A research team at Georgia Tech claims that it has discovered how to use a users smartphone to track what the person is typing on the keyboard.
The smartphone accelerometer, an internal device that detects when and how the phone is tilted, senses keyboard vibrations and deciphers complete sentences with up to 80 percent accuracy.
“We first tried our experiments with an iPhone 3GS, and the results were difficult to read,” Patrick Traynor, assistant professor in Georgia Tech’s School of Computer Science, said.
“But then we tried an iPhone 4, which has an added gyroscope to clean up the accelerometer noise, and the results were much better. We believe that most smartphones made in the past two years are sophisticated enough to launch this attack,” he said.
The technique works through probability and by detecting pairs of keystrokes, rather than individual keys.
It models “keyboard events” in pairs, then determines whether the pair of keys pressed is on the left versus right side of the keyboard, and whether they are close together or far apart.
After the system has determined these characteristics for each pair of keys depressed, it compares the results against a preloaded dictionary, each word of which has been broken down along similar measurements, i.e., are the letters left/right, near/far on a standard QWERTY keyboard.
The technique works reliably only on words of three or more letters.
“The way we see this attack working is that you, the phone’s owner, would request or be asked to download an innocuous-looking application, which doesn’t ask you for the use of any suspicious phone sensors,” Henry Carter, one of the study’s co-authors, said.
“Then the keyboard-detection malware is turned on, and the next time you place your phone next to the keyboard and start typing, it starts listening,” carter said.