Security experts have blown the whistle on countless software vulnerabilities, but it's not every day that hardware is blamed for compromising privacy. When such topics do arise, they usually focus on the nefarious use of an infected device's camera or microphone. However, Georgia Tech researchers have shown how a smartphone's accelerometer and gyroscope can be used to record and decipher keystrokes made on your desktop or laptop.
Vibrations created by typing on a keyboard can be detected by a smartphone's accelerometer, the chip that's used to detect your device's orientation. Patrick Traynor of Georgia Tech noted that accelerometers are less sensitive than microphones (100 versus 44,000 samples per second) and typically lack extensive security protection. Mobile operating systems let you restrict an app's access to sensors, but the accelerometer is often excluded.
The first experiment was conducted with an iPhone 3GS, but the results were difficult to read. The iPhone 4's gyroscope improved things, however. When used in conjunction with special software, the method can reconstruct sentences with up to 80% accuracy. The program models keyboard events in pairs and approximates each pair's location on the keyboard and the distance between the two keys. That profile is then compared against words with similar characteristics in a preloaded dictionary.
For example, the researchers explained that the word "canoe" is dissected into four keystroke pairs: C-A, A-N, N-O, and O-E. The software reads that sequence as Left-Left-Near, Left-Right-Far, Right-Right-Far and Right-Left-Far. Then it compares those attributes against words that have already been analyzed in a dictionary. Probability dictates that it'll be fairly accurate, though Traynor said the technique is only reliable with words of three or more letters.
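The pair encoding described above can be reproduced in a few lines, which also shows why very short words are unreliable: a two-letter word has a single pair, so many words share one profile. This is an added example, not the researchers' software; the key coordinates, the left/right split, the near/far cut-off and the word list are assumptions chosen so that "canoe" encodes as the article prints it.

```python
from collections import defaultdict
from math import hypot

# Assumptions (not from the article): QWERTY geometry measured in key widths,
# a touch-typing left/right split, and a near/far cut-off calibrated so that
# the article's "canoe" example comes out as printed.
ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]
ROW_OFFSET = [0.0, 0.25, 0.75]          # horizontal stagger of each row
LEFT_KEYS = set("qwertasdfgzxcvb")
NEAR_THRESHOLD = 3.0                    # key widths

POS = {ch: (col + ROW_OFFSET[r], float(r))
       for r, row in enumerate(ROWS) for col, ch in enumerate(row)}


def side(ch):
    return "L" if ch in LEFT_KEYS else "R"


def pair_feature(a, b):
    """Encode one keystroke pair as side-of-a, side-of-b, Near/Far."""
    (ax, ay), (bx, by) = POS[a], POS[b]
    dist = "N" if hypot(ax - bx, ay - by) < NEAR_THRESHOLD else "F"
    return side(a) + side(b) + dist


def profile(word):
    """Profile of a word: one feature per consecutive letter pair."""
    w = word.lower()
    return tuple(pair_feature(a, b) for a, b in zip(w, w[1:]))


def build_index(words):
    """Group dictionary words by profile; large groups mean ambiguity."""
    index = defaultdict(list)
    for w in words:
        index[profile(w)].append(w)
    return index


# Constructed word list, for illustration only.
WORDS = ["canoe", "to", "go", "so", "do", "cat", "car"]
INDEX = build_index(WORDS)

if __name__ == "__main__":
    for prof, words in sorted(INDEX.items(), key=lambda kv: len(kv[0])):
        print("-".join(prof), "->", ", ".join(sorted(words)))
```
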
Based on its findings, the team believes that smartphones made within the last two years are sophisticated enough to launch this attack. Nonetheless, you probably shouldn't feel particularly alarmed about the discovery. It would still require an attacker to have some form of malware on the device (perhaps downloaded through an application store) and the researchers say the exploit is easily mitigated: just leave your phone in your pocket.