Slashdot Mirror

← Back to Stories (view on slashdot.org)

iPhone Keylogger Can Snoop On Desktop Typing

Posted by Soulskill on from the technology-is-awesome-and-creepy dept.

An anonymous reader writes "Researchers at Georgia Tech demonstrate that a mobile phone located near a keyboard can use its accelerometers to recover text typed by a target. 'The technique works through probability and by detecting pairs of keystrokes, rather than individual keys (which still is too difficult to accomplish reliably, Traynor said). It models “keyboard events” in pairs, then determines whether the pair of keys pressed is on the left versus right side of the keyboard, and whether they are close together or far apart. After the system has determined these characteristics for each pair of keys depressed, it compares the results against a preloaded dictionary, each word of which has been broken down along similar measurements (i.e., are the letters left/right, near/far on a standard QWERTY keyboard).'"

103 comments

  1. Re:If you use an iPhone... by mattventura · · Score: 1

    I don't think you even RTFS

  2. Re:If you use an iPhone... by mattventura · · Score: 1

    Specifically, the summary says nothing about it being iphone specific, only that it requires accelerometers which are in a lot of phones and even many laptops.

  3. Good reason... by MrKevvy · · Score: 5, Funny

    ... to switch to Dvorak.

    --
    -- Insert witty one-liner here. --
    1. Re:Good reason... by Anonymous Coward · · Score: 0, Flamebait

      Sure, if you're into having sex with men.

    2. Re:Good reason... by Anonymous Coward · · Score: 0

      or put your keyboard on a thin strip of rubber, would that help?

    3. Re:Good reason... by ackthpt · · Score: 1

      ... to switch to Dvorak.

      Why? I can type up to 30 errors a minute!

      --

      A feeling of having made the same mistake before: Deja Foobar
    4. Re:Good reason... by Anonymous Coward · · Score: 0

      If you bang the keyboard with your fist, no.

    5. Re:Good reason... by Anonymous Coward · · Score: 0

      Or to get a simpler phone.

    6. Re:Good reason... by Anonymous Coward · · Score: 1

      Or put it more than 3 inches away from your keyboard. This is an interesting idea, but far from practical in any way. That won't stop it from showing up on the next CSI and making the uninformed scared, though.

    7. Re:Good reason... by utkonos · · Score: 1

      That's going to stop someone else from hiding their phone on your desk?

    8. Re:Good reason... by Baloroth · · Score: 1

      Sort of. This sounds like a pretty difficult attack vector, so if someone is using this kind of attack against you, you can bet creating profiles for Dvorak won't be an issue for them. Not to say there aren't good reasons to switch to Dvorak anyways, just that this isn't one of them.

      Note that this technique can't be used to recover passwords, since it is essentially a dictionary attack. Unless you use a password that can be broken by a dictionary attack, in which case you shouldn't be working on anything anyone would want to steal. Oh, and keeping your phone in your pocket also circumvents it.

      --
      "None can love freedom heartily, but good men; the rest love not freedom, but license." --John Milton
    9. Re:Good reason... by Sentry360 · · Score: 2

      Haha, nice joke... Guessing than it's not just me that's noticed a huge decrease in error making? I haven't noticed as huge speed improvements, but error making has drastically went down. Anyone know why that is?

    10. Re:Good reason... by jhoegl · · Score: 3, Funny

      Do grammatical errors count?

    11. Re:Good reason... by Sentry360 · · Score: 1

      Would hiding two phones allow for better triangulation of the password?

    12. Re:Good reason... by Anonymous Coward · · Score: 0

      Sort of. This sounds like a pretty difficult attack vector, so if someone is using this kind of attack against you, you can bet creating profiles for Dvorak won't be an issue for them. Not to say there aren't good reasons to switch to Dvorak anyways, just that this isn't one of them.

      Dvorak is designed to make many common words have letters on alternating sides of the keyboard. This makes it more difficult to infer which word was actually typed, even if you can always tell which side of the keyboard a key press occurred on.

    13. Re:Good reason... by spyder-implee · · Score: 2

      Also from tfa, keeping the phone > 3 inches from the keyboard also prevents it, and I assume different desk surfaces, types of wood/steel, keyboard material, type of keyboard (laptop keyboards?), keyboard trays, paper lying on a users desk and other sources of vibration interference also defeats this attack. It's almost laughable they bother suggesting setting extra permissions for the accelerometer's sample rate, when so many things need to fall into place for this to have a chance of revealing anything of value in the first place.

