Slashdot Mirror


Researchers Used Sonar Signal From a Smartphone Speaker To Steal Unlock Passwords (vice.com)

An anonymous reader quotes a report from Motherboard: On Thursday, a group of researchers from Lancaster University posted a paper to arXiv that demonstrates how they used a smartphone's microphone and speaker system to steal the device's unlock pattern. Although the average person doesn't have to worry about getting hacked this way any time soon, the researchers are the first to demonstrate that this kind of attack is even possible. According to the researchers, their "SonarSnoop" attack decreases the number of unlock patterns an attacker must try by 70 percent and can be performed without the victim ever knowing they're being hacked. The attack begins when a user unwittingly installs a malicious application on their phone. When a user downloads the infected app, their phone begins broadcasting a sound signal that is just above the human range of hearing. This sound signal is reflected by every object around the phone, creating an echo. This echo is then recorded by the phone's microphone. By calculating the time between the emission of the sound and the return of its echo to the source, it is possible to determine the location of an object in a given space and whether that object is moving -- this is known as sonar.

The researchers were able to leverage this phenomenon to track the movement of someone's finger across a smartphone screen by analyzing the echoes recorded through the device's microphone. There are nearly 400,000 possible unlock patterns on the 3x3 swipe grid on Android phones, but prior research has demonstrated that 20 percent of people use one of 12 common patterns. While testing SonarSnoop, the researchers only focused on these dozen unlock combinations. Ten volunteers were recruited for the study and were asked to draw each of the 12 patterns five different times on a custom app. The researchers then tried a variety of sonar analysis techniques to reconstruct the password based on the acoustic signatures emitted by the phone. The best analysis technique resulted in the algorithm only having to try 3.6 out of the 12 possible patterns on average before it correctly determined the pattern.

45 comments

  1. Solution is simple by Anonymous Coward · · Score: 1

    Banana Republic! Then no one cares about anything.

  2. Just To Prevent Buttdialing by Anonymous Coward · · Score: 0

    The unlock pattern on my phone is just there to prevent buttdialing. I am not so conceited as to think anybody wants access to my phone. I don't use my phone for anything that matters enough. It's not the center of my life.

    1. Re: Just To Prevent Buttdialing by Anonymous Coward · · Score: 0

      What if I targeted you, stole your phone, sent some underaged sexts, informed some officers of that, and landed you right in prison? You have nothing to hide, lol.... sure. Keep telling yourself that.

  3. Cool research! by gweihir · · Score: 4, Interesting

    While probably not a real security problem at this time, it nicely demonstrates what powerful hardware and software can do even with simple sensors.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    1. Re:Cool research! by Anonymous Coward · · Score: 1

      It's interesting they didn't even mention sonar's ability to see through clothing.

  4. Joke's on them by Anonymous Coward · · Score: 0

    My unlock pattern is drawing creimer's face; it absorbs ultrasound! (And anything else even remotely edible)

  5. Rube Goldberg by edi_guy · · Score: 4, Insightful
    If you can convince a user to download a malicious app, isn't that the end of the story as far as hacking their phone? Unless you are Dr. Evil from Austin Powers the addition of sonar tracking on top of the initial trojan is overkill.

    I get that the sonar bit is clever, but why is it necessary to link that part with stealing passwords, other than to make it a little more press worthy.

    1. Re: Rube Goldberg by Anonymous Coward · · Score: 0

      Heck if it's running 24/7 in the background then it can just do nasty stuff when you unlock it yourself.

    2. Re:Rube Goldberg by Anonymous Coward · · Score: 0

      Except that unlike most computers, Android (and to a lesser degree iOS) use a permission based access model and accessing the user's unlock pattern/password requires root access (which are not available at all unless the person has rooted their phone, and even if it is then there is a separate prompt which will almost certainly be denied and will likely draw attention to said app over at XDA) or at a minimum access to accessibility features which also requires specifically giving an app access to said features rather than simply tapping "accept".

      The whole point of this is that it bypasses the need for rooting or even dangerous permissions and thus the malicious app can be disguised as something harmless that doesn't require any permissions beyond internet access.

