Wednesday, October 19, 2011

iPhone keylogger can snoop on desktop typing

Get into the office, sit down at the computer and lay your cellphone on the desk, a ritual that millions play out every morning, but one that could reveal more than you expect. Security researchers have discovered they can detect the vibrations caused by using a computer keyboard and read off what is being typed simply by placing a smartphone with a keylogging app on the desk nearby.

Patrick Traynor and colleagues at the Georgia Institute of Technology in Atlanta were able to use the motion sensors inside an iPhone to read keystrokes from a keyboard 5 centimetres away with up to 80 per cent accuracy.

The sensors don't recognise the vibrations of particular individual keys, but for consecutive pairs of keystrokes they can tell whether the keys are on the left or right of the keyboard and how close together they are. This information is then matched to a dictionary to recreate the typed word. For example, the word "canoe" breaks down into four pairs: "CA", "AN", "NO" and "OE". The first pair is classified as left-left-near, the second is left-right-far, and so on.

The resulting patterns aren't unique to a particular word, but they are good enough to reconstruct a message when you already know something about its contents. The team tested their algorithm on a dictionary of 799 words such as "mayor" and "ballot" gathered from news articles about an election in Chicago. The algorithm provided its best guesses for matching patterns to words, identifying the correct word as a first guess 40 per cent of the time and as one of the top five guesses 80 per cent of the time. "Context can help us figure out what was really typed when mistakes are made," says Traynor, and a human attacker could fill in the blanks by making their own guesses.
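The pair encoding and dictionary lookup described above can be sketched as follows. This is an added illustration, not the researchers' code: the QWERTY key coordinates, the left/right split and the near/far cut-off are assumptions chosen so that "canoe" yields the labels quoted in the article, and the word list is constructed. It shows why the patterns are not unique and why the dictionary matters.

```python
from collections import defaultdict
from math import hypot

# Assumed QWERTY geometry: each row's keys and its horizontal stagger (key widths).
ROWS = [("qwertyuiop", 0.0), ("asdfghjkl", 0.25), ("zxcvbnm", 0.75)]
LEFT_HAND = set("qwertasdfgzxcvb")  # assumed left/right split of the keyboard
NEAR_LIMIT = 3.0                    # assumed near/far cut-off, in key widths

# Map every letter to an (x, y) position on the keyboard.
POS = {ch: (col + off, row)
       for row, (keys, off) in enumerate(ROWS)
       for col, ch in enumerate(keys)}

# Constructed sample dictionary (the study used 799 words from news articles).
SAMPLE_WORDS = ["canoe", "mayor", "ballot", "poll", "pull", "vote", "ward"]

def side(ch):
    return "L" if ch in LEFT_HAND else "R"

def pair_label(a, b):
    """Label one consecutive key pair: (side of a, side of b, near/far)."""
    (ax, ay), (bx, by) = POS[a], POS[b]
    dist = "near" if hypot(ax - bx, ay - by) <= NEAR_LIMIT else "far"
    return (side(a), side(b), dist)

def profile(word):
    """Sequence of pair labels for a word, e.g. CA, AN, NO, OE for 'canoe'."""
    w = word.lower()
    return tuple(pair_label(a, b) for a, b in zip(w, w[1:]))

def candidates(observed, dictionary):
    """All dictionary words whose profile equals the observed one."""
    return sorted(w for w in dictionary if profile(w) == observed)

def ambiguity(dictionary):
    """Profiles shared by more than one word: cases the encoding cannot separate."""
    groups = defaultdict(list)
    for w in dictionary:
        groups[profile(w)].append(w)
    return {p: sorted(ws) for p, ws in groups.items() if len(ws) > 1}

if __name__ == "__main__":
    print(profile("canoe")[:2])                         # labels for CA and AN
    print(candidates(profile("poll"), SAMPLE_WORDS))    # colliding words
    print(len(ambiguity(SAMPLE_WORDS)), "ambiguous profile(s)")
```

With a small dictionary most profiles map to a single word; as the dictionary grows, more words collide, which is why the reported accuracy depends on a word list tailored to the expected content.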

Easy hacking

This kind of eavesdropping was already possible by monitoring the sound of typing, but apps are not normally allowed to access a handset's microphone without the user's permission. Motion sensors are less well protected, in part because it was assumed they couldn't be used maliciously. That would make it easy for an attacker to hide a monitoring system inside an innocent-looking app. "The sampling rate of the accelerometers is so low that, before this work, it was not clear that they could be used to capture this kind of valuable data," says Traynor.

It's possible that manufacturers should revise their assessment, as motion sensors can also reveal what is being typed on the phone's own keyboard. Until that happens, what can you do to protect yourself from snooping?

Traynor says it's unlikely that this kind of attack will become common in mobile malware, but there is an easy fix if you're worried: "One of the simplest protections is to move your phone over 2 feet [60 centimetres] from the keyboard," he says, as the attack's accuracy quickly drops off with distance. Another option would be to invest in a stone-topped desk, which would prevent vibrations from travelling.

Markus Kuhn, a computer scientist at the University of Cambridge, says the attack is an interesting idea but the need for a specifically tailored dictionary limits its usefulness. "It puts the attack very much at the James Bond end of the spectrum," he says. "This will require an expert spending an enormous amount of time tweaking things in order to get a result out."


Source: http://feeds.newscientist.com/c/749/f/10897/s/195ffb53/l/0L0Snewscientist0N0Carticle0Cdn210A590Eiphone0Ekeylogger0Ecan0Esnoop0Eon0Edesktop0Etyping0Bhtml0DDCMP0FOTC0Erss0Gnsref0Fonline0Enews/story01.htm