      --
      Take what ye can. Give nothing back!
    14. Re:Good reason... by kelemvor4 · · Score: 1

      It's dictionary based. If you're not using an ultra lame password, you'll likely be OK.

    15. Re:Good reason... by Anonymous Coward · · Score: 0

      And would it work on someone like me that can mix french, english, spanish, japanese and chinese in the same mail with different combinations depending of what languages my friends speak?

    16. Re:Good reason... by LordLucless · · Score: 3, Funny

      Unless you're using a Model M, in which case 3 miles is the maximum viable distance.

      --
      Just because you're paranoid doesn't mean there isn't an invisible demon about to eat your face
    17. Re:Good reason... by Anonymous Coward · · Score: 0

      No, but there's only one of you and you're irrelevant.

    18. Re:Good reason... by Anonymous Coward · · Score: 0

      they still get the contents of your email you are writing though...

    19. Re:Good reason... by Anubis+IV · · Score: 1

      Darn right! If they're using an English dictionary to crack our passwords, using French words will fool them! They'll never get around that!

      Exclamation points!!

    20. Re:Good reason... by Kozz · · Score: 1

      Note that this technique can't be used to recover passwords, since it is essentially a dictionary attack.

      Judging by the typos and spelling errors to be found in the average slashdot post, most of these folks will be immune to dictionary attacks. Unless they build up a dictionary of misspellings, too... dagnabbit!

      --
      I only post comments when someone on the internet is wrong.
    21. Re:Good reason... by Anonymous Coward · · Score: 0

      Or just leave the phone on the bed while you're having sex. That will really fuck with them. "It's very odd... He was apparently transcribing War and Peace, but his spelling is atrocious!"

    22. Re:Good reason... by metageek · · Score: 1

      > Oh, and keeping your phone in your pocket also circumvents it.

      but gives you cancer...

      --
      metageek
    23. Re:Good reason... by JasterBobaMereel · · Score: 1

      ..or just use Commonwealth English spelling instead of US American English Spelling ...

      --
      Puteulanus fenestra mortis
    24. Re:Good reason... by Anonymous Coward · · Score: 0

      It's because you've consciously learned to type instead of picking it up as you went along. Nothing to do with the layout, everything to do with proper training.

      Don't get me wrong, though! Whatever the cause, it is clear that many people do see great benefits from switching to Dvorak that they would never gain if they stuck with QWERTY.

    25. Re:Good reason... by Anonymous Coward · · Score: 0

      No, but switching to Dvorak has greatly helped my RSI, without a change of keyboard. And I actually have noticed a speed increase, myself. I was only ever 40-50 WPM in QWERTY, but am 60+ on Dvorak. :)

    26. Re:Good reason... by Russ1642 · · Score: 1

      Switch? I've been using it for a decade. I still love it when I'm showing somebody something on my computer and they watch me type. They look all confused. Wait a second, you didn't hit Ctrl-F!

    27. Re:Good reason... by TangoMargarine · · Score: 1

      Qwerty is designed to make many common words have letters on alternating sides of the keyboard. This makes it more difficult to infer which word was actually typed, even if you can always tell which side of the keyboard a key press occurred on.

      FTFY. Qwerty

      --
      Unity? Screw that: XFCE. Slashdot Beta? Screw that: SoylentNews. Australis? Screw that: Pale Moon. UX developers DIAF
    28. Re:Good reason... by Anonymous Coward · · Score: 0

      You've already made many errors in your post.

      So either:
      a) you made "drastically" a lot more errors before. More than one in every sentence?
      b) your ability to detect your errors has deteriorated.

    29. Re:Good reason... by laurelraven · · Score: 1

      Grammar nazi is fail. He was referring to typo's, I'm sure, not grammar errors.

      To GP: I switched 2 years ago, and I'm mostly typing the same speed I used to on Qwerty. I agree, though, that my typo rate has gone down a lot, and at times, my speed spikes way over what I used to be able to do. Also, same on the RSI thing...

