In my university days, long before the days of tablets and smartphones, the computer labs were the usual place where people will congregate to do their assignments or basically kill time on the internet in between classes.
One day, my mates and I noticed how annoyingly loud some people type on their keyboards and out of sheer boredom, we decided we could come up with an algorithm to determine what a person was typing simply from recording the sound of the keystrokes from our vantage point. Taking that sound clip, we graphed it out and we proceeded to hash out each "stroke" based on how loud it was in relation to the distance of where we were from the keyboard + the angle of the keyboard.
I think it was in the book Spycatcher [0] that I recall there was a story of how English intelligence bugged a foreign embassy with a microphone and was able to figure out what they were typing on a typewriter by analyzing the sound of the keystrokes. That was way back in the 1950s I think, so the idea has been around for a while. The book has a lot of interesting details about spy technology at the time. In addition to all the juicy intelligence stories it's also a fun read from a security engineering point of view. The British government tried to ban it, which naturally triggered the Streisand effect and made it a best seller.
There is a paper from one of the guys who made RSA about that.
They can reconstitute private keys, by listening repeatedly to the sound the power supply of a laptop makes when encrypting/decrypting emails, from 5m away.
That reminds me—in elementary school, I used to figure out what someone was writing by listening to the sound of their pencil, sometimes by putting my head to the desk. It probably worked mainly because they were writing pretty slowly in large print, but I imagine you could come up with a software implementation as a useless gimmick if you had enough training data.
I’ve considered implementing this as a keyboard layout in Android, so you could put your phone on the desk and type by scratching a stylus or fingernail on the surface next to it.
Your office orders pizza every Tuesday at the same time, via a coworker's cell phone. You are working on a technology that has the potential to disrupt several leading industries that are in bed with the government. After much lobbying, it is decided one day that your call to Domino's is to be rerouted via your broadband processor to an operative that mirrors your order to the real Domino's, and hand delivers the pizza at the front desk.
On their way out, they place a small, embedded, self-destructable camera device that focuses on your fancy new plexiglass installment. Over the next few weeks, the device documents all keystrokes and conversations from the front desk, and finds a way to socially engineer a copy of your codebase. Next year, seemingly out of nowhere, another venture suddenly launches ahead of your launch schedule, with your exact business model. All because you wanted some plexiglass and didn't think it was worth the money to actively scan the entire perimeter for bugs daily.
If this sounds crazy and far-fetched to anyone, then it would behoove them to look into past CIA infiltration techniques and also to realize that this is exactly the kind of stuff the CIA exists to do.
> We demonstrate how an inactive or even a minimised web page, using JavaScript, is able to listen to and silently report the device motion and orientation data about a user who is working on a separate tab or a separate app on the device.
This is brilliant and well-explained.
On page 6 of the PDF, the authors include a breakdown of the leakages they found in each browser family. The two that were most significant to me are Chrome's "Active/Other" leak on iPhones and Safari's "Locked" leak. I believe this means that malicious JavaScript (1) on Google Chrome on an iPhone on an inactive tab, and (2) on mobile Safari while the screen is locked, can access tilt and motion data at a level of detail sufficient to deduce what the user is typing.
Accelerometer data could be used too, to figure out how long it took to move from one entry on a virtual keyboard to another, reducing the search space considerably.
This attack, and an annoyance that I see on Android from time to time, could be easily mitigated in Chrome if they would simply ship permissioning for access to hardware devices.
There is this annoying popup ad that infects the ad networks of a few websites that first smashes the history of the tab and then vibrates your phone and has a page with a bunch of red warning text telling you that you have a virus, your phone is "damaged", and trying to get you to download some crappy virus scamware.
No way in hell a random website should be able to make your phone vibrate without your permission, much less tell how it's moving with the accelerometer.
I've googled around a lot; there is NO WAY to disable this :/
Chrome will soon require an SSL cert in order for web services to use the device orientation API, which is a step in the right direction, but ultimately doesn't help in prevention.
I reduce predictability - and people peeking - by passing over already selected nodes and deactivating the visual tracing of the graph. I can draw my code in front of someone several times without them being able to unlock my phone :)
I saw an ATM before that scrambled the number pad on its touchscreen so the numbers were in a different position every time. Would that work to mitigate this attack?
There's an option to do this in many third party Android ROMs, which I personally take advantage of. I don't think it's really "terrible ux"; it hasn't been that hard to adjust to.
As a university project, I did something very similar, only using a malicious app. The app would monitor the device state, and record gyro data as soon as the screen was on, but the device was locked. We didn't have the time to properly implement a decent classifier, but the data collection was surprisingly effective.
How about not letting javascript run when the phone is locked? Heck, on my phone I'd be fine with not letting it run when the browser tab isn't active.
Also, I'm realizing that I've told people "you don't need to quit apps in iOS, it takes care of memory itself", but quitting browsers sounds like it is a good idea now.
Nice hack. I've been using my phone for less and less over the years, out of security concerns, since it's my 2fa device and I sometimes check email with it. After the Broadcom wifi thing I even stopped carrying it around. I guess it's past time to buy a dedicated 2fa device.
I thought you just make the keyboard random every stroke and the human has to pick the right next letter, so it's not predictable with a known pattern.
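The per-stroke scrambled PIN pad discussed in the two comments above (a fresh layout on every press, so a touch position no longer maps to a fixed digit), as an added JavaScript example that is not part of the thread. The names layoutFromEntropy, randomLayout and pinFromPositions are mine, and randomLayout assumes a platform crypto.getRandomValues (browser or Node 19+).

```javascript
// Added example (not from the thread): a per-keystroke scrambled PIN pad.
// The pad has 10 fixed touch positions (0..9); each press draws a fresh
// layout, so the sequence of touched positions alone does not reveal the PIN.

// Build one layout (the digit shown at each of the 10 positions) from raw
// entropy with an unbiased Fisher-Yates shuffle. `entropy` is a Uint8Array of
// random bytes; bytes that would introduce modulo bias are rejected, so pass
// more bytes than the 9 draws needed (32 is plenty).
function layoutFromEntropy(entropy) {
  const digits = [0, 1, 2, 3, 4, 5, 6, 7, 8, 9];
  let k = 0;
  for (let i = digits.length - 1; i > 0; i--) {
    const n = i + 1;                 // draw j uniformly from [0, n)
    const limit = 256 - (256 % n);   // reject bytes >= limit to avoid bias
    let b;
    do {
      if (k >= entropy.length) throw new Error("ran out of entropy");
      b = entropy[k++];
    } while (b >= limit);
    const j = b % n;
    [digits[i], digits[j]] = [digits[j], digits[i]];
  }
  return digits;
}

// Fresh layout from the platform CSPRNG (assumes globalThis.crypto exists).
function randomLayout() {
  const entropy = new Uint8Array(32);
  globalThis.crypto.getRandomValues(entropy);
  return layoutFromEntropy(entropy);
}

// Recover what the user actually entered from the positions they touched;
// layouts[i] is the layout that was on screen for press i.
function pinFromPositions(layouts, positions) {
  return positions.map((p, i) => String(layouts[i][p])).join("");
}

// Fixed layout (digit at a position never changes) versus per-press reshuffle:
// the same touch positions give the same PIN every time in the first case and
// an unrelated PIN in the second, which is what defeats position-based leaks.
function demo() {
  const fixed = layoutFromEntropy(new Uint8Array(32)); // all-zero entropy: one constant layout
  const positions = [3, 1, 4, 1];                       // constructed touch sequence
  const staticPin = pinFromPositions([fixed, fixed, fixed, fixed], positions);
  const scrambledPin = pinFromPositions(positions.map(() => randomLayout()), positions);
  return { staticPin, scrambledPin };
}
```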
edit: I like that "Obviously hackers wear hoodies..." hahaha, I like to wear a mask, and see as little as possible, while I mash on the keys hacking into the NSA.
edit: it's not funny though when you happen to see your server logs and you see various attempts to break in using wordpress-access attacks like forget the one xmlrc or something... I don't use Wordpress but man... gotta keep an eye on those logs. Also tracked one of the IPs, led to some site called BoltCloud, looks legit, with a login but... I don't know... not sure if you can bounce attacks from a server without that server's permission.
Sure, but you can't do that if you're a web page. This is about a malicious app or website listening to the accelerometer and gyro to determine what the user is typing on the keyboard into a separate app.
This is why I chose one that doubles back on itself in a non-obvious way. I've tested it by trying to teach people the password; it usually takes them quite a while to learn it, even when I do it really, really slowly and give them lots of tries.
For example, the bar for Men's shopping password length is 3x-4x longer than for Women's, but in reality the value (in tiny font) is only ~8% greater (the others are ~4% and ~10%).
> They said they'd told all the major tech companies, like Google and Apple, about the risks but no-one has been able to come up with an answer so far.
kinkora | 9 years ago
Fun times ensued. ;)
programd | 9 years ago
[0] https://en.wikipedia.org/wiki/Spycatcher
kakarot | 9 years ago
Some of us are even familiar with acoustic cryptanalysis [0].
However, combine these methods with this [1] tech, inspired by the work done here [2], and we have ourselves an impending crisis on our hands.
[0] Acoustic Cryptanalysis - https://courses.csail.mit.edu/6.857/2014/files/23-shroff-hu-...
[1] Extracting Audio From Visual Information - https://news.mit.edu/2014/algorithm-recovers-speech-from-vib...
[2] Eulerian Video Magnification - https://people.csail.mit.edu/mrub/papers/vidmag.pdf
maaaats | 9 years ago
The patterns are predictable, and can be further narrowed down if you know the hand they normally use.
dwighttk | 9 years ago
What use case am I not thinking of here?
reitanqild | 9 years ago
Saves a lot of CPU if I have Google search results in background tabs.
j_s | 9 years ago
Here is a helpful discussion including using the Yubikey Neo NFC with Android phones and alternatives to Yubikey: https://news.ycombinator.com/item?id=13635433
stefs | 9 years ago
finally!
tomglynch | 9 years ago
> They say they cracked four-digit pins with 70% accuracy on the first guess and 100% by the fifth guess.
I'd expect within a few months they could have 70% accuracy on the first guess for typing text/passwords.
cosinetau | 9 years ago
What about putting an end to tracking gestures?
avip | 9 years ago
> Based on a test set of fifty 4-digit PINs