Slashdot Mirror

← Back to Stories (view on slashdot.org)

iPhone Keylogger Can Snoop On Desktop Typing

Posted by Soulskill on from the technology-is-awesome-and-creepy dept.

An anonymous reader writes "Researchers at Georgia Tech demonstrate that a mobile phone located near a keyboard can use its accelerometers to recover text typed by a target. 'The technique works through probability and by detecting pairs of keystrokes, rather than individual keys (which still is too difficult to accomplish reliably, Traynor said). It models “keyboard events” in pairs, then determines whether the pair of keys pressed is on the left versus right side of the keyboard, and whether they are close together or far apart. After the system has determined these characteristics for each pair of keys depressed, it compares the results against a preloaded dictionary, each word of which has been broken down along similar measurements (i.e., are the letters left/right, near/far on a standard QWERTY keyboard).'"

62 of 103 comments (clear)

  1. Re:If you use an iPhone... by mattventura · · Score: 1

    I don't think you even RTFS

  2. Re:If you use an iPhone... by mattventura · · Score: 1

    Specifically, the summary says nothing about it being iphone specific, only that it requires accelerometers which are in a lot of phones and even many laptops.

  3. Good reason... by MrKevvy · · Score: 5, Funny

    ... to switch to Dvorak.

    --
    -- Insert witty one-liner here. --
    1. Re:Good reason... by ackthpt · · Score: 1

      ... to switch to Dvorak.

      Why? I can type up to 30 errors a minute!

      --

      A feeling of having made the same mistake before: Deja Foobar
    2. Re:Good reason... by Anonymous Coward · · Score: 1

      Or put it more than 3 inches away from your keyboard. This is an interesting idea, but far from practical in any way. That won't stop it from showing up on the next CSI and making the uninformed scared, though.

    3. Re:Good reason... by utkonos · · Score: 1

      That's going to stop someone else from hiding their phone on your desk?

    4. Re:Good reason... by Baloroth · · Score: 1

      Sort of. This sounds like a pretty difficult attack vector, so if someone is using this kind of attack against you, you can bet creating profiles for Dvorak won't be an issue for them. Not to say there aren't good reasons to switch to Dvorak anyways, just that this isn't one of them.

      Note that this technique can't be used to recover passwords, since it is essentially a dictionary attack. Unless you use a password that can be broken by a dictionary attack, in which case you shouldn't be working on anything anyone would want to steal. Oh, and keeping your phone in your pocket also circumvents it.

      --
      "None can love freedom heartily, but good men; the rest love not freedom, but license." --John Milton
    5. Re:Good reason... by Sentry360 · · Score: 2

      Haha, nice joke... Guessing than it's not just me that's noticed a huge decrease in error making? I haven't noticed as huge speed improvements, but error making has drastically went down. Anyone know why that is?

    6. Re:Good reason... by jhoegl · · Score: 3, Funny

      Do grammatical errors count?

    7. Re:Good reason... by Sentry360 · · Score: 1

      Would hiding two phones allow for better triangulation of the password?

    8. Re:Good reason... by spyder-implee · · Score: 2

      Also from tfa, keeping the phone > 3 inches from the keyboard also prevents it, and I assume different desk surfaces, types of wood/steel, keyboard material, type of keyboard (laptop keyboards?), keyboard trays, paper lying on a users desk and other sources of vibration interference also defeats this attack. It's almost laughable they bother suggesting setting extra permissions for the accelerometer's sample rate, when so many things need to fall into place for this to have a chance of revealing anything of value in the first place.

      --
      Take what ye can. Give nothing back!
    9. Re:Good reason... by kelemvor4 · · Score: 1

      It's dictionary based. If you're not using an ultra lame password, you'll likely be OK.

    10. Re:Good reason... by LordLucless · · Score: 3, Funny

      Unless you're using a Model M, in which case 3 miles is the maximum viable distance.

      --
      Just because you're paranoid doesn't mean there isn't an invisible demon about to eat your face
    11. Re:Good reason... by Anubis+IV · · Score: 1

      Darn right! If they're using an English dictionary to crack our passwords, using French words will fool them! They'll never get around that!

      Exclamation points!!

    12. Re:Good reason... by Kozz · · Score: 1

      Note that this technique can't be used to recover passwords, since it is essentially a dictionary attack.

      Judging by the typos and spelling errors to be found in the average slashdot post, most of these folks will be immune to dictionary attacks. Unless they build up a dictionary of misspellings, too... dagnabbit!