      --
      RTFA is Known to the State of California to cause cancer.
    30. Re:Good reason... by laurelraven · · Score: 1
      From the linked wiki:

      Alternating hands while typing is a desirable trait in a keyboard design, since while one hand is typing a letter, the other hand can get in position to type the next letter. Thus, a typist may fall into a steady rhythm and type quickly. However, when a string of letters is done with the same hand, the chances of stuttering are increased and a rhythm can be broken, thus decreasing speed and increasing errors and fatigue. In the QWERTY layout many more words can be spelled using only the left hand than the right hand. In fact, thousands of English words can be spelled using only the left hand, while only a couple of hundred words can be typed using only the right hand. In addition, most typing strokes are done with the left hand in the QWERTY layout. This is helpful for left-handed people but to the disadvantage of right-handed people.

      While that is a desirable trait, it is one that Qwerty has a problem with. Dvorak is a lot better at this.

      --
      RTFA is Known to the State of California to cause cancer.
  4. Great achievement by Anonymous Coward · · Score: 0

    Given that one still needs physical access (sort of) to the keyboard to be sniffed, I don't see any real world application for a dictionary dependent keylogger. Especially since someone else's $martphone is not something that stays perfectly aligned to your keyboard forever. Anyway, nice job.

  5. misleading headline... by Anonymous Coward · · Score: 0

    scumbag slashdotter - only reads headline, proclaims apple sucks.

    1. Re:misleading headline... by Anonymous Coward · · Score: 1

      You don't even need to read the headline to know that apple sucks.

  6. One Word! by Archangel+Michael · · Score: 0

    SWYPE

    And for bonus: I type much faster with swype than trying to hunt/peck on my keyboard.

    --
    Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    1. Re:One Word! by TheInternetGuy · · Score: 4, Funny

      I ttryuiiiiiiiiiiiiiiiiiiiiiuytredf swsvbbbbbbyuiopoijnnbgg okmjn mjuy PLOKJHBGVC kjhygtrertyuuuuuuuuuuuuuhbjioooooiujhytrfdsaasd Translates into: I tried Swyping on my PC keyboard It didn't work to well, now did it? And would probably be just as detectable by an accelerometer.

      --
      If my comment didn't sound as good in your head as it did in mine, then I guess we all know who's to blame
    2. Re:One Word! by Sancho · · Score: 2

      Where can I download SWYPE for my desktop?

      Did you even read the summary? Or the headline?

    3. Re:One Word! by Anonymous Coward · · Score: 0

      one more word...
       
      ASS-

      SWYPE

    4. Re:One Word! by footitch · · Score: 1

      word up.

    5. Re:One Word! by Archangel+Michael · · Score: 1

      yes. and yes. My point remains, just because you don't get it doesn't diminish it at all.

      Swype doesn't have sudden jolts to which one tie to keystroke taps on a virtual keyboard. It is fluid motion and is, in itself "guessing" by the complete pattern which word you're attempting to type. Good luck pairing two key taps together using SWYPE. How does software that depends on sudden jolts work with fluid motion?

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    6. Re:One Word! by Sancho · · Score: 1

      The researchers place a phone with custom software near a desktop keyboard. The custom software records vibrations from the desktop keyboard using the phone's accelerometers. Using statistical analysis, they can decode the vibrations to figure out what was typed on the desktop keyboard. They wouldn't have to use a phone--it's just a cheap, convenient source of commodity accelerometers. They could just as easily put custom hardware (with accelerometers) on the desktop and sniff in exactly the same manner.

      They aren't sniffing what you type on the phone. They're using the phone to sniff what you type on your desktop keyboard. The type of keyboard you use on the phone is completely irrelevant.

    7. Re:One Word! by Anonymous Coward · · Score: 0

      If they can put custom hardware on your desk then why wouldn't they just use an old fashioned hardware keylogger? I think the importance of it being on the phone is that the phone could potentially compromised remotely, or maybe just some time when the target is outside of the office then they'll take their phone back and put it on their desk.

  7. Where's the app?? by Anonymous Coward · · Score: 0

    Seriously, I want to check this out... To see if it really works, and to see how I can change my typing slightly to prevent it from working. App Store or it didn't happen!

  8. iphone? by Anonymous Coward · · Score: 0

    So they put "iPhone" in the heading just to attract attention, as opposed to a generic term like "smartphone"?

    1. Re:iphone? by MobileTatsu-NJG · · Score: 1

      Take a look at this comment, it may answer your question:

      http://mobile.slashdot.org/comments.pl?sid=2482736&cid=37757330

      ^^ As long as this happens, there'll be lotsa iPhone stories.

      --

      "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)

    2. Re:iphone? by Anonymous Coward · · Score: 0

      This is /. What else would you expect?

