Researchers can keylog your PC using your iPhone’s accelerometer

Thinking about today’s discussions about Malware in general, I found this story interesting and pretty relevant to what we did today. Researchers with MIT and Georgia Tech have developed a proof of concept to demonstrate that they can use a smartphone’s accelerometer to keylog a user’s computer. It can accurately decipher the keys from the vibrations of the keyboard when the smartphone is placed on a desk next to the keyboard.

According to Traynor, the method is 80 percent accurate with a 58,000 word dictionary. Even that accuracy, though, requires thoroughly modern equipment. “We first tried our experiments with an iPhone 3GS, and the results were difficult to read,” Traynor said in a statement. “But then we tried an iPhone 4, which has an added gyroscope to clean up the accelerometer noise, and the results were much better. We believe that most smartphones made in the past two years are sophisticated enough to launch this attack.”

The researchers said that the probability of a smartphone user falling victim to this attack is “pretty low”. It only has 80% accuracy and would then have trouble with usernames and passwords that would not be in a dictionary.



6 thoughts on “Researchers can keylog your PC using your iPhone’s accelerometer”

  1. Now this is interesting. Personally, I keep my phone on a belt clip, so it probably wouldn’t do much good to hack my phone to try and steal my passwords. The researchers might downplay the probability of someone hacking your phone to use as a key logger as well, but consider this: If I have physical access to the home or workspace of someone I want to grab passwords from, what if I set my phone up to attempt to keylog in this way, and leave it behind? It’s not difficult:
    Swing by the cubicle to ask questions about that project. Take a (faked?) phone call. Set the phone down on the desk while you look over the material pertinent to your questions. “Forget” the phone when you head back to your desk.
    It gets even better if you can remotely access your phone from your desktop, wirelessly. Connect to the phone, and see what kind of data it’s getting, if any at all. Wait until you have strings in the buffer you think might be passwords, then call the guy up and let him know you misplaced your phone, and think you may have left it at his desk.
    The down side here is, you leave your phone behind, and if anyone tries to call you, it will be noticed and returned, potentially before you collect anything useful, but you can always shut the phone portion off. Also, if you don’t get the phone close enough to detect anything, you probably don’t get another shot at it for a while. Unless you’re naturally forgetful, if you suddenly keep leaving your phone behind a lot, it starts to look suspicious.

  2. As far as proof of concepts go, this one is very cool. It might not work all that well, but it was an idea I would have never thought of!

  3. This is very interesting and could be a potentially new attack method if perfected. Obviously the problem is the range and for now it means that people are safer but if this were to change it could be a very big threat for phone users alike.

  4. This reminds me of an article I read a couple of years back about researchers that could decipher key strokes by the noise the keys made. Apparently each key has a specific tone when clicked and they could then match the tone to a key and get an accurate idea of what was typed. According to this article:
    “His researchers were able to guess 90 percent of all randomly generated five-character passwords within 20 tries using these techniques,”
