# Slashdot: News for Nerds

# How Your Smartphone Can Spy On What You Type

#### samzenpus posted about 10 months ago | from the what-do-you-feel? dept.

77

mikejuk writes "We all do it — place our phones down on the desk next to the keyboard. This might not be such a good idea if you want to keep your work to yourself. A team of researchers from MIT and the Georgia Institute of Technology have provided proof of concept for logging keystrokes using nothing but the sensors inside a smartphone — an iPhone 4 to be precise, as the iPhone 3GS wasn't up to it. A pair of neural networks were trained to recognize which keys were being pressed just based on the vibration — and it was remarkably good at it for such a small device. There have been systems that read the keys by listening but this is the first system that can hide in mobile phone malware."

### Wonder the accuracy rate (-1)

#### Trip6 (1184883) | about 10 months ago | (#44988241)

Seems like an obscure sensing mechanism. I wonder how accurate it is...

### Re:Wonder the accuracy rate (4, Funny)

#### Anonymous Coward | about 10 months ago | (#44988273)

Seems like an obvious question, I wonder if you can read.

### Re: Wonder the accuracy rate (-1)

#### Anonymous Coward | about 10 months ago | (#44988487)

Considering TFA was typed rather than "interpreted via smart phone vibration sensors" I can guarantee that it isn't very accurate. If it was they would have made a big deal about it.

Another "technology" that is useless and a waste of time & money. Someone should research how often researchers "discover" something as important as what I "discover" when I scoop the litter box.

### Re:Wonder the accuracy rate (4, Informative)

#### Nyder (754090) | about 10 months ago | (#44988317)

> Seems like an obscure sensing mechanism. I wonder how accurate it is...

Just detecting raw keypresses didn't produce a very accurate result, but switching to picking up pairs of keywords and then using a word dictionary did produce useful data extraction. Accuracies of around 80% were achieved, but the accuracy reduced with the number of keypresses. Word recognition only achieved a 46% accuracy, but this increased to 73% if second choice words were included. Clearly semantic analysis could push the accuracy up.
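An added illustration of the dictionary step described in this comment, not code from the researchers or from anyone in the thread: it models a per-key classifier that is often off by one adjacent key and shows how ranking dictionary words recovers what the raw per-key output misses, and why counting second-choice words raises the hit rate. The keyboard grid, the 0.5 hit probability, the word list and the sample observations are all constructed assumptions.

```python
from math import log

# Simplified QWERTY grid (assumption of this example): rows are treated as
# aligned columns, so a key's neighbours are the surrounding grid cells.
ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]
POS = {k: (r, c) for r, row in enumerate(ROWS) for c, k in enumerate(row)}

P_HIT = 0.5      # assumed chance the per-key classifier names the right key
P_FLOOR = 1e-6   # assumed chance it names a key that is not even adjacent


def neighbours(key):
    """Keys in the cells surrounding `key` on the simplified grid."""
    r, c = POS[key]
    return {k for k, (rr, cc) in POS.items()
            if k != key and abs(rr - r) <= 1 and abs(cc - c) <= 1}


def likelihood(reported, true_key):
    """P(classifier reports `reported` | the user pressed `true_key`)."""
    if reported == true_key:
        return P_HIT
    near = neighbours(true_key)
    if reported in near:
        return (1.0 - P_HIT) / len(near)
    return P_FLOOR


def rank_words(reported, dictionary):
    """Dictionary words of the same length as `reported`, most likely first."""
    scored = []
    for word in dictionary:
        if len(word) != len(reported):
            continue
        score = sum(log(likelihood(g, t)) for g, t in zip(reported, word))
        scored.append((-score, word))   # ties broken alphabetically
    return [word for _, word in sorted(scored)]


def evaluate(samples, dictionary):
    """Fraction of words recovered by raw output, first choice, and top two."""
    raw = first = top_two = 0
    for typed, reported in samples:
        ranked = rank_words(reported, dictionary)
        raw += reported == typed
        first += ranked[:1] == [typed]
        top_two += typed in ranked[:2]
    n = len(samples)
    return {"raw": raw / n, "first_choice": first / n,
            "first_or_second": top_two / n}


# Constructed word list and constructed (typed, classifier output) pairs.
DICTIONARY = ["cat", "car", "hit", "hot", "dog", "key", "pin", "the", "and", "log"]
SAMPLES = [
    ("cat", "cst"),   # one key off by a neighbour, not a word on its own
    ("hit", "hot"),   # one key off, and the result is a different real word
    ("dog", "dog"),   # every key classified correctly
    ("key", "ket"),   # last key off by a neighbour
]

if __name__ == "__main__":
    for typed, reported in SAMPLES:
        print(typed, reported, rank_words(reported, DICTIONARY)[:2])
    print(evaluate(SAMPLES, DICTIONARY))
```

In this constructed set the raw per-key output matches one word in four, the first dictionary choice matches three, and the top two choices cover all four, the same direction of effect as the first-choice and second-choice figures quoted in the comment.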

### Re:Wonder the accuracy rate (0)

#### icebike (68054) | about 10 months ago | (#44988451)

Until you read a little closer and find out this couldn't possibly work in real life. The whole thing is a joke.

### Re:Wonder the accuracy rate (0)

#### Anonymous Coward | about 10 months ago | (#44989647)

You don't need all that. Apple is an integral part of the Prism program. Period.

### Re:Wonder the accuracy rate (0)

#### Anonymous Coward | about 10 months ago | (#44988329)

Accuracies of around 80% were achieved, but the accuracy reduced with the number of keypresses. Word recognition only achieved a 46% accuracy, but this increased to 73% if second choice words were included.

### Re:Wonder the accuracy rate (1)

#### gl4ss (559668) | about 10 months ago | (#44988361)

dunno, doesn't sound much more obscure than using the microphone to detect where the device was touched on(some years back some articles on this).

### Re:Wonder the accuracy rate (5, Informative)

#### icebike (68054) | about 10 months ago | (#44988429)

It's not accurate at all unless you have the luxury of training the neural networks with the phone sitting in EXACTLY the same place in EXACTLY the same orientation every time, in a totally vibration damped laboratory.

You have to locate your phone two inches from the keyboard every time.
Not on a piece of paper, a book or a mouse pad, but directly on the desk.
Oh, and you have to install software on your iphone,
AND feed the data into a couple of Neural networks external to the phone.
And nothing else can be vibrating on that desk. No radio. No mouse movements, and your computer has to be off the desk.
No air conditioning air flow, not tapping fingers, typical floor bounce from walking people.
And no typing fast.

When you start reading all of the things that will screw up this test that the authors wrote in their own study you have to wonder how it is they even managed to keep from laughing their own study out the door. They just proved it can't be done in the real world, yet they went ahead and put out the study anyway as if they had discovered a real and present attack vector.

So then they recommend you keep your phone outside the room. Who does that? Why do that, when their own study demonstrates it is totally impossible to do this?

### Re:Wonder the accuracy rate (1)

#### Austrian Anarchy (3010653) | about 10 months ago | (#44988455)

I'm just glad I have a 3G, which apparently can't detect anything but the presence of local WiFi networks now.

### Re:Wonder the accuracy rate (2)

#### Art Challenor (2621733) | about 10 months ago | (#44988613)

I think that marketing it as a "vulnerability" is a neat trick - how else would you make it onto Slashdot?

That said, it's a neat proof-of-concept that may, eventually, find some (voluntary) applications. Need to diagnose a vibration in a car, washing machine, etc.? Something in the house making an odd noise and you can't figure it out? Water/gas line leak while you're asleep. There's potential, and, as they inadvertently point out, (4>3GS) the sensor technology is improving.

### Re:Wonder the accuracy rate (0)

#### Anonymous Coward | about 10 months ago | (#44988697)

Nonsense. The phase delays and intensity of the impacts are critical, and a vaguely similar physical placement will give you similar results after the signal has gone through the ADC circuitry, bandpass filtering, and gain control.

### Re:Wonder the accuracy rate (3, Insightful)

#### Anonymous Coward | about 10 months ago | (#44988703)

Isn't this just a proof of concept though - like most technologies start?

Their study can be used as a reference, and over time, the underlying technology and techniques can be perfected so that it can work as an additional attack vector. Do you think Acoustic Keyloggers worked right off the bat from conception to implementation? And your premise relies on the postulation that sensors in mobile phones won't improve over time as well - or that multiple technologies will just cease to improve, for that matter.

### Re:Wonder the accuracy rate (1)

#### TheRaven64 (641858) | about 10 months ago | (#44990181)

The study was published a year or two ago, so I'm not sure why it's appearing on Slashdot now - normally I'd blame the 'editors' for this kind of late submission, but apparently they found a 'news' site with a slow news day that decided that old research papers now count as news. It's a pretty neat concept though and more recent work has improved the accuracy a lot by feeding other sensors into the mix.

### Re:Wonder the accuracy rate (1)

#### TheSkepticalOptimist (898384) | about 10 months ago | (#44991433)

It's because tin-foil hat wearing reactions to potential privacy issues are trending high on Slashdot these days.

### Re:Wonder the accuracy rate (0)

#### Anonymous Coward | about 10 months ago | (#44988779)

Well, it is just a proof of concept, after all.

### Re:Wonder the accuracy rate (1)

#### TheSkepticalOptimist (898384) | about 10 months ago | (#44991421)

Please don't confuse the idiot masses with facts, all they care about now is that your phone can track your keyboard presses and will cry outrage about privacy rights and link it to NSA conspiracies while they never for once think about turning off their phone, or just getting rid of the phone, or changing anything that might affect their behavior or basic common sense.

### Re:Wonder the accuracy rate (1)

#### chakan2 (1106731) | about 10 months ago | (#44995883)

This is the hypothetical if I had any talent and a lot of free time and money. (I assume the NSA does).

> You have to locate your phone two inches from the keyboard every time.

That's pretty easy to normalize using your favorite audio application...so that's an easy one to solve. If I’m just researching to see if this is possible, I would probably skip that problem.

> Not on a piece of paper, a book or a mouse pad, but directly on the desk.

Using a neural network, it might be able to learn how 'soft sounds' work...not sure...harder but not insurmountable. If you break the 0 threshold of the accelerometer (the point where you’re in the realm of error correction and just can’t get a useable signal any more), you’re broke. But, if you can get anything useful out of the accelerometer, I’m betting the normalization algorithm is going to work like the audio one above.

> Oh, and you have to install software on your iPhone,

Probably not ideal...I'd install software to just send the audio / accelerometer data to a central location if you want to make this a real 'attack'.

> AND feed the data into a couple of Neural networks external to the phone.

See the previous...installing the neural network on the phone isn't ideal...if you can get the data back to a central server that has some real horse power, this is a non-issue.

> And nothing else can be vibrating on that desk. No radio. No mouse movements, and your computer has to be off the desk.

I think you could isolate keyboard clicks and sync them with the accelerometer events. Not too bad to overcome. We have beat matching software. I’m pretty sure someone can whip this up fairly quickly.

> No air conditioning air flow, not tapping fingers, typical floor bounce from walking people.

Again, just isolate the events you want...it'll take time and heavy processing to do so, but not too bad from an audio editing perspective.

> And no typing fast.

Solved by doing your processing on a real machine instead of the phone...

What would be really interesting is if the researchers could build a small box with a better mic and accelerometers to see how far they can get from a target to make this work. Imagine something the size of a 6 sided die that you could glue to the bottom of a desk... Dunno. Maybe it’s science fiction, but that’s where all the great ideas started.

### Something less obscure, perhaps? (1)

#### justthinkit (954982) | about 10 months ago | (#44988449)

Something less obscure, perhaps? How about your clipboard and many popular web sites. You go to paste that "cheap office coffee" work query and oops you had "my new pin is 12Z45 !" in your clipboard. Well, all of that has already been sent before you even press enter -- to Google, IMDB, even my local library. This is beyond "petty annoyance" and firmly into "none of your #*\$% business" category for me.

### THROE UHWAY YUR FONES !! (0)

#### Anonymous Coward | about 10 months ago | (#44988253)

And fee safe again !!

### Damn you, Ben Franklin! (1)

#### Anonymous Coward | about 10 months ago | (#44988255)

This whole "electricity" thing has gotten way out of hand. Look how it's being used these days!

### Wow! What a vulnerability!! (5, Funny)

#### 140Mandak262Jamuna (970587) | about 10 months ago | (#44988269)

First you need to download and install a neural network program in your smartphone, train it with loads and loads of data. Then turn it on and leave it running. Then it can become a keystroke logger. At this point it is worse than the proverbial unix virus, "You got a unix virus. It works on honor system. Please forward this mail to all addresses in your .mailrc and sudo \rm -rf / Thank you."

### Re:Wow! What a vulnerability!! (0)

#### Anonymous Coward | about 10 months ago | (#44988603)

Or you know, maybe the developer of the malware could train it before distribution?

### Re:Wow! What a vulnerability!! (1)

#### Anonymous Coward | about 10 months ago | (#44988621)

> Or you know, maybe the developer of the malware could train it before distribution?

Sure, I'll just send them my phone, keyboard, and desk so they can build the training set. Then when they send it back, they can use it to monitor my keystrokes. Wake me up, when this is a serious attack instead of a parlor trick.

### Re:Wow! What a vulnerability!! (0)

#### Anonymous Coward | about 10 months ago | (#44988721)

Actually, first you should check to see if there's not an "app for that" already;
iPhone Keylogger Can Snoop On Desktop Typing (October 18, 2011) [slashdot.org]

### Re:Wow! What a vulnerability!! (3, Insightful)

#### girlintraining (1395911) | about 10 months ago | (#44988735)

> First you need to download and install a neural network program in your smartphone, train it with loads and loads of data. Then turn it on and leave it running. Then it can become a keystroke logger. At this point it is worse than the proverbial unix virus, "You got a unix virus. It works on honor system. Please forward this mail to all addresses in your .mailrc and sudo \rm -rf / Thank you."

You know, the same smartass attitude was held by our government officials regarding the "hollywood" possibility of hackers gaining control over power grids, missile launch systems, water distribution systems, etc. And then Stuxnet showed up, and took out a key element of a country's nuclear weapons program. It is exceptionally arrogant to say because you can't see a problem, one doesn't exist.

This is a proof of concept; It demonstrates that such an attack is now possible. Everything Stuxnet achieved, it did based on proof of concept code, which was then studied, refined, and weaponized. It's just a matter of time now. As mobile devices are loaded with more sensors, and yet retain their closed-source, integrated black box SoCs, etc., attacks of this sort will not only be practical, but one day trivial.

### Re:Wow! What a vulnerability!! (1)

#### Trax3001BBS (2368736) | about 10 months ago | (#44989117)

> You know, the same smartass attitude was held by our government officials regarding the "hollywood" possibility of hackers gaining control over power grids, missile launch systems, water distribution systems, etc. And then Stuxnet showed up,

Not the same, Stuxnet and even .bat files are run by default on a MicroSoft OS. To this day I have to disable auto-run, the largest most overlooked backdoor into a system.
Auto-run being on by default is most likely because people would be inconvenienced or not having a clue what to do next.

> This is a proof of concept; It demonstrates that such an attack is now possible.

Proof of concept of something I've known since the early 90's that a computer system gives off electromagnetic energy and you can read that energy through a wall (apartment). They just made it smaller and moved it closer.

### Re:Wow! What a vulnerability!! (0)

#### girlintraining (1395911) | about 10 months ago | (#44989499)

> Not the same, Stuxnet and even .bat files are run by default on a MicroSoft OS.

Okay, this is completely irrelevant to the topic at hand. I'm discussing how improvements in this technology will one day make it possible to achieve what it does now with fewer requirements. You're off babbling about autorun on windows and how people don't care much for security. These are very different problems.

> Proof of concept of something I've known since the early 90's that a computer system gives off electromagnetic energy and you can read that energy through a wall (apartment). They just made it smaller and moved it closer.

First, it's been known that electronic devices give off EM since the 19th century, not the early 90s. The first radio was created in 1906, by which time it was well-established that any alternating current source will give off EMR. But decades before that, Nikola Tesla was busy showing off technology to wirelessly transmit electricity in New York.

Secondly, none of that has exactly dick to do with what's being discussed -- which is the use of motion sensors to capture vibration, which is then via a complex software application, recreates the keystrokes entered from a nearby keyboard.

So you not only went on babbling off topic, but your off topic wasn't even remotely accurate. Your entire post was a waste of time, and I now feel slightly stupider for having taken the time to point this out, and my only consolation is that at least there's the chance that someone who reads it will click on my reply and come away with a better appreciation of both the subject material, and just how wrong someone can be while sounding perfectly reasonable if you don't know the subject material.

### Re:Wow! What a vulnerability!! (1)

#### Trax3001BBS (2368736) | about 10 months ago | (#44989899)

> Secondly, none of that has exactly dick to do with what's being discussed -- which is the use of motion sensors to capture vibration, which is then via a complex software application, recreates the keystrokes entered from a nearby keyboard.

Yep - I read the summary, replied to your reply, then read the article and thought damn ----------- missed it by that much.

### Re:Wow! What a vulnerability!! (1)

#### tlhIngan (30335) | about 10 months ago | (#44989531)

> First you need to download and install a neural network program in your smartphone, train it with loads and loads of data. Then turn it on and leave it running. Then it can become a keystroke logger. At this point it is worse than the proverbial unix virus, "You got a unix virus. It works on honor system. Please forward this mail to all addresses in your .mailrc and sudo \rm -rf / Thank you."

It's easily done if you give someone the right motivation.

Remember the jailbreak worm that relied on people leaving the default password unchanged? Same deal - you managed to get someone to blindly install openssh and leave it running so they can get something.

Face it, Dancing Pigs [wikipedia.org] makes the Honor System Virus possible these days.

Heck, all you'd need is a bugged program that calls out for "free international texting!". There's your loads and loads of text right there.

### Re:Wow! What a vulnerability!! (1)

#### Anonymous Coward | about 10 months ago | (#44989907)

Ahem. The proverbial unix virus [wikipedia.org] existed, and didn't depend on any kind of honor system. Honestly, you'd think Slashdotters should know a tiny bit of history.

### Industrial espionage potential here... (0)

#### Anonymous Coward | about 10 months ago | (#44988271)

Perhaps one of the many reasons that phones are not allowed in rooms with SIPRNET.

But for some reason, I am not convinced that anyone is all that interested in what I do on the computer, and I suspect they would find other easier methods.

On the other hand, there might be industrial espionage potential here...

### Kinesis Advantage with buzzer (2)

#### dindi (78034) | about 10 months ago | (#44988293)

I wonder what this little app would do with the keyboard I am typing on. First of all, it is a mechanical keyboard with cherry MX browns. Second, I have the "buzzer" function on that simulates "clicky"-ness, since it is not a real clicking switch (though tactile) like e.g. the blue one or the real buckled ones.

I am not saying it would work better or worse, just curious if it would work on a Kinesis and how much the "clicker" and the totally odd shape of the keyboards would disrupt the functionality.

Anyway.... my phone is usually on airplane mode when I enter the house and is redirected to a landline that has an Asterisk box on it... then the Asterisk box' FXO is carefully disconnected, so no calls in, no calls out:). That's the way I like to handle phones and phone calls.

### Re:Kinesis Advantage with buzzer (2)

#### Zero__Kelvin (151819) | about 10 months ago | (#44988323)

... or you could just, you know, turn it off and let your voicemail field the calls.

### Re:Kinesis Advantage with buzzer (1)

#### dcw3 (649211) | about 10 months ago | (#44990991)

Unless you remove the battery, is your phone really ever off?

### Re:Kinesis Advantage with buzzer (1)

#### Zero__Kelvin (151819) | about 10 months ago | (#44991331)

No, but what does that have to do with it? The GP is already stating that he leaves it in airplane mode, so he isn't concerned about it being on.

### Re:Kinesis Advantage with buzzer (1)

#### TheSeatOfMyPants (2645007) | about 10 months ago | (#44989701)

> my phone is usually on airplane mode when I enter the house and is redirected to a landline that has an Asterisk box on it... then the Asterisk box' FXO is carefully disconnected, so no calls in, no calls out:). That's the way I like to handle phones and phone calls.

I prefer this approach: my family/friends get my personal number but know to text rather than call (auditory processing disorder makes it a bitch to understand them), and everyone else gets my Google Voice number so I can get the transcribed messages via email. This way, I don't need to deal with being pestered via phone, but can have full access to all of its useful apps & functions.

### Re:Kinesis Advantage with buzzer (0)

#### Anonymous Coward | about 10 months ago | (#44995839)

Is there some way I can get better transcribed texts from GV? I find it's never accurate and always loses the meaning of 50% or more of my messages... should I just tell people who call to articulate very clearly for the NSA... I mean Google to understand them?

### I've heard of this before (0)

#### Anonymous Coward | about 10 months ago | (#44988319)

I've heard of using cheap accelerometers (like those in phones) to do this before. Apparently it works pretty well.

Your phone (obviously) can also listen to what you say, spy on your wifi traffic, spy on your Bluetooth devices (keyboard?), watch you, and monitor what you do on it. Phones also broadcast a tracking signal so towers can locate you, even if you have a solid local wifi connection.

You really need control over your phone (bios + software at least) if you want any semblance of security.

I'd really like a phone that could open a connection to my carrier over the internet via its wifi (And maybe Tor, or a trusted proxy) so I could get texts, and notifications of incoming calls without the whole tracking system and extra battery drain. Let the user of the phone decide if they want to disclose their location and open (a perhaps lower latency?) connection over the cell network connection or not for a given call.

Now, combine that with a carrier agnostic ephemeral ID setup like I wrote up here [craigm.info] and you might have some decent privacy.

### Over-generalisation? (5, Insightful)

#### GumphMaster (772693) | about 10 months ago | (#44988351)

> We all do it — place our phones down on the desk next to the keyboard.

I love a good over-generalisation.

### Re:Over-generalisation? (1)

#### 93 Escort Wagon (326346) | about 10 months ago | (#44988601)

My phone is generally in my pocket. Maybe people who are constantly on the phone do this? I don't like those people anyway - let them get their data stolen; I don't care.

### Re:Over-generalisation? (1)

#### TheSeatOfMyPants (2645007) | about 10 months ago | (#44989765)

I think most people do it simply because smartphones have so many uses. I only talk to mine if I have no other choice, but it sits in a businesscard holder when I'm at my desk just so I can glance at it to check the time, my to-do list, and so forth.

we all do

### Even worse... (3, Insightful)

#### Nanoda (591299) | about 10 months ago | (#44988367)

it can spy on what you say!!!

Seriously, if my phone is compromised, everything else is pretty much moot.

### Re:Even worse... (1)

#### grantspassalan (2531078) | about 10 months ago | (#44988745)

If two criminals want to communicate securely with each other by cell phones, they can do so if they keep their conversations short and by using prepaid phones such as trac phones bought with cash. Their CIA, NSA, KGB or whoever can listen in on their conversations, but they don't know who is talking.

### Re:Even worse... (0)

#### Anonymous Coward | about 10 months ago | (#44988835)

What *are* you talking about? The voices can typically be identified out of a broad range of monitored conversations, which is why they get such general warrants to monitor "anything related" to the call they want to track.

### Re:Even worse... (0)

#### Anonymous Coward | about 10 months ago | (#44991327)

All phones have GPS in them thanks to E911. No doubt they can just get a warrant for "all phones in this area" to include burner phones.

### Re:Even worse... (0)

#### Anonymous Coward | about 10 months ago | (#44988785)

No, no, they don't know what you're typing _at_the_time.

But give them the need to know, and they've got it in the archive. Like everything else.
Decryption of all those noise and vibration records will be like anything else -- time will tell.

And once they know enough to figure they have us backed up, they can delete the working copies and reload whenever they're ready to play again.

### Re:Even worse... (0)

#### Anonymous Coward | about 10 months ago | (#45009765)

> Seriously, if my phone is compromised, everything else is pretty much moot.

Seriously, if my phone is compromised, everything else is pretty much root.

### Reminds me... (1)

#### djupedal (584558) | about 10 months ago | (#44988415)

. . . of the little scheme someone I knew cooked up to read data transmissions from watching the lights flash on a Hayes modem - from a distance, of course :) Not that I would ever do anything spurious like that, tho.

### Re:Reminds me... (3, Interesting)

#### moteyalpha (1228680) | about 10 months ago | (#44988571)

> . . . of the little scheme someone I knew cooked up to read data transmissions from watching the lights flash on a Hayes modem - from a distance, of course :) Not that I would ever do anything spurious like that, tho.

The vibration trick seems a bit of a stretch to be useful, but it does fall into a class of things like you said. There are so many holes in the technology created by accident or on purpose that it is a wonder that anything is secure. I was at a COMDEX once a long time ago and was chatting with an engineer (a friend) that worked for a modem company about my company's dial-up customer service system and complaining that it hung up on customers sometimes. He asked me for my dial up number and I provided it. I assumed he was going to see if it hung up on him. He proceeded to enter a long string of characters and took control of our modem, went into configuration and changed a parameter that set a hang up delay on inactivity. It fixed the problem, but that was creepy. Obviously that was long ago before the internet, but I have never trusted any system since then unless it was open source and open hardware, and even then I am not sure because I have seen spooks at the chip fab and I am sure they weren't there to get coffee.
I watched some videos from DEFCON and became even more certain that we live in a silicon dioxide house and it is subject to fracture on impact, so it would be advisable to avoid conflict with projectiles.

### Re:Reminds me... (1, Insightful)

#### girlintraining (1395911) | about 10 months ago | (#44989551)

> Obviously that was long ago before the internet, but I have never trusted any system since then unless it was open source and open hardware, and even then I am not sure because I have seen spooks at the chip fab and I am sure they weren't there to get coffee.

Having the source, or the blueprints, does you little good if you do not know how to read and use them, and if you stopped to go through these things for every item you own, you would turn grey and cold long before completing this epic assignment. Technology is advancing at a breakneck pace and it simply isn't possible for any one person, or even a small group of people, to retain adequate working knowledge of all the technologies we come in contact with on a daily basis enough to provide viable protection from the multitude of potential attack vectors. This is something only large governments or organizations employing tens to hundreds of thousands of people can manage, and at that, still only manage to vet a fraction of the potential workload.

The simple truth here is that our technology has become an extension of a long-existent problem in human cultures; How can you trust someone you haven't met? There are billions of humans now on this planet, and yet we have meaningful relationships with perhaps 150-200 at any point in time -- this being the maximal amount, with the median being far, far lower. Think of the many tens of thousands of people that were responsible for the design of your car, your house, the power grid, the computer you're reading this on, your toaster... when you consider all the people that are abstractly involved in your life, it quickly becomes clear that trust is explicitly needed for society to work.

For the most part, it does. People are inherently social creatures. We don't harm one another, even abstractly, as a general rule. And this alone is what has allowed society to develop, indeed, allowed humans to become the dominant species on the planet. But our technology is continuously integrating itself, merging, reforming, reconnecting, in new and unexpected ways, and with ever-increasing complexity mirroring that of life itself, it is inevitable that vulnerabilities will become so prolific that anyone who chooses to will be able to find at least a few that haven't been discovered by others and use them to his/her advantage.

This is the essence of the hacker mindset. Stripped of everything else, it is "Knowledge is power", and hackers intuitively understand that the system being hacked is not the computer, but the people using it. It is the trust placed in the system that it will do as they expect it to, but without a deeper understanding of why it works as expected. Hackers know that sufficient time and effort put into understanding something will eventually take them to a place beyond the currently-accepted boundaries of human possibility. That is to say, they will have reached the edge of what is known, and may now contribute to pushing that barrier outwards... which they then do, because this end, in and of itself, is viewed as beneficial to society. And indeed it is, but it is not without its cost.

The time is rapidly approaching when we will be forced to confront the long-unaddressed social problems of our society. All security problems in IT eventually reduce to the trust relationship between two people.

### Re:Reminds me... (1)

#### moteyalpha (1228680) | about 10 months ago | (#44989781)

Couldn't have said it better. That was an interesting novella.

### Countermeasures (1)

#### Anonymous Coward | about 10 months ago | (#44988563)

Obviously the only safe way to compute is to listen to Black Sabbath while doing so. Constantly fake drumming by slamming the desk should be enough to throw off the sensors.

### QWERTY or DVORAK (0)

#### Anonymous Coward | about 10 months ago | (#44988611)

Does this only work with QWERTY keyboard layouts? Only US English keyboard layouts?
What if someone is using a different keyboard layout? How easy does adaptation to other layouts appear to be?
Nope, I didn't RTFA.
Also, no worries for me as I don't use a 'modern' smartphone.

### s/Your/A/ (1)

#### Sally Bowls (2952007) | about 10 months ago | (#44988669)

It seems to me the real story is that someone else can place their cellphone on your desk and perhaps log your keystrokes. Loan Applications and Job interviews come to mind.

### Re:s/Your/A/ (1)

#### dcw3 (649211) | about 10 months ago | (#44992747)

Um, no they can't. Not without having done so previously, and trained for your keyboard.

### calling this bs (1)

#### Anonymous Coward | about 10 months ago | (#44988693)

This is ridiculous. For the phone to run through the learning phase, the user has to type in the exact words with the phone in about the same position to calibrate the neural network. Even if you use frequency analysis to determine it, there has to be a long enough time to get enough samples. So let's see it in action.

### If you have mobile malware (1)

#### grantspassalan (2531078) | about 10 months ago | (#44988701)

On your phone, you have bigger problems than someone listening to the sound of your keystrokes on a keyboard. Everything I have read is that iPhones are particularly resistant to getting malware on them.

### Re:If you have mobile malware (1)

#### AHuxley (892839) | about 10 months ago | (#44989255)

If your telco has a hardware/software layer and is actively decrypting for your gov, all marketing talk of being resistant is a joke.
With a known conference room or free wifi cafe this method might get interesting for pure data entry by a person.

### Re:If you have mobile malware (0)

#### Anonymous Coward | about 10 months ago | (#44990521)

Yeah if you don't take into account all the previously published Safari holes. Isn't it wonderful the browser runs as root?

### MI5 episode (5, Interesting)

#### Okian Warrior (537106) | about 10 months ago | (#44988781)

There was an episode of MI5 [imdb.com] (aired as "Spooks" in the UK) that had this many years ago.

They gave a foreign agent a document to type, and had an eavesdropping device in his office. By recording the keyclicks of the known document, they were able to train the system to decode keyclicks for subsequent documents.

It didn't seem farfetched at the time, it doesn't seem farfetched today.

### Re:MI5 episode (2, Interesting)

#### Anonymous Coward | about 10 months ago | (#44990147)

I think Viktor Suvorov mentions in one of his books how spies used to write with a pencil, rather than use a typewriter, because of the danger of decoding a text from listening to the typing. That was in the time when people still used typewriters. So, yes, this stuff does pre-date smartphones.

### Re:MI5 episode (1)

#### rasmusbr (2186518) | about 10 months ago | (#44991469)

I've been told most of those spying techniques relied on listening to the radio noise that CRT monitors give off. I guess if you owned a monitor of the same brand and model as the target you could train your snooping device on your monitor and then use that setting.

I have no idea if it's true or if it's hyperbole, but it's often said that the most sensitive snooping devices could pick up the signal from across the street.

Wired keyboards give off a much weaker radio signal that you can try to snoop on in case your target happens to have one of these newfangled TFT screens.

### Carrier IQ extra package (0)

#### Anonymous Coward | about 10 months ago | (#44988813)

Recall Carrier IQ? The spyware that US carriers required be installed in the phone. One of its features, I recall, was that it could receive packaged add-ons.
So you've just given the Carrier IQ/NSA an idea for another packaged add-on.

Carrier IQ:
http://news.yahoo.com/sprint-others-spy-android-smartphones-193400910.html

We should re-examine that software now in the light of what the NSA has been up to.

### Re:Carrier IQ extra package (1)

#### AHuxley (892839) | about 10 months ago | (#44989229)

Yes strange so few seem to want to recall that moment in US cell history.
You still see the comments about needing to get into the device, OS protections and how keystrokes are magically encrypted.
As for this, it reminds me of early TEMPEST efforts and selling the world on end to end security with a tiny gift in every crypto machine :)
Who knows where this tech will go, but great to see people experimenting and publishing real world results :)

### Old news... (2)

#### mas939 (2193240) | about 10 months ago | (#44989193)

This is a 2011 study... and this becomes news in /. over 2 years later?

### You should see this wireless keyboard! (1)

#### russotto (537200) | about 10 months ago | (#44989249)

No power, no electronics, just a bunch of keys with springs. The microphone in the computer reads the keypresses.

### Re:You should see this wireless keyboard! (1)

#### Yakasha (42321) | about 10 months ago | (#44994661)

> No power, no electronics, just a bunch of keys with springs. The microphone in the computer reads the keypresses.

I've already replied, so I can't mod. This sounds like an awesome idea actually. No more replacing batteries in your wireless keyboard. Build it, I will buy one.

### Re:You should see this wireless keyboard! (1)

#### DavidD_CA (750156) | about 10 months ago | (#44995067)

This is a fantastic id4589074VTJIL4D5QX3T9JFDCGJea.

Sorry, my C3409TOIKJERC2RIOKFSOI GJRIOT cat just jumped on and off my desk.

### Re:You should see this wireless keyboard! (1)

#### Yakasha (42321) | about 10 months ago | (#44997455)

> This is a fantastic id4589074VTJIL4D5QX3T9JFDCGJea.
>
> Sorry, my C3409TOIKJERC2RIOKFSOI GJRIOT cat just jumped on and off my desk.

Sounds like you need better software then.

### Related! iPhone 4 can control your computer (1)

#### mcmf (3134063) | about 10 months ago | (#44989839)

On a related note, I have had to learn to watch where I leave my iPhone 4 on my desktop. If it is left covering my Lenovo USB mouse cable, I have bother with the mouse jumping all over my screen. Try it! Just unlocking my iPhone causes the browser to scroll all over the place. I wonder if this could be developed to do more.

### Again? (0)

#### Anonymous Coward | about 10 months ago | (#44990129)

How, exactly, did this make the front page? Last time I read a technical report on using the iPhone 4's accelerometer for keyboard listening was 2012, and it was old then.

### Nothing new (4, Funny)

#### TheInternetGuy (2006682) | about 10 months ago | (#44990241)

I have an IBM type M keyboard, and this post was relayed to slashdot via the Global Seismographic Network

### Re:Nothing new (0)

#### Anonymous Coward | about 10 months ago | (#44994325)

the best comment on slashdot so far! lol

### Misunderstanding of the Vulnerability (1)

#### DavidD_CA (750156) | about 10 months ago | (#44991631)

Many of the early posts seem to misunderstand the vulnerability issue here.

This is not about your phone getting infected with malware that allows it to detect your PC keyboard typing.

This is about me putting the vibration-detection app on my own phone, and then going to someone else's desk and recording them logging in.

So, imagine me going to my local AT&T store, bank, or my boss's computer, and casually setting my phone down while they log in to check my account or whatever.

Granted, some of those systems will require more than just a password (I might need their username, or the URL to log in, or perhaps their firewall only accepts certain IPs), but it's still a considerable weakness if this application is reliable and gets out in the open.

I can imagine keyboards that are "vibration silent" or special "vibration absorption" pads that will prevent this from happening. Either that, or customer service reps will start saying "Please remove your phone from my desk while I access your account."

### Re:Misunderstanding of the Vulnerability (1)

#### Yakasha (42321) | about 10 months ago | (#44994751)

> Many of the early posts seem to misunderstand the vulnerability issue here.
>
> This is not about your phone getting infected with malware that allows it to detect your PC keyboard typing.
>
> This is about me putting the vibration-detection app on my own phone, and then going to someone else's desk and recording them logging in.
>
> So, imagine me going to my local AT&T store, bank, or my boss's computer, and casually setting my phone down while they log in to check my account or whatever.
>
> Granted, some of those systems will require more than just a password (I might need their username, or the URL to log in, or perhaps their firewall only accepts certain IPs), but it's still a considerable weakness if this application is reliable and gets out in the open.
>
> I can imagine keyboards that are "vibration silent" or special "vibration absorption" pads that will prevent this from happening. Either that, or customer service reps will start saying "Please remove your phone from my desk while I access your account."

1. Place underneath ATM.
2. Use any existing method of obtaining user's card #

Would be slightly less obvious than putting something over the buttons themselves. For RFID equipped cards, the entire setup could be out of sight.

Now if only the iPhone's battery could be hacked to last long enough to make this plausible...
