Georgia Tech researchers have discovered how to use a mobile phone to track what is being typed on a nearby computer keyboard. They used a smartphone accelerometer — the internal device that detects when and how the phone is tilted — to sense keyboard vibrations and decipher complete sentences with up to 80 percent accuracy. The research team believes that most smartphones made in the past two years are sophisticated enough to launch this attack.

“The way we see this attack working is that you, the phone’s owner, would request or be asked to download an innocuous-looking application, which doesn’t ask you for the use of any suspicious phone sensors,” said Henry Carter, a Ph.D. student in computer science. “Then the keyboard-detection malware is turned on, and the next time you place your phone next to the keyboard and start typing, it starts listening.”

Previously, researchers have accomplished similar results using microphones, but a microphone is a much more sensitive instrument than an accelerometer. A typical smartphone’s microphone samples vibration roughly 44,000 times per second, while even newer phones’ accelerometers sample just 100 times per second. Manufacturers have also installed security around a phone’s microphone: the phone’s operating system is programmed to ask users whether to give new applications access to most built-in sensors, including the microphone. Accelerometers typically are not protected in this way.

The technique works through probability and by detecting pairs of keystrokes rather than individual keys; detecting individual keys is still too difficult to accomplish reliably, according to Patrick Traynor, assistant professor in Georgia Tech’s School of Computer Science. It models “keyboard events” in pairs, then determines whether each key in the pair is on the left or the right side of the keyboard, and whether the two keys are close together or far apart. After the system has determined these characteristics for each pair of keys pressed, it compares the results against a preloaded dictionary, each word of which has been broken down along similar measurements. The technique only works reliably on words of three or more letters. Working with dictionaries comprising about 58,000 words, the system reached word-recovery rates as high as 80 percent.
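The dictionary-matching step described above, as an added illustration that is not code from the researchers or from this article: it shows how the coarse left/right and near/far labels narrow a word list, and why short words stay ambiguous. The QWERTY coordinates, the left/right split, the distance threshold and the word list are all assumptions constructed here, and the code starts from already-labelled key pairs rather than sensor data.

```python
# Constructed QWERTY geometry: (row, column) per letter, with each row
# shifted half a key to approximate the stagger. Assumption, not paper data.
ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]
POS = {ch: (r, c + 0.5 * r) for r, row in enumerate(ROWS) for c, ch in enumerate(row)}
LEFT = set("qwertasdfgzxcvb")   # assumed left-hand half of the keyboard
NEAR_THRESHOLD = 3.5            # assumed cut-off (in key widths) for "near"


def pair_feature(a, b):
    """Label one key pair, e.g. 'LRN' = left key, right key, near."""
    (r1, c1), (r2, c2) = POS[a], POS[b]
    dist = ((r1 - r2) ** 2 + (c1 - c2) ** 2) ** 0.5
    side = lambda ch: "L" if ch in LEFT else "R"
    return side(a) + side(b) + ("N" if dist <= NEAR_THRESHOLD else "F")


def word_profile(word):
    """Break a word down into the label sequence of its consecutive pairs."""
    return tuple(pair_feature(a, b) for a, b in zip(word, word[1:]))


def build_index(words):
    """Preload the dictionary: profile -> every word sharing that profile."""
    index = {}
    for w in words:
        index.setdefault(word_profile(w), []).append(w)
    return index


def candidates(index, observed):
    """Words consistent with an observed sequence of pair labels."""
    return index.get(tuple(observed), [])


# Constructed sample dictionary (the page mentions about 58,000 words).
SAMPLE_WORDS = ["the", "tie", "toe", "cat", "car", "on", "in", "up", "no", "password"]

if __name__ == "__main__":
    index = build_index(SAMPLE_WORDS)
    for profile, words in sorted(index.items(), key=lambda kv: len(kv[0])):
        print(len(profile) + 1, "letters", profile, "->", words)
```

In this sample every two-letter word collapses to the same single label, while the eight-letter word has a profile no other entry shares.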

“The likelihood of someone falling victim to an attack like this right now is pretty low,” said Traynor. “This was really hard to do. But could people do it if they really wanted to? We think yes.”

(Georgia Tech)