How Your Smartphone's Motion Gives Away Keystrokes

Using a smartphone's accelerometers, security researchers achieved a 70% accuracy rate in deducing numeric keys pressed on a virtual keyboard.

Every tap of a virtual key on a touchscreen smartphone results in the device moving. Now, researchers have found that they can infer, with a notable degree of accuracy, exactly which key was pressed based on how the device moves.

That's the surprise finding made by two security researchers at the University of California, Davis, and detailed earlier this month in a presentation at the HotSec '11 conference in San Francisco.

According to the researchers' report: "Since typing on different locations on the screen causes different vibrations, motion data can be used to infer the keys being typed. To demonstrate this attack, we developed TouchLogger, an Android application that extracts features from device orientation data to infer keystrokes." TouchLogger achieved a 70% accuracy rate at inferring which keys were pressed on a numerical keyboard.

How did the researchers come to build a motion-driven keylogger? "We looked at new functionalities on mobile devices, and we realized they all have advanced sensors," said paper co-author Hao Chen during the HotSec presentation. "Obviously, some of the sensors are privacy-sensitive, such as the microphone, camera, or GPS."

But the sensors needed to infer keystrokes from motion aren't normally protected against inappropriate use. "There are certain sensors ... you might not think that they're that privacy-sensitive, such as the accelerometer or gyroscope. Who would care if you bump your phone?" said Chen. "Well, it turned out that you can build a powerful keylogger by monitoring these motion sensors."

Don't fear the smartphone accelerometer keylogging attack just yet. Chen said that, to his knowledge, no such eavesdropping tools have been built. Furthermore, the researchers tested only a virtual numeric keyboard, such as the one found in a smartphone calculator app.

Going forward, however, "we hope to extend this work on the full keyboard, to see how much the recognition rate will be," he said. "We're also interested in extending this work to tablet devices, such as the Motorola Xoom and the Samsung Galaxy Tab."

Interestingly, TouchLogger would likely be less accurate when used to monitor a smartphone's full alphanumeric virtual keyboard, Chen told New Scientist. The opposite, however, would likely be true of a tablet, since the larger device would move more with each key press.

While in-the-wild attacks that use these techniques remain hypothetical, there are some immediate security steps that smartphone manufacturers could take to prevent related exploits. "Our takeaway message is that we should protect the motion sensors as diligently as we protect other privacy-sensitive sensors, such as the microphone or the camera," said Chen at HotSec.
