By Ron Benvenisti. Security researchers developed an Android app that logs keystrokes using the Smart Phone’s motion sensors. The app measures the locations a user taps on the touch screen. You’ve probably heard of “Key Logging”, but enter “TouchLogger”. The app allowed its creators at the University of California at Davis to demonstrate that Smart Phones (and tablets, BTW) have an inherent yet unforeseen design vulnerability. Most of these “touch screen” devices lack the physical keyboards that are already known to leak user input. Nonetheless the touch devices are susceptible to monitoring through similar cyber-attacks.
Sonic and electromagnetic waves have long been used to capture input from traditional keyboards; on a touch screen, the motion of the device itself can be monitored to the same end. “Our insight is that motion sensors, such as accelerometers and gyroscopes, may be used to infer keystrokes,” the researchers wrote in a paper presented at the “HotSec’11” workshop held in San Francisco last week. “When the user types on the soft keyboard on her smartphone (especially when she holds her phone by hand rather than placing it on a fixed surface), the phone vibrates. We discover that keystroke vibration on touch screens are highly correlated to the keys being typed.”
Applications which use the same techniques as “TouchLogger” can bypass the built-in security of both Android and Apple’s iPhone and iPad. The app achieved an accuracy rate of more than 70% in recovering numbers typed on the devices’ soft keyboard!
The researchers believe TouchLogger’s accuracy can easily be improved on any device it works on.
“The tablet has a larger screen, so hopefully we can get a higher accuracy rate on a QWERTY keyboard,” said Liang Cai, a graduate student in UC Davis’s computer science department who collaborated with his advisor Hao Chen. “We didn’t really try it on a large scale of devices.”
Aside from devices with larger touch screens, the researchers said TouchLogger could be tweaked by also using the gyroscopes and accelerometers built into the devices, which measure the rate of rotation and acceleration. They are in the process of extending their work into a full research project.
How to Out-Smart the SmartPhone!
While the research confirms a “Smart” device’s own sensors could expose highly valuable information, including passwords, social security numbers and credit card numbers, here’s how to beat it: only do online banking over your “Smart Phone” while connected to secure WiFi (not a public WiFi, but a known encrypted connection such as your own wireless router with WEP or WPA, etc., enabled, preferably with a long key of at least 16 characters).
You can also bypass the Internet completely by doing your transaction on a 3G or 4G data connection. Remember to turn your wireless OFF before doing the transaction. This also works for Webmail, Facebook, Twitter and other personal info.
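The advice above concerns the network path. The leak the researchers describe lives in the sensor path instead: tiny tap-induced vibrations riding on an otherwise steady accelerometer baseline. The following Python simulation is an added example, not code from the article or from the UC Davis researchers. It constructs a toy accelerometer stream with synthetic tap spikes, counts how many tap events survive in a stream (a leakage check, not a key-recovery attack), and shows an illustrative platform-side policy that rate-limits and coarsens sensor readings delivered to untrusted apps while a sensitive field is focused. The stream values, amplitudes and policy thresholds are all constructed assumptions; the 200 Hz figure in the comment refers to the cap Android 12 applies to motion sensors for apps lacking the HIGH_SAMPLING_RATE_SENSORS permission.

```python
# Added example (not the researchers' code): a toy model of the motion-sensor
# side channel and of an OS-side sensor policy that blunts it.
# All sample data is constructed; the policy is illustrative only.
from statistics import median

GRAVITY = 9.8          # constructed baseline z-axis reading (m/s^2), phone held in hand
TAP_AMPLITUDE = 0.04   # constructed peak vibration caused by a screen tap
TAP_LEN = 5            # constructed: a tap rings for 5 samples at the raw rate


def synth_accel(tap_indices, n=200):
    """Constructed raw accelerometer stream: flat gravity plus a small,
    decaying spike starting at each tap index. Real traces are noisier, but the
    essential feature (tiny deviations on a steady baseline) is the same."""
    samples = [GRAVITY] * n
    for idx in tap_indices:
        for k in range(TAP_LEN):
            samples[idx + k] += TAP_AMPLITUDE * (1 - k / TAP_LEN)
    return samples


def count_tap_events(samples, threshold=0.01):
    """Leakage check: number of distinct excursions from the baseline that
    remain in a stream. Used here only to compare raw vs. filtered output."""
    base = median(samples)
    events, in_event = 0, False
    for x in samples:
        above = abs(x - base) > threshold
        if above and not in_event:
            events += 1
        in_event = above
    return events


def downsample(samples, factor):
    """Rate limiting: deliver only every `factor`-th sample to a subscriber
    (the spirit of Android 12's 200 Hz cap for apps without
    HIGH_SAMPLING_RATE_SENSORS)."""
    return samples[::factor]


def quantize(samples, step):
    """Resolution limiting: round readings to a coarse step so sub-step
    vibration becomes indistinguishable from the baseline."""
    return [round(x / step) * step for x in samples]


def apply_policy(samples, secure_field_focused, factor=5, step=0.1):
    """Illustrative policy (an assumption, not any vendor's implementation):
    while a sensitive field such as a PIN or password box has focus, untrusted
    subscribers receive rate-limited, coarsened data; otherwise raw data."""
    if not secure_field_focused:
        return list(samples)
    return quantize(downsample(samples, factor), step)


if __name__ == "__main__":
    raw = synth_accel([20, 60, 100, 140])       # four constructed taps
    print("raw stream tap events:      ", count_tap_events(raw))
    print("policy off (normal screen): ", count_tap_events(apply_policy(raw, False)))
    print("policy on (PIN field focus):", count_tap_events(apply_policy(raw, True)))
```

Rate limiting alone is not sufficient in this model: a spike that happens to land on a retained sample index still shows up, which is why the policy combines it with coarse quantization. The same check can be run on any recorded trace to measure whether a given sensor setting still carries tap-scale information.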