Is your mobile phone spying on you?
Your bank and your credit card provider have put lot of time and effort into protecting your online banking passwords, your online card payment details and the PIN of your card.
However, there are some neat ways to side-step security features by hijacking the phone’s sensors to listen in while you type. In this article we look at such attacks and the impact of current research to deal with this vulnerability.
Work by Maryam Mehrnezhad and Ehsan Toreini at Newcastle University shows that malware embedded in a web page accessed by a mobile browser can detect your passwords / PIN using the mobile phone accelerometer data. As we’ll see, the impact of this research is wide-ranging: the vulnerability has been reported to W3C and browser vendors, who have responded by restricting access to this data.
A side-channel attack is not concerned with trying to attack a system directly, eg by brute force cracking of passwords. Instead, it uses extra information connected with the physical system, which inadvertently provides the attacker with the information they need. Work at Wichita State University and at University of Illinois has shown that the accelerometers in a smartwatch could be used to detect your PIN when you enter it into a PIN pad such as at an ATM or Chip & PIN terminal. So if you have a smartwatch wear it on your left hand, if you enter your PIN with your right hand.
Smartwatches and fitness apps make use of sensors to improve the user experience, by tracking training runs or simply providing more responsive games. The problem is, these sensors such as GPS, camera, microphone and gyroscope, provide an app that is running on the device with side-channel information: such an app could log when a call is being made, where the user is and whether they are moving or stationary, and even work out what PIN number or password is being typed on the device. Add to this the NFC (near field communication) sensors that are present on many modern mobile phones, and we can see that an app with access to this data will be able to read any bank card that is near the phone (for example, kept in the same bag or wallet).
From apps to mobile browsers
This type of attack has been known about for years, and has been unsolved partly because of the complexity of the problem but also because of the low risk of an attack: the user must intentionally download and install the malicious app, and give it permission to use the phone’s sensors. Instances of this attack will trick the user into doing this by posing as a free game app which requires access to the data. However, app stores such as Apple’s App Store or the Google Play Store do have a screening program which would prevent the distribution of an app that is found to contain malicious content.
Following responsible disclosure practices, the Newcastle team informed W3C and browser vendors in private of these findings. Accordingly, W3C acknowledged the problem, and a new version of the specification has been drafted with reference to this research.
suspending the availability of this [motion and orientation] data when the web view is hidden.
Both patches acknowledge the contributions by the Newcastle research team.
Maryam and Eshan are currently working on further methods of addressing this exposure. Later on this week you will see their practical advice on mobile phone app safety.
© Newcastle University