      --
      I only post comments when someone on the internet is wrong.
    13. Re:Good reason... by metageek · · Score: 1

      > Oh, and keeping your phone in your pocket also circumvents it.

      but gives you cancer...

      --
      metageek
    14. Re:Good reason... by JasterBobaMereel · · Score: 1

      ..or just use Commonwealth English spelling instead of US American English Spelling ...

      --
      Puteulanus fenestra mortis
    15. Re:Good reason... by Russ1642 · · Score: 1

      Switch? I've been using it for a decade. I still love it when I'm showing somebody something on my computer and they watch me type. They look all confused. Wait a second, you didn't hit Ctrl-F!

    16. Re:Good reason... by TangoMargarine · · Score: 1

      Qwerty is designed to make many common words have letters on alternating sides of the keyboard. This makes it more difficult to infer which word was actually typed, even if you can always tell which side of the keyboard a key press occurred on.

      FTFY. Qwerty

      --
      Unity? Screw that: XFCE. Slashdot Beta? Screw that: SoylentNews. Australis? Screw that: Pale Moon. UX developers DIAF
    17. Re:Good reason... by laurelraven · · Score: 1

      Grammar nazi is fail. He was referring to typo's, I'm sure, not grammar errors.

      To GP: I switched 2 years ago, and I'm mostly typing the same speed I used to on Qwerty. I agree, though, that my typo rate has gone down a lot, and at times, my speed spikes way over what I used to be able to do. Also, same on the RSI thing...

      --
      RTFA is Known to the State of California to cause cancer.
    18. Re:Good reason... by laurelraven · · Score: 1
      From the linked wiki:

      Alternating hands while typing is a desirable trait in a keyboard design, since while one hand is typing a letter, the other hand can get in position to type the next letter. Thus, a typist may fall into a steady rhythm and type quickly. However, when a string of letters is done with the same hand, the chances of stuttering are increased and a rhythm can be broken, thus decreasing speed and increasing errors and fatigue. In the QWERTY layout many more words can be spelled using only the left hand than the right hand. In fact, thousands of English words can be spelled using only the left hand, while only a couple of hundred words can be typed using only the right hand. In addition, most typing strokes are done with the left hand in the QWERTY layout. This is helpful for left-handed people but to the disadvantage of right-handed people.

      While that is a desirable trait, it is one that Qwerty has a problem with. Dvorak is a lot better at this.

      --
      RTFA is Known to the State of California to cause cancer.
  4. Another reason by no4 · · Score: 1

    to select passwords that cannot be found in a dictionary.

  5. Re:One Word! by TheInternetGuy · · Score: 4, Funny

    I ttryuiiiiiiiiiiiiiiiiiiiiiuytredf swsvbbbbbbyuiopoijnnbgg okmjn mjuy PLOKJHBGVC kjhygtrertyuuuuuuuuuuuuuhbjioooooiujhytrfdsaasd Translates into: I tried Swyping on my PC keyboard It didn't work to well, now did it? And would probably be just as detectable by an accelerometer.

    --
    If my comment didn't sound as good in your head as it did in mine, then I guess we all know who's to blame
  6. Shift Key by ben_kelley · · Score: 1

    "Why do you keep pressing the shift keys randomly?"
    "Just bEing CArefUl of keyLogGers."

    1. Re:Shift Key by Threni · · Score: 1

      Why use the keyboard at all, vs clicking on things with a mouse. This works better somewhere you're not being watched, such as at home. Then again at home it's unlikely there's a hostile smartphone spying on you, other than via malware.

  7. Ideal distance is just too close by Zakabog · · Score: 1

    The ideal distance is too close to my keyboard. Usually if I'm leaving my phone on my desk I put it to the right of my designated "mouse area" which is generally a foot or more from the keyboard. I'm a computer technician so I don't just sit at one computer all day too. Plus most of our customers seem to follow the same policy. They kind of put their phone on the corner of their desk so they don't bump it as their hands move around the keyboard and mouse. If my phone is that close to my keyboard I'm likely not at my computer and I just threw it their with my keys and wallet.

  8. Re:iphone? by MobileTatsu-NJG · · Score: 1

    Take a look at this comment, it may answer your question:

    http://mobile.slashdot.org/comments.pl?sid=2482736&cid=37757330

    ^^ As long as this happens, there'll be lotsa iPhone stories.

