e-Why, What & How · 2019-04-03

Study shows digital devices might be vulnerable to “microphone keylogging” – e-Why, What & How

Keylogging has long been a lucrative method for cybercriminals to obtain passwords & PINs from unsuspecting computer users. However, with the advent of smartphones & Tablets, the job of these malicious spymasters has become more difficult, since ‘soft keyboards’ do not have physical keys, & all touch usage occurs on the same surface. Nevertheless, when a user taps on screen the action triggers a sound wave, which travels through the air & through the device—this ‘vibration’ offers an opportunity for spyware to capture user input via the device’s microphone.

Not much research has been done on how effectively a microphone picks up computer input keys & interprets it, but a recent study conducted by Ross Anderson, Jeff Yan, Laurent Simon & Ilia Shumailov, & published on Arxiv.org  reveals alarming results on just how useful this method of keylogging could be for determined cybercriminals.

Basically, the study team built an Android app to seek answers on the effectiveness of “microphone keyloggers”. It employed the assistance of 45 users in a real-world study using both an Android smartphone & Tablet. The team developed an app to detect user input by ‘training’ their system using AI learning patterns, offline.

On a Tablet the team recovered 61% of 200 PINs entered into the device in 20 attempts, while on a smartphone using words of between 7-13 letters, the recovery rate was 9 words in 50 attempts. The system built by the team used 2 microphones on the devices tested, so as to better capture the sounds & vibrations emitted by finger-taps on screen. The team concluded that ordinary anti-virus or anti-spy software products, such as TrustZone, would be incapable of detecting, & therefore combating this nature of spyware.

The disturbing point is that malicious criminals could be using this type of spyware already, & they could be receiving feedback without the limits imposed by anti-spying apps — which the user may have installed to protect themselves — these products would be utterly useless against this sophisticated method of Keylogging. In order to combat this problem, the team offered several countermeasures for protection, which target both the device’s software & hardware stack.

  1. Although a radical suggestion, removing the microphone altogether might be an option.
  2. A physical switch to disable the microphone at will.
  3. Lower the microphone’s sampling frequency so that it’s unable to detect key inputs.
  4. Additional glass layer to absorb finger-tap vibration.
  5. Prohibit recording during data entry.
  6. A sophisticated PIN entry system that would introduce ‘noise’, which would be all other apps might ‘hear’, when in use. This system could also be extended to other possibly invasive device features, such as the camera, gyro and accelerometer.
  7. A ‘secure entry text’ facility for apps to gather passwords & other sensitive data.
  8. Time-jitter or decoy sounds sent to the microphone during text entry.

However, most of these suggestions would result in lowering the quality of the user’s experience, which is the last thing phone manufactures want, since they rely on enhancing these types of features to sell phones. Nevertheless, with the results of the study clearly showing that acoustic attacks on devices can accurately decipher passwords & PINs, manufactures & users have been warned that something must be done to avert disaster.


 

Click here to opt-out of Google Analytics