You might never imagine how unreliable your smartphone can be. Without your knowledge and without any system authorization, your voice conversations can be monitored by malicious attackers through an inconspicuous phone component, the accelerometer, which picks up the sound vibrations emitted by the speaker. What's even more frightening is that the attacker's success rate could theoretically be as high as 90%.

How does the accelerometer betray your information?

Recently, at the top international information security conference, the Network and Distributed System Security Conference (NDSS 2020), a paper was published presenting the latest research results from Professor Ren Kui's team from the School of Cyberspace Security of Zhejiang University, McGill University in Canada, and the University of Toronto. The results show that smartphone apps can use the phone's built-in accelerometer to collect vibration signals from the phone's speaker without the user's knowledge or system authorization, thereby eavesdropping on the user's voice. Surprisingly, this type of wiretapping does not violate current regulatory rules.

The accelerometer is a common sensor in current smartphones that measures acceleration. It is usually composed of a mass block, a damper, an elastic element, a sensitive element, and an adaptive circuit. During acceleration, the sensor measures the inertial force on the mass block and uses Newton's second law to obtain the acceleration value. The data it returns is the phone's current acceleration along the x, y, and z axes. In everyday mobile applications, acceleration sensors are usually used to measure speed, count steps, and so on. In general perception, therefore, they do not seem to be associated with sensitive information such as calls, text messages, and address books, and apps can obtain a smartphone's acceleration data without obtaining user authorization.
This leaves criminals with an opportunity to take advantage. The research team found that because the motion sensors and the speaker are mounted on the same motherboard and are located very close to each other, the voice signals emitted by the speaker will always have a significant impact on motion sensors such as gyroscopes and accelerometers, no matter where and how the smartphone is placed (for example, on a table or in the hand). Specifically, the vibration caused by the voice signal is picked up by the accelerometer and produces a reading. The attacker can analyze these vibration-induced readings with a deep learning algorithm to extract the key information and even restore the sound signal played by the speaker.

In the paper, this attack method is named AccelEve (Accelerometer Eavesdropping): a new type of "side channel" smartphone eavesdropping attack that applies deep learning to accelerometer signals. Through deep learning algorithms, the research team achieved two major types of eavesdropping attack: speech recognition and speech restoration.

For speech recognition, the researchers used a recognition model called "hot word search". They tested it with 200 short sentences from four volunteers (two men and two women), each sentence including one to three information-sensitive words, such as passwords, user names, social information, security information, numbers, email addresses, and card numbers, and found that the recognition rate of this model was as high as 90%. Even in noisy environments, the recognition rate can reach 80%.

In addition, the research team used a "reconstruction model" to perform speech restoration. The experimental results showed that when volunteers listened to the reconstructed speech (containing information-sensitive words), they were able to distinguish the sensitive information it contained very well.
Leifeng.com noted that, in order to test the effect in actual scenarios, the researchers also conducted an attack experiment based on a real-world scenario in the paper. In this experiment, the victim asked for a password over a phone call, and the goal was to use the accelerometer of the victim's mobile phone to locate and identify the password in the conversation. The results showed that, across 240 conversation tests, the password was successfully located and identified more than 85% of the time.

It can be seen that, with the support of specific technologies, it has become very easy to use accelerometers to steal personal information. Of course, since the technique uses deep learning algorithms, higher accuracy can naturally be achieved when more data is obtained; but in fact, for criminals, an accuracy rate of more than 80% is enough.

In an interview with a reporter from Southern Metropolis Daily, Professor Ren Kui said: From the perspective of criminals, their goal is not to restore the human voice 100%; as long as the sensitive information in it can be extracted by the attacker, it is enough to generate potential benefits, right? It can be said that there is no cost for attackers to monitor users.

In addition to the accelerometer, be careful about the gyroscope in your phone

It should be noted that the accelerometer is not the only mobile phone sensor that can be exploited by criminals. In fact, the gyroscope can also be used to cause trouble.

In April 2017, a research team from Newcastle University in the UK showed that a large number of sensors in smartphones could potentially leak private personal information, and that a four-digit PIN could even be identified from the gyroscope's tilt angle information, with a cracking rate of up to 100% after five repeated attempts.

Gyroscopes are also called angular velocity sensors. They differ from accelerometers (G-sensors) in that they measure the angular velocity of rotation during deflection and tilt. Accelerometers cannot measure or reconstruct complete 3D movements; they can only detect linear movement along an axis. Gyroscopes, however, can measure rotation and deflection very well, so that the actual movements of the user can be accurately analyzed and determined.

On mobile phones, the gyroscope measures the angular velocity of deflection, tilt and other movements, allowing the player to control a game character's field of view and direction by hand. It can also be used for camera stabilization and to assist GPS with inertial navigation. In essence, it uses the Coriolis force to produce tiny changes in internal capacitance, and then measures the capacitance to calculate the angular velocity.

In their research, the British team used data on the changes in the phone's tilt that are generated when the user presses the screen. Because the positions of the digits 123456789 are fixed, they can use this to work out the 4-digit PIN code. Of course, the premise is that malicious code has been implanted on the website. After the user actually authorizes the acquisition of information, the sensor data can be obtained without the user's knowledge.

It is worth mentioning that, in the process of deciphering the data to crack the password, the accuracy rate of the first attempt was 74%, and the password could be cracked 100% of the time after five attempts. The main difficulty of this method is that it requires accurate knowledge of the user's current movement mode and data acquisition.

However, it should be noted that it is not so easy to obtain gyroscope information. The 74% recognition rate mentioned here is based on training the cracking program hundreds of times.
Of course, the research on voice eavesdropping through mobile phone accelerometers also relies to a certain extent on the deep learning model proposed in the paper, which is itself a matter with a high technical threshold. After all, it is extremely difficult for criminals to carry out such eavesdropping in real scenarios.

Despite this, Leifeng.com believes that many studies on smartphone security still fully demonstrate how vulnerable smartphones are when it comes to protecting personal information; even at the sensor level, which seems to have nothing to do with personal privacy, there are many security loopholes that are easily overlooked.

As Professor Ren Kui said, the discovery of this new attack path and technique can make more people pay attention to the security of mobile sensors, study and investigate mobile phone security vulnerabilities in both software and hardware, and reduce the national security and socio-economic losses caused by information leakage.

After all, when it comes to the security of your personal information, you can never be too careful.