Eavesdropping on smartphone keystrokes using the accelerometer

Two researchers from the University of California at Davis, Hao Chen and Liang Cai, found a way to determine which keys have been pressed on the on-screen keypad of Android OS by measuring the shifts, vibration and wobble of the device as recorded by the built-in accelerometer. This is important because accelerometer data was not considered a potential attack vector and is thus freely available to any application on any smartphone or tablet.

Eavesdropping on keystrokes on a desktop or laptop computer running Windows or Mac is incredibly simple: install the appropriate program (or a Trojan will do it for you), set where the stolen key codes should be saved or sent, and that is all! When it comes to smartphones, however, complex systems of access restrictions make this approach almost impossible unless side channels are used. Strictly speaking, a side channel is an open source of information that helps an attacker break a cryptographic system. In a broader sense, a side channel may be an indicator light on a router that blinks while data is being transferred, or the sound of keys being pressed on a keypad. [Note: these are real varieties of attack.] In other words, side channels are characteristics of a system whose potential danger is overlooked.

In this case, the two researchers used the spatial orientation data of an Android device, a set of three angles that defines the orientation of the phone in XYZ space, to determine where the user tapped on the screen. Each key has a unique pattern of angle changes along the three axes, which can be identified (see below). The accuracy depends on the phone model: the HTC Evo 4G updates its orientation data every 30 ms, and the Motorola Droid every 110 ms. In general, the researchers were able to reach 71.5% accuracy for a 10-key keypad. The remaining 28.5% are errors due to the close layout of the keys. The TouchLogger program can correctly identify the column or row of each keystroke, but sometimes there is not enough data to identify the particular key.


Of course, keystrokes on a QWERTY keypad are more difficult to detect than on the 10-key numeric one, but what we have here is only a proof of concept, and 70% accuracy is more than enough to break the confidentiality of any data entered into the phone. In addition, it is noted that on devices such as tablets the keypad should be easier to monitor, and that gyroscopes can be used together with the camera to increase the resolution and accuracy of TouchLogger.

Finally, it is important to note that this side channel is not just a security hole in Android: accelerometer and gyroscope data are available through the DeviceOrientation API, which is implemented in Android 3.0, iOS 4.2, and all modern browsers. In other words, this exploit requires TouchLogger to be installed on the Android phone, but in theory someone could take the work of Chen and Cai and implement it in JavaScript, and then use it to steal your passwords and credit card information while you surf the Internet.
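On the defensive side of the browser exposure described above, a site can restrict which origins may read motion sensors with the `Permissions-Policy` response header (features `accelerometer`, `gyroscope`, `magnetometer`) in browsers that enforce it for orientation events. The following audit helper is an added example, not part of the original post or of TouchLogger; the function names and sample header values are constructed for illustration.

```javascript
// Added example: audit a Permissions-Policy header for motion-sensor exposure.
const MOTION_FEATURES = ["accelerometer", "gyroscope", "magnetometer"];

// Split a structured-field dictionary on top-level commas only.
function splitMembers(header) {
  const out = [];
  let depth = 0, quoted = false, cur = "";
  for (const ch of header) {
    if (ch === '"') quoted = !quoted;
    else if (!quoted && ch === "(") depth++;
    else if (!quoted && ch === ")") depth--;
    if (ch === "," && depth === 0 && !quoted) { out.push(cur); cur = ""; }
    else cur += ch;
  }
  if (cur.trim()) out.push(cur);
  return out.map((m) => m.trim()).filter(Boolean);
}

// Allowlist for one member value: [] = blocked everywhere, ["*"] = any origin.
function parseAllowlist(value) {
  const v = value.split(";")[0].trim(); // drop structured-field parameters
  if (v === "*") return ["*"];
  const inner = v.startsWith("(") && v.endsWith(")") ? v.slice(1, -1) : v;
  return inner.split(/\s+/).filter(Boolean).map((t) => t.replace(/^"|"$/g, ""));
}

// Classify each motion feature: blocked, restricted, all-origins, or default.
function auditMotionPolicy(header) {
  const policy = new Map();
  for (const member of splitMembers(header || "")) {
    const eq = member.indexOf("=");
    if (eq < 0) continue;
    policy.set(member.slice(0, eq).trim().toLowerCase(),
               parseAllowlist(member.slice(eq + 1)));
  }
  const report = {};
  for (const f of MOTION_FEATURES) {
    if (!policy.has(f)) report[f] = "default"; // header sets nothing: browser default applies
    else if (policy.get(f).length === 0) report[f] = "blocked";
    else if (policy.get(f).includes("*")) report[f] = "all-origins";
    else report[f] = "restricted";
  }
  return report;
}

// Constructed sample header values, not taken from any real site.
const SAMPLES = [
  'accelerometer=(), gyroscope=(), camera=(self "https://cdn.example")',
  "gyroscope=(self), geolocation=*",
];
for (const h of SAMPLES) console.log(h, "->", auditMotionPolicy(h));
```

A page that embeds third-party frames next to password or payment fields would want `blocked` or `restricted` for all three features; `default` means the header does nothing to narrow sensor access.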

There is an article in the magazine New Scientist about TouchLogger [PDF]
Pirat 4 october 2011, 14:29