    3. Re: Rube Goldberg by Anonymous Coward · · Score: 0

      Only if it has been granted the necessary permissions to do so. This technique requires no permissions besides run in the background and internet access which are extremely common and not considered dangerous.

    4. Re: Rube Goldberg by phantomfive · · Score: 1

      On the other hand, if you download the app and they find your passcode, they then have no way to correlate that passcode to a specific phone, unless they are doing some kind of serious targeted attack, in which case they could also just film the person unlocking their phone.

      --
      "First they came for the slanderers and i said nothing."
    5. Re:Rube Goldberg by Anonymous Coward · · Score: 0

      The whole point of this is that it bypasses the need for rooting or even dangerous permissions and thus the malicious app can be disguised as something harmless that doesn't require any permissions beyond internet access.

      ... and permissions for speaker and microphone access.

    6. Re: Rube Goldberg by omnichad · · Score: 1

      Background microphone doesn't require any permissions? Maybe we need to solve that one first. Would be great for getting rid of those advertising ping listeners too.

    7. Re: Rube Goldberg by Anonymous Coward · · Score: 0

      If this app can report the passcode somewhere, it surely can report the phone's identity as well. Reporting the google account narrows it down to that person's devices, reporting the phone number identifies the device. Some tablets don't have a phone number though, but they can still report the model. How many samsung tablets do you have?

    8. Re:Rube Goldberg by yes-but-no · · Score: 1

      And for homework assignment, track the user's eyeball movement with front camera and using the same AI/ML learning find the pattern (yeah ok to reduce search space from thousands into 12).

    9. Re: Rube Goldberg by Anonymous Coward · · Score: 0

      Who the hell is allowing background microphone recording from some lame app though? Maybe have a legit reason like "fart detector" / "burp detector". Bonus points if it actually works as that, and does sonar at the same time.

    10. Re:Rube Goldberg by Anubis+IV · · Score: 1

      It's about escalating privileges.

      It's been quite a while since the default behavior was to give apps unfettered access to the system, specifically because of malicious apps doing malicious things. These days, there are permissions that need to be requested for all sorts of actions, and if you try to request low level access, people tend to sit up, take notice, and start asking questions about what your app is doing and why it's doing it.

      On the other hand, having permission to play sound and listen via the mic doesn't get you much, and as a result generally hasn't been worthy of significant scrutiny during app review or otherwise, at least so far as security goes (though mic access is obviously a privacy concern). But if you can leverage those simple permissions to unlock unrestricted access to the device? Now, that's something.

    11. Re: Rube Goldberg by Anonymous Coward · · Score: 0

      It has become pretty standard nowadays as well thanks to all the advertising SDKs that use it for cross device tracking.

  6. Re: Fucking Bullshit Fuck You Slashdot by Anonymous Coward · · Score: 0

    I also find the bit about it being just outside hearing range to be suspicious as well. In my experience what that really means is people like me will experience an insanely annoying high pitched sound barrage.

  7. Hollywood is real? by Anonymous Coward · · Score: 1

    Didn't they cover this in "The Dark Knight"?

    https://www.scienceabc.com/humans/movies/how-scientifically-accurate-is-batmans-sonar-machine-in-the-dark-knight.html

  8. Re:Fucking Bullshit Fuck You Slashdot by Anonymous Coward · · Score: 0

    If there are 12 common patterns, just try all 12. It'd be faster than this Rube Goldberg setup.

  9. Perfect by Anonymous Coward · · Score: 0

    This is perfect for all those air-gapped smartphones that can still download malicious apps off the internet.

  10. A lesson in probability by Anonymous Coward · · Score: 0

    If it takes on average 3.6 tries to guess which of 12 patterns a person uses, that's not a 70% reduction!
    Random guesses pick which of 12 patterns a person uses within 6.5 tries on average. The correct percentage reduction isn't 8.4/12, it's 2.9/6.5, or 45%.

  11. Re: Fucking Bullshit Fuck You Slashdot by Anonymous Coward · · Score: 0

    And when they say "reduces ... by 70%", that's really not true.