    3. Re:iphone? by exomondo · · Score: 1

      Or maybe it's because the iphone was the subject of the study and since the iphone4 is the most common smartphone (im pretty sure that's correct? if not i retract the statement) it would be the ideal choice as you would likely need the same chassis and hardware to get consistent results, so choosing the most common phone would be the logical thing to do. Given the methodology it looks like it could be equally applied to just about any smartphone though.

  9. Another reason by no4 · · Score: 1

    to select passwords that cannot be found in a dictionary.

  10. Pics or... by Anonymous Coward · · Score: 0

    ...it didn't happen. What are they going to claim next, that it can determine what pr0n I'm look at by the fap noises?

  11. Shift Key by ben_kelley · · Score: 1

    "Why do you keep pressing the shift keys randomly?"
    "Just bEing CArefUl of keyLogGers."

    1. Re:Shift Key by Anonymous Coward · · Score: 0

      Drumming on null keys, tyvm.

    2. Re:Shift Key by Threni · · Score: 1

      Why use the keyboard at all, vs clicking on things with a mouse. This works better somewhere you're not being watched, such as at home. Then again at home it's unlikely there's a hostile smartphone spying on you, other than via malware.

  12. Ideal distance is just too close by Zakabog · · Score: 1

    The ideal distance is too close to my keyboard. Usually if I'm leaving my phone on my desk I put it to the right of my designated "mouse area" which is generally a foot or more from the keyboard. I'm a computer technician so I don't just sit at one computer all day too. Plus most of our customers seem to follow the same policy. They kind of put their phone on the corner of their desk so they don't bump it as their hands move around the keyboard and mouse. If my phone is that close to my keyboard I'm likely not at my computer and I just threw it their with my keys and wallet.

  13. Re:If you use an iPhone... by DJRumpy · · Score: 2

    TFA does mention that the test was done on the article, probably due to the popularity of the phone, but it pretty much states flat out that any modern smartphone from the last 2 years would suffice if it has the required hardware.

    “We first tried our experiments with an iPhone 3GS, and the results were difficult to read,” said Patrick Traynor, assistant professor in Georgia Tech’s School of Computer Science. “But then we tried an iPhone 4, which has an added gyroscope to clean up the accelerometer noise, and the results were much better. We believe that most smartphones made in the past two years are sophisticated enough to launch this attack.”

  14. no video by Anonymous Coward · · Score: 0

    this is one of the articles I wish had a video showing its real life performance.

    I really doubt accelerometer data would be enough to determine what I typed.
    typing pretty fast may throw it off, or just having to backspace a few times.
    not saying its worthless, but I doubt it be good for much. especially if you want to catch secure passwords that are not in a dictionary.

    probably ok for easy passwords, but there may be an easier way then first compromising an iphone to have a good guess of what the password was.

  15. tripe by Anonymous Coward · · Score: 0

    Tripe.

    Way too much is required for this to be used to steal passwords. Needs to be far too close to the keyboard for one, and the article doesn't go into details regarding differences in keyboard and desk types.

  16. ADD SOUND! by bussdriver · · Score: 2

    Sound can almost give away keys pressed. the sound on the desk is likely to work better than pickup from the air since solids conduct sound. Add vibration and you've got plenty of data to extract from! I somehow doubt the acceleration is precise enough to come close to a microphone; I wonder if an image from the camera (if in focus) could in some cases indicate more vibration than the accelerometer...
    SOUND ALONE could do it much better. use the microphone.

    --
    Democracy Now! - uncensored, anti-establishment news
  17. Teslameter by vaene · · Score: 1

    Newer iPhones also come with a Teslameter, I wonder if the can detect em spikes when the keys make contact with their pads. Depending on the distance, again, and using the same or similar logic you could determine keystrokes that way as well I would think. I'll try it once I get my new iPhone, the old 3g doesn't have teslameter in it.

  18. Re:If you use an iPhone... by Anonymous Coward · · Score: 0

    I don't think you even RTFS

    I don't think you even read the headline.

  19. Re:If you use an iPhone... by MagusSlurpy · · Score: 1

    The article says that the software requires a gyroscope in addition to the accelerometer to clear the data up enough for decoding, which laptops don't have. Additionally, I don't think the accelerometers built in to laptops are sensitive enough, they're meant for freefall detection as opposed to playing games.

    Personally, I'd like to see someone make this work with a Wiimote next.

