iPhone Keylogger Can Snoop On Desktop Typing

Soulskill posted about 3 years ago | from the technology-is-awesome-and-creepy dept.

Cellphones 103

An anonymous reader writes "Researchers at Georgia Tech demonstrate that a mobile phone located near a keyboard can use its accelerometers to recover text typed by a target. 'The technique works through probability and by detecting pairs of keystrokes, rather than individual keys (which still is too difficult to accomplish reliably, Traynor said). It models “keyboard events” in pairs, then determines whether the pair of keys pressed is on the left versus right side of the keyboard, and whether they are close together or far apart. After the system has determined these characteristics for each pair of keys depressed, it compares the results against a preloaded dictionary, each word of which has been broken down along similar measurements (i.e., are the letters left/right, near/far on a standard QWERTY keyboard).'"
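An added illustration (not from the article or the researchers' code) of the pair-feature dictionary matching the summary describes, seen from the defender's side: it shows how many dictionary words share one left/right, near/far profile, and that a string outside the dictionary matches nothing. The key coordinates, the left/right split, the near/far threshold and the word list are all assumptions constructed for this example.

```python
from collections import defaultdict
from math import hypot

# Assumed QWERTY geometry (letter block only): x in key widths, rows staggered.
ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]
ROW_OFFSET = [0.0, 0.25, 0.75]
POS = {ch: (col + ROW_OFFSET[r], float(r))
       for r, row in enumerate(ROWS)
       for col, ch in enumerate(row)}

LEFT_KEYS = set("qwertasdfgzxcvb")  # assumed left/right split of the keyboard
NEAR_MAX = 3.0                      # assumed near/far threshold, in key widths


def pair_feature(a, b):
    """Describe one key pair, e.g. 'LRF': side of a, side of b, Near/Far."""
    (x1, y1), (x2, y2) = POS[a], POS[b]
    side_a = "L" if a in LEFT_KEYS else "R"
    side_b = "L" if b in LEFT_KEYS else "R"
    distance = "N" if hypot(x1 - x2, y1 - y2) <= NEAR_MAX else "F"
    return side_a + side_b + distance


def profile(word):
    """Break a word into the features of its consecutive key pairs."""
    letters = word.lower()
    unknown = sorted({c for c in letters if c not in POS})
    if unknown:
        raise ValueError(f"keys outside the modelled letter block: {unknown}")
    return tuple(pair_feature(a, b) for a, b in zip(letters, letters[1:]))


def build_index(words):
    """Map each profile to every dictionary word that produces it."""
    index = defaultdict(list)
    for word in words:
        index[profile(word)].append(word)
    return index


def candidates(typed, index):
    """Dictionary words indistinguishable from `typed` under these features."""
    return sorted(index.get(profile(typed), []))


def unique_fraction(words):
    """Share of the word list whose profile belongs to exactly one word."""
    index = build_index(words)
    unique = sum(1 for w in words if len(index[profile(w)]) == 1)
    return unique / len(words)


# Constructed word list standing in for the "preloaded dictionary".
DICTIONARY = ["cat", "sat", "rat", "bat", "hat", "mat", "the", "and",
              "you", "key", "pin", "secret", "letter", "window"]
INDEX = build_index(DICTIONARY)

if __name__ == "__main__":
    for typed in ("cat", "bat", "hat", "xkqvzp"):
        print(f"{typed!r:10} profile={profile(typed)}")
        print(f"{'':10} candidates={candidates(typed, INDEX)}")
    print("uniquely identified:", f"{unique_fraction(DICTIONARY):.0%}")
```

The coarse features leave several words per profile, and a string that is not in the word list returns no candidates at all, which is the dictionary dependence several commenters below point out.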

If you use an iPhone... (-1)

Anonymous Coward | about 3 years ago | (#37757330)

Then you deserve whatever happens to you.

Re:If you use an iPhone... (1)

mattventura (1408229) | about 3 years ago | (#37757348)

I don't think you even RTFS

Re:If you use an iPhone... (1)

mattventura (1408229) | about 3 years ago | (#37757364)

Specifically, the summary says nothing about it being iphone specific, only that it requires accelerometers which are in a lot of phones and even many laptops.

Re:If you use an iPhone... (2)

DJRumpy (1345787) | about 3 years ago | (#37757674)

TFA does mention that the test was done on the article, probably due to the popularity of the phone, but it pretty much states flat out that any modern smartphone from the last 2 years would suffice if it has the required hardware.

“We first tried our experiments with an iPhone 3GS, and the results were difficult to read,” said Patrick Traynor, assistant professor in Georgia Tech’s School of Computer Science. “But then we tried an iPhone 4, which has an added gyroscope to clean up the accelerometer noise, and the results were much better. We believe that most smartphones made in the past two years are sophisticated enough to launch this attack.”

Re:If you use an iPhone... (1)

MagusSlurpy (592575) | about 3 years ago | (#37758098)

The article says that the software requires a gyroscope in addition to the accelerometer to clear the data up enough for decoding, which laptops don't have. Additionally, I don't think the accelerometers built in to laptops are sensitive enough, they're meant for freefall detection as opposed to playing games.

Personally, I'd like to see someone make this work with a Wiimote next.

Re:If you use an iPhone... (2)

RoFLKOPTr (1294290) | about 3 years ago | (#37758232)

> The article says that the software requires a gyroscope in addition to the accelerometer to clear the data up enough for decoding, which laptops don't have. Additionally, I don't think the accelerometers built in to laptops are sensitive enough, they're meant for freefall detection as opposed to playing games.
>
> Personally, I'd like to see someone make this work with a Wiimote next.

Anyway, who would go through the trouble of making a keylogger that worked by reading a laptop's accelerometer when you can make a keylogger that worked by reading a laptop's keyboard.

Re:If you use an iPhone... (1)

errandum (2014454) | about 3 years ago | (#37760180)

My old logitech keyboard allows encryption of the information sent.

And this could be useful when you don't have access to the system - A pair of sensors left under a monitor, or behind it, could be enough to gather information from a classified and locked down computer.

Re:If you use an iPhone... (1)

monkeyhybrid (1677192) | about 3 years ago | (#37760368)

Maybe because you'd need physical (or network exploitable) access to the target laptop in order to install a keylogger? Reading accelerometer data from your own laptop that you could have pre-configured and casually put down on victim's desk requires no direct access to victim's PC.

Re:If you use an iPhone... (1)

Gerzel (240421) | about 3 years ago | (#37758456)

Indeed. It isn't even the phone that is vulnerable. It is the keyboard.

Re:If you use an iPhone... (0)

Anonymous Coward | about 3 years ago | (#37758092)

> I don't think you even RTFS

I don't think you even read the headline.

Re:If you use an iPhone... (1)

MichaelKristopeit403 (1978294) | about 3 years ago | (#37757366)

if you typed that next to a person with an iphone then they didn't have to wait for you to submit it to know you're an ignorant hypocrite.

Re:If you use an iPhone... (0)

hardburlyboogerman (161244) | about 3 years ago | (#37758198)

Now you know why I won't buy one ever. For as little as I use a cellphone (Rural SE KY, NO cellphone will work here at my home), the iPhone is a waste of money.

Re:If you use an iPhone... (1)

Nethead (1563) | about 3 years ago | (#37758750)

T-Mobile with UMA (aka WiFi Calling) will do you well. I live on a small Indian fishing village in NW Washington State. Crap cell coverage here too.

Re:If you use an iPhone... (1)

Anonymus (2267354) | about 3 years ago | (#37759318)

Of all the reasons not to buy an iPhone, this is by far the stupidest, most non-existent one.

Re:If you use an iPhone... (1)

hardburlyboogerman (161244) | about 3 years ago | (#37759896)

Sorry if you think so, but I'm disabled and on a fixed income. The cost is not worth it.

Re:If you use an iPhone... (1)

laurelraven (1539557) | about 3 years ago | (#37769156)

I suspect he was referring not to your remote status so much as the article...and I agree, not buying an iPhone because of this would be pretty stupid (if nothing else, most decent Android phones would be just as vulnerable). Based on everything my phone does, however, with a wifi connection, I would probably get one even if I didn't have reception at my house. But, we each chose for ourselves.

Good reason... (5, Funny)

MrKevvy (85565) | about 3 years ago | (#37757372)

... to switch to Dvorak.

Re:Good reason... (0, Flamebait)

Anonymous Coward | about 3 years ago | (#37757392)

Sure, if you're into having sex with men.

Re:Good reason... (0)

Anonymous Coward | about 3 years ago | (#37757394)

or put your keyboard on a thin strip of rubber, would that help?

Re:Good reason... (0)

Anonymous Coward | about 3 years ago | (#37757414)

If you bang the keyboard with your fist, no.

Re:Good reason... (1)

Anonymous Coward | about 3 years ago | (#37757486)

Or put it more than 3 inches away from your keyboard. This is an interesting idea, but far from practical in any way. That won't stop it from showing up on the next CSI and making the uninformed scared, though.

Re:Good reason... (1)

ackthpt (218170) | about 3 years ago | (#37757398)

> ... to switch to Dvorak.

Why? I can type up to 30 errors a minute!

Re:Good reason... (2)

Sentry360 (1694728) | about 3 years ago | (#37757610)

Haha, nice joke... Guessing than it's not just me that's noticed a huge decrease in error making? I haven't noticed as huge speed improvements, but error making has drastically went down. Anyone know why that is?

Re:Good reason... (3, Funny)

jhoegl (638955) | about 3 years ago | (#37757624)

Do grammatical errors count?

Re:Good reason... (0)

Anonymous Coward | about 3 years ago | (#37760472)

It's because you've consciously learned to type instead of picking it up as you went along. Nothing to do with the layout, everything to do with proper training.

Don't get me wrong, though! Whatever the cause, it is clear that many people do see great benefits from switching to Dvorak that they would never gain if they stuck with QWERTY.

Re:Good reason... (0)

Anonymous Coward | about 3 years ago | (#37761590)

No, but switching to Dvorak has greatly helped my RSI, without a change of keyboard. And I actually have noticed a speed increase, myself. I was only ever 40-50 WPM in QWERTY, but am 60+ on Dvorak. :)

Re:Good reason... (0)

Anonymous Coward | about 3 years ago | (#37763982)

You've already made many errors in your post.

So either:
a) you made "drastically" a lot more errors before. More than one in every sentence?
b) your ability to detect your errors has deteriorated.

Re:Good reason... (1)

laurelraven (1539557) | about 3 years ago | (#37769196)

Grammar nazi is fail. He was referring to typos, I'm sure, not grammar errors.

To GP: I switched 2 years ago, and I'm mostly typing the same speed I used to on Qwerty. I agree, though, that my typo rate has gone down a lot, and at times, my speed spikes way over what I used to be able to do. Also, same on the RSI thing...

Re:Good reason... (0)

Anonymous Coward | about 3 years ago | (#37757450)

Or to get a simpler phone.

Re:Good reason... (1)

utkonos (2104836) | about 3 years ago | (#37757490)

That's going to stop someone else from hiding their phone on your desk?

Re:Good reason... (1)

Sentry360 (1694728) | about 3 years ago | (#37757628)

Would hiding two phones allow for better triangulation of the password?

Re:Good reason... (1)

kelemvor4 (1980226) | about 3 years ago | (#37757728)

It's dictionary based. If you're not using an ultra lame password, you'll likely be OK.

Re:Good reason... (0)

Anonymous Coward | about 3 years ago | (#37758052)

they still get the contents of your email you are writing though...

Re:Good reason... (1)

Baloroth (2370816) | about 3 years ago | (#37757526)

Sort of. This sounds like a pretty difficult attack vector, so if someone is using this kind of attack against you, you can bet creating profiles for Dvorak won't be an issue for them. Not to say there aren't good reasons to switch to Dvorak anyways, just that this isn't one of them.

Note that this technique can't be used to recover passwords, since it is essentially a dictionary attack. Unless you use a password that can be broken by a dictionary attack, in which case you shouldn't be working on anything anyone would want to steal. Oh, and keeping your phone in your pocket also circumvents it.

Re:Good reason... (0)

Anonymous Coward | about 3 years ago | (#37757694)

> Sort of. This sounds like a pretty difficult attack vector, so if someone is using this kind of attack against you, you can bet creating profiles for Dvorak won't be an issue for them. Not to say there aren't good reasons to switch to Dvorak anyways, just that this isn't one of them.

Dvorak is designed to make many common words have letters on alternating sides of the keyboard. This makes it more difficult to infer which word was actually typed, even if you can always tell which side of the keyboard a key press occurred on.

Re:Good reason... (1)

TangoMargarine (1617195) | about 3 years ago | (#37762062)

Qwerty is designed to make many common words have letters on alternating sides of the keyboard. This makes it more difficult to infer which word was actually typed, even if you can always tell which side of the keyboard a key press occurred on.

FTFY. Qwerty [wikipedia.org]

Re:Good reason... (1)

laurelraven (1539557) | about 3 years ago | (#37769260)

From the linked wiki:

Alternating hands while typing is a desirable trait in a keyboard design, since while one hand is typing a letter, the other hand can get in position to type the next letter. Thus, a typist may fall into a steady rhythm and type quickly. However, when a string of letters is done with the same hand, the chances of stuttering are increased and a rhythm can be broken, thus decreasing speed and increasing errors and fatigue. In the QWERTY layout many more words can be spelled using only the left hand than the right hand. In fact, thousands of English words can be spelled using only the left hand, while only a couple of hundred words can be typed using only the right hand. In addition, most typing strokes are done with the left hand in the QWERTY layout. This is helpful for left-handed people but to the disadvantage of right-handed people.

While that is a desirable trait, it is one that Qwerty has a problem with. Dvorak is a lot better at this.

Re:Good reason... (2)

spyder-implee (864295) | about 3 years ago | (#37757696)

Also from TFA, keeping the phone > 3 inches from the keyboard also prevents it, and I assume different desk surfaces, types of wood/steel, keyboard material, type of keyboard (laptop keyboards?), keyboard trays, paper lying on a user's desk and other sources of vibration interference also defeat this attack. It's almost laughable they bother suggesting setting extra permissions for the accelerometer's sample rate, when so many things need to fall into place for this to have a chance of revealing anything of value in the first place.

Re:Good reason... (0)

Anonymous Coward | about 3 years ago | (#37757944)

And would it work on someone like me who can mix French, English, Spanish, Japanese and Chinese in the same mail with different combinations depending on what languages my friends speak?

Re:Good reason... (0)

Anonymous Coward | about 3 years ago | (#37758016)

No, but there's only one of you and you're irrelevant.

Re:Good reason... (3, Funny)

LordLucless (582312) | about 3 years ago | (#37757984)

Unless you're using a Model M, in which case 3 miles is the maximum viable distance.

Re:Good reason... (1)

Kozz (7764) | about 3 years ago | (#37758284)

> Note that this technique can't be used to recover passwords, since it is essentially a dictionary attack.

Judging by the typos and spelling errors to be found in the average slashdot post, most of these folks will be immune to dictionary attacks. Unless they build up a dictionary of misspellings, too... dagnabbit!

Re:Good reason... (1)

metageek (466836) | about 3 years ago | (#37759210)

> Oh, and keeping your phone in your pocket also circumvents it.

but gives you cancer...

Re:Good reason... (1)

Anubis IV (1279820) | about 3 years ago | (#37758132)

Darn right! If they're using an English dictionary to crack our passwords, using French words will fool them! They'll never get around that!

Exclamation points!!

Re:Good reason... (1)

JasterBobaMereel (1102861) | about 3 years ago | (#37759478)

..or just use Commonwealth English spelling instead of US American English Spelling ...

Re:Good reason... (0)

Anonymous Coward | about 3 years ago | (#37758342)

Or just leave the phone on the bed while you're having sex. That will really fuck with them. "It's very odd... He was apparently transcribing War and Peace, but his spelling is atrocious!"

Re:Good reason... (1)

Russ1642 (1087959) | about 3 years ago | (#37761782)

Switch? I've been using it for a decade. I still love it when I'm showing somebody something on my computer and they watch me type. They look all confused. Wait a second, you didn't hit Ctrl-F!

Great achievement (0)

Anonymous Coward | about 3 years ago | (#37757402)

Given that one still needs physical access (sort of) to the keyboard to be sniffed, I don't see any real world application for a dictionary dependent keylogger. Especially since someone else's $martphone is not something that stays perfectly aligned to your keyboard forever. Anyway, nice job.

misleading headline... (0)

Anonymous Coward | about 3 years ago | (#37757418)

scumbag slashdotter - only reads headline, proclaims apple sucks.

Re:misleading headline... (1)

Anonymous Coward | about 3 years ago | (#37757838)

You don't even need to read the headline to know that apple sucks.

Re:misleading headline... (1)

intheshelter (906917) | about 3 years ago | (#37761390)

Nope, you just need to follow the hater Herd!

One Word! (0)

Archangel Michael (180766) | about 3 years ago | (#37757522)

SWYPE

And for bonus: I type much faster with swype than trying to hunt/peck on my keyboard.

Re:One Word! (4, Funny)

TheInternetGuy (2006682) | about 3 years ago | (#37757588)

I ttryuiiiiiiiiiiiiiiiiiiiiiuytredf swsvbbbbbbyuiopoijnnbgg okmjn mjuy PLOKJHBGVC kjhygtrertyuuuuuuuuuuuuuhbjioooooiujhytrfdsaasd

Translates into: I tried Swyping on my PC keyboard

It didn't work too well, now did it? And would probably be just as detectable by an accelerometer.

Re:One Word! (2)

Sancho (17056) | about 3 years ago | (#37758338)

Where can I download SWYPE for my desktop?

Did you even read the summary? Or the headline?

Re:One Word! (1)

Archangel Michael (180766) | about 3 years ago | (#37763354)

yes. and yes. My point remains, just because you don't get it doesn't diminish it at all.

Swype doesn't have sudden jolts to which one tie to keystroke taps on a virtual keyboard. It is fluid motion and is, in itself "guessing" by the complete pattern which word you're attempting to type. Good luck pairing two key taps together using SWYPE. How does software that depends on sudden jolts work with fluid motion?

Re:One Word! (1)

Sancho (17056) | about 3 years ago | (#37763444)

The researchers place a phone with custom software near a desktop keyboard. The custom software records vibrations from the desktop keyboard using the phone's accelerometers. Using statistical analysis, they can decode the vibrations to figure out what was typed on the desktop keyboard. They wouldn't have to use a phone--it's just a cheap, convenient source of commodity accelerometers. They could just as easily put custom hardware (with accelerometers) on the desktop and sniff in exactly the same manner.

They aren't sniffing what you type on the phone. They're using the phone to sniff what you type on your desktop keyboard. The type of keyboard you use on the phone is completely irrelevant.

Fucking dumbass (0)

Anonymous Coward | about 3 years ago | (#37758478)

People like you are why this site is shit these days.

Re:Fucking dumbass (1)

xQx (5744) | about 3 years ago | (#37758780)

lol!!

You sir, made my day.

I bet the GP poster is fat and ugly and stinks like shit. He probably has delusions of adequacy though.

Re:One Word! (0)

Anonymous Coward | about 3 years ago | (#37761008)

one more word...
 
ASS-

SWYPE

Re:One Word! (1)

footitch (1528443) | about 3 years ago | (#37761096)

word up.

Where's the app?? (0)

Anonymous Coward | about 3 years ago | (#37757546)

Seriously, I want to check this out... To see if it really works, and to see how I can change my typing slightly to prevent it from working. App Store or it didn't happen!

iphone? (0)

Anonymous Coward | about 3 years ago | (#37757556)

So they put "iPhone" in the heading just to attract attention, as opposed to a generic term like "smartphone"?

Re:iphone? (1)

MobileTatsu-NJG (946591) | about 3 years ago | (#37757664)

Take a look at this comment, it may answer your question:

http://mobile.slashdot.org/comments.pl?sid=2482736&cid=37757330 [slashdot.org]

^^ As long as this happens, there'll be lotsa iPhone stories.

Re:iphone? (1)

exomondo (1725132) | about 3 years ago | (#37758162)

Or maybe it's because the iphone was the subject of the study and since the iphone4 is the most common smartphone (im pretty sure that's correct? if not i retract the statement) it would be the ideal choice as you would likely need the same chassis and hardware to get consistent results, so choosing the most common phone would be the logical thing to do. Given the methodology it looks like it could be equally applied to just about any smartphone though.

Re:iphone? (0)

Anonymous Coward | about 3 years ago | (#37757906)

This is /. What else would you expect?

Another reason (1)

no4 (2036188) | about 3 years ago | (#37757566)

to select passwords that cannot be found in a dictionary.

Pics or... (0)

Anonymous Coward | about 3 years ago | (#37757600)

...it didn't happen. What are they going to claim next, that it can determine what pr0n I'm look at by the fap noises?

Shift Key (1)

ben_kelley (234423) | about 3 years ago | (#37757652)

"Why do you keep pressing the shift keys randomly?"
"Just bEing CArefUl of keyLogGers."

Re:Shift Key (0)

Anonymous Coward | about 3 years ago | (#37758602)

Drumming on null keys, tyvm.

Re:Shift Key (1)

Threni (635302) | about 3 years ago | (#37759550)

Why use the keyboard at all, vs clicking on things with a mouse. This works better somewhere you're not being watched, such as at home. Then again at home it's unlikely there's a hostile smartphone spying on you, other than via malware.

Ideal distance is just too close (1)

Zakabog (603757) | about 3 years ago | (#37757660)

The ideal distance is too close to my keyboard. Usually if I'm leaving my phone on my desk I put it to the right of my designated "mouse area" which is generally a foot or more from the keyboard. I'm a computer technician so I don't just sit at one computer all day too. Plus most of our customers seem to follow the same policy. They kind of put their phone on the corner of their desk so they don't bump it as their hands move around the keyboard and mouse. If my phone is that close to my keyboard I'm likely not at my computer and I just threw it there with my keys and wallet.

ADD SOUND! (2)

bussdriver (620565) | about 3 years ago | (#37757780)

Sound can almost give away keys pressed. the sound on the desk is likely to work better than pickup from the air since solids conduct sound. Add vibration and you've got plenty of data to extract from! I somehow doubt the acceleration is precise enough to come close to a microphone; I wonder if an image from the camera (if in focus) could in some cases indicate more vibration than the accelerometer...
SOUND ALONE could do it much better. use the microphone.

no video (0)

Anonymous Coward | about 3 years ago | (#37757682)

this is one of the articles I wish had a video showing its real life performance.

I really doubt accelerometer data would be enough to determine what I typed.
typing pretty fast may throw it off, or just having to backspace a few times.
not saying it's worthless, but I doubt it'd be good for much. especially if you want to catch secure passwords that are not in a dictionary.

probably ok for easy passwords, but there may be an easier way than first compromising an iphone to have a good guess of what the password was.

tripe (0)

Anonymous Coward | about 3 years ago | (#37757684)

Tripe.

Way too much is required for this to be used to steal passwords. Needs to be far too close to the keyboard for one, and the article doesn't go into details regarding differences in keyboard and desk types.

Teslameter (1)

vaene (1981644) | about 3 years ago | (#37757860)

Newer iPhones also come with a Teslameter, I wonder if they can detect EM spikes when the keys make contact with their pads. Depending on the distance, again, and using the same or similar logic you could determine keystrokes that way as well I would think. I'll try it once I get my new iPhone, the old 3G doesn't have a teslameter in it.

you gotta wonder (0)

Anonymous Coward | about 3 years ago | (#37758128)

if Intel agencies haven't had this for a while

passphrases (3, Interesting)

Yojimbo-San (131431) | about 3 years ago | (#37758212)

So with this technique, a password of "correct horse battery staple" would be detected, but "Tr0ub4dor" would not (http://xkcd.com/936/)...

Re:passphrases (2)

qxcv (2422318) | about 3 years ago | (#37758994)

It's the same with all dictionary attacks, that's why "correct horse battery staple" isn't nearly as secure a password as Mr. XKCD claims when you're facing a moderately sophisticated adversary.

If you wanted to make a "correct horse battery staple" password more secure against this kind of attack, you could just capitalise some of the letters, or mash your unbound mod keys when entering passwords (i.e. ctl, alt, mod4, etc).

Re:passphrases (0)

Anonymous Coward | about 3 years ago | (#37759662)

Uh, isn't the point that 4 completely random words out of a ~60000 word dictionary have more entropy than the example "Tr0ub4dor", so is safer/better, even in all-lowercase? Yes, inserting special (random) characters into the passphrase would make it even more secure, but that is not the point.

Re:passphrases (0)

Anonymous Coward | about 3 years ago | (#37760178)

> It's the same with all dictionary attacks, that's why "correct horse battery staple" isn't nearly as secure a password as Mr. XKCD claims...

You have failed to understand the comic [xkcd.com] . A password's resistance to a perfect dictionary attack is represented by the number of bits of entropy it contains. "correcthorsebatterystaple" contains more entropy than "Tr0ub4dor", so it's more secure against dictionary attacks.

Re:passphrases (2)

zippthorne (748122) | about 3 years ago | (#37760866)

No, the XKCD analysis isn't based on the presumed strength of the letters in that passphrase, but instead on the *words*. He's estimating 11 bits of entropy per word, which means that the dictionary he's using has a mere 2048 words in it. If using every word in the /usr/dict/words (/usr/share/dict/words on a mac), that would be anywhere from 15 to 17 bits per word:

zippthorne ~$ wc -l /usr/share/dict/words
  235886 /usr/share/dict/words

The default dictionary for Ubuntu was circa 100k words the last time I counted.

2048 is a very restricted dictionary, but it was *already* accounted for in the password strength comparison. "Correct horse battery staple," without any punctuation or capitalization really is a stronger password than "Tr0ub4dor." Or, at least, it WAS, until it was published. Now they're both presumably in all the password cracking dictionaries out there....

Re:passphrases (1)

John Hasler (414242) | about 3 years ago | (#37762522)

Unfortunately many people lack sufficient imagination to come up with a hard to guess string of words.

Re:passphrases (1)

thoromyr (673646) | about 3 years ago | (#37766032)

You lack an understanding of the actual entropy of English words. It is much lower than you think. But don't take my word for it, people have studied the topic seriously and even Wikipedia has an entry-level article. The short of it is that 11 bits of entropy per word is hopelessly optimistic. http://en.wikipedia.org/wiki/Entropy_(information_theory) [wikipedia.org]

Re:passphrases (1)

Anonymous Coward | about 3 years ago | (#37766514)

> You lack an understanding of the actual entropy of English words. It is much lower than you think. But don't take my word for it, people have studied the topic seriously and even Wikipedia has an entry-level article. The short of it is that 11 bits of entropy per word is hopelessly optimistic.

I have an accurate understanding of the entropy of one random choice out of 4096. It is 11 bits. You are probably thinking about the entropy per word of English text. He's not suggesting you choose a sentence. He's suggesting you choose four random words.

Re:passphrases (0)

Anonymous Coward | about 3 years ago | (#37768988)

I suspect eliminating or replacing spaces, articles and conjunctions helps entropy slightly. Let's say words have 1.5 bit of entropy per letter this way. Four or five words is still a pretty good basis for a password e.g. frog spanner monkey alarmed pilgrim 31*1.5 = 46 bits. Substitute numbers and symbols uniformly in the traditional pattern and you've added another bit assuming a sufficiently large dictionary on the attacker's side. Random replacements for spaces such as stops, commas, hyphens, etc adds a bag more bits. Use words in unreasonable patterns and entropy rises further. Of course each of these hurts memorability so you have to stop somewhere. Still, doing all of the above is probably more memorable than 15 random keyboard characters at 5-6 bits per character. I drop out at around that, trading off length for number of passwords memorised.

Re:passphrases (1)

TangoMargarine (1617195) | about 3 years ago | (#37762172)

After reading that comment, I don't know why the heck "correct horse battery staple" is somehow supposed to be easier to remember. I use a consistent "leetification" algorithm on my passwords, which is easier for me to remember than four completely random words (initially). Because remembering a horse saying "that's a battery staple" (which in and of itself makes no sense) and some other random person shouting "Correct!" makes so much sense...?

Re:passphrases (0)

Anonymous Coward | about 3 years ago | (#37762550)

Leetification is built into every password cracking routine that I've heard of. I've yet to see any that attack 4-5 separated dictionary words near the beginning of the attack. In other words, leetification is a lie.

Re:passphrases (1)

TangoMargarine (1617195) | about 3 years ago | (#37762612)

Well, I tack a few symbols on, too, but those aren't particularly easy to remember other than through repetition, which kind of blows my argument wide open.

Re:passphrases (0)

Anonymous Coward | about 3 years ago | (#37765168)

> I use a consistent "leetification" algorithm on my passwords, which is easier

to guess. That's why it doesn't increase the entropy very much in the comic.

Re:passphrases (1)

Yojimbo-San (131431) | about 3 years ago | (#37766740)

It's supposed to be easier to remember because you remember the composite image, and not the words themselves. You can choose images that are easy to remember (something based on goatse perhaps) and construct a phrase from there -- at the same time you meet the suggestion of a password that is so foul you would never tell another person what it is, thus preventing that whole password sharing problem. Double win. Except you have to remember goatse every time you log in. http://questionablecontent.net/view.php?comic=1829 [questionablecontent.net]

Similar thing from 6 years ago (2, Interesting)

Anonymous Coward | about 3 years ago | (#37758536)

Similar idea from 6 years ago, but using acoustics rather than vibrations
https://freedom-to-tinker.com/blog/felten/acoustic-snooping-typed-information

Researchers? (0)

Anonymous Coward | about 3 years ago | (#37758902)

Seriously? I guess this is interesting, if you are interested in things that are not practical.

Clippy (0)

Anonymous Coward | about 3 years ago | (#37758916)

"Your phone tells me that it can't understand your typing, can I help you with that?"

nice try (1)

pbjones (315127) | about 3 years ago | (#37758964)

if you left your phone on a desk next to a keyboard, it'll get stolen. (but seriously, it's not much of a security risk, you would do better, IMHO, recording the sound of the keys with the phone's mic)

Re:nice try (1)

DriveDog (822962) | about 3 years ago | (#37764818)

Ahhh, and a two-vector attack should be much more successful. Use both the mic and accelerometers and compare to a dictionary generated with data from the two combined. While we're at it, can we use the phone to somehow detect changes in the RF field due to key presses/processing by the keyboard's microcontroller? Maybe that's too much of a processing load for one phone. But beware if you spot several phones lying next to your keyboard.

Researcher used Android (0)

Anonymous Coward | about 3 years ago | (#37759176)

Interestingly enough, the picture shows a dude holding up an Android phone, and having an Android emulator running on the PC screen. I wonder how much the iPhone was actually used in the development, or if it was only put in the title to generate publicity.

Of course, nothing stops this from being done on an iPhone as well.

Accelerometer Available Via JavaScript (0)

Anonymous Coward | about 3 years ago | (#37760918)

Apparently, the iPhone accelerometer is available via JavaScript ( http://stackoverflow.com/questions/1273964/is-there-access-to-the-iphone-accelerometer-using-javascript ), so displaying a webpage on an iPhone sitting on your desk is enough to leak information. Fun times ahead!

Great (1)

SpectreBlofeld (886224) | about 3 years ago | (#37761138)

Two Slashdot articles today about university researchers developing snooping technology - this, and the gizmo that sees through walls. Is it just me or is 99% of all academic research funded by the 'defense department' these days?

Re:Great (0)

Anonymous Coward | about 3 years ago | (#37762298)

If no one is funding research, no one is doing research. If the only people with money is the DoD then you do research for them or you don't do research.
Or I guess you could do self-funded research, but who has money for that?

Soooo..... (2)

jasonla (211640) | about 3 years ago | (#37766862)

Sooo... "Need to eavesdrop on someone? There's an app for that." And I make this joke as an iPhone user who got the 4S the first week it was out, so please, no "Apple hater" accusations.