Slashdot Mirror


Proof-of-Concept Android Trojan Uses Motion Sensors To Steal Passwords

judgecorp writes "TapLogger, a proof-of-concept Trojan for Android developed by researchers at Pennsylvania State University and IBM, uses information from the phone's motion sensor to deduce what keys the user has tapped (PDF), thus revealing otherwise-hidden information such as passwords and PINs."

11 of 105 comments

  1. yikes! by noh8rz3 · · Score: 5, Insightful

    We talk often about mobile viruses and I've become somewhat inured to it (another malware embedded in rogue angry birds? yawn). But this is scary, brave new world scary.

    1. Re:yikes! by tchuladdiass · · Score: 5, Insightful

      The reason this is significant is that apps are usually installed with limited access to items they don't need. So normally a bad app won't be able to steal passwords, or lift your address book, unless you give it permissions. This demonstration is simply showing a covert channel for information leakage that people may not have thought about before.

  2. Swype by Pat+Attack · · Score: 5, Interesting

    I wonder if it would work on those of us who use a Swype keyboard. Then again, I do tap out my passwords. A thought: If you randomize the keyboard for password entries, that would make it harder to discern from malware like that and the over-the-shoulder attack.

    1. Re:Swype by robmv · · Score: 4, Interesting

      A long-term, better solution is that OS fields for passwords and PIN keypads disable applications' access to motion sensor data. If you are custom-drawing a password field and not using the OS-provided one, add an API to hide motion sensor data when you need it.
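The two defences raised in this thread, a randomized keypad layout (Pat+Attack) and an OS-level rule that withholds motion-sensor events while a secure field has focus (robmv), modelled in plain Python as an added example. This is not Android code and not part of TapLogger or the paper; the class names, app id and accelerometer readings are constructed for the illustration.

```python
"""Model of two defences against tap inference from motion sensors.

Added example, not code from the TapLogger paper or Android. The broker
plays the role the OS would have to play: the malicious app cannot be
asked to stop listening, so the gating has to happen below it.
"""
import secrets
from typing import Dict, List, Tuple

DIGITS = "0123456789"


def randomized_keypad_layout(rng=None) -> List[str]:
    """Return the ten digits in a fresh random order for one PIN entry.

    A tap-position model learned during a benign 'training' phase maps a
    screen position to a key slot; if the digit sitting in that slot changes
    on every entry, the learned slot no longer reveals the digit.
    """
    rng = rng or secrets.SystemRandom()   # CSPRNG-backed shuffle by default
    layout = list(DIGITS)
    rng.shuffle(layout)
    return layout


def digits_for_slots(layout: List[str], slots: List[int]) -> str:
    """Digit string an attacker would recover if they only know which key
    slots were tapped (what the motion data leaks) but not the layout."""
    return "".join(layout[s] for s in slots)


class MotionSensorBroker:
    """Hypothetical OS component that fans accelerometer readings out to
    registered apps, and drops every reading while any secure input field
    (password box, PIN pad) has focus.

    The owner of the focused field gets nothing either: an app that hosts a
    fake password field must not be able to use focus as a way to keep the
    data flowing.
    """

    def __init__(self) -> None:
        self._listeners: Dict[str, List[Tuple[float, float, float]]] = {}
        self._secure_focus = 0   # nesting counter: several fields may overlap
        self.dropped = 0         # kept for audit; a spike here during a login is expected

    def register(self, app: str) -> None:
        self._listeners.setdefault(app, [])

    def secure_field_focused(self) -> None:
        self._secure_focus += 1

    def secure_field_blurred(self) -> None:
        self._secure_focus = max(0, self._secure_focus - 1)

    @property
    def secure_input_active(self) -> bool:
        return self._secure_focus > 0

    def publish(self, reading: Tuple[float, float, float]) -> int:
        """Deliver one reading; return the number of apps that received it."""
        if self.secure_input_active:
            self.dropped += 1
            return 0
        for queue in self._listeners.values():
            queue.append(reading)
        return len(self._listeners)

    def delivered(self, app: str) -> List[Tuple[float, float, float]]:
        return list(self._listeners[app])


def simulate_pin_entry(broker: MotionSensorBroker, app: str = "com.example.game") -> Dict[str, int]:
    """Constructed trace: 3 readings before, 4 during and 2 after a PIN entry.

    Returns how many readings the (hypothetical) background app saw and how
    many the broker withheld.
    """
    broker.register(app)
    before = [(0.01, 0.02, 9.81)] * 3    # phone at rest (constructed values)
    during = [(0.15, -0.05, 9.90)] * 4   # taps on the PIN pad (constructed)
    after = [(0.00, 0.01, 9.80)] * 2
    for r in before:
        broker.publish(r)
    broker.secure_field_focused()        # PIN field gains focus
    for r in during:
        broker.publish(r)
    broker.secure_field_blurred()        # PIN field loses focus
    for r in after:
        broker.publish(r)
    return {"delivered": len(broker.delivered(app)), "dropped": broker.dropped}


if __name__ == "__main__":
    print(simulate_pin_entry(MotionSensorBroker()))
    print(digits_for_slots(randomized_keypad_layout(), [1, 2, 3, 4]))
```

The broker's focus counter matters in practice: if a login screen moves focus from a username field to a PIN field, the blur of the first and the focus of the second can arrive in either order, and a plain boolean would briefly reopen the channel. The allowance jfengel mentions for pedometer-style apps would have to be an explicit exception in this broker; as written it withholds data from everyone during secure input.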

  3. Well, that's pretty clever by jfengel · · Score: 5, Informative

    According to TFA, the idea is actually somebody else's and previously published. This is an extension of the idea that uses a training phase, presumably a part of the Trojan where the user interacts with the phone for benign reasons (perhaps playing a game or entering data for a legitimate purpose) that it uses to calibrate the correlation between taps and the accelerometers.

    It's pretty clever. Presumably, it can be defeated by refusing to allow background apps to have access to the sensors, though I can imagine applications where you want to allow that kind of thing (pedometers, for example).

  4. I find this hard to believe by ThunderBird89 · · Score: 4, Insightful

    I find it hard to believe that the motion sensor can be sensitive enough to detect such minuscule changes, when I sometimes need to tap the phone against the desk to have it acknowledge rotation. Also, if the phone is placed on the table to enter the passwords, most of the supposed motion is eliminated, significantly frustrating the attack.

    --
    Hyperbole: I use it liberally!

    1. Re:I find this hard to believe by SJHillman · · Score: 5, Insightful

      It's not a perfect attack, but it doesn't need to be successful against every single user on every single phone. Most modern smartphones don't require physical abuse to register motion, and most smartphone users don't put the phone down, put the password in, then pick it back up every single time. How about an analogy? Let's say there's a PC virus that exploits the wheel function of a USB mouse. Not every PC will have a USB mouse with a wheel, and even among those that do, not every user will use it. However, there are still enough vulnerable PCs that this theoretical virus could be highly successful.

  5. Franklin said it best. by Anonymous Coward · · Score: 4, Funny

    Those who would give up essential usability to purchase a little temporary security, deserve neither usability nor security.

  6. Re:New Wave of Virus by SJHillman · · Score: 4, Funny

    Blackberry is the OS/2 of the mobile world.

  7. Simple fix by PPH · · Score: 4, Insightful

    Just have the password entry widget lock the accelerometer (or whatever) resource while in focus.

    --
    Have gnu, will travel.

  8. Fixing This Will Damage Science by ScentCone · · Score: 4, Funny

    We use the internal motion sensors on Android phones to provide all of the inertial navigation input we need to control the external thrusters on the capsules of the high altitude balloons we send up for biometric testing of the subjects inside. The subjects, usually kids about five years old, play Angry Birds and type out phrases of Shakespeare until they black out. If they disable background motion sensor use, it's possible we're going to lose more like 8 out of 10 kids we send up, instead of the usual 5 or 6. I can see already that we might have to go back to using spider monkeys, or those expensive parrots. Which means re-working the whole app, again. Man, science is hard.

    --
    Don't disappoint your bird dog. Go to the range.