    --

    "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)

  9. Re:If you use an iPhone... by DJRumpy · · Score: 2

    TFA does mention that the test was done on the article, probably due to the popularity of the phone, but it pretty much states flat out that any modern smartphone from the last 2 years would suffice if it has the required hardware.

    “We first tried our experiments with an iPhone 3GS, and the results were difficult to read,” said Patrick Traynor, assistant professor in Georgia Tech’s School of Computer Science. “But then we tried an iPhone 4, which has an added gyroscope to clean up the accelerometer noise, and the results were much better. We believe that most smartphones made in the past two years are sophisticated enough to launch this attack.”

  10. ADD SOUND! by bussdriver · · Score: 2

    Sound can almost give away keys pressed. the sound on the desk is likely to work better than pickup from the air since solids conduct sound. Add vibration and you've got plenty of data to extract from! I somehow doubt the acceleration is precise enough to come close to a microphone; I wonder if an image from the camera (if in focus) could in some cases indicate more vibration than the accelerometer...
    SOUND ALONE could do it much better. use the microphone.

    --
    Democracy Now! - uncensored, anti-establishment news
  11. Re:misleading headline... by Anonymous Coward · · Score: 1

    You don't even need to read the headline to know that apple sucks.

  12. Teslameter by vaene · · Score: 1

    Newer iPhones also come with a Teslameter, I wonder if the can detect em spikes when the keys make contact with their pads. Depending on the distance, again, and using the same or similar logic you could determine keystrokes that way as well I would think. I'll try it once I get my new iPhone, the old 3g doesn't have teslameter in it.

  13. Re:If you use an iPhone... by MagusSlurpy · · Score: 1

    The article says that the software requires a gyroscope in addition to the accelerometer to clear the data up enough for decoding, which laptops don't have. Additionally, I don't think the accelerometers built in to laptops are sensitive enough, they're meant for freefall detection as opposed to playing games.

    Personally, I'd like to see someone make this work with a Wiimote next.

    --
    My sister opened a computer store in Hawaii. She sells C shells by the seashore.
  14. Re:iphone? by exomondo · · Score: 1

    Or maybe it's because the iphone was the subject of the study and since the iphone4 is the most common smartphone (im pretty sure that's correct? if not i retract the statement) it would be the ideal choice as you would likely need the same chassis and hardware to get consistent results, so choosing the most common phone would be the logical thing to do. Given the methodology it looks like it could be equally applied to just about any smartphone though.

  15. passphrases by Yojimbo-San · · Score: 3, Interesting

    So with this technique, a password of "correct horse battery staple" would be detected, but "Tr0ub4dor" would not (http://xkcd.com/936/)...

    --
    Quick wafting zephyrs vex bold Jim
    1. Re:passphrases by qxcv · · Score: 2

      It's the same with all dictionary attacks, that's why "correct horse battery staple" isn't nearly as secure a password as Mr. XKCD claims when you're facing a moderately sophisticated adversary.

      If you wanted to make a "correct horse battery staple" password more secure against this kind of attack, you could just capitalise some of the letters, or mash your unbound mod keys when entering passwords (i.e. ctl, alt, mod4, etc).

      --
      "The most dangerous enemy of a better solution is an existing codebase that is just good enough." -- Eric S. Raymond
    2. Re:passphrases by zippthorne · · Score: 2

      No, the XKCD analysis isn't based on the presumed strength of the letters in that passphrase, but instead on the *words*. He's estimating 11 bits of entropy per word, which means that the dictionary he's using has a mere 2048 words in it. If using every word in the /usr/dict/words (/usr/share/dict/words on a mac), that would be anywhere from 15 to 17 bits of per word:

      zippthorne ~$ wc -l /usr/share/dict/words
        235886 /usr/share/dict/words

      The default dictionary for Ubuntu was circa 100k words the last time I counted.

      2048 is a very restricted dictionary, but it was *already* accounted for in the password strength comparison. "Correct horse battery staple," without any punctuation or capitalization really is a stronger password than "Tr0ub4dor." Or, at least, it WAS, until it was published. Now they're both presumably in all the password cracking dictionaries out there....

      --
      Can you be Even More Awesome?!
    3. Re:passphrases by TangoMargarine · · Score: 1

      After reading that comment, I don't know why the heck "correct horse battery staple" is somehow supposed to be easier to remember. I use a consistent "leetification" algorithm on my passwords, which is easier for me to remember that four completely random words (initially). Because remembering a horse saying "that's a battery staple" (which in and of itself makes no sense) and some other random person shouting "Correct!" makes so much sense...?

