Georgia Tech researchers recently unveiled a proof-of-concept in which a mobile device placed near a keyboard could...
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
be used to detect specific keyboard vibrations to identify words being typed by a user with nearly 80% accuracy. Mobile malware that detects and transmits vibration data from keyboards seems like an unlikely attack, but it could be very effective as a targeted attack. Are we at the point where I need to advise my executives not to place their mobile phones on their desks?
Ask the expert!
Have questions about enterprise information security threats for expert Nick Lewis? Send them via email today! (All questions are anonymous.)
The recent accelerometer research by Georgia Tech security researchers on using the accelerometer built into many of today's new smartphones to record keystrokes has expanded on previous attacks, turning smartphones into recording devices. Malware could even turn on the microphone, if given permission by the user (something savvy attackers can trick users into doing), in order to record conversations for remote eavesdropping.
An effective defense against this attack is to ensure users keep their smartphones at least three inches away from their keyboards, but the researchers suggest additional security should be implemented in the accelerometer of the mobile device to require permission to use the accelerometer at high sampling rates. While a targeted attack of this sort could potentially capture keystrokes and keyboard vibration, aggressors would need to be able to identify a password or sensitive data that was typed in, a goal that isn't entirely far-fetched. Attacks like this could even be used, in some scenarios, to gain access to systems inside of Faraday cages if the contaminated mobile phone leaves the Faraday cage at some point, so the malware may phone home the stolen data.
Regardless of security requirements, only the highest risk and most paranoid security organizations would need to advise executives not to place their mobile phones on their desks, because as of today this is proof-of-concept research, not representative of an exploit technique being used in the wild. While most enterprises probably do not need to implement new security controls to protect against either of these attacks, awareness that it is possible will influence future product developments as suggested by the Georgia Tech researchers. Finally, for organizations with ultra high security requirements, there are other similar potential attack methods that they may need to be aware of, most notably data leakage by LED status indicators.
Dig Deeper on BYOD and mobile device security best practices
Related Q&A from Nick Lewis
DoubleAgent malware is a proof of concept for a zero-day vulnerability that can turn antivirus tools into attack vectors. Expert Nick Lewis explains ...continue reading
A new POS malware downloads a RAM scraper to avoid detection. Expert Nick Lewis explains the tricks MajikPOS uses to target retail terminals and how ...continue reading
An Apache Struts vulnerability is still being exploited, even though it has already been patched. Expert Nick Lewis explains why the Struts platform ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.