    To try all 12 patterns, on average you'll get it in 6 guesses. So their 3.6 guesses is a very small improvement.

  12. Re:So if you have already owned the phone by omnichad · · Score: 1

    More importantly, why would you even need the passcode at that point?

  13. 5 kHz ? by Anonymous Coward · · Score: 0

    "When a user downloads the infected app, their phone begins broadcasting a sound signal that is just above the human range of hearing"

    so... 5 kHz?
    ( too much loud rock music)

  14. Non-story by Anonymous Coward · · Score: 1

    Sorry, but they weren't guessing out of the blue. They were guessing from a subset of only 12 combinations. 12. The real security issue here is that people only generally use 1 of 12 different combinations.

  15. Way to bury the lead! by n3r0.m4dski11z · · Score: 1

    So what are the 12 patterns? Cursory searches do not reveal this interesting piece of info. Could be fun at parties.

    --
    -
  16. 70% or 40% reduction? by Piete · · Score: 1

    All good stuff, but is " decreases the number of unlock patterns an attacker must try by 70 percent" right?
    If there are 12 options and I guessed randomly, I'd expect to have to try 6 before I got it.
    They reduced this to 3.6, which I make a 40% reduction - have I missed something?

    1. Re:70% or 40% reduction? by Wulf2k · · Score: 1

      It's like a USB port. You've gotta try some of the possibilities multiple times before they'll work.

  17. Rube Permission. by Anonymous Coward · · Score: 0

    Sure? I think it does for the simple reason it can't be turned into a bug.

  18. The 12 common patterns by hankwang · · Score: 1

    Figure 1 in the paper: https://arxiv.org/pdf/1808.102...

    Mostly variants (rotations and flips) of L, Z, and 1.

  19. Re:So if you have already owned the phone by Crashmarik · · Score: 1

    More importantly, why would you even need the passcode at that point?

    People do insecure things like reuse passwords or minor variants.

  20. Re:So if you have already owned the phone by omnichad · · Score: 1

    This is about a pattern unlock. How often do those get reused?

  21. Re:So if you have already owned the phone by Crashmarik · · Score: 1

    why would you even need the passcode at that point?

    You tell me why you asked the question

  22. Re:Cool research! -- Night vision by fish_in_the_c · · Score: 1

    I'm now waiting for the first sonar based night vision app to come out :) Maybe something that enhances the low light camera?
    I wonder how good it is with distance? Can you map a room with it?

    --
    “Tolerance applies only to persons, but never to truth. Intolerance applies only to truth, but never to persons.
  23. Re:Cool research! -- Night vision by gnick · · Score: 1

    I wonder how good it is with distance? Can you map a room with it?

    It's not remotely like The Dark Knight, but a little bit.

    --
    He's getting rather old, but he's a good mouse.
  24. Re: Fucking Bullshit Fuck You Slashdot by gnick · · Score: 1

    Yes! They're comparing the number of attempts to the total number of possibilities. "Reduces by 70%" is accurate only if you declare that entering the patterns at random "reduces by 50%".

    --
    He's getting rather old, but he's a good mouse.
  25. So what you're saying is... by Anonymous Coward · · Score: 0

    20% of the time it works 70% of the time?

    I mean that's still a decrease but this is the kind of security research that's much ado about nothing. Where's the threat to the consumer? Who's going to be using this? What would even be the reason/motive?

  26. Re:So if you have already owned the phone by omnichad · · Score: 1

    Because you used the word "password" when the whole article is about unlock patterns. Just because I used words more similar to you doesn't mean I forgot what we were actually talking about.

  27. Re:So if you have already owned the phone by Crashmarik · · Score: 1

    Yeah good luck with that chief.

  28. rofl by Anonymous Coward · · Score: 0

    so they mostly drew a straight line. Whew, wouldn't want to have to repeat that multiple times.

    Would have been quicker to just try the 12 combos.....no guarantee it scales either.
    Anyone believe it can tell a 7 from an upside-down L ?

    I am guessing it could detect 1 from L from Z. The 1's didn't help much but a Z helps a lot, thus the average guess goes down.