Your phone's motion sensors can betray you to hackers

Beware, smartphone users: your motion sensors can give you away to hackers.
 
Researchers have created a Trojan app that can read phone numbers, passwords and other data like social security IDs by using a phone's built-in motion sensors.
 
"The fundamental problem here is that sensing is unmanaged on existing smartphone platforms," Zhi Xu, a PhD candidate in the Pennsylvania State University's Department of Computer Science and Engineering and one of the app's creators, told tech site Ars Technica in an email.
 
Xu authored a paper with Kun Bai of IBM's T.J. Watson Research Center and Sencun Zhu of the University of Pennsylvania.
 
They warned that the risks arising from data leaked by integrated motion sensors won't be curbed without fundamental changes by the OS developers.
 
Dubbed "TapLogger," the proof-of-concept app masquerades as a game for phones running Google's Android operating system.
 
While the game challenges the user to identify identical icons from a collection of similar-looking images, it actually monitors readings by the phone's built-in accelerometer, gyroscope, and orientation sensors to infer phone numbers and other digits entered into the device.
 
The app then surreptitiously uploads the inferred digits to a computer under the control of the attackers.
 
It is partly based on a similar smartphone keylogger called TouchLogger.
 
But the researchers also noted that similar permission systems can make Research in Motion's BlackBerry OS, as well as jailbroken iOS devices, vulnerable.
 
"TapLogger shows that those unmanaged 'insensitive sensors' can really be used to infer very sensitive user information (e.g. passwords and PIN numbers). Inspired by TapLogger, we believe that more and more sensor-based attackers will be introduced in the near future," Xu said.
 
'Listening in' on your movements

TapLogger works by using a device's motion sensors to record subtle real-time changes of orientation as a user enters numbers to release a phone's screenlock, dial a phone number, or provide a social security number during a call to a health-insurance service center.
 
By logging the precise changes along three dimensions — azimuth, pitch, and roll — the trojan makes educated guesses about the touchscreen regions that were tapped to generate the orientation changes.
 
It then maps those regions to the user interface of the screenlock or dial pad of a specific Android phone.
 
TapLogger surreptitiously collects training data as players match the icons. The more rounds a user plays, the better the trojan gets at guessing the keys that are tapped when users are entering numbers into the screenlock or dial pad interfaces.
 
"When a user taps on the touchscreen, the display and its supporting hardware and firmware will report the coordinates of tap events to the operating system of the smartphone," Ars Technica quoted a paper titled "TapLogger: Inferring User Inputs On Smartphone Touchscreens Using On-board Motion Sensors" as saying.
 
Xu and two other researchers presented it last week at the Fifth ACM Conference on Security and Privacy in Wireless and Mobile Networks.
 
"The coordinates of a tap event together with knowledge of the application view currently displayed on the touchscreen determine the corresponding user input. For example, a tap event with coordinates within the boundary of a button displayed on the touchscreen stands for a tap action on this button," the researchers said.
 
Vibrations and variables
 
Even after TapLogger has been trained to deduce the taps of a given user on a specific smartphone model, background vibrations and other variables prevent TapLogger from determining the exact sequence of numbers entered into a device.
 
Despite this limitation, the trojan can still greatly reduce the number of guesses required to recover a user's PIN, social security number, or other numerical string entered into the phone.
 
Ars Technica cited an example where trying every possible combination to crack a four-digit PIN would require a maximum of 10,000 combinations.
 
Using the information returned by TapLogger, an attacker can narrow the number of tries to just 81, with an average success rate of 100 percent.
 
TapLogger data can help deduce a six-digit PIN via 729 likely combinations with an average success rate of 80 percent.
 
By contrast, it would require a maximum of one million possible combinations to crack the same PIN using brute-force methods.
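To make that narrowing concrete, here is an added toy simulation of the inference step the article describes; it is my own illustration, not the researchers' code or data. Constructed per-key orientation "signatures" stand in for trained sensor data, Gaussian noise stands in for the background vibration that blocks exact recovery, and each tap is narrowed to its three nearest keys, the per-digit reduction consistent with the 81 (3^4) and 729 (3^6) figures above. The key positions, the noise model and every reading are assumptions.

```python
import itertools
import math
import random

# Constructed toy model (not from the paper): each dial-pad key sits at a grid
# position, and tapping it tilts the phone by a characteristic (pitch, roll)
# shift. Real training data would come from sensor logs; here the "trained"
# signature is simply the grid position, in arbitrary units.
KEY_LAYOUT = {
    "1": (0, 0), "2": (0, 1), "3": (0, 2),
    "4": (1, 0), "5": (1, 1), "6": (1, 2),
    "7": (2, 0), "8": (2, 1), "9": (2, 2),
                 "0": (3, 1),
}


def key_signature(key):
    """Trained mean (pitch, roll) shift for one key (assumption: its grid position)."""
    return tuple(float(v) for v in KEY_LAYOUT[key])


def rank_candidates(reading, k=3):
    """Keys whose signature is nearest to a noisy (pitch, roll) reading, best first."""
    ranked = sorted(KEY_LAYOUT, key=lambda key: math.dist(reading, key_signature(key)))
    return ranked[:k]


def candidate_pins(readings, k=3):
    """All PINs built from the top-k candidates of each tap: k ** len(readings) of them."""
    per_tap = [rank_candidates(r, k) for r in readings]
    return ["".join(digits) for digits in itertools.product(*per_tap)]


def search_space(n_digits, k):
    """Guesses needed when each digit is narrowed to k candidates (10 ** n for brute force)."""
    return k ** n_digits


def simulate_tap(key, noise, rng):
    """Constructed sensor reading: true signature plus Gaussian 'background vibration'."""
    pitch, roll = key_signature(key)
    return (pitch + rng.gauss(0, noise), roll + rng.gauss(0, noise))


def recovery_rate(n_digits, noise, k=3, trials=500, seed=1):
    """Fraction of random PINs that fall inside the k ** n candidate set."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        pin = "".join(rng.choice("0123456789") for _ in range(n_digits))
        readings = [simulate_tap(d, noise, rng) for d in pin]
        hits += pin in candidate_pins(readings, k)
    return hits / trials
```

Raising `noise` shows the article's point from the defender's side: the exact sequence becomes unrecoverable, yet the candidate set stays far smaller than the 10,000 or one million brute-force guesses.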
 
The research is the latest to show the vulnerability of smartphones to techniques that could allow adversaries to gain unauthorized access to sensitive data stored on the devices. — TJD, GMA News