iPhone Keylogger Can Snoop On Desktop Typing

An anonymous reader writes "Researchers at Georgia Tech demonstrate that a mobile phone located near a keyboard can use its accelerometers to recover text typed by a target. 'The technique works through probability and by detecting pairs of keystrokes, rather than individual keys (which still is too difficult to accomplish reliably, Traynor said). It models “keyboard events” in pairs, then determines whether the pair of keys pressed is on the left versus right side of the keyboard, and whether they are close together or far apart. After the system has determined these characteristics for each pair of keys depressed, it compares the results against a preloaded dictionary, each word of which has been broken down along similar measurements (i.e., are the letters left/right, near/far on a standard QWERTY keyboard).'"

Good reason...

[MrKevvy]

... to switch to Dvorak.

Re:

[Anonymous Coward]

Or put it more than 3 inches away from your keyboard. This is an interesting idea, but far from practical in any way. That won't stop it from showing up on the next CSI and making the uninformed scared, though.

Re:

[ackthpt]

... to switch to Dvorak.

Why? I can type up to 30 errors a minute!

Re:

[Sentry360]

Haha, nice joke... Guessing than it's not just me that's noticed a huge decrease in error making? I haven't noticed as huge speed improvements, but error making has drastically went down. Anyone know why that is?

Re:Good reason...

[jhoegl]

Do grammatical errors count?

Re:

[laurelraven]

Grammar nazi is fail. He was referring to typo's, I'm sure, not grammar errors.

To GP: I switched 2 years ago, and I'm mostly typing the same speed I used to on Qwerty. I agree, though, that my typo rate has gone down a lot, and at times, my speed spikes way over what I used to be able to do. Also, same on the RSI thing...

Re:

[utkonos]

That's going to stop someone else from hiding their phone on your desk?

Re:

[Sentry360]

Would hiding two phones allow for better triangulation of the password?

Re:

[kelemvor4]

It's dictionary based. If you're not using an ultra lame password, you'll likely be OK.

Re:

[Baloroth]

Sort of. This sounds like a pretty difficult attack vector, so if someone is using this kind of attack against you, you can bet creating profiles for Dvorak won't be an issue for them. Not to say there aren't good reasons to switch to Dvorak anyways, just that this isn't one of them.

Note that this technique can't be used to recover passwords, since it is essentially a dictionary attack. Unless you use a password that can be broken by a dictionary attack, in which case you shouldn't be working on anything a

Re:

[TangoMargarine]

Qwerty is designed to make many common words have letters on alternating sides of the keyboard. This makes it more difficult to infer which word was actually typed, even if you can always tell which side of the keyboard a key press occurred on.

FTFY. Qwerty [wikipedia.org]

Re:

[laurelraven]

From the linked wiki:

Alternating hands while typing is a desirable trait in a keyboard design, since while one hand is typing a letter, the other hand can get in position to type the next letter. Thus, a typist may fall into a steady rhythm and type quickly. However, when a string of letters is done with the same hand, the chances of stuttering are increased and a rhythm can be broken, thus decreasing speed and increasing errors and fatigue. In the QWERTY layout many more words can be spelled using only the left hand than the right hand. In fact, thousands of English words can be spelled using only the left hand, while only a couple of hundred words can be typed using only the right hand. In addition, most typing strokes are done with the left hand in the QWERTY layout. This is helpful for left-handed people but to the disadvantage of right-handed people.

While that is a desirable trait, it is one that Qwerty has a problem with. Dvorak is a lot better at this.

Re:

[spyder-implee]

Also from tfa, keeping the phone > 3 inches from the keyboard also prevents it, and I assume different desk surfaces, types of wood/steel, keyboard material, type of keyboard (laptop keyboards?), keyboard trays, paper lying on a users desk and other sources of vibration interference also defeats this attack. It's almost laughable they bother suggesting setting extra permissions for the accelerometer's sample rate, when so many things need to fall into place for this to have a chance of revealing anything

Re:Good reason...

[LordLucless]

Unless you're using a Model M, in which case 3 miles is the maximum viable distance.

Re:

[Kozz]

Note that this technique can't be used to recover passwords, since it is essentially a dictionary attack.

