Scary new way to hack into phones
What if scammers could learn your password not from a massive cyberattack or taking control of your device, but from listening in as you type?
That’s the startling premise of a recent study by researchers at Cambridge University and Sweden’s Linköping University who were able to glean passwords by deciphering the sound waves generated by fingers tapping on smartphone touch screens.
Malicious actors can decode what a person is typing by using a spying app that can access the smartphone’s microphone, according to the study, which was first reported by The Wall Street Journal. “We showed that the attack can successfully recover PIN codes, individual letters and whole words,” the researchers wrote.
A passive, sound-based attack could be executed if a person installs an app infected with such malware. “Many apps ask for this permission and most of us blindly accept the list of demanded permissions anyway,” the researchers wrote. Attackers also could also provide their target with a smartphone on which the malicious app was pre-installed.
The researchers designed a machine-learning algorithm that could decode vibrations for specific keystrokes. Among a test group of 45 people across several tests, the researchers could correctly replicate passwords on smartphones seven times out of 27, within 10 attempts. On tablets, the researchers achieved better results, nailing the password 19 times out of 27 within 10 attempts.
“We found the device’s microphone(s) can recover this wave and ‘hear’ the finger’s touch, and the wave’s distortions are characteristic of the tap’s location on the screen,” the researchers wrote. “Hence, by recording audio through the built-in microphone(s), a malicious app can infer text as the user enters it.”