    --
    My sister opened a computer store in Hawaii. She sells C shells by the seashore.
  20. you gotta wonder by Anonymous Coward · · Score: 0

    if Intel agencies haven't had this for a while

  21. Re:If you use an iPhone... by hardburlyboogerman · · Score: 0

    Now you know why I won't buy one ever.For as little as I use a cellphone (Rural SE KY,NO cellphone will work here at my home)The iPhone is a waste of money

    --
    Geek Hillbilly
  22. passphrases by Yojimbo-San · · Score: 3, Interesting

    So with this technique, a password of "correct horse battery staple" would be detected, but "Tr0ub4dor" would not (http://xkcd.com/936/)...

    --
    Quick wafting zephyrs vex bold Jim
    1. Re:passphrases by qxcv · · Score: 2

      It's the same with all dictionary attacks, that's why "correct horse battery staple" isn't nearly as secure a password as Mr. XKCD claims when you're facing a moderately sophisticated adversary.

      If you wanted to make a "correct horse battery staple" password more secure against this kind of attack, you could just capitalise some of the letters, or mash your unbound mod keys when entering passwords (i.e. ctl, alt, mod4, etc).

      --
      "The most dangerous enemy of a better solution is an existing codebase that is just good enough." -- Eric S. Raymond
    2. Re:passphrases by Anonymous Coward · · Score: 0

      Uh, isn't the point that 4 completely random words out of a ~60000 word dictionary have more entropy than the example "Tr0ub4dor", so is safer/better, even in all-lowercase? Yes, inserting special (random) characters into the passphrase would make it even more secure, but that is not the point.

    3. Re:passphrases by Anonymous Coward · · Score: 0

      It's the same with all dictionary attacks, that's why "correct horse battery staple" isn't nearly as secure a password as Mr. XKCD claims...

      You have failed to understand the comic. A password's resistance to a perfect dictionary attack is represented by the number of bits of entropy it contains. "correcthorsebatterystaple" contains more entropy than "Tr0ub4dor", so it's more secure against dictionary attacks.

    4. Re:passphrases by zippthorne · · Score: 2

      No, the XKCD analysis isn't based on the presumed strength of the letters in that passphrase, but instead on the *words*. He's estimating 11 bits of entropy per word, which means that the dictionary he's using has a mere 2048 words in it. If using every word in the /usr/dict/words (/usr/share/dict/words on a mac), that would be anywhere from 15 to 17 bits of per word:

      zippthorne ~$ wc -l /usr/share/dict/words
        235886 /usr/share/dict/words

      The default dictionary for Ubuntu was circa 100k words the last time I counted.

      2048 is a very restricted dictionary, but it was *already* accounted for in the password strength comparison. "Correct horse battery staple," without any punctuation or capitalization really is a stronger password than "Tr0ub4dor." Or, at least, it WAS, until it was published. Now they're both presumably in all the password cracking dictionaries out there....

      --
      Can you be Even More Awesome?!
    5. Re:passphrases by TangoMargarine · · Score: 1

      After reading that comment, I don't know why the heck "correct horse battery staple" is somehow supposed to be easier to remember. I use a consistent "leetification" algorithm on my passwords, which is easier for me to remember that four completely random words (initially). Because remembering a horse saying "that's a battery staple" (which in and of itself makes no sense) and some other random person shouting "Correct!" makes so much sense...?

      --
      Unity? Screw that: XFCE. Slashdot Beta? Screw that: SoylentNews. Australis? Screw that: Pale Moon. UX developers DIAF
    6. Re:passphrases by John+Hasler · · Score: 1

      Unfortunately many people lack sufficient imagination to come up with a hard to guess string of words.

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    7. Re:passphrases by Anonymous Coward · · Score: 0

      leetification is built into every password cracking routine that I've heard of. I've yet to see any that attack 4-5 seperated dictionary words near the beginning of the attack. In other words, leetification is a lie.

    8. Re:passphrases by TangoMargarine · · Score: 1

      Well, I tack a few symbols on, too, but those aren't particularly easy to remember other than through repetition, which kind of blows my argument wide open.

      --
      Unity? Screw that: XFCE. Slashdot Beta? Screw that: SoylentNews. Australis? Screw that: Pale Moon. UX developers DIAF
    9. Re:passphrases by Anonymous Coward · · Score: 0

      I use a consistent "leetification" algorithm on my passwords, which is easier

      to guess. That's why it doesn't increase the entropy very much in the comic.

