
Two researchers from the University of California at Davis (UC Davis), Hao Chen and Lian Cai, found a way to determine which keys were pressed on the on-screen keyboard of the Android OS by measuring the device's offsets, wobble and vibration [Translator's note: and gyroscope]. This is important because accelerometer data has not been considered a potential attack vector, and is therefore freely available to any application on any smartphone or tablet.
Intercepting keystrokes on a desktop or laptop under Windows or Mac is incredibly simple: install the appropriate program (or a Trojan will do it for you), set up where it should save or send the stolen key codes, and that's it! When it comes to smartphones, however, complex access restriction systems make this approach almost impossible, unless you use so-called side channels. Strictly speaking, a side channel is an openly available source of information that helps an attacker break into a cryptographic system. In a broader sense, a side channel may be a light on the router, flashing in time with the transmitted data, or the keystrokes of a physical keyboard.
[Translator's note: I would be grateful to anyone who can help find links. Proof, #3.2.2, #4.2.1] In other words, side channels are system characteristics whose potential danger is overlooked.
In this case, the two researchers used the spatial orientation data of the Android device (a set of three angles defining the orientation of the phone in XYZ space) to determine where the user tapped on the screen. In principle, each key produces a unique pattern of angle changes along the three axes that can be identified (see below). Accuracy depends on the phone model: the HTC Evo 4G updates orientation data every 30 ms, and the Motorola Droid every 110 ms. Overall, the researchers managed to achieve 71.5% accuracy for a 10-button keyboard. The remaining 28.5% are errors due to the proximity of the keys. The program (called TouchLogger, by the way) can generally identify the correct column or row for each press, but sometimes it does not have enough data to recognize the specific key.

Recognizing keystrokes on a full QWERTY keyboard is naturally more difficult than on a 10-button numeric keypad, but this is only a demonstration of the principle, and 70% accuracy is more than enough to violate the confidentiality of any data entered into the phone. In addition, the paper notes that on larger devices, such as tablets, it should be easier to monitor the keyboard, and that gyroscopes could be used together with the camera to increase the resolution and accuracy of TouchLogger.
Finally, it is important to note that this side channel is not just a hole in the security of Android: accelerometer and gyro data are available through the DeviceOrientation API, which is implemented in Android 3.0, iOS 4.2, as well as in all modern browsers. In other words, this exploit requires installing TouchLogger on an Android phone, but in theory someone could take Chen and Cai's work, implement it in JavaScript, and then use it to steal your passwords and credit card information while you surf the Internet.
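One check a site operator can run against the browser exposure described above, as an added example that is not from the article or from the TouchLogger authors: it parses a `Permissions-Policy` response header and reports whether the motion-sensor features are denied on a page. It assumes a browser that gates DeviceOrientation events on the `accelerometer`, `gyroscope` and `magnetometer` policy features; the function names, header values and the `widgets.example` origin are constructed for illustration.

```javascript
// Added example (not from the article): audit a Permissions-Policy header
// for the motion-sensor features behind the DeviceOrientation events.
const MOTION_FEATURES = ["accelerometer", "gyroscope", "magnetometer"];

// Parse 'feature=allowlist, ...' into a Map of feature -> array of tokens.
// Handles (), *, self, and parenthesised lists such as (self "https://a.example").
function parsePermissionsPolicy(header) {
  const policy = new Map();
  // Split on commas that are not inside a parenthesised allowlist.
  for (const part of header.split(/,(?![^(]*\))/)) {
    const eq = part.indexOf("=");
    if (eq === -1) continue; // malformed directive, ignore it
    const feature = part.slice(0, eq).trim().toLowerCase();
    const raw = part.slice(eq + 1).trim();
    const inner = raw.startsWith("(") && raw.endsWith(")") ? raw.slice(1, -1) : raw;
    policy.set(feature, inner.split(/\s+/).filter(Boolean));
  }
  return policy;
}

// Classify each motion feature: "denied", "self-only", "delegated" or "unset".
function auditMotionSensors(header) {
  const policy = parsePermissionsPolicy(header || "");
  const report = {};
  for (const feature of MOTION_FEATURES) {
    if (!policy.has(feature)) {
      report[feature] = "unset"; // no directive: the browser default applies
    } else {
      const list = policy.get(feature);
      if (list.length === 0) report[feature] = "denied";
      else if (list.every((t) => t === "self")) report[feature] = "self-only";
      else report[feature] = "delegated"; // * or explicit third-party origins
    }
  }
  return report;
}

// Constructed sample headers for a hypothetical login page.
const weak = 'camera=(), gyroscope=(self "https://widgets.example"), accelerometer=*';
const hardened = "accelerometer=(), gyroscope=(), magnetometer=()";
console.log(auditMotionSensors(weak));     // sensors readable by other origins
console.log(auditMotionSensors(hardened)); // sensors denied on this page
```

A page that accepts passwords or card numbers would want every feature reported as `denied`; `unset` means the page relies on whatever the browser does by default.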
Sources: New Scientist magazine article, TouchLogger article [PDF]