{"id":17168,"date":"2019-12-11T11:10:04","date_gmt":"2019-12-11T19:10:04","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2019\/12\/11\/news-10904\/"},"modified":"2019-12-11T11:10:04","modified_gmt":"2019-12-11T19:10:04","slug":"news-10904","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2019\/12\/11\/news-10904\/","title":{"rendered":"The little-known ways mobile device sensors can be exploited by cybercriminals"},"content":{"rendered":"<p><strong>Credit to Author: Logan Strain| Date: Wed, 11 Dec 2019 17:51:03 +0000<\/strong><\/p>\n<p>The bevy of <a rel=\"noreferrer noopener\" aria-label=\"mobile devices (opens in a new tab)\" href=\"https:\/\/blog.malwarebytes.com\/101\/2018\/12\/all-the-reasons-why-cybercriminals-want-to-hack-your-phone\/\" target=\"_blank\">mobile device<\/a> sensors in modern smartphones and tablets make them more akin to pocket-sized laboratories and media studios than mere communication devices. Cameras, microphones, accelerometers, and gyroscopes give incredible flexibility to app developers and utility to mobile device users. But the variety of inputs also gives clever hackers new methods of bypassing conventional mobile security\u2014or even collecting sensitive information outside of the device. <\/p>\n<p>Anyone who is serious about security and privacy, both for themselves and for end users, should consider how these sensors create unique vulnerabilities and can be exploited by cybercriminals.<\/p>\n<p>Hackers of every hat color have been exploiting mobile device sensors for years. In 2012, <a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/www.pcworld.com\/article\/2010860\/PlaceRaider-app-lets-phone-camera-spy-on-people.html\" target=\"_blank\">researchers developed malware called PlaceRaider<\/a>, which used Android sensors to develop a 3D map of a user\u2019s physical environment. 
In 2017, <a href=\"https:\/\/www.huffpost.com\/entry\/are-the-sensors-in-your-phone-a-security-risk_b_5a4353fbe4b0df0de8b06784\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">researchers used a smart algorithm<\/a> to unlock a variety of Android smartphones with near complete success within three attempts, even when the phones had fairly robust security defenses.\u00a0<\/p>\n<p>But as updates have been released with patches for the most serious vulnerabilities, hackers in 2019 have responded by finding even more creative ways to use sensors to snag vulnerable data.<\/p>\n<h3>\u201cListening\u201d to passwords<strong><\/strong><\/h3>\n<p>Researchers were able to learn computer passwords by accessing the sensors in a <a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/www.pymnts.com\/news\/security-and-risk\/2019\/hackers-passwords-microphone\/\" target=\"_blank\">mobile device\u2019s microphone<\/a>. The Cambridge University and Linkoping University researchers created an <a href=\"https:\/\/blog.malwarebytes.com\/security-world\/2018\/03\/how-artificial-intelligence-and-machine-learning-will-impact-cybersecurity\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\"artificial intelligence (AI)  (opens in a new tab)\">artificial intelligence (AI) <\/a>algorithm that analyzed typing sounds. Out of 45 people tested, their passwords were cracked seven times out of 27. The technique was even more effective on tablets, which were right 19 times out of 27, inside of 10 attempts.<\/p>\n<p>\u201cWe showed that the attack can successfully recover PIN codes, individual letters, and whole words,\u201d the researchers wrote. Consider how easily most mobile users grant permission for an app to access their device\u2019s microphone, without considering the possibility that the sound of their tapping on the screen could be used to decipher passwords or other phrases. 
<\/p>\n<p>While this type of attack has never happened in the wild, it\u2019s a reminder for users to be extra cautious when allowing applications access to their mobile device\u2019s mic\u2014especially if the app\u2019s functionality has no clear need for it.<\/p>\n<h3>Eavesdropping without a microphone<strong><\/strong><\/h3>\n<p>Other analysts have discovered that hackers don\u2019t need access to a device\u2019s microphone in order to tap into audio. Researchers working at the University of Alabama at Birmingham and Rutgers University eavesdropped on audio played through an Android device\u2019s speakerphone with just the accelerometer, the sensor used to detect the orientation of the device. They found that sufficiently loud <a href=\"https:\/\/www.scmagazineuk.com\/android-phones-accelerometer-eavesdrop-audio-via-its-speakerphone\/article\/1591942\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">audio can impact the accelerometer<\/a>, leaking sensitive information about speech patterns. <\/p>\n<p>The researchers dubbed this capability \u201cspearphone eavesdropping,\u201d stating that threat actors could determine the gender, identity, or even some of the words spoken by the device owner using methods of speech recognition or reconstruction. Because accelerometers are always on and don\u2019t require permissions to operate, malicious apps could record accelerometer data and play back audio through speech recognition software. <\/p>\n<p>While an interesting attack vector that would be difficult to protect against\u2014restricting access or usage of accelerometer features would severely limit the usability of smart devices\u2014this vulnerability would require that cybercriminals develop a malicious app and persuade users to download it. Once on a user\u2019s device, it would make much more sense to drop other forms of malware or request access to a microphone to pull easy-to-read\/listen-to data. 
