Slashdot Mirror

← Back to Stories (view on slashdot.org)

Proof-of-Concept Android Trojan Uses Motion Sensors To Steal Passwords

Posted by Soulskill on from the for-when-normal-keylogging-is-just-too-precise dept.

judgecorp writes "TapLogger, a proof-of-concept Trojan for Android developed by resarchers at Pennsylvania State University and IBM, uses information from the phone's motion sensor to deduce what keys the user has tapped (PDF), thus revealing otherwise-hidden information such as passwords and PINs."

8 of 105 comments (clear)

  1. yikes! by noh8rz3 · · Score: 5, Insightful

    We talk often about mobile viruses and I've become somewhat inured to it (another malware embedded in rogue angry birds? yawn). But this is scary, brave new world scary.

    1. Re:yikes! by tchuladdiass · · Score: 5, Insightful

      The reason this is significant is that apps are usually installed with limited access to items it doesn't need. So normally a bad app won't be able to steal passwords, or lift your address book, unless you give it permissions. This demonstration is simply showing a covert channel for information leakage that people may not have thought about before.

  2. I find this hard to believe by ThunderBird89 · · Score: 4, Insightful

    I find it hard to believe that the motion sensor can be sensitive enough to detect such minuscule changes, when I sometimes need to tap the phone against the desk to have it acknowledge rotation. Also, if the phone is placed on the table to enter the passwords, most of the supposed motion is eliminated, significantly frustrating the attack.

    --
    Hyperbole: I use it liberally!
    1. Re:I find this hard to believe by SJHillman · · Score: 5, Insightful

      It's not a perfect attack, but it doesn't need to be successful against every single user on every single phone. Most modern smartphones don't require physical abuse to register motion and most smartphone users don't put the phone down, put the password in, then pick it back up every single time. How about an analogy? Let's say there's a PC virus that exploits the wheel function of a USB mouse. Not every PC will have a USB mouse with a wheel, and even among those that do, not every user will use it. However, there's still enough vulnerable PCs that this theoretical virus could be highly successful.

  3. Easy enough to fix by Baloroth · · Score: 3, Insightful

    Just don't allow programs in the background to have access to the motion sensors. Is there any actual reason a background program would need such information anyways? It sounds like they just allowed it because developers didn't realize it could give away sensitive details. Now they know, it can be restricted pretty easily, I should think.

    And if you do have a program that actually needs the motion sensor information while not in the foreground, just have it ask for special permission.

    --
    "None can love freedom heartily, but good men; the rest love not freedom, but license." --John Milton
  4. Re:Franklin said it best. by Entropius · · Score: 3, Insightful

    This is just a further illustration of the basic idea that letting someone run arbitrary code on your system is a bad idea, and that access to external communications and sensors breaks sandboxing. Someone with the ability to turn on a webcam, for instance, can do all sorts of nefarious things, including seeing you type your password reflected in your glasses if it's high-enough resolution.

  5. Re:Franklin said it best. by h4rr4r · · Score: 3, Insightful

    So don't install their code. The flip side it that it is even worse if someone else gets to decide what arbitrary code is allowed to run on your system.

  6. Simple fix by PPH · · Score: 4, Insightful

    Just have the password entry widget lock the accelerometer (or whatever) resource while in focus.

    --
    Have gnu, will travel.