      --
      Unity? Screw that: XFCE. Slashdot Beta? Screw that: SoylentNews. Australis? Screw that: Pale Moon. UX developers DIAF
    4. Re:passphrases by John+Hasler · · Score: 1

      Unfortunately many people lack sufficient imagination to come up with a hard to guess string of words.

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    5. Re:passphrases by TangoMargarine · · Score: 1

      Well, I tack a few symbols on, too, but those aren't particularly easy to remember other than through repetition, which kind of blows my argument wide open.

      --
      Unity? Screw that: XFCE. Slashdot Beta? Screw that: SoylentNews. Australis? Screw that: Pale Moon. UX developers DIAF
    6. Re:passphrases by thoromyr · · Score: 1

      You lack an understanding of the actual entropy of english words. It is much lower than you think. But don't take my word for it, people have studied the topic seriously and even wikipedia has an entry level article. The short of it is that is 11 bits of entropy per word is hopelessly optimistic. http://en.wikipedia.org/wiki/Entropy_(information_theory)

    7. Re:passphrases by Anonymous Coward · · Score: 1

      You lack an understanding of the actual entropy of english words. It is much lower than you think. But don't take my word for it, people have studied the topic seriously and even wikipedia has an entry level article. The short of it is that is 11 bits of entropy per word is hopelessly optimistic.

      I have an accurate understanding of the entropy of one random choice out of 4096. It is 11 bits. You are probably thinking about the entropy per word of English text. He's not suggesting you choose a sentence. He's suggesting you choose four random words.

    8. Re:passphrases by Yojimbo-San · · Score: 1

      It's supposed to be easier to remember because you remember the composite image, and not the words themselves. You can choose images that are easy to remember (something based on goatse perhaps) and construct a phrase from there -- at the same time you meet the suggestion of a password that is so foul you would never tell another person what it is, thus preventing that whole password sharing problem. Double win. Except you have to remember goatse every time you log in. http://questionablecontent.net/view.php?comic=1829

      --
      Quick wafting zephyrs vex bold Jim
    9. Re:passphrases by neminem · · Score: 1

      Brilliant! Next time I have to create a password on some throwaway site I don't care about, I'm totally using "I just lost the game". I'll never forget -that- (downside, every time I log in, or think about the site, I'll lose the game.)

  16. Re:If you use an iPhone... by RoFLKOPTr · · Score: 2

    The article says that the software requires a gyroscope in addition to the accelerometer to clear the data up enough for decoding, which laptops don't have. Additionally, I don't think the accelerometers built in to laptops are sensitive enough, they're meant for freefall detection as opposed to playing games.

    Personally, I'd like to see someone make this work with a Wiimote next.

    Anyway, who would go through the trouble of making a keylogger that worked by reading a laptop's accelerometer when you can make a keylogger that worked by reading a laptop's keyboard.

  17. Re:One Word! by Sancho · · Score: 2

    Where can I download SWYPE for my desktop?

    Did you even read the summary? Or the headline?

  18. Re:If you use an iPhone... by Gerzel · · Score: 1

    Indeed. It isn't even the phone that is vulnerable. It is the keyboard.

  19. Similar thing from 6 years ago by Anonymous Coward · · Score: 2, Interesting

    Similar idea from 6 years ago, but using acoustics rather than vibrations
    https://freedom-to-tinker.com/blog/felten/acoustic-snooping-typed-information

  20. Re:If you use an iPhone... by Nethead · · Score: 1

    T-Mobile with UMA (aka WiFi Calling) will do you well. I live on a small Indian fishing village in NW Washington State. Crap cell coverage here too.

    --
    -- I have a private email server in my basement.
  21. Re:Fucking dumbass by xQx · · Score: 1

    lol!!

    You sir, made my day.

    I bet the GP poster is fat and ugly and stinks like shit. He probably has delusions of adequacy though.

  22. nice try by pbjones · · Score: 1

    if you left your phone on a desk next to a keyboard, it'll get stolen. (but seriously, it's not much of a security risk, you would do better, IMHO, recording the sound of the keys with the phone's mic)

    --
    There was an unknown error in the submission.
    1. Re:nice try by DriveDog · · Score: 1

      Ahhh, and a two-vector attack should be much more successful. Use both the mic and accelerometers and compare to a dictionary generated with data from the two combined. While we're at it, can we use the phone to somehow detect changes in the RF field due to key presses/processing by the keyboard's microcontroller? Maybe that's too much of a processing load for one phone. But beware if you spot several phones lying next to your keyboard.

