A recent study has found a new way for hackers to gain access to people’s phones. Researchers from the University of Cambridge in England and Linköping University in Sweden have figured out how a phone’s microphone can be used to guess what a user is typing on their screen.
The research team utilized the fact that pressing on different parts of a phone’s screen produces slightly different sounds. With this in mind, the team used a phone’s built-in microphone to guess what a user was typing.
To demonstrate how a mobile device can be hacked through its microphone, the researchers gave 45 participants Android smartphones and tablets that were set to record the sounds of their typing. After this, the researchers fed the recordings into a machine-learning algorithm. This algorithm tried to match the recorded sounds and vibrations to specific points on the phone’s screen to learn where the users were typing. This is possible because each touch on a phone’s screen creates a different sound based on where the user pressed. The algorithm used machine learning to figure out which sounds corresponded to specific portions of a device’s screen.
In testing, the algorithm the researchers developed guessed 31 out of 50 four-digit login PINs over the course of 10 attempts. In the same number of attempts, it also figured out 19 out of 27 words typed on the tablets, and only seven on the smaller phone handsets. The main factor that seemed to limit the algorithm was the quality of the microphones it had to use. The current microphone technology in these devices isn’t precise enough to extract the kind of data needed to make the algorithm more accurate.
Another hurdle to this hack being used in the real world would be interference from other sound sources. Loud background noises can complicate the process of listening to the sounds made by someone typing on a phone.
“Right now it’s really hard to imagine anybody deploying these attacks,” stated lead author Ilia Shumailov, of the University of Cambridge.
That said, at the rate that technology advances, it’s not hard to imagine that the microphones in these devices will become accurate enough for the algorithm to be a threat.
“In the near future they’re definitely going to be there,” cautioned Shumailov.
This study joins another study showing how sound can be used to hack mobile devices. In 2012, researchers from the University of Pennsylvania demonstrated how a similar acoustic attack can be done, this time by taking advantage of a device’s accelerometer. The accelerometer is a sensor built into most mobile devices that is ordinarily used to measure things like the number of steps a user takes for fitness trackers. In this case, the study showed that hackers can also use it to find out where on a screen a person was typing. Once inside, hackers can then use the same accelerometer to continue to gather more information about their victims.
This 2012 study demonstrated that algorithms can decipher Android phone PINs 43 percent of the time and swipe-to-unlock patterns 73 percent of the time, all within five attempts, thanks to the help of machine learning.
Before any hackers can use these methods to get into people’s devices, they’ll need to put the software that listens to the sounds into the device first. The usual vector for these attacks is through hackers getting potential victims to download malware-infected apps or open links to malware-infected websites on their devices.
With this in mind, the simplest way to avoid getting hacked is to be wary of questionable apps and websites. Additionally, microphone-based hacks have one more hurdle to get through – apps must ask for permission to access a device’s microphone before they can do so.
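The permission check described above can be audited from a computer. The following is an added example, not part of the original article: it reads text in the layout printed by `adb shell dumpsys package` and reports which apps hold the microphone permission. The package names and the sample excerpt are constructed, and the exact layout is an assumption that can vary between Android versions.

```python
import re

# Constructed excerpt modelled on `adb shell dumpsys package` output.
# Package names are made up; the layout is an assumption (it varies by version).
SAMPLE_DUMPSYS = """\
  Package [com.example.keyboard] (1a2b3c4):
    requested permissions:
      android.permission.RECORD_AUDIO
      android.permission.INTERNET
    runtime permissions:
      android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET]
  Package [com.example.flashlight] (5d6e7f8):
    requested permissions:
      android.permission.RECORD_AUDIO
    runtime permissions:
      android.permission.RECORD_AUDIO: granted=false, flags=[ USER_SET]
  Package [com.example.notes] (9a0b1c2):
    requested permissions:
      android.permission.INTERNET
"""

PACKAGE_RE = re.compile(r"^\s*Package \[([^\]]+)\]")
GRANT_RE = re.compile(r"^\s*android\.permission\.RECORD_AUDIO: granted=(true|false)")
REQUEST_RE = re.compile(r"^\s*android\.permission\.RECORD_AUDIO\s*$")

def microphone_audit(dumpsys_text):
    """Map each package that mentions RECORD_AUDIO to granted/denied/requested."""
    result = {}
    current = None
    for line in dumpsys_text.splitlines():
        m = PACKAGE_RE.match(line)
        if m:                       # a new package section starts here
            current = m.group(1)
            continue
        g = GRANT_RE.match(line)
        if g and current:           # the grant state overrides a bare request
            result[current] = "granted" if g.group(1) == "true" else "denied"
        elif REQUEST_RE.match(line) and current:
            result.setdefault(current, "requested")
    return result

def granted_packages(dumpsys_text):
    """Packages that can record audio right now, sorted for stable review."""
    return sorted(p for p, s in microphone_audit(dumpsys_text).items() if s == "granted")

if __name__ == "__main__":
    for pkg, state in sorted(microphone_audit(SAMPLE_DUMPSYS).items()):
        print(f"{pkg}: microphone {state}")
```

Any app in the granted list that has no obvious need to record audio is a candidate for having the permission revoked in the device settings.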
The bigger problem arises when these apps come preinstalled on devices by default. It’s not far-fetched to think that companies and even the government can have this kind of malware already installed in mobile devices out of the box. Hacking by Big Tech companies is becoming a very real threat in this day and age, and the only defense against this is to avoid devices from companies known to do this, either on their own or in collaboration with the government.