Two researchers from UC Davis have successfully created a proof-of-concept keylogger using a smartphone’s built-in gyroscope. TouchLogger was written for Android, but there is no reason the same couldn’t be done for iPhone or any modern smartphone or tablet for that matter.
Many modern gadgets feature a three-axis gyro to gather device-orientation data for the purposes of gaming or navigation. Hao Chen and Lian Cai analyzed minute variations in pitch, yaw, and roll (X, Y, and Z axis) paths during on-screen keyboard input to see if different keys produced distinct results. The keylogger has a 71.5% accuracy in 10-key number pad input. That percentage is lowered during input on a more crowded on-screen QWERTY keyboard, but I imagine accuracy could be increased with more tests, as well as contextual word analysis (i.e. auto-correct). Larger devices such as tablets also boasted a higher accuracy as there are greater margins between key presses and therefore more room for spatial variation.
While this is undoubtedly cool technology, the implication is a privacy concern. Because gyroscope data has not previously been considered an obvious avenue for attack, it is readily available to developers via built-in Android and iOS APIs. At the very least, smartphone OSes should consider deploying an allow/deny mechanism for gyro data as they do for GPS location.
Read the complete UC Davis PDF Paper here.