Judging by the typos and spelling errors to be found in the average slashdot post, most of these folks will be immune to dictionary attacks. Unless they build up a dictionary of misspellings, too... dagnabbit!

Re:

[metageek]

> Oh, and keeping your phone in your pocket also circumvents it.

but gives you cancer...

Re:

[Anubis IV]

Darn right! If they're using an English dictionary to crack our passwords, using French words will fool them! They'll never get around that!

Exclamation points!!

Re:

[JasterBobaMereel]

..or just use Commonwealth English spelling instead of US American English Spelling ...

Re:

[Russ1642]

Switch? I've been using it for a decade. I still love it when I'm showing somebody something on my computer and they watch me type. They look all confused. Wait a second, you didn't hit Ctrl-F!

Re:

[Anonymous Coward]

You don't even need to read the headline to know that apple sucks.

One Word!

[Archangel Michael]

SWYPE

And for bonus: I type much faster with swype than trying to hunt/peck on my keyboard.

Re:One Word!

[TheInternetGuy]

I ttryuiiiiiiiiiiiiiiiiiiiiiuytredf swsvbbbbbbyuiopoijnnbgg okmjn mjuy PLOKJHBGVC kjhygtrertyuuuuuuuuuuuuuhbjioooooiujhytrfdsaasd Translates into: I tried Swyping on my PC keyboard It didn't work to well, now did it? And would probably be just as detectable by an accelerometer.

Re:

[Sancho]

Where can I download SWYPE for my desktop?

Did you even read the summary? Or the headline?

Re:

[Archangel Michael]

yes. and yes. My point remains, just because you don't get it doesn't diminish it at all.

Swype doesn't have sudden jolts to which one tie to keystroke taps on a virtual keyboard. It is fluid motion and is, in itself "guessing" by the complete pattern which word you're attempting to type. Good luck pairing two key taps together using SWYPE. How does software that depends on sudden jolts work with fluid motion?

Re:

[Sancho]

The researchers place a phone with custom software near a desktop keyboard. The custom software records vibrations from the desktop keyboard using the phone's accelerometers. Using statistical analysis, they can decode the vibrations to figure out what was typed on the desktop keyboard. They wouldn't have to use a phone--it's just a cheap, convenient source of commodity accelerometers. They could just as easily put custom hardware (with accelerometers) on the desktop and sniff in exactly the same manner.

The

Re:

[xQx]

lol!!

You sir, made my day.

I bet the GP poster is fat and ugly and stinks like shit. He probably has delusions of adequacy though.

Re:

[footitch]

word up.

Re:

[MobileTatsu-NJG]

Take a look at this comment, it may answer your question:

http://mobile.slashdot.org/comments.pl?sid=2482736&cid=37757330 [slashdot.org]

^^ As long as this happens, there'll be lotsa iPhone stories.

Re:

[exomondo]

Or maybe it's because the iphone was the subject of the study and since the iphone4 is the most common smartphone (im pretty sure that's correct? if not i retract the statement) it would be the ideal choice as you would likely need the same chassis and hardware to get consistent results, so choosing the most common phone would be the logical thing to do. Given the methodology it looks like it could be equally applied to just about any smartphone though.

Another reason

[no4]

to select passwords that cannot be found in a dictionary.

Shift Key

[ben_kelley]

"Why do you keep pressing the shift keys randomly?"
"Just bEing CArefUl of keyLogGers."

Re:

[Threni]

Why use the keyboard at all, vs clicking on things with a mouse. This works better somewhere you're not being watched, such as at home. Then again at home it's unlikely there's a hostile smartphone spying on you, other than via malware.

Ideal distance is just too close

[Zakabog]

The ideal distance is too close to my keyboard. Usually if I'm leaving my phone on my desk I put it to the right of my designated "mouse area" which is generally a foot or more from the keyboard. I'm a computer technician so I don't just sit at one computer all day too. Plus most of our customers seem to follow the same policy. They kind of put their phone on the corner of their desk so they don't bump it as their hands move around the keyboard and mouse. If my phone is that close to my keyboard I'm likely

ADD SOUND!

