Slashdot Mirror

← Back to Stories (view on slashdot.org)

Researchers Used Sonar Signal From a Smartphone Speaker To Steal Unlock Passwords (vice.com)

Posted by BeauHD on from the first-of-its-kind dept.

An anonymous reader quotes a report from Motherboard: On Thursday, a group of researchers from Lancaster University posted a paper to arXiv that demonstrates how they used a smartphone's microphone and speaker system to steal the device's unlock pattern. Although the average person doesn't have to worry about getting hacked this way any time soon, the researchers are the first to demonstrate that this kind of attack is even possible. According to the researchers, their "SonarSnoop" attack decreases the number of unlock patterns an attacker must try by 70 percent and can be performed without the victim ever knowing they're being hacked. The attack begins when a user unwittingly installs a malicious application on their phone. When a user downloads the infected app, their phone begins broadcasting a sound signal that is just above the human range of hearing. This sound signal is reflected by every object around the phone, creating an echo. This echo is then recorded by the phone's microphone. By calculating the time between the emission of the sound and the return of its echo to the source, it is possible to determine the location of an object in a given space and whether that object is moving -- this is known as sonar.

The researchers were able to leverage this phenomenon to track the movement of someone's finger across a smartphone screen by analyzing the echoes recorded through the device's microphone. There are nearly 400,000 possible unlock patterns on the 3x3 swipe grid on Android phones, but prior research has demonstrated that 20 percent of people use one of 12 common patterns. While testing SonarSnoop, the researchers only focused on these dozen unlock combinations. Ten volunteers were recruited for the study and were asked to draw each of the 12 patterns five different times on a custom app. The researchers then tried a variety of sonar analysis techniques to reconstruct the password based on the acoustic signatures emitted by the phone. The best analysis technique resulted in the algorithm only having to try 3.6 out of the 12 possible patterns on average before it correctly determined the pattern.

23 of 45 comments (clear)

  1. Solution is simple by Anonymous Coward · · Score: 1

    Banana Republic! Then no one cares about anything.

  2. Cool research! by gweihir · · Score: 4, Interesting

    While probably not a real security problem at this time, it nicely demonstrates what powerful hardware and software can to even with simple sensors.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    1. Re:Cool research! by Anonymous Coward · · Score: 1

      It's interesting they didn't even mention sonar's ability to see through clothing.

  3. Rube Goldberg by edi_guy · · Score: 4, Insightful
    If you can convince a user to download a malicious app, isn't that the end of the story as far as hacking their phone? Unless you are Dr. Evil from Austin Powers the addition of sonar tracking on top of the initial trojan is overkill.

    I get that the sonar bit is clever, by why is it necessary to link that part with stealing passwords, other than to make it a little more press worthy.

    1. Re: Rube Goldberg by phantomfive · · Score: 1

      On the other hand, if you download the app and they find your passcode, they then have no way to correlate that passcode to a specific phone, unless they are doing some kind of serious targetted attack, in which case they could also just film the person unlocking their phone.

      --
      "First they came for the slanderers and i said nothing."
    2. Re: Rube Goldberg by omnichad · · Score: 1

      Background microphone doesn't require any permissions? Maybe we need to solve that one first. Would be great for getting rid of those advertising ping listeners too.

    3. Re:Rube Goldberg by yes-but-no · · Score: 1

      And for homework assignment, track the user's eyeball movement with front camera and using the same AI/ML learning find the pattern (yeah ok to reduce search space from thousands into 12).

    4. Re:Rube Goldberg by Anubis+IV · · Score: 1

      It's about escalating privileges.

      It's been quite awhile since the default behavior was to give apps unfettered access to the system, specifically because of malicious apps doing malicious things. These days, there are permissions that need to be requested for all sorts of actions, and if you try to request low level access, people tend to sit up, take notice, and start asking questions about what your app is doing and why it's doing it.

      On the other hand, having permission to play sound and listen via the mic doesn't get you much, and as a result generally hasn't been worthy of significant scrutiny during app review or otherwise, at least so far as security goes (though mic access is obviously a privacy concern). But if you can leverage those simple permissions to unlock unrestricted access to the device? Now, that's something.

  4. Hollywood is real? by Anonymous Coward · · Score: 1

    Didn't they cover this in "The Dark Knight"?

    https://www.scienceabc.com/humans/movies/how-scientifically-accurate-is-batmans-sonar-machine-in-the-dark-knight.html

  5. Re:So if you have already owned the phone by omnichad · · Score: 1

    More importantly, why would you even need the passcode at that point?

  6. Non-story by Anonymous Coward · · Score: 1

    Sorry, but they weren't guessing out of the blue. They were guessing from a subset of only 12 combinations. 12. The real security issue here is that people only generally use 1 of 12 different combinations.

  7. Way to bury the lead! by n3r0.m4dski11z · · Score: 1

    So what are the 12 patterns? Cursory searches do not reveal this interesting piece of info. Could be fun at parties.

    --
    -
  8. 70% or 40% reduction? by Piete · · Score: 1

    All good stuff, but is " decreases the number of unlock patterns an attacker must try by 70 percent" right?
    If there are 12 options and I guessed randomly, I'd expect to have to try 6 before I got it.
    They reduced this to 3.6, which I make a 40% reduction - have I missed something?

    1. Re:70% or 40% reduction? by Wulf2k · · Score: 1

      It's like a USB port. You've gotta try some of possibilities multiple times before they'll work.

  9. The 12 common patterns by hankwang · · Score: 1

    Figure 1 in the paper: https://arxiv.org/pdf/1808.102...

    Mostly variants (rotations and flips) of L, Z, and 1.

    --
    Avantslash: low-bandwidth mobile slashdot.
  10. Re:So if you have already owned the phone by Crashmarik · · Score: 1

    More importantly, why would you even need the passcode at that point?

    People do insecure things like reuse passwords or minor variants.

  11. Re:So if you have already owned the phone by omnichad · · Score: 1

    This is about a pattern unlock. How often do those get reused?

  12. Re:So if you have already owned the phone by Crashmarik · · Score: 1

    why would you even need the passcode at that point?

    You tell me why you asked the question

  13. Re:Cool research! -- Night vision by fish_in_the_c · · Score: 1

    I'm now waiting for the first sonar based night vision app to come out :) Maybe something that enhances the low light camera?
    I wonder how good it is with distance? Can you map a room with it?

    --
    âoeTolerance applies only to persons, but never to truth. Intolerance applies only to truth, but never to persons.
  14. Re:Cool research! -- Night vision by gnick · · Score: 1

    I wonder how good it is with distance? Can you map a room with it?

    It's not remotely like The Dark Knight, but a little bit.

    --
    He's getting rather old, but he's a good mouse.
  15. Re: Fucking Bullshit Fuck You Slashdot by gnick · · Score: 1

    Yes! They're comparing the number of attempts to the total number of possibilities. "Reduces by 70%" is accurate only if you declare that entering the patterns at random "reduces by 50%".

    --
    He's getting rather old, but he's a good mouse.
  16. Re:So if you have already owned the phone by omnichad · · Score: 1

    Because you used the word "password" when the whole article is about unlock patterns. Just because I used words more similar to you doesn't mean I forgot what we were actually talking about.

  17. Re:So if you have already owned the phone by Crashmarik · · Score: 1

    Yeah good luck with that chief.