Georgia Tech researchers recently unveiled a proof-of-concept in which a mobile device placed near a keyboard could be used to detect specific keyboard vibrations to identify words being typed by a user with nearly 80% accuracy. Mobile malware that detects and transmits vibration data from keyboards seems like an unlikely attack, but it could be very effective as a targeted attack. Are we at the point where I need to advise my executives not to place their mobile phones on their desks?
The recent accelerometer research by Georgia Tech security researchers on using the accelerometer built into many of today's new smartphones to record keystrokes has expanded on previous attacks, turning smartphones into recording devices. Malware could even turn on the microphone, if given permission by the user (something savvy attackers can trick users into doing), in order to record conversations for remote eavesdropping.
An effective defense against this attack is to ensure users keep their smartphones at least three inches away from their keyboards, but the researchers suggest additional security should be implemented in the accelerometer of the mobile device to require permission to use the accelerometer at high sampling rates. While a targeted attack of this sort could potentially capture keystrokes and keyboard vibration, aggressors would need to be able to identify a password or sensitive data that was typed in, a goal that isn't entirely far-fetched. Attacks like this could even be used, in some scenarios, to gain access to systems inside of Faraday cages if the contaminated mobile phone leaves the Faraday cage at some point, so the malware may phone home the stolen data.
Regardless of security requirements, only the highest-risk and most paranoid security organizations would need to advise executives not to place their mobile phones on their desks, because as of today this is proof-of-concept research, not representative of an exploit technique being used in the wild. While most enterprises probably do not need to implement new security controls to protect against either of these attacks, awareness that it is possible will influence future product developments as suggested by the Georgia Tech researchers. Finally, for organizations with ultra-high security requirements, there are other similar potential attack methods that they may need to be aware of, most notably data leakage by LED status indicators.