[bussdriver]

Sound can almost give away keys pressed. the sound on the desk is likely to work better than pickup from the air since solids conduct sound. Add vibration and you've got plenty of data to extract from! I somehow doubt the acceleration is precise enough to come close to a microphone; I wonder if an image from the camera (if in focus) could in some cases indicate more vibration than the accelerometer...
SOUND ALONE could do it much better. use the microphone.

Teslameter

[vaene]

Newer iPhones also come with a Teslameter, I wonder if the can detect em spikes when the keys make contact with their pads. Depending on the distance, again, and using the same or similar logic you could determine keystrokes that way as well I would think. I'll try it once I get my new iPhone, the old 3g doesn't have teslameter in it.

passphrases

[Yojimbo-San]

So with this technique, a password of "correct horse battery staple" would be detected, but "Tr0ub4dor" would not (http://xkcd.com/936/)...

Re:

[qxcv]

It's the same with all dictionary attacks, that's why "correct horse battery staple" isn't nearly as secure a password as Mr. XKCD claims when you're facing a moderately sophisticated adversary.

If you wanted to make a "correct horse battery staple" password more secure against this kind of attack, you could just capitalise some of the letters, or mash your unbound mod keys when entering passwords (i.e. ctl, alt, mod4, etc).

Re:

[zippthorne]

No, the XKCD analysis isn't based on the presumed strength of the letters in that passphrase, but instead on the *words*. He's estimating 11 bits of entropy per word, which means that the dictionary he's using has a mere 2048 words in it. If using every word in the /usr/dict/words (/usr/share/dict/words on a mac), that would be anywhere from 15 to 17 bits of per word:

zippthorne ~$ wc -l /usr/share/dict/words
235886 /usr/share/dict/words

The default dictionary for Ubuntu was circa 100k words the la

Re:

[John Hasler]

Unfortunately many people lack sufficient imagination to come up with a hard to guess string of words.

Imagination is not randomness.

[zippthorne]

You don't come up with it using your imagination. No password you pull out of "head entropy" is random. Nor likely to be particularly secure.

You use a pair of dice and a scrabble dictionary, or dice and a printout of 2k (or some other number of selected words so you can use an integer number of dice rolls per word).

Or you take your 2k words, and chomp off 11 bits at a time from /dev/random to pick, for however long you want your password to be.

If you hand select the 2k words, you can make sure that there

Re:

[thoromyr]

You lack an understanding of the actual entropy of english words. It is much lower than you think. But don't take my word for it, people have studied the topic seriously and even wikipedia has an entry level article. The short of it is that is 11 bits of entropy per word is hopelessly optimistic. http://en.wikipedia.org/wiki/Entropy_(information_theory) [wikipedia.org]

Re:

[Anonymous Coward]

You lack an understanding of the actual entropy of english words. It is much lower than you think. But don't take my word for it, people have studied the topic seriously and even wikipedia has an entry level article. The short of it is that is 11 bits of entropy per word is hopelessly optimistic.

I have an accurate understanding of the entropy of one random choice out of 4096. It is 11 bits. You are probably thinking about the entropy per word of English text. He's not suggesting you choose a sentence. H

Re:

[TangoMargarine]

After reading that comment, I don't know why the heck "correct horse battery staple" is somehow supposed to be easier to remember. I use a consistent "leetification" algorithm on my passwords, which is easier for me to remember that four completely random words (initially). Because remembering a horse saying "that's a battery staple" (which in and of itself makes no sense) and some other random person shouting "Correct!" makes so much sense...?

Re:

[TangoMargarine]

Well, I tack a few symbols on, too, but those aren't particularly easy to remember other than through repetition, which kind of blows my argument wide open.

Re:

[Yojimbo-San]

It's supposed to be easier to remember because you remember the composite image, and not the words themselves. You can choose images that are easy to remember (something based on goatse perhaps) and construct a phrase from there -- at the same time you meet the suggestion of a password that is so foul you would never tell another person what it is, thus preventing that whole password sharing problem. Double win. Except you have to remember goatse every time you log in. http://questionablecontent.net/view.ph [questionablecontent.net]

Re:

[neminem]

Brilliant! Next time I have to create a password on some throwaway site I don't care about, I'm totally using "I just lost the game". I'll never forget -that- (downside, every time I log in, or think about the site, I'll lose the game.)

