An iPhone can be turned into a ‘SpiPhone’ as it can decipher vibrations to record what is being typed on a nearby computer keyboard, it has been revealed.
Millions of people place their mobile on their desk at work every day, but the phone could be hijacked by hackers to track what they write in e-mails or sensitive documents.
A research team at the Georgia Institute of Technology in the United States has discovered how to do it using a smartphone accelerometer – the internal device that detects when and how the phone is tilted.
They have found it can be harnessed to sense keyboard vibrations and decipher complete sentences with up to 80 percent accuracy, and the iPhone is best at it.
‘We first tried our experiments with an iPhone 3GS, and the results were difficult to read,’ said Patrick Traynor, assistant professor in Georgia Tech’s School of Computer Science.
‘But then we tried an iPhone 4, which has an added gyroscope to clean up the accelerometer noise, and the results were much better. We believe that most smartphones made in the past two years are sophisticated enough to launch this attack.’
The technique works by using mathematical software that detects pairs of keystrokes, rather than individual letters.
Hackers can then determine whether the pair of keys pressed is on the left or right side of the keyboard, and whether they are close together or far apart.
After the system has determined these characteristics for each pair of keys pressed, it uses probability to compare the results against a preloaded dictionary.
But the technique only works reliably on words of three or more letters.
As an example, the researchers used the word ‘canoe,’ which when typed breaks down into four keystroke pairs: C-A, A-N, N-O and O-E.
The detection system’s code recorded this as Left-Left-Near, Left-Right-Far, Right-Right-Far and Right-Left-Far, or LLN-LRF-RRF-RLF.
Comparing this code against the preloaded dictionary yields ‘canoe’ as the statistically probable typed word.
Working with dictionaries comprising about 58,000 words, the system reached word-recovery rates as high as 80 percent.
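The keystroke-pair encoding and dictionary lookup described above can be sketched in Python. This is an added example, not code from the Georgia Tech study: the unstaggered key grid, the left/right split after the fifth column, the three-key ‘near’ threshold and the function names are assumptions, and the word list is constructed.

```python
from collections import defaultdict
from math import hypot

# Assumption: keys sit on a plain unstaggered grid, one unit per key.
ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]
POS = {ch: (col, row) for row, keys in enumerate(ROWS) for col, ch in enumerate(keys)}
NEAR_LIMIT = 3.0  # assumption: pairs closer than 3 key widths count as "Near"


def side(ch):
    """L for the left-hand half of the grid (columns 0-4), R otherwise."""
    return "L" if POS[ch][0] <= 4 else "R"


def pair_code(a, b):
    """Three-letter code for one keystroke pair, e.g. C-A -> LLN."""
    (ax, ay), (bx, by) = POS[a], POS[b]
    dist = "N" if hypot(ax - bx, ay - by) < NEAR_LIMIT else "F"
    return side(a) + side(b) + dist


def encode(word):
    """Profile of a word: one code per consecutive keystroke pair."""
    w = word.lower()
    return "-".join(pair_code(a, b) for a, b in zip(w, w[1:]))


def build_index(words):
    """Map each profile to every dictionary word that produces it."""
    index = defaultdict(list)
    for w in words:
        index[encode(w)].append(w)
    return index


# Constructed sample dictionary (the study used about 58,000 words).
WORDS = ["canoe", "tenor", "genoa", "table", "phone", "is", "as", "at", "we"]
INDEX = build_index(WORDS)


def candidates(profile):
    """All dictionary words consistent with an observed profile."""
    return sorted(INDEX.get(profile, []))


if __name__ == "__main__":
    print(encode("canoe"), candidates(encode("canoe")))
    print(encode("as"), candidates(encode("as")))
```

Several words can share one profile, and two-letter words reduce to a single pair code, so the lookup returns a candidate set rather than one word; the probability step the article mentions for choosing among candidates is not reproduced here.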
‘The way we see this attack working is that you, the phone’s owner, would request or be asked to download an innocuous-looking application, which doesn’t ask you for the use of any suspicious phone sensors,’ said Henry Carter, a PhD student in computer science and one of the study’s co-authors.
‘Then the keyboard-detection malware is turned on, and the next time you place your phone next to the keyboard and start typing, it starts listening.’
But the phone has to be at most three inches from a keyboard for the attack to work, so phone users can simply leave their phones in their pockets or bags, or just move them further away from the keyboard.