There's Proof That Hackers Could 'Hear' the Passwords You Enter on Your Phone
There are a number of ways to compromise a password. If a service provider doesn't store it correctly, hackers can steal it. They can also trick users into giving away their login data, and because people's password creation habits are so horribly predictable, the crooks can often guess the credentials that are supposed to protect some pretty sensitive data. University researchers have now found another, more unusual way of stealing a password – through soundwaves.
The team of experts consists of Ilia Shumailov, Laurent Simon, and Ross Anderson from the University of Cambridge in England as well as Jeff Yan from Linköping University in Sweden. They devised and pulled off what they call an "acoustic side-channel" attack which uses the microphones of a smartphone or a tablet computer in order to "hear" what the victim is entering on the device's touchscreen.
How does the acoustic side-channel attack work?
Many of you might already be a bit skeptical about the whole idea. After all, one of the good things about typing on touchscreen devices is that doing it emits no noise at all. While the sound of fingers tapping on a glass screen might be inaudible to the human ear, however, this is not strictly the case when it comes to modern smartphones' microphones.
The experiment was targeted at Android devices, which often vibrate when users tap keys on virtual keyboards and PIN pads. Initially, the researchers wanted to use this to their advantage, but they soon figured out that many banking applications deliberately disable this functionality. That's why they decided to go down a different route.
Mobile phones have at least two microphones – one near the top of the device, and one near the bottom. Depending on the region of the screen that you tap on, the sound will reach one of the microphones a tiny bit sooner than the other one. The researchers thought that by taking this difference into account, they could have an educated guess as to where the user is tapping. As it turns out, they were right.
The results were just as surprising as they were worrying
Using machine learning technology, the experts developed a special application and gave it to 45 participants who were told to enter some PIN codes and passwords. To make the scenario as realistic as possible, the experiments were conducted in several places with different levels of background noise.
After recording the soundwaves made by the participants' fingers, the experts used their software to figure out what the passwords and PIN codes might be. A staggering 73% of the four-digit PIN codes were cracked with 10 attempts or fewer. Predictably, the success rate with passwords was lower, but it was still not insignificant.
About 30% of the passwords were exposed with fewer than 20 guesses. Bear in mind that we're talking about passwords that are between 7 and 13 characters long and consist of letters and numbers. Cracking those in a traditional brute-force scenario would have been much harder.
It all sounds very grim, but before you panic, you should bear in mind that for the time being at least, the acoustic side-channel attack the researchers developed is unlikely to put you in any immediate danger.
When are cybercriminals going to start using your device's microphones to guess your password?
As we mentioned already, the attack was devised by academic researchers who used cutting edge technology to achieve what is undoubtedly a very impressive result. The paper they published does explain in more details how it all works, but if hackers are going to use this method, they'll need to develop their own software which listens to and deciphers the taps on your phone's screen. This will not be easy.
In other words, the first hacking groups who will use this attack in the real world will be extremely sophisticated, probably state-sponsored, and will most likely be after high profile targets. In order to pull the attack off, they'll also need to persuade the victims to install a malicious app and give it permissions to access the device's microphone.
Even if they achieve this, they need to bear in mind that, as the researchers discovered, background noise can make the task of guessing passwords much more difficult. When the target puts their hands over the microphone, which, according to the research paper, happens often, it becomes practically impossible.
So, for now, the acoustic side-channel attack is more of a theory than a real-world threat. Nevertheless, as the experts pointed out in the paper, software and hardware vendors should probably consider implementing a visual indicator which shows whether or not the microphone is in use. When it comes to users, the advice hasn't really changed. They need to be careful with the applications they install and the permissions they grant.