Someone told me that a smartphone's gyroscope can help hackers eavesdrop on conversations. How is the gyroscope...
exploited and how can I prevent it from becoming an eavesdropping tool? Is it vulnerable only when the device is being used or at any time?
While convenient, smartphones with microphones are a great source of covert eavesdropping capabilities thanks to their ubiquitous use and always-on connected nature.
The most obvious feature to use for eavesdropping is the microphone or video camera, but other parts of the smartphone can be used to monitor communications.
Researchers Yan Michalevsky, Dan Boneh and Gabi Nakibly discovered a way to use a smartphone gyroscope to listen in on conversations in certain scenarios. While their proof-of-concept exploit had limited accuracy when focused on an individual in an empty room, accuracy could be improved with the right speech-recognition software.
One reason why smartphones are vulnerable to eavesdropping attacks when powered on is because most users keep the default setting that allows the Web browser to access the gyroscope to display webpages in the correct orientation. However, that doesn't mean other apps, especially malicious ones, couldn't make use of the gyroscope in certain scenarios.
To completely prevent the smartphone gyroscope from being used as an eavesdropping tool, users would need to power the device off or carry it in a soundproof container. Disconnecting the device from a network would not prevent the device from listening, but would prevent the device from sending the recorded data.
In its blog post, security vendor Symantec Corp. noted that Firefox is the most vulnerable of the major Web applications because it uses the default settings to listen for audio from the gyroscope. Chrome and Safari, on the other hand, limit how the smartphone gyroscope can be used to listen for audio.
Down the line, smartphone makers could change the gyroscope access default settings, making them lower so it doesn't have the sensitivity to listen for audio. For now, the risk is minimal, and as noted can be further reduced by using certain devices or configurations, but organizations at high risk for advanced, targeted attacks should at least be aware of this issue.
Ask the Expert!
Have a question about enterprise threats? Send it via email today! (All questions are anonymous.)
Dig Deeper on Mobile security threats and prevention
Related Q&A from Nick Lewis
A new remote access Trojan called UBoatRAT was found spreading via Google services and GitHub. Learn how spotting command-and-control systems can ... Continue Reading
CyberArk researchers created an attack called Golden SAML that uses Mimikatz techniques and applied it to a federated environment. Learn more about ... Continue Reading
The use of botnets to spread Scarab ransomware intensifies the threat for enterprises. Discover the best way to respond to such a threat and protect ... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.