Similar thing from 6 years ago

[Anonymous Coward]

Similar idea from 6 years ago, but using acoustics rather than vibrations
https://freedom-to-tinker.com/blog/felten/acoustic-snooping-typed-information

nice try

[pbjones]

if you left your phone on a desk next to a keyboard, it'll get stolen. (but seriously, it's not much of a security risk, you would do better, IMHO, recording the sound of the keys with the phone's mic)

Re:

[DriveDog]

Ahhh, and a two-vector attack should be much more successful. Use both the mic and accelerometers and compare to a dictionary generated with data from the two combined. While we're at it, can we use the phone to somehow detect changes in the RF field due to key presses/processing by the keyboard's microcontroller? Maybe that's too much of a processing load for one phone. But beware if you spot several phones lying next to your keyboard.

Great

[SpectreBlofeld]

Two Slashdot articles today about university researchers developing snooping technology - this, and the gizmo that sees through walls. Is it just me or is 99% of all academic research funded by the 'defense department' these days?

Soooo.....

[jasonla]

Sooo... "Need to eavesdrop on someone? There's an app for that." And I make this joke as an iPhone user who got the 4S the first week it was out, so please, no "Apple hater" accusations.

Re:

[mattventura]

I don't think you even RTFS

Re:

[mattventura]

Specifically, the summary says nothing about it being iphone specific, only that it requires accelerometers which are in a lot of phones and even many laptops.

Re:

[DJRumpy]

TFA does mention that the test was done on the article, probably due to the popularity of the phone, but it pretty much states flat out that any modern smartphone from the last 2 years would suffice if it has the required hardware.

“We first tried our experiments with an iPhone 3GS, and the results were difficult to read,” said Patrick Traynor, assistant professor in Georgia Tech’s School of Computer Science. “But then we tried an iPhone 4, which has an added gyroscope to clean up the

Re:

[MagusSlurpy]

The article says that the software requires a gyroscope in addition to the accelerometer to clear the data up enough for decoding, which laptops don't have. Additionally, I don't think the accelerometers built in to laptops are sensitive enough, they're meant for freefall detection as opposed to playing games.

Personally, I'd like to see someone make this work with a Wiimote next.

Re:

[RoFLKOPTr]

The article says that the software requires a gyroscope in addition to the accelerometer to clear the data up enough for decoding, which laptops don't have. Additionally, I don't think the accelerometers built in to laptops are sensitive enough, they're meant for freefall detection as opposed to playing games.

Personally, I'd like to see someone make this work with a Wiimote next.

Anyway, who would go through the trouble of making a keylogger that worked by reading a laptop's accelerometer when you can make a keylogger that worked by reading a laptop's keyboard.

Re:

[errandum]

My old logitech keyboard allows encryption of the information sent.

And this could be useful when you don't have access to the system - A pair of sensors left under a monitor, or behind it, could be enough to gather information from a classified and locked down computer.

Re:

[monkeyhybrid]

Maybe because you'd need physical (or network exploitable) access to the target laptop in order to install a keylogger? Reading accelerometer data from your own laptop that you could have pre-configured and casually put down on victim's desk requires no direct access to victim's PC.

Re:

[Gerzel]

Indeed. It isn't even the phone that is vulnerable. It is the keyboard.

Re:

[Nethead]

T-Mobile with UMA (aka WiFi Calling) will do you well. I live on a small Indian fishing village in NW Washington State. Crap cell coverage here too.

Re:

[Anonymus]

Of all the reasons not to buy an iphone, this is by far the stupidest most non-existant one.

Re:

[hardburlyboogerman]

Sorry if you think so,but I'm disabled and on a fixed income.The cost is not worth it.

Re:

[laurelraven]

I suspect he was referring not to your remote status so much as the article...and I agree, not buying an iPhone because of this would be pretty stupid (if nothing else, most decent Android phones would be just as vulnerable). Based on everything my phone does, however, with a wifi connection, I would probably get one even if I didn't have reception at my house. But, we each chose for ourselves.