Hackers could parse passwords by listening to typing on a phone

Baltimore Sun Sunday - FROM PAGE ONE - By Hamza Shaban

What if scammers could learn your password not from a massive cyberattack or taking control of your device, but from listening in as you type?

That’s the startling premise of a recent study by researchers at Cambridge University and Sweden’s Linköping University who were able to glean passwords by deciphering the sound waves generated by fingers tapping on smartphone touch screens.

Malicious actors can decode what a person is typing by using a spying app that can access the smartphone’s microphone, according to the study, which was first reported by The Wall Street Journal. “We showed that the attack can successfully recover PIN codes, individual letters and whole words,” the researchers wrote.

A passive, sound-based attack could be executed if a person installs an app infected with such malware. “Many apps ask for this permission and most of us blindly accept the list of demanded permissions anyway,” the researchers wrote. Attackers also could provide their target with a smartphone on which the malicious app was preinstalled.

The researchers designed a machine-learning algorithm that could decode vibrations for specific keystrokes. Among a test group of 45 people across several tests, the researchers could correctly replicate passwords on smartphones seven times out of 27, within 10 attempts. On tablets, the researchers achieved better results, nailing the password 19 times out of 27 within 10 attempts.

“We found the device’s microphone(s) can recover this wave and ‘hear’ the finger’s touch, and the wave’s distortions are characteristic of the tap’s location on the screen,” the researchers wrote. “Hence, by recording audio through the built-in microphone(s), a malicious app can infer text as the user enters it.”

The experiment ran on an Android application that allowed participants to enter letters and words on two LG Nexus 5 phones and a Nexus 9 tablet, according to the paper. As the participants tapped, the app recorded audio through the devices’ built-in microphones. To simulate a real-world environment, the researchers had participants enter passwords at three locations at a university, with different levels of background noise: a common room where a coffee machine was used; a reading room with computers; and a library.

The study has not yet been peer reviewed, the report said, or published, but it is available online through a website maintained by Cornell University for research.

To guard against such attacks, the researchers suggested, smartphone makers might consider installing a switch that would allow users to shut off the microphone.
