1000words - Fotolia
Someone told me that a smartphone's gyroscope can help hackers eavesdrop on conversations. How is the gyroscope exploited and how can I prevent it from becoming an eavesdropping tool? Is it vulnerable only when the device is being used or at any time?
While convenient, smartphones with microphones are a great source of covert eavesdropping capabilities thanks to their ubiquitous use and always-on connected nature.
The most obvious feature to use for eavesdropping is the microphone or video camera, but other parts of the smartphone can be used to monitor communications.
Researchers Yan Michalevsky, Dan Boneh and Gabi Nakibly discovered a way to use a smartphone gyroscope to listen in on conversations in certain scenarios. While their proof-of-concept exploit had limited accuracy when focused on an individual in an empty room, accuracy could be improved with the right speech-recognition software.
One reason why smartphones are vulnerable to eavesdropping attacks when powered on is because most users keep the default setting that allows the Web browser to access the gyroscope to display webpages in the correct orientation. However, that doesn't mean other apps, especially malicious ones, couldn't make use of the gyroscope in certain scenarios.
To completely prevent the smartphone gyroscope from being used as an eavesdropping tool, users would need to power the device off or carry it in a soundproof container. Disconnecting the device from a network would not prevent the device from listening, but would prevent the device from sending the recorded data.
In its blog post, security vendor Symantec Corp. noted that Firefox is the most vulnerable of the major Web applications because it uses the default settings to listen for audio from the gyroscope. Chrome and Safari, on the other hand, limit how the smartphone gyroscope can be used to listen for audio.
Down the line, smartphone makers could change the gyroscope access default settings, making them lower so it doesn't have the sensitivity to listen for audio. For now, the risk is minimal, and as noted can be further reduced by using certain devices or configurations, but organizations at high risk for advanced, targeted attacks should at least be aware of this issue.
Ask the Expert!
Have a question about enterprise threats? Send it via email today! (All questions are anonymous.)
Learn more about detecting and preventing mobile device eavesdropping.
Dig Deeper on Mobile security threats and prevention
Related Q&A from Nick Lewis
Cloud penetration testing presents new challenges for information security teams. Here's how a playbook from the Cloud Security Alliance can help ... Continue Reading
Many cloud providers are tight-lipped about internal security control details. Learn how to evaluate cloud security providers with certifications and... Continue Reading
Enterprises new to the cloud can write new security policies from scratch, but others with broad cloud usage may need an update. Consider these ... Continue Reading