Interestingly novel!<p>In my university days, long before the days of tablets and smartphones, the computer labs were the usual place where people will congregate to do their assignments or basically kill time on the internet in between classes.<p>One day, my mates and I noticed how annoyingly loud some people type on their keyboards and out of sheer boredom, we decided we could come up with an algorithm to determine what a person was typing simply from recording the sound of the keystrokes from our vantage point. Taking that sound clip, we graphed it out and we proceeded to hash out each "stroke" based on how loud it was in relation to the distance of where we were from the keyboard + the angle of the keyboard.<p>Fun times ensued. ;)
> We demonstrate how an inactive or even a minimised web page, using JavaScript, is able to listen to and silently report the device motion and orientation data about a user who is working on a separate tab or a separate app on the device.<p>This is brilliant and well-explained.<p>On page 6 of the PDF, the authors include a breakdown of the leakages they found in each browser family. The two that were most significant to me is Chrome's "Active/Other" leak on iPhones and Safari's "Locked" leak. I believe this means that malicious Javascript (1) on Google Chrome on an iPhone on an inactive tab, and (2) on mobile Safari while the screen is locked, can access tilt and motion data at a level of detail sufficient to deduce what the user is typing.
This attack and an annoyance that I see on Android from time to time could be easily mitigated if in Chrome if they would simply ship permissioning for access to hardware devices.<p>There is this annoying popup add that infects the ad networks of a few websites that first smashes the history of the tab and then vibrates your phone and has a page with a bunch of red warning text telling you that you have a virus, your phone is "damaged" and trying to get you to download some crappy virus scamware.<p>No way in hell a random website should be able to make your phone vibrate without your permission much less tell how its moving with the accelerometer.<p>I've google around a lot there is NO WAY to disable this :/
Relevant: A friend of mine analyzed lock patterns for her thesis. Got some press: <a href="https://arstechnica.com/security/2015/08/new-data-uncovers-the-surprising-predictability-of-android-lock-patterns/" rel="nofollow">https://arstechnica.com/security/2015/08/new-data-uncovers-t...</a><p>The patterns are predictable, and can be further narrowed down if you now the hand they normally use.
I saw an ATM before that scrambled the number pad on it's touchscreen so the numbers were in a different position every time. Would that work to mitigate this attack?
As a university project, I did something very similar, only using a malicious app. The app would monitor the device state, and record gyro data as soon as the screen was on, but the device was locked. We didn't have the time to properly implement a decent classifier, but the data collection was surprisingly effective.
Source with more details: <a href="https://blogs.ncl.ac.uk/security/author/b2031864/" rel="nofollow">https://blogs.ncl.ac.uk/security/author/b2031864/</a>
How about not letting javascript run when the phone is locked? Heck, on my phone I'd be fine with not letting it run when the browser tab isn't active.<p>What use case am I not thinking of here?
Nice hack. I've been using my phone for less and less over the years, out of security concerns, since it's my 2fa device and I sometimes check email with it. After the Broadcom wifi thing I even stopped carrying it around. I guess it's past time to buy a dedicated 2fa device.
I thought you just make the key board random every stroke and the human has to pick the right, next letter so it's not predictable with a known pattern.<p>edit: I like that "Obviously hackers wear hoodies..." hahaha, I like to wear a mask, and see as little as possible, while I mash on the keys hacking into the NSA.<p>edit: it's not funny though when you happen to see your server logs and you see various attempts to break in using wordpress-access attacks like forget the one xmlrc or something... I don't use Wordpress but man... gotta keep an eye on those logs. Also tracked one of the ips, lead to some site called BoltCloud, looks legit, with a login but... I don't know... not sure if you can bounce attacks from a server without that server's permission.
With machine learning these days I'm sure that accuracy will only increase too.<p>> They say they cracked four-digit pins with 70% accuracy on the first guess and 100% by the fifth guess.<p>I'd expect within a few months they could have 70% accuracy on the first guess for typing text/passwords.
BlackBerry solved this with their picture code lock
<a href="http://n4bb.com/blackberry-10-getting-picture-password-unlock-screen/" rel="nofollow">http://n4bb.com/blackberry-10-getting-picture-password-unloc...</a>
Sorry for digressing from the main topic of the article, but isn't anyone else bothered by this terrible graph from the article <a href="https://cdn.arstechnica.net/wp-content/uploads/2015/08/alp-length-breakdown2-640x319.png" rel="nofollow">https://cdn.arstechnica.net/wp-content/uploads/2015/08/alp-l...</a> ?<p>For example, the bar for Men's shopping password length is 3x-4x longer than for Women's, but in reality the value (in tiny font) is only ~8% greater (the others are ~4% and ~10%).
> They said they'd told all the major tech companies, like Google and Apple, about the risks but no-one has been able to come up with an answer so far.<p>What about putting and end to tracking gestures?
I wonder if you could hold the phone flat in one hand and press the buttons with the other hand to defeat this. Or wobbling while entering it one-handed.
Blackberry released an excellent app[1] for Android phones that helps solve this.<p>Any option for iOS? Can someone recommend a good 4way privacy screen protector?<p>[1] <a href="http://www.theverge.com/2017/3/23/15038364/blackberry-privacy-shade-app-smartphone-feature" rel="nofollow">http://www.theverge.com/2017/3/23/15038364/blackberry-privac...</a>
This attack has been known since at least 2011:
<a href="https://www.usenix.org/legacy/event/hotsec11/tech/final_files/Cai.pdf?wptouch_preview_theme=enabled" rel="nofollow">https://www.usenix.org/legacy/event/hotsec11/tech/final_file...</a>
I kind of can't wait till everything is biologically linked, I don't know if it's a good idea/cost effective. There's usually that scene in horror movies, removing eyeballs, removing hands/fingers etc... for biometric security.<p>Still the thought of someone snatching my wallet and swiping away at my cards. Where as if the card wasn't "active" unless my hand was the one holding it, I don't know how... finger print, pulse, heat, embedded RFID chip activates the card... I don't know. think DNA-linked money too, but someone could steal your hair... I don't know, I'm just not going to carry more than $20.00 on me in any form of money.<p>random thought too: when everyone has their own API and this replaces social media, why would that happen I don't know. If people had custom readers to pull in a person's data.
The solution to this - for PINs and passwords at least - is to scramble the keyboard layout. It's slow, but if you're typing in a 6-digit PIN it doesn't take that long.
this was proofed 2011 already <a href="https://www.extremetech.com/mobile/92946-a-wiggly-approach-to-smartphone-keylogging#" rel="nofollow">https://www.extremetech.com/mobile/92946-a-wiggly-approach-t...</a>