  23. Re:If you use an iPhone... by Anonymus · · Score: 1

    Of all the reasons not to buy an iphone, this is by far the stupidest most non-existant one.

  24. Re:If you use an iPhone... by hardburlyboogerman · · Score: 1

    Sorry if you think so,but I'm disabled and on a fixed income.The cost is not worth it.

    --
    Geek Hillbilly
  25. Re:If you use an iPhone... by errandum · · Score: 1

    My old logitech keyboard allows encryption of the information sent.

    And this could be useful when you don't have access to the system - A pair of sensors left under a monitor, or behind it, could be enough to gather information from a classified and locked down computer.

  26. Re:If you use an iPhone... by monkeyhybrid · · Score: 1

    Maybe because you'd need physical (or network exploitable) access to the target laptop in order to install a keylogger? Reading accelerometer data from your own laptop that you could have pre-configured and casually put down on victim's desk requires no direct access to victim's PC.

  27. Re:One Word! by footitch · · Score: 1

    word up.

  28. Great by SpectreBlofeld · · Score: 1

    Two Slashdot articles today about university researchers developing snooping technology - this, and the gizmo that sees through walls. Is it just me or is 99% of all academic research funded by the 'defense department' these days?

  29. Re:One Word! by Archangel+Michael · · Score: 1

    yes. and yes. My point remains, just because you don't get it doesn't diminish it at all.

    Swype doesn't have sudden jolts to which one tie to keystroke taps on a virtual keyboard. It is fluid motion and is, in itself "guessing" by the complete pattern which word you're attempting to type. Good luck pairing two key taps together using SWYPE. How does software that depends on sudden jolts work with fluid motion?

    --
    Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
  30. Re:One Word! by Sancho · · Score: 1

    The researchers place a phone with custom software near a desktop keyboard. The custom software records vibrations from the desktop keyboard using the phone's accelerometers. Using statistical analysis, they can decode the vibrations to figure out what was typed on the desktop keyboard. They wouldn't have to use a phone--it's just a cheap, convenient source of commodity accelerometers. They could just as easily put custom hardware (with accelerometers) on the desktop and sniff in exactly the same manner.

    They aren't sniffing what you type on the phone. They're using the phone to sniff what you type on your desktop keyboard. The type of keyboard you use on the phone is completely irrelevant.

  31. Soooo..... by jasonla · · Score: 2

    Sooo... "Need to eavesdrop on someone? There's an app for that." And I make this joke as an iPhone user who got the 4S the first week it was out, so please, no "Apple hater" accusations.

  32. Re:If you use an iPhone... by laurelraven · · Score: 1

    I suspect he was referring not to your remote status so much as the article...and I agree, not buying an iPhone because of this would be pretty stupid (if nothing else, most decent Android phones would be just as vulnerable). Based on everything my phone does, however, with a wifi connection, I would probably get one even if I didn't have reception at my house. But, we each chose for ourselves.

    --
    RTFA is Known to the State of California to cause cancer.
  33. Imagination is not randomness. by zippthorne · · Score: 1

    You don't come up with it using your imagination. No password you pull out of "head entropy" is random. Nor likely to be particularly secure.

    You use a pair of dice and a scrabble dictionary, or dice and a printout of 2k (or some other number of selected words so you can use an integer number of dice rolls per word).

    Or you take your 2k words, and chomp off 11 bits at a time from /dev/random to pick, for however long you want your password to be.

    If you hand select the 2k words, you can make sure that there aren't any corner cases in there (there are way more than 2k words with 5-8 letters...)

    There is no reason to EVER use complicated symbols, or even numbers and capitals if you don't feel like it. In almost every password generation scheme, there's a length that has whatever level of security you want. And some things are easier to remember, even if they're long.

    The hidden problem is that you shouldn't let users pick their own passwords. Passwords should be generated automatically (dice roll can be considered automatic for the purposes. It doesn't have to be a computer program) from random sources.

    Allowing users to even so much as pick something they think they'll remember easily from a list of passwords destroys confidence in your protocol by artificially limiting the number of actual possibilities to a mere subset of what you think it is.

    Better to come up with a protocol in which every possible password in the password space is not too hard to remember, and always use a password generated entirely from randomness.

    --
    Can you be Even More Awesome?!