Georgia Tech researchers recently unveiled a proof-of-concept in which a mobile device placed near a keyboard could be used to detect specific keyboard vibrations to identify words being typed by a user with nearly 80% accuracy. Mobile malware that detects and transmits vibration data from keyboards seems like an unlikely attack, but it could be very effective as a targeted attack. Are we at the point where I need to advise my executives not to place their mobile phones on their desks?
The recent accelerometer research by Georgia Tech security researchers on using the accelerometer built into many of today's new smartphones to record keystrokes has expanded on previous attacks, turning smartphones into recording devices. Malware could even turn on the microphone, if given permission by the user (something savvy attackers can trick users into doing), in order to record conversations for remote eavesdropping.
An effective defense against this attack is to ensure users keep their smartphones at least three inches away from their keyboards, but the researchers suggest additional security should be implemented in the accelerometer of the mobile device to require permission to use the accelerometer at high sampling rates. While a targeted attack of this sort could potentially capture keystrokes and keyboard vibration, aggressors would need to be able to identify a password or sensitive data that was typed in, a goal that isn't entirely far-fetched. Attacks like this could even be used, in some scenarios, to gain access to systems inside of Faraday cages if the contaminated mobile phone leaves the Faraday cage at some point, so the malware may phone home the stolen data.
Regardless of security requirements, only the highest-risk and most paranoid security organizations would need to advise executives not to place their mobile phones on their desks, because as of today this is proof-of-concept research, not representative of an exploit technique being used in the wild. While most enterprises probably do not need to implement new security controls to protect against either of these attacks, awareness that it is possible will influence future product developments as suggested by the Georgia Tech researchers. Finally, for organizations with ultra-high security requirements, there are other similar potential attack methods that they may need to be aware of, most notably data leakage by LED status indicators.
This was first published in May 2012
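The permission gate on high accelerometer sampling rates suggested above can be audited on managed devices. The following is an added example, not part of the original column: it assumes the Android 12 (API 31) behaviour, which postdates this article, where motion sensors are capped at 200 Hz unless an app declares `android.permission.HIGH_SAMPLING_RATE_SENSORS`. It also assumes manifests already decoded to text XML; the package names and sample manifests are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
HIGH_RATE = "android.permission.HIGH_SAMPLING_RATE_SENSORS"
RATE_LIMIT_API = 31  # Android 12: motion sensors capped at 200 Hz by default


def classify(manifest_xml):
    """Return 'high-rate-declared', 'legacy-uncapped', 'capped' or 'unknown'."""
    root = ET.fromstring(manifest_xml)
    perms = {
        el.get(ANDROID_NS + "name")
        for tag in ("uses-permission", "uses-permission-sdk-23")
        for el in root.iter(tag)
    }
    if HIGH_RATE in perms:
        return "high-rate-declared"  # app opted out of the cap: review why
    sdk = root.find("uses-sdk")
    target = sdk.get(ANDROID_NS + "targetSdkVersion") if sdk is not None else None
    if target is None or not target.isdigit():
        return "unknown"  # cannot tell whether the cap applies
    # Apps targeting older API levels are not subject to the cap.
    return "capped" if int(target) >= RATE_LIMIT_API else "legacy-uncapped"


def needs_review(manifests):
    """Packages whose accelerometer access is not rate-capped, sorted by name."""
    return sorted(p for p, xml in manifests.items() if classify(xml) != "capped")


def _manifest(package, target, perms):
    """Build a constructed sample manifest (not taken from any real app)."""
    uses = "".join(f'<uses-permission android:name="{p}"/>' for p in perms)
    return (
        '<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
        f'package="{package}"><uses-sdk android:targetSdkVersion="{target}"/>'
        f"{uses}</manifest>"
    )


SAMPLES = {  # constructed inputs
    "com.example.notes": _manifest("com.example.notes", 33, ["android.permission.INTERNET"]),
    "com.example.fitness": _manifest("com.example.fitness", 33, [HIGH_RATE]),
    "com.example.oldgame": _manifest("com.example.oldgame", 28, []),
}

if __name__ == "__main__":
    for pkg, xml in SAMPLES.items():
        print(pkg, classify(xml))
```

An app flagged as `legacy-uncapped` is as relevant as one that declares the permission, since the cap only applies to apps targeting API 31 or later.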