    10. Re:passphrases by thoromyr · · Score: 1

      You lack an understanding of the actual entropy of english words. It is much lower than you think. But don't take my word for it, people have studied the topic seriously and even wikipedia has an entry level article. The short of it is that is 11 bits of entropy per word is hopelessly optimistic. http://en.wikipedia.org/wiki/Entropy_(information_theory)

    11. Re:passphrases by Anonymous Coward · · Score: 1

      You lack an understanding of the actual entropy of english words. It is much lower than you think. But don't take my word for it, people have studied the topic seriously and even wikipedia has an entry level article. The short of it is that is 11 bits of entropy per word is hopelessly optimistic.

      I have an accurate understanding of the entropy of one random choice out of 4096. It is 11 bits. You are probably thinking about the entropy per word of English text. He's not suggesting you choose a sentence. He's suggesting you choose four random words.

    12. Re:passphrases by Yojimbo-San · · Score: 1

      It's supposed to be easier to remember because you remember the composite image, and not the words themselves. You can choose images that are easy to remember (something based on goatse perhaps) and construct a phrase from there -- at the same time you meet the suggestion of a password that is so foul you would never tell another person what it is, thus preventing that whole password sharing problem. Double win. Except you have to remember goatse every time you log in. http://questionablecontent.net/view.php?comic=1829

      --
      Quick wafting zephyrs vex bold Jim
    13. Re:passphrases by Anonymous Coward · · Score: 0

      I suspect eliminating or replacing spaces, articles and conjunctions helps entropy slightly. Let's say words have 1.5 bit of entropy per letter this way. Four or five words is still a pretty good basis for a password e.g. frog spanner monkey alarmed pilgrim 31*1.5 = 46 bits. Substitute numbers and symbols uniformly in the traditional pattern and you've added another bit assuming a sufficiently large dictionary on the attacker's side. Random replacements for spaces such as stops, commas, hyphens, etc adds a bag more bits. Use words in unreasonable patterns and entropy rises further. Of course each of these hurts memorability so you have to stop somewhere. Still, doing all of the above is probably more memorable than 15 random keyboard characters at 5-6 bits per character. I drop out at around that, trading off length for number of passwords memorised.

    14. Re:passphrases by neminem · · Score: 1

      Brilliant! Next time I have to create a password on some throwaway site I don't care about, I'm totally using "I just lost the game". I'll never forget -that- (downside, every time I log in, or think about the site, I'll lose the game.)

  23. Re:If you use an iPhone... by RoFLKOPTr · · Score: 2

    The article says that the software requires a gyroscope in addition to the accelerometer to clear the data up enough for decoding, which laptops don't have. Additionally, I don't think the accelerometers built in to laptops are sensitive enough, they're meant for freefall detection as opposed to playing games.

    Personally, I'd like to see someone make this work with a Wiimote next.

    Anyway, who would go through the trouble of making a keylogger that worked by reading a laptop's accelerometer when you can make a keylogger that worked by reading a laptop's keyboard.

  24. Re:If you use an iPhone... by Gerzel · · Score: 1

    Indeed. It isn't even the phone that is vulnerable. It is the keyboard.

  25. Fucking dumbass by Anonymous Coward · · Score: 0

    People like you are why this site is shit these days.

    1. Re:Fucking dumbass by xQx · · Score: 1

      lol!!

      You sir, made my day.

      I bet the GP poster is fat and ugly and stinks like shit. He probably has delusions of adequacy though.

  26. Similar thing from 6 years ago by Anonymous Coward · · Score: 2, Interesting

    Similar idea from 6 years ago, but using acoustics rather than vibrations
    https://freedom-to-tinker.com/blog/felten/acoustic-snooping-typed-information

  27. Re:If you use an iPhone... by Nethead · · Score: 1

    T-Mobile with UMA (aka WiFi Calling) will do you well. I live on a small Indian fishing village in NW Washington State. Crap cell coverage here too.

    --
    -- I have a private email server in my basement.
  28. Researchers? by Anonymous Coward · · Score: 0

    Seriously? I guess this is interesting, if you are interested in things that are not practical.

  29. Clippy by Anonymous Coward · · Score: 0

    "Your phone tells me that it can't understand your typing, can I help you with that?"

