Hackers could parse passwords by listening to typing on a phone
What if scammers could learn your password not from a massive cyberattack or taking control of your device, but from listening in as you type?
That’s the startling premise of a recent study by researchers at Cambridge University and Sweden’s Linköping University who were able to glean passwords by deciphering the sound waves generated by fingers tapping on smartphone touch screens.
Malicious actors can decode what a person is typing by using a spying app that can access the smartphone’s microphone, according to the study, which was first reported by The Wall Street Journal. “We showed that the attack can successfully recover PIN codes, individual letters and whole words,” the researchers wrote.
A passive, sound-based attack could be executed if a person installs an app infected with such malware. “Many apps ask for this permission and most of us blindly accept the list of demanded permissions anyway,” the researchers wrote. Attackers also could also provide their target with a smartphone on which the malicious app was preinstalled.
The researchers designed a machinelearning algorithm that could decode vibrations for specific keystrokes. Among a test group of 45 people across several tests, the researchers could correctly replicate passpasswords, words on smartphones seven times out of 27, within 10 attempts. On tablets, the researchers achieved better results, nailing the password 19 times out of 27 within 10 attempts.
“We found the device’s microphone(s) can recover this wave and ‘hear’ the finger’s touch, and the wave’s distortions are characteristic of the tap’s location on the screen,” the researchers wrote. “Hence, by recording audio through the built-in microphone(s), a malicious app can infer text as the user enters it.”
The experiment ran on an Android application that allowed participants to enter letters and words on two LG Nexus 5 phones and a Nexus 9 tablet, according the paper. As the participants tapped in the the app recorded audio through the devices’ built-in microphones. To simulate a real-world environment, the researchers had participants enter passwords at three locations at a university, with different levels of background noise: a common room where a coffee machine was used; a reading room with computers, and a library.
The study has not yet been peer reviewed, the report said, or published, but it is available online through a website maintained by Cornell University for research.
To guard against such attacks, the researchers suggested, smartphone makers might consider installing a switch that would allow users to shut off the microphone.