- A new acoustic side-channel attack uses smartphone’s speaker and microphone to steal user’s information.
- It works by generating sound waves to track movements of user’s fingers on the touchscreen.
- It can reduce the number of possible unlock patterns in Android phones by 70%.
In the last couple of decades, radar and sonar systems have been developed extensively to improve interactions between computer and human by tracking the movements of human hands, arms, fingers or other body parts. However, the research done so far in this area has rarely examined the security implications.
Recently, researchers at the Lancaster University and Linköping University identified a new class of security threats. They reported an alarming security implication of tracking human movement through sound waves.
Previous studies had analyzed several techniques to hack unlock patterns by reading accelerator, video footage or smudges. However, this is quite a different case – the first active acoustic side channel attack.
How It’s Possible?
The new active acoustic side-channel attack can be utilized to hack sensitive data, including Android screen lock pattern. To build and execute such attacks, researchers developed a framework of generic value named SonarSnoop.
In this framework, acoustic signals are emitted through speakers and the echo is captured via microphones. This makes the acoustic system of a smartphone behave as a sonar system. The sound waves emitted by this framework falls under the range of 18 and 20 kilohertz, and thus inaudible to human ears.
Since the objects (smartphones in this case) are static, all echoes arrive at the same moment, and the difference is analyzed when the user moves his finger on the screen. To visualize this shift and observe movement, researchers transformed these received signals into an echo profile matrix.
Then they merged all the signals observed by different microphones to accurately measure strokes and inflections. The echo stream not only provides the data of users’ finger movement but reveals their secrets as well.
Tests and Results
12 most popular unlock patterns
Researchers evaluated the SonarSnoop’s performance in Android unlock patterns. Specifically, they used a total of 12 unlock pattern data collection from 10 users and fed them to a machine learning algorithm to classify each stroke.
In theory, there are 389,112 possible unlock patterns, but not each of them is selected by users with the same probability. Users have bias in selecting patterns, and several algorithms have been developed to measure the likelihood of unlock patterns.
Using this technique, the number of attempts to successfully unlock the phone can be decreased by up to 70% (tested on Galaxy S4 running on Android 5.0.1).
Courtesy of researchers
The above image shows the simplified paths of the top and bottom speaker, and the echo coming to top and bottom microphone, in Samsung Galaxy S4.
The technique isn’t perfect yet: it has dozens of limitations and room for improvements. First of all, there must be a malicious code running on the phone so that it can emit sound waves from the speaker.
Since the system depends on clear separation of strokes within a pattern, it’s quite impossible to distinguish different strokes when users don’t pause at an inflection. Moreover, the researchers conducted experiments on the limited number of inputs, so it would be useful to extend the data with a wider variety of patterns.
Although the tests are conducted with smartphones, the technique can be applied to other types of computing devices and surrounding where speakers and microphones are available. Researchers plan to examine and qualify the effectiveness of such attacks in different conditions and investigate the best countermeasures for each of those conditions.