Slashdot Mirror


iPhone Keylogger Can Snoop On Desktop Typing

An anonymous reader writes "Researchers at Georgia Tech demonstrate that a mobile phone located near a keyboard can use its accelerometers to recover text typed by a target. 'The technique works through probability and by detecting pairs of keystrokes, rather than individual keys (which still is too difficult to accomplish reliably, Traynor said). It models “keyboard events” in pairs, then determines whether the pair of keys pressed is on the left versus right side of the keyboard, and whether they are close together or far apart. After the system has determined these characteristics for each pair of keys depressed, it compares the results against a preloaded dictionary, each word of which has been broken down along similar measurements (i.e., are the letters left/right, near/far on a standard QWERTY keyboard).'"
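The dictionary-matching step described in the summary, as an added example that is not part of the original post or the researchers' code: each word is reduced to left/right and near/far labels per key pair, which shows how many dictionary words stay consistent with one observation and why a string missing from the dictionary yields no candidate. The key geometry, the left/right split, the `NEAR_MAX` cut-off and the word list are assumptions made for illustration.

```python
import math

# Assumed geometry: one unit per key, usual row stagger. Not taken from the paper.
ROWS = [("1234567890", 0.0), ("qwertyuiop", 0.5),
        ("asdfghjkl", 0.75), ("zxcvbnm", 1.25)]
POS = {ch: (col + off, row)
       for row, (keys, off) in enumerate(ROWS) for col, ch in enumerate(keys)}
LEFT = set("12345qwertasdfgzxcvb")  # assumed left-hand half of the keyboard
NEAR_MAX = 3.0                      # assumed near/far cut-off, in key widths

def profile(text):
    """Encode text as one feature per adjacent key pair, e.g. 'RLF' means
    right-hand key, then left-hand key, far apart. None if a key is unmodelled."""
    keys = text.lower()
    if len(keys) < 2 or any(k not in POS for k in keys):
        return None
    feats = []
    for a, b in zip(keys, keys[1:]):
        sides = ("L" if a in LEFT else "R") + ("L" if b in LEFT else "R")
        near = math.dist(POS[a], POS[b]) <= NEAR_MAX
        feats.append(sides + ("N" if near else "F"))
    return tuple(feats)

def build_index(words):
    """Preload the dictionary: map each profile to the words that produce it."""
    index = {}
    for word in words:
        index.setdefault(profile(word), []).append(word)
    index.pop(None, None)  # drop words that could not be encoded
    return index

def candidates(index, observed):
    """Dictionary words consistent with an observed profile (may be several)."""
    return index.get(observed, [])

# Constructed sample dictionary; includes the xkcd passphrase words that come
# up in the comments.
WORDS = ["correct", "horse", "battery", "staple", "morse", "phone",
         "cat", "sat", "rat"]
INDEX = build_index(WORDS)

if __name__ == "__main__":
    for typed in ["horse", "cat", "staple", "Tr0ub4dor"]:
        print(typed, profile(typed), candidates(INDEX, profile(typed)))
```

Several words can share one profile, so the features narrow the search rather than identify a word outright, and anything outside the preloaded dictionary produces an empty candidate list.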

15 of 103 comments

  1. Good reason... by MrKevvy · · Score: 5, Funny

    ... to switch to Dvorak.

    --
    -- Insert witty one-liner here. --
    1. Re:Good reason... by Sentry360 · · Score: 2

      Haha, nice joke... Guessing than it's not just me that's noticed a huge decrease in error making? I haven't noticed as huge speed improvements, but error making has drastically went down. Anyone know why that is?

    2. Re:Good reason... by jhoegl · · Score: 3, Funny

      Do grammatical errors count?

    3. Re:Good reason... by spyder-implee · · Score: 2

      Also from TFA, keeping the phone > 3 inches from the keyboard also prevents it, and I assume different desk surfaces, types of wood/steel, keyboard material, type of keyboard (laptop keyboards?), keyboard trays, paper lying on a user's desk and other sources of vibration interference also defeat this attack. It's almost laughable they bother suggesting setting extra permissions for the accelerometer's sample rate, when so many things need to fall into place for this to have a chance of revealing anything of value in the first place.

      --
      Take what ye can. Give nothing back!
    4. Re:Good reason... by LordLucless · · Score: 3, Funny

      Unless you're using a Model M, in which case 3 miles is the maximum viable distance.

      --
      Just because you're paranoid doesn't mean there isn't an invisible demon about to eat your face
  2. Re:One Word! by TheInternetGuy · · Score: 4, Funny

    I ttryuiiiiiiiiiiiiiiiiiiiiiuytredf swsvbbbbbbyuiopoijnnbgg okmjn mjuy PLOKJHBGVC kjhygtrertyuuuuuuuuuuuuuhbjioooooiujhytrfdsaasd
    Translates into: I tried Swyping on my PC keyboard
    It didn't work too well, now did it? And would probably be just as detectable by an accelerometer.

    --
    If my comment didn't sound as good in your head as it did in mine, then I guess we all know who's to blame
  3. Re:If you use an iPhone... by DJRumpy · · Score: 2

    TFA does mention that the test was done on the article, probably due to the popularity of the phone, but it pretty much states flat out that any modern smartphone from the last 2 years would suffice if it has the required hardware.

    “We first tried our experiments with an iPhone 3GS, and the results were difficult to read,” said Patrick Traynor, assistant professor in Georgia Tech’s School of Computer Science. “But then we tried an iPhone 4, which has an added gyroscope to clean up the accelerometer noise, and the results were much better. We believe that most smartphones made in the past two years are sophisticated enough to launch this attack.”

  4. ADD SOUND! by bussdriver · · Score: 2

    Sound can almost give away keys pressed. The sound on the desk is likely to work better than pickup from the air since solids conduct sound. Add vibration and you've got plenty of data to extract from! I somehow doubt the acceleration is precise enough to come close to a microphone; I wonder if an image from the camera (if in focus) could in some cases indicate more vibration than the accelerometer...
    SOUND ALONE could do it much better. Use the microphone.

  5. passphrases by Yojimbo-San · · Score: 3, Interesting

    So with this technique, a password of "correct horse battery staple" would be detected, but "Tr0ub4dor" would not (http://xkcd.com/936/)...

    --
    Quick wafting zephyrs vex bold Jim
    1. Re:passphrases by qxcv · · Score: 2

      It's the same with all dictionary attacks, that's why "correct horse battery staple" isn't nearly as secure a password as Mr. XKCD claims when you're facing a moderately sophisticated adversary.

      If you wanted to make a "correct horse battery staple" password more secure against this kind of attack, you could just capitalise some of the letters, or mash your unbound mod keys when entering passwords (i.e. ctl, alt, mod4, etc).

      --
      "The most dangerous enemy of a better solution is an existing codebase that is just good enough." -- Eric S. Raymond
    2. Re:passphrases by zippthorne · · Score: 2

      No, the XKCD analysis isn't based on the presumed strength of the letters in that passphrase, but instead on the *words*. He's estimating 11 bits of entropy per word, which means that the dictionary he's using has a mere 2048 words in it. If using every word in the /usr/dict/words (/usr/share/dict/words on a Mac), that would be anywhere from 15 to 17 bits per word:

      zippthorne ~$ wc -l /usr/share/dict/words
        235886 /usr/share/dict/words

      The default dictionary for Ubuntu was circa 100k words the last time I counted.

      2048 is a very restricted dictionary, but it was *already* accounted for in the password strength comparison. "Correct horse battery staple," without any punctuation or capitalization really is a stronger password than "Tr0ub4dor." Or, at least, it WAS, until it was published. Now they're both presumably in all the password cracking dictionaries out there....

      --
      Can you be Even More Awesome?!
  6. Re:If you use an iPhone... by RoFLKOPTr · · Score: 2

    The article says that the software requires a gyroscope in addition to the accelerometer to clear the data up enough for decoding, which laptops don't have. Additionally, I don't think the accelerometers built in to laptops are sensitive enough, they're meant for freefall detection as opposed to playing games.

    Personally, I'd like to see someone make this work with a Wiimote next.

    Anyway, who would go through the trouble of making a keylogger that worked by reading a laptop's accelerometer when you can make a keylogger that worked by reading a laptop's keyboard?

  7. Re:One Word! by Sancho · · Score: 2

    Where can I download SWYPE for my desktop?

    Did you even read the summary? Or the headline?

  8. Similar thing from 6 years ago by Anonymous Coward · · Score: 2, Interesting

    Similar idea from 6 years ago, but using acoustics rather than vibrations
    https://freedom-to-tinker.com/blog/felten/acoustic-snooping-typed-information

  9. Soooo..... by jasonla · · Score: 2

    Sooo... "Need to eavesdrop on someone? There's an app for that." And I make this joke as an iPhone user who got the 4S the first week it was out, so please, no "Apple hater" accusations.