Georgia Tech researchers recently unveiled a proof-of-concept in which a mobile device placed near a keyboard could...
be used to detect specific keyboard vibrations to identify words being typed by a user with nearly 80% accuracy. Mobile malware that detects and transmits vibration data from keyboards seems like an unlikely attack, but it could be very effective as a targeted attack. Are we at the point where I need to advise my executives not to place their mobile phones on their desks?
Ask the expert!
Have questions about enterprise information security threats for expert Nick Lewis? Send them via email today! (All questions are anonymous.)
The recent accelerometer research by Georgia Tech security researchers on using the accelerometer built into many of today's new smartphones to record keystrokes has expanded on previous attacks, turning smartphones into recording devices. Malware could even turn on the microphone, if given permission by the user (something savvy attackers can trick users into doing), in order to record conversations for remote eavesdropping.
An effective defense against this attack is to ensure users keep their smartphones at least three inches away from their keyboards, but the researchers suggest additional security should be implemented in the accelerometer of the mobile device to require permission to use the accelerometer at high sampling rates. While a targeted attack of this sort could potentially capture keystrokes and keyboard vibration, aggressors would need to be able to identify a password or sensitive data that was typed in, a goal that isn't entirely far-fetched. Attacks like this could even be used, in some scenarios, to gain access to systems inside of Faraday cages if the contaminated mobile phone leaves the Faraday cage at some point, so the malware may phone home the stolen data.
Regardless of security requirements, only the highest risk and most paranoid security organizations would need to advise executives not to place their mobile phones on their desks, because as of today this is proof-of-concept research, not representative of an exploit technique being used in the wild. While most enterprises probably do not need to implement new security controls to protect against either of these attacks, awareness that it is possible will influence future product developments as suggested by the Georgia Tech researchers. Finally, for organizations with ultra high security requirements, there are other similar potential attack methods that they may need to be aware of, most notably data leakage by LED status indicators.
Related Q&A from Nick Lewis
As the Angler exploit kit evolves and adopts new functionality, it's becoming harder to detect and defend against. Enterprise threats expert Nick ...continue reading
A proof-of-concept attack on Apple's Siri allowed researchers to steal data from iOS. Learn more about the iStegSiri attack and how to defend against...continue reading
A new global email scam has cost enterprises millions. Expert Nick Lewis explains how to defend against man-in-the-email attacks with proper training...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.