We have reported on sophisticated attacks via smartphones in the past (see “Your iPhone as a keylogger”). Here are two new twists – probably still theoretical, but both pointing towards new ways to spy on you by misusing your microphone…

The attack vector in both cases is the same: a local microphone to which the attacker has access. The passive attack is aimed at your desktop computer and just uses your smartphone’s microphone (or any other connected microphone to which an attacker has access). Using a Skype call, Google Hangouts, or any other streaming audio chat (even via a Google Home or Amazon Echo device), the attacker listens to the sound of your screen’s power supply. The way the screen renders the display, “sending signals to each pixel of each line with varying intensity levels for each sub-pixel” creates fluctuations in the power consumption, and hence in the “hum” of the power supply. Intercepted by the microphone, sophisticated machine learning techniques are subsequently employed to deduce from the hum what is being displayed on the screen… The first results show that researchers managed to determine which website out of the Alexa top-10 websites was displayed on the test screen with a 97% accuracy. On-screen keyboard strokes could be identified with an accuracy of 96% and 40% depending on the test set-up. Extended to full words, this can exceed 99% and 70% accuracy. And their results to capture paragraphs with more than 100 words displayed on screen look disturbingly accurate too.

The active attack is aimed at smartphones and uses both the local microphone and the local loudspeaker. Paired together, using the loudspeaker to emit acoustic signals inaudible to humans and recording them again with the microphone, they create a small basic sonar system: “The echo signal can be used to profile user interaction with the device”, i.e. the way your finger swipes over and interacts with the screen. Interestingly, they’ve shown how this sonar can be employed to help identify the swipe pattern used to unlock an Android phone – reducing the number of trials to be performed by the attacker by 70%. And that is only their proof-of-concept…

Admittedly, both attacks are still rudimentary and theoretical, but with more computing power at hand, better machine learning algorithms and more research, both also show what the sophisticated attackers, snoops and spies of this world might add to their exploitation arsenal in the future… By the way, if you are using an Android smartphone and swipe through the 3x3 pattern to unlock it, check out this paper listing the 20 most used swipe patterns. Using one of these is like using one of the top-10 most used passwords. If yours is listed, maybe it’s time to move to another, more secure pattern?

________

Do you want to learn more about computer security incidents and issues at CERN? Follow our Monthly Report. For further information, questions or help, check our website or contact us at Computer.Security@cern.ch.