In the jungle of sensors and components that lives under the casing of modern mobiles, the accelerometer is practically the goofy sister. With the GPS system recording our location, the camera turned into a window into our lives and the internet connection putting us within reach of a world of cyber threats, who is going to worry about protecting the sad sensor that measures force and acceleration? that apply when moving the device? So secondary is its role that the applications we install on the phone do not even require specific permissions to access it. But the risk exists: from the vibrations recorded by the accelerometer, the identity of the speakers and even the content of the conversation can be inferred.
This has been verified by a team of researchers from the SPIES Lab, University of Alabama at Birmingham, with the collaboration of WINLAB, Rutgers University. The attack they have designed, dubbed Spearphone, collects the impact of speaker reverberations on the accelerometer and processes them with machine learning techniques to extract sensitive information such as the speaker’s gender or identity. In addition, they applied language recognition and reconstruction techniques to extract more information from the conversation. And all this without requiring access to the microphone, which would need an explicit permission. Why is the accelerometer so easy to access? The normal thing is that this component does not handle sensitive information, its measurements are used to implement secondary functions such as adjusting the orientation of the screen or counting steps.
“We focus on the privacy of the conversation because many cell phones and other smart devices are controlled by voice,” explains Abishek Anand, one of the study leaders. “We focus particularly on the smartphones for its massive use and the growing number of high precision sensors that they incorporate ”. In addition to the use of the hands-free in phone calls and our interactions with voice assistants, another scenario susceptible to being spied on is the reproduction of voice notes sent by instant messaging.
Converting an ordinary accelerometer into an intrusive accelerometer is not easy, since it requires technical knowledge to obtain and exploit the sensor measurements. But, the researchers warn, it’s not that complicated: To prove it, they limited themselves to using pre-designed techniques, such as standard classification algorithms, that don’t require a lot of training or large computing resources. This means that the attack is accessible even to low-level attackers. “Additionally, we use an open source machine learning tool (Wenka), which requires very little code to be written from the attacker’s perspective.”
How does Spearphone work? In the scenario proposed by the researchers, the attackers would be able to access the information collected by the motion sensors by tricking the victim into installing a malicious application that would then be activated in the speaker usage scenarios. The sound of these would then travel through the components of the phone and generate different measurements on the accelerometer. This data would go to the spy who would have to process it to extract information about his victims. As was found during the experiment, the earpiece we use in calls without a speakerphone is not exposed, since it does not generate reverberations strong enough to impact the accelerometer. Along the same lines, the researchers found that the gyroscope, another of the sensors built into the phone, is not so promising for an attack of this type.
The ruse was tested on four devices, with different surfaces and volumes and in different use scenarios with acceptable results. “Our work has shown that using prefabricated tools allows us to obtain the gender, the identity of the speaker and partially reconstruct the dialogue. It would be expected that a more personalized technique to extract information from the speech would allow a complete reconstruction and lead to a very serious privacy violation, ”the researchers warn.
It is not the first time that secondary sensors have been identified as a potential vector of attacks on privacy. Other studies have exposed the possibility of collecting the vibrations generated by the keystrokes on touch keyboards to interpret what is being typed. And, outside of the multimedia mobile phone market, Mitsubishi Electric has been working on a security sensor that prevents attacks targeting the accelerometers of cars or drones.
The mere existence of such attacks, the researchers emphasize, is a symptom of the lax security policies applied to these sensors. “Apple has been implementing stricter access policies and Google has been working to better inform users of the privileges that applications installed on Android have,” they clarify. “However, it is necessary to strike a balance between usability and security.” One of the measures they propose to neutralize the threat of Spearphone without great sacrifices in the user experience is to design the motion sensors so that they are isolated from the vibrations that are generated in the rest of the device, leaving the accelerometer capable of performing its tasks. functions but impervious to sound vibrations and essentially deaf as a wall.