As you logged in to write a comment this morning, think about where your smartphone was sitting. Was it next to your keyboard, where you could ensure you didn’t miss any notifications? If so, your phone could track everything you wrote. It could use the accelerometer to detect keyboard vibrations, deciphering every word of your insightful anonymous commentary. A hacker could conceivably use it to find out everything you write, with up to 80 percent accuracy, researchers say.
Here’s how it would work: An accelerometer samples a phone’s vibration about 100 times per second, so it would be able to detect pairs of keystrokes, according to a Georgia Tech news release about this research. It would model “keyboard events” and determine where the pairs of keys are located on the keyboard, and how far apart they are. Then it would compare the results against a dictionary the researchers developed for this demonstration. The dictionary defines words based on their locations on a typical QWERTY keyboard, like left/right or near/far. So in Georgia Tech’s example, the word “canoe” would translate to c-a, a-n, n-o, o-e possibilities. That works out to left-left-near, and so on. The location code is checked against the dictionary, and it turns up “canoe” as the most likely word.
Using a dictionary of about 58,000 words, the researchers were able to decipher typing with about 80 percent accuracy.
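The dictionary lookup described above can be sketched in a few lines. This is an added example, not the researchers' code: the key coordinates, the left/right split by touch-typing hand, the 3.0-key "near" limit and the seven-word list are all assumptions made for illustration. It shows only the word-to-code step and how several words can share one code.

```python
import math
from collections import defaultdict

# Assumed layout: each QWERTY row with a horizontal stagger, in key widths.
ROWS = [("qwertyuiop", 0.0), ("asdfghjkl", 0.25), ("zxcvbnm", 0.75)]
KEY_POS = {ch: (i + off, row)
           for row, (keys, off) in enumerate(ROWS)
           for i, ch in enumerate(keys)}

# Assumed split: keys normally struck by the left hand count as "left".
LEFT_KEYS = set("qwertasdfgzxcvb")

# Assumed threshold: pairs closer than this many key widths are "near".
NEAR_LIMIT = 3.0


def pair_code(a, b):
    """Describe a key pair as side-of-a, side-of-b, near/far (e.g. 'LLN')."""
    side = lambda ch: "L" if ch in LEFT_KEYS else "R"
    (x1, y1), (x2, y2) = KEY_POS[a], KEY_POS[b]
    dist = math.hypot(x2 - x1, y2 - y1)
    return side(a) + side(b) + ("N" if dist < NEAR_LIMIT else "F")


def encode(word):
    """Turn a word into the sequence of codes for its consecutive key pairs."""
    return tuple(pair_code(a, b) for a, b in zip(word, word[1:]))


def build_index(words):
    """Map each location code to every dictionary word that produces it."""
    index = defaultdict(list)
    for w in words:
        index[encode(w)].append(w)
    return index


def candidates(index, code):
    """Return the dictionary words matching a location code, sorted."""
    return sorted(index.get(code, []))


# Constructed sample dictionary (the study used about 58,000 words).
SAMPLE_WORDS = ["canoe", "we", "as", "re", "he", "me", "at"]
INDEX = build_index(SAMPLE_WORDS)

if __name__ == "__main__":
    print(encode("canoe"))
    for code, words in INDEX.items():
        print(code, sorted(words))
```

In this small list "canoe" has a code to itself, while "we", "as" and "re" all collapse to the same left-left-near code, so the code alone cannot tell them apart.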
Researchers have studied the smartphone as spy-phone before, using the phones’ microphones to sample vibrations and decipher keystrokes. But microphones are very sensitive and so a much more obvious security risk: many smartphones now ask users to give a new app permission to access sensors like microphones. Not accelerometers, however. So how would an app with this capability get onto your smartphone? The authors of this study say it would probably be included as malware in an innocent-seeming app. Then when the phone is placed next to a keyboard, the malware turns on and starts listening, sending data to a hacker who wants to know what you have to say.
Granted, this all works only if your phone is pretty proximate to your keyboard, admits Patrick Traynor, an assistant professor in Georgia Tech’s School of Computer Science who was involved in the study. So just keep it elsewhere on your desk or in your bag. Plus it’s unlikely that anyone has to worry about this right now, he added.
“This was really hard to do. But could people do it if they really wanted to? We think yes.”
The work is being presented Thursday at the ACM Conference on Computer and Communications Security in Chicago.