Someone told me that a smartphone's gyroscope can help hackers eavesdrop on conversations. How is the gyroscope...
exploited and how can I prevent it from becoming an eavesdropping tool? Is it vulnerable only when the device is being used or at any time?
While convenient, smartphones with microphones are a great source of covert eavesdropping capabilities thanks to their ubiquitous use and always-on connected nature.
The most obvious feature to use for eavesdropping is the microphone or video camera, but other parts of the smartphone can be used to monitor communications.
Researchers Yan Michalevsky, Dan Boneh and Gabi Nakibly discovered a way to use a smartphone gyroscope to listen in on conversations in certain scenarios. While their proof-of-concept exploit had limited accuracy when focused on an individual in an empty room, accuracy could be improved with the right speech-recognition software.
One reason why smartphones are vulnerable to eavesdropping attacks when powered on is because most users keep the default setting that allows the Web browser to access the gyroscope to display webpages in the correct orientation. However, that doesn't mean other apps, especially malicious ones, couldn't make use of the gyroscope in certain scenarios.
To completely prevent the smartphone gyroscope from being used as an eavesdropping tool, users would need to power the device off or carry it in a soundproof container. Disconnecting the device from a network would not prevent the device from listening, but would prevent the device from sending the recorded data.
In its blog post, security vendor Symantec Corp. noted that Firefox is the most vulnerable of the major Web applications because it uses the default settings to listen for audio from the gyroscope. Chrome and Safari, on the other hand, limit how the smartphone gyroscope can be used to listen for audio.
Down the line, smartphone makers could change the gyroscope access default settings, making them lower so it doesn't have the sensitivity to listen for audio. For now, the risk is minimal, and as noted can be further reduced by using certain devices or configurations, but organizations at high risk for advanced, targeted attacks should at least be aware of this issue.
Ask the Expert!
Have a question about enterprise threats? Send it via email today! (All questions are anonymous.)
Dig Deeper on Mobile security threats and prevention
Related Q&A from Nick Lewis
Researchers developed aIR-Jumper, an exploit that leverages lights within security cameras to extract data. Learn how this attack works and how to ...continue reading
The com.google.provision virus reportedly targets Android users, but little is known about it. Nick Lewis discusses the mystery threat and how Common...continue reading
A bug in Microsoft's Internet Explorer update exposes information that users enter into the browser's address bar. Learn more about the bug and URL ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.