • Re:Reminds me... (Score:4, Interesting)

      by moteyalpha (1228680) on Sunday September 29, 2013 @09:02PM (#44988571) Homepage Journal

      . . . of the little scheme someone I knew cooked up to read data transmissions from watching the lights flash on a Hayes modem - from a distance, of course :) Not that I would ever do anything spurious like that, tho.

      The vibration trick seems a bit of a stretch to be useful, but it does fall into a class of things like you said. There are so many holes in the technology created by accident or on purpose that it is a wonder that anything is secure. I was at a COMDEX once a long time ago and was chatting with an engineer (a friend) that worked for a modem company about my company's dial-up customer service system and complaining that it hung up on customers sometimes. He asked me for my dial up number and I provided it. I assumed he was going to see if it hung up on him. He proceeded to enter a long string of characters and took control of our modem, went into configuration and changed a parameter that set a hang up delay on inactivity. It fixed the problem, but that was creepy. Obviously that was long ago before the internet, but I have never trusted any system since then unless it was open source and open hardware, and even then I am not sure because I have seen spooks at the chip fab and I am sure they weren't there to get coffee.
      I watched some videos from DEFCON and became even more certain that we live in a silicon dioxide house and it is subject to fracture on impact, so it would be advisable to avoid conflict with projectiles.

      • Re: (Score:1, Insightful)

        Obviously that was long ago before the internet, but I have never trusted any system since then unless it was open source and open hardware, and even then I am not sure because I have seen spooks at the chip fab and I am sure they weren't there to get coffee.

        Having the source, or the blueprints, does you little good if you do not know how to read and use them, and if you stopped to go through these things for every item you own, you would turn grey and cold long before completing this epic assignment. Technology is advancing at a breakneck pace and it simply isn't possible for any one person, or even a small group of people, to retain adequate working knowledge of all the technologies we come in contact with on a daily basis enough to provide viable protection

  • by Anonymous Coward
    Obviously the only safe way to compute is to listen to Black Sabbath while doing so. Constantly fake drumming by slamming the desk should be enough to throw off the sensors.
  • It seems to me the real story is that someone else can place their cellphone on your desk and perhaps log your keystrokes. Loan Applications and Job interviews come to mind.
    • by dcw3 (649211)

      Um, no they can't. Not without having done so previously, and trained for your keyboard.

  • by Anonymous Coward

    This is ridiculous. For the phone to run through the learning phase, the user has to type in the exact words with the phone in about the same position to calibrate the neural network. Even if you use frequency analysis to determine it, there has to be a long enough time to get enough samples. So let's see it in action.

  • On your phone, you have bigger problems than someone listening to the sound of your keystrokes on a keyboard. Everything I have read is that iPhones are particularly resistant to getting malware on them.

    • by AHuxley (892839)
      If your telco has a hardware/software layer and is actively decrypting for your gov, all marketing talk of being resistant is a joke.
      With a known conference room or free wifi cafe this method might get interesting for pure data entry by a person.
  • MI5 episode (Score:5, Interesting)

    by Okian Warrior (537106) on Sunday September 29, 2013 @10:15PM (#44988781) Homepage Journal

    There was an episode of MI5 [imdb.com] (aired as "Spooks" in the UK) that had this many years ago.

    They gave a foreign agent a document to type, and had an eavesdropping device in his office. By recording the keyclicks of the known document, they were able to train the system to decode keyclicks for subsequent documents.

    It didn't seem farfetched at the time, it doesn't seem farfetched today.

    • Re: (Score:2, Interesting)

      by Anonymous Coward

      I think Viktor Suvorov mentions in one of his books how spies used to write with a pencil, rather than use a typewriter, because of the danger of decoding a text from listening to the typing. That was in the time when people still used typewriters. So, yes, this stuff does pre-date smartphones.

    • by rasmusbr (2186518)

      I've been told most of those spying techniques relied on listening to the radio noise that CRT monitors give off. I guess if you owned a monitor of the same brand and model as the target you could train your snooping device on your monitor and then use that setting.

      I have no idea if it's true or if it's hyperbole, but it's often said that the most sensitive snooping devices could pick up the signal from across the street.

      Wired keyboards give off a much weaker radio signal that you can try to snoop on in cas

  • This is a 2011 study... and this becomes news in /. over 2 years later?
  • No power, no electronics, just a bunch of keys with springs. The microphone in the computer reads the keypresses.

    • by Yakasha (42321)

      No power, no electronics, just a bunch of keys with springs. The microphone in the computer reads the keypresses.

      I've already replied, so I can't mod. This sounds like an awesome idea actually. No more replacing batteries in your wireless keyboard. Build it, I will buy one.

      • by DavidD_CA (750156)

        This is a fantastic id4589074VTJIL4D5QX3T9JFDCGJea.

        Sorry, my C3409TOIKJERC2RIOKFSOI GJRIOT cat just jumped on and off my desk.

        • by Yakasha (42321)

          This is a fantastic id4589074VTJIL4D5QX3T9JFDCGJea.

          Sorry, my C3409TOIKJERC2RIOKFSOI GJRIOT cat just jumped on and off my desk.

          Sounds like you need better software then.

  • On a related note, I have had to learn to watch where I leave my iPhone 4 on my desktop. If it is left covering my Lenovo USB mouse cable, I have bother with the mouse jumping all over my screen. Try it! Just unlocking my iPhone causes the browser to scroll all over the place. I wonder if this could be developed to do more.
  • Nothing new (Score:5, Funny)

    by TheInternetGuy (2006682) on Monday September 30, 2013 @05:06AM (#44990241)
    I have an IBM type M keyboard, and this post was relayed to slashdot via the Global Seismographic Network
  • Many of the early posts seem to misunderstand the vulnerability issue here.

    This is not about your phone getting infected with malware that allows it to detect your PC keyboard typing.

    This is about me putting the vibration-detection app on my own phone, and then going to someone else's desk and recording them logging in.

    So, imagine me going to my local AT&T store, bank, or my boss's computer, and casually setting my phone down while they log in to check my account or whatever.

    Granted, some of those syste

    • by Yakasha (42321)

      Many of the early posts seem to misunderstand the vulnerability issue here.

      This is not about your phone getting infected with malware that allows it to detect your PC keyboard typing.

      This is about me putting the vibration-detection app on my own phone, and then going to someone else's desk and recording them logging in.

      So, imagine me going to my local AT&T store, bank, or my boss's computer, and casually setting my phone down while they log in to check my account or whatever.

      Granted, some of those systems will require more than just a password (I might need their username, or the URL to log in, or perhaps their firewall only accepts certain IPs), but it's still a considerable weakness if this application is reliable and gets out in the open.

      I can imagine keyboards that are "vibration silent" or special "vibration absorption" pads that will prevent this from happening. Either that, or customer service reps will start saying "Please remove your phone from my desk while I access your account."

      1. Place underneath ATM.
      2. Use any existing method of obtaining user's card #

      Would be slightly less obvious than putting something over the buttons themselves. For RFID equipped cards, the entire setup could be out of sight.

      Now if only the iPhone's battery could be hacked to last long enough to make this plausible...
