Researchers Used Sonar Signal From a Smartphone Speaker To Steal Unlock Passwords

An anonymous reader quotes a report from Motherboard: On Thursday, a group of researchers from Lancaster University posted a paper to arXiv that demonstrates how they used a smartphone's microphone and speaker system to steal the device's unlock pattern. Although the average person doesn't have to worry about getting hacked this way any time soon, the researchers are the first to demonstrate that this kind of attack is even possible. According to the researchers, their "SonarSnoop" attack decreases the number of unlock patterns an attacker must try by 70 percent and can be performed without the victim ever knowing they're being hacked. The attack begins when a user unwittingly installs a malicious application on their phone. When a user downloads the infected app, their phone begins broadcasting a sound signal that is just above the human range of hearing. This sound signal is reflected by every object around the phone, creating an echo. This echo is then recorded by the phone's microphone. By calculating the time between the emission of the sound and the return of its echo to the source, it is possible to determine the location of an object in a given space and whether that object is moving -- this is known as sonar.

The researchers were able to leverage this phenomenon to track the movement of someone's finger across a smartphone screen by analyzing the echoes recorded through the device's microphone. There are nearly 400,000 possible unlock patterns on the 3x3 swipe grid on Android phones, but prior research has demonstrated that 20 percent of people use one of 12 common patterns. While testing SonarSnoop, the researchers only focused on these dozen unlock combinations. Ten volunteers were recruited for the study and were asked to draw each of the 12 patterns five different times on a custom app. The researchers then tried a variety of sonar analysis techniques to reconstruct the password based on the acoustic signatures emitted by the phone. The best analysis technique resulted in the algorithm only having to try 3.6 out of the 12 possible patterns on average before it correctly determined the pattern.

Solution is simple

[Anonymous Coward]

Banana Republic! Then no one cares about anything.

Re:

[omnichad]

More importantly, why would you even need the passcode at that point?

Re:

[Crashmarik]

More importantly, why would you even need the passcode at that point?

People do insecure things like reuse passwords or minor variants.

Re:

[omnichad]

This is about a pattern unlock. How often do those get reused?

Re:

[Crashmarik]

why would you even need the passcode at that point?

You tell me why you asked the question

Re:

[omnichad]

Because you used the word "password" when the whole article is about unlock patterns. Just because I used words more similar to you doesn't mean I forgot what we were actually talking about.

Re:

[Crashmarik]

Yeah good luck with that chief.

Cool research!

[gweihir]

While probably not a real security problem at this time, it nicely demonstrates what powerful hardware and software can to even with simple sensors.

Re:

[Anonymous Coward]

It's interesting they didn't even mention sonar's ability to see through clothing.

Re:Cool research! -- Night vision

[fish_in_the_c]

I'm now waiting for the first sonar based night vision app to come out :) Maybe something that enhances the low light camera?
I wonder how good it is with distance? Can you map a room with it?

Re:

[gnick]

I wonder how good it is with distance? Can you map a room with it?

It's not remotely like The Dark Knight, but a little bit [slate.com].

Re:

[gnick]

Yes! They're comparing the number of attempts to the total number of possibilities. "Reduces by 70%" is accurate only if you declare that entering the patterns at random "reduces by 50%".

Rube Goldberg

[edi_guy]

If you can convince a user to download a malicious app, isn't that the end of the story as far as hacking their phone? Unless you are Dr. Evil from Austin Powers the addition of sonar tracking on top of the initial trojan is overkill.

I get that the sonar bit is clever, by why is it necessary to link that part with stealing passwords, other than to make it a little more press worthy.

Re:

[phantomfive]

On the other hand, if you download the app and they find your passcode, they then have no way to correlate that passcode to a specific phone, unless they are doing some kind of serious targetted attack, in which case they could also just film the person unlocking their phone.

Re:

[omnichad]

Background microphone doesn't require any permissions? Maybe we need to solve that one first. Would be great for getting rid of those advertising ping listeners too.

Re:

[yes-but-no]

And for homework assignment, track the user's eyeball movement with front camera and using the same AI/ML learning find the pattern (yeah ok to reduce search space from thousands into 12).

Re:

[Anubis IV]

It's about escalating privileges.

It's been quite awhile since the default behavior was to give apps unfettered access to the system, specifically because of malicious apps doing malicious things. These days, there are permissions that need to be requested for all sorts of actions, and if you try to request low level access, people tend to sit up, take notice, and start asking questions about what your app is doing and why it's doing it.

On the other hand, having permission to play sound and listen via the mi

Hollywood is real?

[Anonymous Coward]

Didn't they cover this in "The Dark Knight"?

https://www.scienceabc.com/humans/movies/how-scientifically-accurate-is-batmans-sonar-machine-in-the-dark-knight.html

Non-story

[Anonymous Coward]

Sorry, but they weren't guessing out of the blue. They were guessing from a subset of only 12 combinations. 12. The real security issue here is that people only generally use 1 of 12 different combinations.

Way to bury the lead!

[n3r0.m4dski11z]

So what are the 12 patterns? Cursory searches do not reveal this interesting piece of info. Could be fun at parties.

The 12 common patterns

[hankwang]

Figure 1 in the paper: https://arxiv.org/pdf/1808.102... [arxiv.org]

Mostly variants (rotations and flips) of L, Z, and 1.

70% or 40% reduction?

[Piete]

All good stuff, but is " decreases the number of unlock patterns an attacker must try by 70 percent" right?
If there are 12 options and I guessed randomly, I'd expect to have to try 6 before I got it.
They reduced this to 3.6, which I make a 40% reduction - have I missed something?

Re:

[Wulf2k]

It's like a USB port. You've gotta try some of possibilities multiple times before they'll work.