Evil hackers and corporate spies have for years been able to record the loud tap-tap-tap of computer keyboards and decipher a log of keystrokes from it. The risk of losing your credentials to such a hack has been low because the attacker would have to be in the office with you and place stereo microphones on your desk. However, new research published in the journal Interactive, Mobile, Wearable and Ubiquitous Technologies shows that the once theoretical danger is now potentially quite serious and real.
Mobile phones and tablets often give access to organizations’ most valuable data. Mobile management systems have been rapidly evolving to help address risk by monitoring mobile operating systems, apps and data. But a new kind of attack does not require possessing, touching, or installing anything on the mobile device, rendering mobile management systems useless as protection.
Because phones and tablets are commonly used in public places, not only is the target device easy to get within range of, but the attacker’s device, another cell phone, is also completely inconspicuous.
How does it work?
The application works using echolocation, much like a bat. It uses the sophisticated microphones and sound-processing power of a modern cell phone to listen to finger taps on nearby devices. When the devices sit on a sound-carrying surface such as a wood table, accuracy rises to a remarkable 41 percent word-accuracy rate, and when password-analysis tools are applied to that data, accuracy improves to the point where a single sample will likely be enough to steal authentication credentials.
Because the attack leaves no digital footprint on the targeted device and produces no data stream that could be monitored, there is virtually no way to know you have been compromised.
The risk of this kind of attack is significant in part because public places are safer and easier places for evil hackers to operate in than your company premises. The theoretical risk is even worse if this kind of app technology moves from being a tool on an evil hacker’s phone to being incorporated into malware.
Hypothetically, if this technology could be placed into a Trojan phone app* then innocent people’s cell phones could be spying on other nearby devices. The evil hacker would not even need to be present to exploit credentials from mobile devices.
How can we respond to this potential exploit?
In the long term, the best way to address this threat is for the makers of mobile devices to add controls to both the operating systems and the hardware of mobile devices that limit the ability of such applications to function.
In the short term, people who design and implement security awareness training should make users aware of the dangers of single-factor authentication and of accessing sensitive data in public places. This may be especially crucial for C-level employees or high-access employees, such as those who work in financial institutions.
We can take some comfort in knowing that, as far as we can tell, this exploit has only been demonstrated in the laboratory, but we must also realize just how swiftly such technology can “escape into the wild” and turn into widespread exploits. The rapid adoption of ransomware, and the significant costs it has caused, is a good example of this.
*A Trojan horse or Trojan is a type of malware that is often disguised as legitimate software.
Sources: Tyler Giallanza, Travis Siems, Elena Smith, Erik Gabrielsen, Ian Johnson, Mitchell A. Thornton, Eric C. Larson. "Keyboard Snooping from Mobile Phone Arrays with Mixed Convolutional and Recurrent Neural Networks." Proceedings of the ACM on Interactive, Mobile, Wearable and Ubiquitous Technologies, 2019; 3 (2): 1. DOI: 10.1145/3328916