The bevy of mobile device sensors in modern smartphones and tablets makes them more akin to pocket-sized laboratories and media studios than mere communication devices. Cameras, microphones, accelerometers, and gyroscopes give incredible flexibility to app developers and utility to mobile device users. But the variety of inputs also gives clever hackers new methods of bypassing conventional mobile security—or even collecting sensitive information outside of the device.
Anyone who is serious about security and privacy, both for themselves and for end users, should consider how these sensors create unique vulnerabilities and can be exploited by cybercriminals.
Hackers of every hat color have been exploiting mobile device sensors for years. In 2012, researchers developed malware called PlaceRaider, which used Android sensors to develop a 3D map of a user’s physical environment. In 2017, researchers used a smart algorithm to unlock a variety of Android smartphones with near complete success within three attempts, even when the phones had fairly robust security defenses.
But as updates have been released with patches for the most serious vulnerabilities, hackers in 2019 have responded by finding even more creative ways to use sensors to snag vulnerable data.
“Listening” to passwords
Researchers were able to learn computer passwords by accessing a mobile device’s microphone. The Cambridge University and Linköping University researchers created an artificial intelligence (AI) algorithm that analyzed typing sounds. Out of 45 people tested, their passwords were cracked seven times out of 27. The technique was even more effective on tablets, where it was right 19 times out of 27, within 10 attempts.
“We showed that the attack can successfully recover PIN codes, individual letters, and whole words,” the researchers wrote. Consider how easily most mobile users grant permission for an app to access their device’s microphone, without considering the possibility that the sound of their tapping on the screen could be used to decipher passwords or other phrases.
While this type of attack has never happened in the wild, it’s a reminder for users to be extra cautious when allowing applications access to their mobile device’s mic—especially if there’s no clear need for the app’s functionality.
Eavesdropping without a microphone
Other analysts have discovered that hackers don’t need access to a device’s microphone in order to tap into audio. Researchers working at the University of Alabama at Birmingham and Rutgers University eavesdropped on audio played through an Android device’s speakerphone with just the accelerometer, the sensor used to detect the orientation of the device. They found that sufficiently loud audio can impact the accelerometer, leaking sensitive information about speech patterns.
The researchers dubbed this capability “spearphone eavesdropping,” stating that threat actors could determine the gender, identity, or even some of the words spoken by the device owner using methods of speech recognition or reconstruction. Because accelerometers are always on and don’t require permissions to operate, malicious apps could record accelerometer data and play back audio through speech recognition software.
While an interesting attack vector that would be difficult to protect against—restricting access or usage of accelerometer features would severely limit the usability of smart devices—this vulnerability would require that cybercriminals develop a malicious app and persuade users to download it. Once on a user’s device, it would make much more sense to drop other forms of malware or request access to a microphone to pull easy-to-read/listen-to data.
Since modern-day users tend to pay little attention to permissions notices or EULAs, the advantage of permission-less access to the accelerometer doesn’t yet provide enough return on investment for criminals. However, we once again see how access to mobile device sensors for one functionality can be abused for other purposes.
Fingerprinting devices with sensors
In May, UK researchers announced they had developed a fingerprinting technique that can track mobile devices across the Internet by using easily obtained factory-set sensor calibration details. The attack, called SensorID, uses calibration details from the accelerometer, gyroscope, and magnetometer sensors to track a user’s web-browsing habits. This calibration data can also be used to track users as they switch between browsers and third-party apps, hypothetically allowing someone to get a full view of what users are doing on their devices.
Apple patched the vulnerability in iOS 12.2, while Google has yet to patch the issue in Android.
Avoiding detection with the accelerometer
Earlier this year, Trend Micro uncovered two malicious apps on Google Play that drop wide-reaching banking malware. The apps appeared to be basic tools called Currency Converter and BatterySaverMobi. These apps cleverly used motion sensors to avoid being spotted as malware.
A device that generates no motion sensor information is likely an emulator or sandbox environment used by researchers to detect malware. However, a device that does generate motion sensor data tells threat actors that it’s a true, user-owned device. So the malicious code only runs when the device is in motion, helping it sneak past researchers who might try to detect the malware in virtual environments.
While the apps were taken down from Google Play, this evasive technique could easily be incorporated into other malicious apps on third-party platforms.
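For analysts, the practical consequence is that an emulator used for detonation should report changing motion data rather than a constant reading. The following Python is an added example, not code from the original article or from Trend Micro's report: it builds a constructed hand-held accelerometer trace, checks that the trace is not flat, and formats it as `sensor set acceleration` lines for the stock Android emulator console. The function names, the motion model and the thresholds are assumptions.

```python
import math
import random

GRAVITY = 9.81  # m/s^2

def handheld_trace(n_samples, rate_hz=10, seed=None):
    """Constructed (x, y, z) accelerometer samples for a phone held in a hand:
    gravity split across y/z by a slowly swaying tilt, plus small jitter."""
    rng = random.Random(seed)
    samples = []
    for i in range(n_samples):
        t = i / rate_hz
        tilt = math.radians(35 + 5 * math.sin(0.4 * t))  # slow wrist sway
        x = 0.3 * math.sin(1.3 * t) + rng.gauss(0, 0.05)
        y = GRAVITY * math.sin(tilt) + rng.gauss(0, 0.05)
        z = GRAVITY * math.cos(tilt) + rng.gauss(0, 0.05)
        samples.append((round(x, 3), round(y, 3), round(z, 3)))
    return samples

def looks_static(samples, min_std=0.01):
    """True when every axis is effectively constant, which is what an
    emulator left at its default sensor values reports."""
    for axis in zip(*samples):
        mean = sum(axis) / len(axis)
        std = math.sqrt(sum((v - mean) ** 2 for v in axis) / len(axis))
        if std >= min_std:
            return False
    return True

def console_commands(samples):
    """Format samples as Android emulator console lines, one per sample,
    to be sent at the chosen sample rate."""
    return ["sensor set acceleration %s:%s:%s" % s for s in samples]

if __name__ == "__main__":
    default_emulator = [(0.0, 9.81, 0.0)] * 20   # constructed: flat trace
    print("default emulator static:", looks_static(default_emulator))
    trace = handheld_trace(30, seed=7)
    print("simulated trace static:", looks_static(trace))
    for line in console_commands(trace[:5]):
        print(line)
```

Running `looks_static` over the values a sandbox actually reports is a quick self-test before relying on it for mobile malware analysis.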
The mobile security challenges of the future
Mobile device sensors are especially vulnerable to abuse because no special permissions or escalations are required to access these sensors.
Most end users are capable of using strong passwords and protecting their device with anti-malware software. However, they probably don’t think twice about how their device’s gyroscope is being used.
The good news is that mobile OS developers are working to add security protections to sensors. Android Pie tightened security by limiting sensor and user input data. Apps running in the background on a device running Android Pie can’t access the microphone or camera. Additionally, for those background apps, sensors that use the continuous reporting mode, such as accelerometers and gyroscopes, don’t receive events.
That means that mobile security challenges of the future won’t be solved with traditional cryptographic techniques. As long as hackers are able to access sensors that detect and measure physical space, they’ll continue to exploit that easy-to-access data to secure the sensitive information that they want.
As mobile devices expand their toolbox of sensors, that will create new vulnerabilities—and yet-to-be-discovered challenges for security professionals.