Stealing Passcodes Over the Air
Researchers have published a paper on a new side-channel attack that essentially turns Android devices into sonar systems. It allows attackers, via acoustic signals, to track a person's finger movements on devices, something which could allow them to capture sensitive data, like passwords.
It’s a fascinating time in information security.
There are more people working on security now than ever before, whether it be on an enterprise security team, in a research organization, on an offensive team, or in an academic setting. And the variety of projects and problems that researchers are working on these days reflects the growing maturity and diversity of the community. It’s not just bug hunting anymore; the possibilities are seemingly endless.
One of the avenues of research that’s drawing more and more attention is side-channel attacks and how they can be used to bypass typical hardware and software defense mechanisms. Side-channel attacks take advantage of information that an attacker can gather about a system from the outside, without exploiting a specific bug. Researchers have been working on these attacks for a long time in a variety of settings. Cryptographer Paul Kocher helped pioneer a couple of important side-channel attacks, including differential power analysis attacks against cryptosystems in tamper-resistant devices such as smart cards.
Recently, researchers have been exploring these kinds of attacks against mobile devices, specifically looking for ways to capture sensitive data such as PINs or passwords. A team of researchers from Lancaster University in England and Linköping University in Sweden has published a new paper that details a method for using a target smartphone’s speaker and microphone to create a covert side-channel that essentially turns the device into a sonar system. The researchers were able to infer the finger movements of a person using an Android phone and reduce the number of patterns that an attacker would need to try in order to get the right unlock pattern by 70 percent.
“In our experiment we use an off-the-shelf Android phone as an example of a computer system with a high quality acoustic system. We re-purpose the acoustic system for our side-channel attack. An inaudible signal is emitted via speakers and the echo is recorded via microphones turning the acoustic system of the phone into a sonar system,” the paper says.
“Using this approach, an attacker that obtains control over a phone’s speaker and microphone is able to observe user interaction, such as the movement of the user’s fingers on the touch screen. As the emitted sound is inaudible for the user, it is hard to detect that the sound system is being used to gather information.”
In order to execute the attack, which the researchers call SonarSnoop, an attacker needs to have a malicious app on the victim’s device. The app would need access to the microphone, something a user would need to explicitly grant permission for upon installation. Once that’s accomplished, the attacker’s app runs in the background and is active whenever the phone starts up. The goal is to generate an acoustic signal that’s inaudible to the victim or others, sent through the speaker and then picked up by the device’s microphone.
“The speakers of the phone send an inaudible OFDM [Orthogonal Frequency Division Multiplexing] sound signal which all objects around the phone reflect. The microphones receive the signal and also the reflections (delayed copies of the signal). The time of arrival of all echoes does not change when objects are static. However, when an object (a finger) is moving a shift in arrival times is observed,” the paper says.
“The received signals are represented by a so-called echo profile matrix which visualises this shift and allows us to observe movement. Combining observed movement from multiple microphones allows us to estimate strokes and inflections. By combining the estimated sequence of observed strokes, we can then estimate the unlock pattern they represent.”
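A toy simulation of the echo-profile idea in the quoted passage, added here as an illustration and not code from the paper or the researchers. It assumes a Barker-13 sequence as a stand-in for the OFDM probe, and the delays, gains and threshold are constructed values; it shows why echoes from static objects cancel between frames while a moving reflector stands out.

```python
# Added illustration; all values below are constructed, not taken from the paper.
PROBE = [1, 1, 1, 1, 1, -1, -1, 1, 1, -1, 1, -1, 1]  # Barker-13 stand-in for the OFDM probe
MAX_DELAY = 20                                        # echo delays examined, in samples
STATIC_PATHS = [(0, 1.0), (5, 0.5)]                   # direct speaker-to-mic path, fixed reflector

def receive(paths):
    """Microphone frame: sum of delayed, attenuated copies of the probe."""
    rx = [0.0] * (len(PROBE) + MAX_DELAY)
    for delay, gain in paths:
        for i, s in enumerate(PROBE):
            rx[delay + i] += gain * s
    return rx

def echo_profile(rx):
    """One row of the echo profile matrix: correlation with the probe per delay."""
    n = len(PROBE)
    return [sum(p * rx[d + i] for i, p in enumerate(PROBE)) / n
            for d in range(MAX_DELAY)]

def moving_delays(profiles, threshold=0.1):
    """Subtract consecutive rows: static echoes cancel, a shifted echo remains."""
    found = []
    for prev, cur in zip(profiles, profiles[1:]):
        diff = [c - p for p, c in zip(prev, cur)]
        peak = max(range(MAX_DELAY), key=lambda d: diff[d])
        found.append(peak if diff[peak] > threshold else None)
    return found

def simulate(finger_delays, finger_gain=0.3):
    """Build the echo profile matrix for a reflector whose delay changes per frame."""
    return [echo_profile(receive(STATIC_PATHS + [(d, finger_gain)]))
            for d in finger_delays]

if __name__ == "__main__":
    matrix = simulate([8, 8, 9, 11, 11, 10])
    print(moving_delays(matrix))
```

The fixed reflector at delay 5 is present in every row of the matrix but never appears in the differenced output, which only reports frames where the weaker moving echo changed its arrival time.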
Unlike many side-channel attacks, SonarSnoop is an active attack rather than a passive one. And, although the researchers used an Android device in their experiment, the team said the SonarSnoop technique can be used against many other devices and to record other types of user interactions. For example, a compromised phone sitting next to a laptop could be used in concert with the laptop to emit or receive the acoustic signals.
“Any devices with microphones and speakers such as tablets and phones, smart watches, cameras or voice assistants are candidates,” the paper says.
While novel and creative to say the least, this attack likely isn’t much of an immediate threat to most users. However, SonarSnoop is the kind of technique that could be of particular interest to intelligence agencies or attack groups that go after high-level, specific targets.
Android phone image via Johan Larsson's Flickr photostream, Creative Commons