Logging the keystrokes on a Windows or Mac desktop or laptop is incredibly easy: just install a piece of software (or get infected by a Trojan), configure where it should save or send the stolen keystrokes to, and that’s it. When it comes to smartphones, however, complex permission systems make this approach all but impossible — unless you use what’s known as a “side channel.” Strictly speaking, a side channel is an insecure source of information that helps a cracker break a cryptographic system. Broadly speaking, a side channel could be a blinking light on a router that mimics the binary data passing through it or the clackity-clack sounds of a physical keyboard. In other words, side channels are the characteristics of a system that have had their potential risks overlooked.
In this case, the two researchers use the Android’s orientation data — a set of three angles that give the phone’s orientation in XYZ space — to work out where a user was pushing on the screen. Basically, every key has a unique pitch, roll and yaw fingerprint that can be identified (see below). The accuracy varies from phone to phone — the HTC Evo 4G updates its orientation data every 30ms as opposed to 110ms for the Motorola Droid — but overall, the researchers managed to reach 71.5% accuracy for a 10-button keyboard (number pad). The missing 28.5% is made up of keys that are close together; the software (called TouchLogger, incidentally) can generally derive the right column or row for every key, but sometimes it just doesn’t have enough data to resolve the exact key.
A full QWERTY keyboard is obviously a lot harder to infer keystrokes from than a 10-button number pad, of course — but this is just an early proof of concept, and accuracy of 70% is more than enough to destroy the confidentiality of any data that you might type into your phone, anyway. Furthermore, the research paper goes on to note that larger devices, such as tablets, should be easier to keylog — and that both gyroscopes and cameras could be used to increase the resolution and accuracy of TouchLogger.
Finally, it’s important to note that this side channel isn’t just a security hole in Android: accelerometer and gyroscope data is available through the DeviceOrientation API, which is implemented by all modern desktop (and laptop) browsers, and Android 3.0 and iOS 4.2. In other words, this current exploit would require you to install TouchLogger on your Android phone — but in theory, someone could take the work of Chen and Cai, implement it in JavaScript, and then use it to steal your login details and credit card info when you surf the web.
This is quite interesting post seemed to me so I dont think so you have to worry about this hack as its not so accurate but you have to be aware of that thing :) Readers if you like this post do comment !!!!!!!
Awesome Post! Download Need for Speed Shift for PC - Full Version
ReplyDelete