According to a new study, sonar signals emitted from a smartphone’s speaker can be used to steal the passcode that unlocks the phone, Motherboard reported.

A team of researchers from Lancaster University has submitted a paper to arXiv showing how they can use a smartphone’s microphone and speaker system to steal the phone’s unlock pattern.

While the average person doesn’t have to worry about being attacked in this way anytime soon, the researchers are the first to show that such attacks are possible.

According to the researchers, their “SonarSnoop” attack reduces the number of unlock patterns an attacker must attempt by 70 percent, and can be performed without the victim knowing they have been hacked.

In the field of information security, a “side-channel attack” is a type of attack that does not go after the target itself and does not require direct access to the target’s information. In SonarSnoop’s case, for example, what the attacker wants is the pattern that unlocks the phone, but SonarSnoop doesn’t brute-force it by trying every possible combination, nor does it peek at the user entering it. Instead, SonarSnoop uses auxiliary information to recover the secret: it steals it through sound.

Acoustic side-channel attacks have been widely demonstrated on laptops and a variety of other Internet-connected devices. For example, researchers have recovered data from an air-gapped computer by listening to a fan on the hard drive. It is also possible to determine what is printed on paper by an Internet-connected printer and to reconstruct a printed object from the sound of a 3D printer.

Most of the time, these are passive side-channel attacks, because the attacker is just listening to the sounds that the device naturally produces. The Lancaster study, however, is the first time that researchers have successfully demonstrated an active acoustic side-channel attack on a mobile device, one in which the device is forced to emit certain sounds in order to carry out the attack.

The attack begins when a user inadvertently installs a malicious application on their phone. Once the malicious app is installed, the phone starts emitting sound signals that are outside the range of human hearing. These signals bounce off every object around the phone and produce echoes that are recorded by the phone’s microphone.

By measuring the time between the sound’s emission and its echo’s return to the phone, it is possible to determine where an object is in a given space and whether it is moving. This is called sonar. By analyzing the echoes recorded by the phone’s microphone, researchers can track the movement of someone’s finger across the smartphone screen.

There are nearly 400,000 possible unlock patterns on the 3×3 pattern grid on Android phones, but previous studies have shown that 20% of people use one of the 12 common patterns. In testing SonarSnoop, the researchers focused on just these 12 unlock patterns.

The researchers tested only the Samsung Galaxy S4. While the attack should work on any phone model, the signal analysis must be tailored to a particular model because the positioning of the speakers and microphones differs between smartphones. “We expected iPhones to be equally vulnerable, but we tested Android phones,” Peng Cheng, a PhD student at Lancaster University, said in an email.

The researchers recruited 10 volunteers and asked them to draw each of the 12 patterns five times in a customised app. The researchers then tried various sonar analysis techniques to reconstruct the pattern from the acoustic signatures emitted by the phone. With the best analysis technique, the algorithm correctly determined which pattern had been drawn after an average of 3.6 attempts out of the 12 possible patterns.

While the SonarSnoop attack wasn’t perfect, it reduced the number of patterns researchers had to try by 70 percent. Researchers say the correct pattern could be determined more quickly in the future by reducing the amount of time between sonar pulses and exploring different signal analysis strategies.

To keep these types of attacks from spreading in the wild, the researchers suggest that mobile devices could be designed to prevent them. The most obvious measure would be to limit the acoustic range of a device’s speakers to signals that humans can hear, or to allow users to selectively turn off their sound systems when handling sensitive information on their devices. Another is to continue improving protection against malicious application downloads in the first place.
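The first mitigation above can also be approximated as a check: measure how much of an outgoing audio buffer's energy lies above the audible band and flag buffers dominated by it. This is an added example, not code from the researchers or the article; the 48 kHz sample rate, the 18 kHz cut-off, the 0.5 threshold and all function names are assumptions, and the sample buffers are constructed.

```python
import math

SAMPLE_RATE = 48_000   # Hz; assumed playback rate
INAUDIBLE_HZ = 18_000  # assumed upper edge of the audible band (not from the article)

def bin_power(samples, k):
    """Power of DFT bin k, computed with the Goertzel recurrence."""
    n = len(samples)
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in samples:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def inaudible_ratio(samples, sample_rate=SAMPLE_RATE, cutoff_hz=INAUDIBLE_HZ):
    """Fraction of the buffer's spectral power at or above cutoff_hz."""
    n = len(samples)
    low = high = 0.0
    for k in range(1, n // 2):
        power = bin_power(samples, k)
        if k * sample_rate / n >= cutoff_hz:
            high += power
        else:
            low += power
    total = low + high
    return high / total if total > 0 else 0.0

def flag_inaudible_output(samples, threshold=0.5):
    """True when most of the buffer's energy sits outside the audible band."""
    return inaudible_ratio(samples) >= threshold

def tone(freq_hz, amp=1.0, seconds=0.02, sample_rate=SAMPLE_RATE):
    """Constructed test signal: a sine wave as a list of float samples."""
    count = round(seconds * sample_rate)
    return [amp * math.sin(2.0 * math.pi * freq_hz * i / sample_rate)
            for i in range(count)]

def mix(a, b):
    """Sum two equal-length sample lists."""
    return [x + y for x, y in zip(a, b)]

# Constructed sample buffers (not recordings).
AUDIBLE_ONLY = mix(tone(440), tone(1_000, amp=0.5))
INAUDIBLE_ONLY = tone(19_000)
HIDDEN_UNDER_AUDIO = mix(tone(440, amp=0.2), tone(19_000))

if __name__ == "__main__":
    for name, buf in [("audible", AUDIBLE_ONLY), ("inaudible", INAUDIBLE_ONLY),
                      ("mixed", HIDDEN_UNDER_AUDIO)]:
        print(name, round(inaudible_ratio(buf), 3), flag_inaudible_output(buf))
```

A quiet audible tone does not mask the high-frequency component in this check, because the ratio compares band energy rather than overall loudness.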

As biometric features like fingerprint unlocking become more common on mobile devices, such attacks will be much less effective at unlocking phones. However, as the researchers point out, similar technology could also be used to gather other sensitive information entered using a phone’s touch screen, such as web passwords or even swipe patterns on dating apps like Tinder.

“Although our experiment only attempted to steal the unlock mode on Android phones, SonarSnoop works in any environment where the microphone and speaker can interact,” Jeff Yan, a security researcher at Lancaster University, told me in an email. “Our next big question is how to help people. We hope they don’t get too nervous about our attack tests. Our goal is to help computer engineers properly respond to security threats on next-generation devices.”