  30. nice try by pbjones · · Score: 1

    if you left your phone on a desk next to a keyboard, it'll get stolen. (but seriously, it's not much of a security risk, you would do better, IMHO, recording the sound of the keys with the phone's mic)

    --
    There was an unknown error in the submission.
    1. Re:nice try by DriveDog · · Score: 1

      Ahhh, and a two-vector attack should be much more successful. Use both the mic and accelerometers and compare to a dictionary generated with data from the two combined. While we're at it, can we use the phone to somehow detect changes in the RF field due to key presses/processing by the keyboard's microcontroller? Maybe that's too much of a processing load for one phone. But beware if you spot several phones lying next to your keyboard.

  31. Researcher used Android by Anonymous Coward · · Score: 0

    Interestingly enough, the picture shows a dude holding up an Android phone, and having an Android emulator running on the PC screen. I how much iPhone was actually used in the development, or if it was only put in the title to generate publicity.

    Of course, nothing stops this from being done on an iPhone as well.

  32. Re:If you use an iPhone... by Anonymus · · Score: 1

    Of all the reasons not to buy an iphone, this is by far the stupidest most non-existant one.

  33. Re:If you use an iPhone... by hardburlyboogerman · · Score: 1

    Sorry if you think so,but I'm disabled and on a fixed income.The cost is not worth it.

    --
    Geek Hillbilly
  34. Re:If you use an iPhone... by errandum · · Score: 1

    My old logitech keyboard allows encryption of the information sent.

    And this could be useful when you don't have access to the system - A pair of sensors left under a monitor, or behind it, could be enough to gather information from a classified and locked down computer.

  35. Re:If you use an iPhone... by monkeyhybrid · · Score: 1

    Maybe because you'd need physical (or network exploitable) access to the target laptop in order to install a keylogger? Reading accelerometer data from your own laptop that you could have pre-configured and casually put down on victim's desk requires no direct access to victim's PC.

  36. Accelerometer Available Via JavaScript by Anonymous Coward · · Score: 0

    Apparently, the iPhone accelerometer is available via JavaScript ( http://stackoverflow.com/questions/1273964/is-there-access-to-the-iphone-accelerometer-using-javascript ), so displaying webpage on an iPhone sitting on your desk is enough to leak information. Fun times ahead!

  37. Great by SpectreBlofeld · · Score: 1

    Two Slashdot articles today about university researchers developing snooping technology - this, and the gizmo that sees through walls. Is it just me or is 99% of all academic research funded by the 'defense department' these days?

    1. Re:Great by Anonymous Coward · · Score: 0

      If no one is funding research, no one is doing research. If the only people with money is the DoD then you do research for them or you don't do research.
      Or I guess you could do self-funded research, but who has money for that?

  38. Soooo..... by jasonla · · Score: 2

    Sooo... "Need to eavesdrop on someone? There's an app for that." And I make this joke as an iPhone user who got the 4S the first week it was out, so please, no "Apple hater" accusations.

  39. Re:If you use an iPhone... by laurelraven · · Score: 1

    I suspect he was referring not to your remote status so much as the article...and I agree, not buying an iPhone because of this would be pretty stupid (if nothing else, most decent Android phones would be just as vulnerable). Based on everything my phone does, however, with a wifi connection, I would probably get one even if I didn't have reception at my house. But, we each chose for ourselves.

    --
    RTFA is Known to the State of California to cause cancer.
  40. Imagination is not randomness. by zippthorne · · Score: 1

    You don't come up with it using your imagination. No password you pull out of "head entropy" is random. Nor likely to be particularly secure.

    You use a pair of dice and a scrabble dictionary, or dice and a printout of 2k (or some other number of selected words so you can use an integer number of dice rolls per word).

    Or you take your 2k words, and chomp off 11 bits at a time from /dev/random to pick, for however long you want your password to be.

    If you hand select the 2k words, you can make sure that there aren't any corner cases in there (there are way more than 2k words with 5-8 letters...)

    There is no reason to EVER use complicated symbols, or even numbers and capitals if you don't feel like it. In almost every password generation scheme, there's a length that has whatever level of security you want. And some things are easier to remember, even if they're long.

    The hidden problem is that you shouldn't let users pick their own passwords. Passwords should be generated automatically (dice roll can be considered automatic for the purposes. It doesn't have to be a computer program) from random sources.

    Allowing users to even so much as pick something they think they'll remember easily from a list of passwords destroys confidence in your protocol by artificially limiting the number of actual possibilities to a mere subset of what you think it is.

    Better to come up with a protocol in which every possible password in the password space is not too hard to remember, and always use a password generated entirely from randomness.

    --
    Can you be Even More Awesome?!