Malicious actors can decode what a person is typing by using a spying app that can access the smartphone’s microphone, according to the study, which was first reported by the Wall Street Journal. “We showed that the attack can successfully recover PIN codes, individual letters and whole words,” the researchers wrote.
A passive, sound-based attack could be executed if a person installs an app infected with such malware. “Many apps ask for this permission and most of us blindly accept the list of demanded permissions anyway,” the researchers wrote. Attackers could also provide their target with a smartphone on which the malicious app was pre-installed.
The researchers designed a machine-learning algorithm that could decode vibrations for specific keystrokes. Among a test group of 45 people across several tests, the researchers could correctly replicate passwords on smartphones seven times out of 27, within 10 attempts. On tablets, the researchers achieved better results, nailing the password 19 times out of 27 within 10 attempts.
“We found the device’s microphone(s) can recover this wave and ‘hear’ the finger’s touch, and the wave’s distortions are characteristic of the tap’s location on the screen,” the researchers wrote. “Hence, by recording audio through the built-in microphone(s), a malicious app can infer text as the user enters it on their device.”
The experiment ran on an Android application that allowed participants to enter letters and words on two LG Nexus 5 phones and a Nexus 9 tablet, according to the paper. As the participants tapped in the passwords, the app recorded audio through the devices’ built-in microphones. To simulate a real-world environment, the researchers had participants enter passwords at three locations at a university, with different levels of background noise: a common room where a coffee machine was used, a reading room with computers, and a library.
The study has not yet been peer-reviewed, according to the report, or been published, but it is available online through a website maintained by Cornell University for academic research.
To guard against such attacks, the researchers suggested, smartphone makers might consider installing a switch that would allow users to shut off the microphone. Another option, they said, is to simply make it more obvious when the microphone is on, by flashing a light or an icon on the screen.
The research fits into a broader study of security vulnerabilities that exploit a device’s built-in sensors — like cameras and accelerometers — to extract personal information from users without their knowledge.