Q

Does accelerometer research portend keyboard-vibration attacks?

Expert Nick Lewis examines smartphone accelerometer research that may lead to keyboard-vibration attacks via a smartphone on a nearby computer.

Georgia Tech researchers recently unveiled a proof-of-concept in which a mobile device placed near a keyboard could be used to detect specific keyboard vibrations to identify words being typed by a user with nearly 80% accuracy. Mobile malware that detects and transmits vibration data from keyboards seems like an unlikely attack, but it could be very effective as a targeted attack. Are we at the point where I need to advise my executives not to place their mobile phones on their desks?


The recent accelerometer research by Georgia Tech security researchers on using the accelerometer built into many of today's new smartphones to record keystrokes has expanded on previous attacks, turning smartphones into recording devices. Malware could even turn on the microphone, if given permission by the user (something savvy attackers can trick users into doing), in order to record conversations for remote eavesdropping.

An effective defense against this attack is to ensure users keep their smartphones at least three inches away from their keyboards, but the researchers suggest additional security should be implemented in the accelerometer of the mobile device to require permission to use the accelerometer at high sampling rates. While a targeted attack of this sort could potentially capture keystrokes and keyboard vibration, aggressors would need to be able to identify a password or sensitive data that was typed in, a goal that isn't entirely far-fetched. Attacks like this could even be used, in some scenarios, to gain access to systems inside of Faraday cages if the contaminated mobile phone leaves the Faraday cage at some point, so that the malware can phone home the stolen data.

Regardless of security requirements, only the highest-risk and most paranoid security organizations would need to advise executives not to place their mobile phones on their desks, because as of today this is proof-of-concept research, not representative of an exploit technique being used in the wild. While most enterprises probably do not need to implement new security controls to protect against either of these attacks, awareness that it is possible will influence future product developments, as suggested by the Georgia Tech researchers. Finally, for organizations with ultra-high security requirements, there are other similar potential attack methods that they may need to be aware of, most notably data leakage by LED status indicators.

This was first published in May 2012