<\/p>\n<p>Since modern-day users tend to pay little attention to permissions notices or EULAs, the advantage of permission-less access to the accelerometer doesn\u2019t yet provide enough return on investment for criminals. However, we once again see how access to mobile device sensors for one functionality can be abused for other purposes.<\/p>\n<h3>Fingerprinting devices with sensors<strong><\/strong><\/h3>\n<p>In May, <a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/www.zdnet.com\/article\/android-and-ios-devices-impacted-by-new-sensor-calibration-attack\/\" target=\"_blank\">UK researchers announced they had<\/a> developed a fingerprinting technique that can track mobile devices across the Internet by using easily obtained factory-set sensor calibration details. The attack, called <a href=\"https:\/\/sensorid.cl.cam.ac.uk\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">SensorID<\/a>, works by using calibration details from the accelerometer, gyroscope, and magnetometer sensors to track a user\u2019s web-browsing habits. This calibration data can also be used to track users as they switch between browsers and third-party apps, hypothetically allowing someone to get a full view of what users are doing on their devices.<\/p>\n<p>Apple patched the vulnerability in iOS 12.2, while Google has yet to patch the issue in Android.<\/p>\n<h3>Avoiding detection with the accelerometer&nbsp;<strong><\/strong><\/h3>\n<p>Earlier this year, Trend Micro uncovered two <a href=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">malicious apps on Google Play that drop wide-reaching banking malware<\/a>. The apps appeared to be basic tools called Currency Converter and BatterySaverMobi. 
These apps cleverly used motion sensors to avoid being spotted as malware.\u00a0<\/p>\n<p>A device that generates no motion sensor information is likely an emulator or sandbox environment used by researchers to detect malware. However, a device that does generate motion sensor data tells threat actors that it\u2019s a true, user-owned device. So the malicious code only runs when the device is in motion, helping it sneak past researchers who might try to detect the malware in virtual environments. <\/p>\n<p>While the apps were taken down from Google Play, this evasive technique could easily be incorporated into other malicious apps on third-party platforms.<\/p>\n<h3>The mobile security challenges of the future<strong><\/strong><\/h3>\n<p>Mobile device sensors are especially vulnerable to abuse because no special permissions or escalations are required to access these sensors.&nbsp;<\/p>\n<p>Most end users are capable of using strong passwords and protecting their device with <a href=\"http:\/\/www.malwarebytes.com\/android\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\"anti-malware software (opens in a new tab)\">anti-malware software<\/a>. However, they probably don\u2019t think twice about how their device\u2019s gyroscope is being used.\u00a0<\/p>\n<p>The good news is that mobile OS developers are working to add security protections to sensors. <a href=\"https:\/\/developer.android.com\/about\/versions\/pie\/android-9.0-changes-all\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">Android Pie tightened security<\/a> by limiting sensor and user input data. Apps running in the background on a device running Android Pie can\u2019t access the microphone or camera. Additionally, sensors that use the continuous reporting mode, such as accelerometers and gyroscopes, don\u2019t receive events.<\/p>\n<p>That means that mobile security challenges of the future won\u2019t be solved with traditional cryptographic techniques. 
As long as hackers are able to access sensors that detect and measure physical space, they\u2019ll continue to exploit that easy-to-access data to secure the sensitive information that they want. <\/p>\n<p>As mobile devices expand their toolbox of sensors, that will create new vulnerabilities\u2014and yet-to-be discovered challenges for security professionals.<\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/iot\/2019\/12\/the-little-known-ways-mobile-device-sensors-can-be-exploited-by-cybercriminals\/\">The little-known ways mobile device sensors can be exploited by cybercriminals<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes Labs<\/a>.<\/p>\n<p><a href=\"https:\/\/blog.malwarebytes.com\/iot\/2019\/12\/the-little-known-ways-mobile-device-sensors-can-be-exploited-by-cybercriminals\/\" target=\"bwo\" >https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: Logan Strain| Date: Wed, 11 Dec 2019 17:51:03 +0000<\/strong><\/p>\n<table cellpadding='10'>\n<tr>\n<td valign='top' align='center'><a href='https:\/\/blog.malwarebytes.com\/iot\/2019\/12\/the-little-known-ways-mobile-device-sensors-can-be-exploited-by-cybercriminals\/' title='The little-known ways mobile device sensors can be exploited by cybercriminals'><img src='https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/12\/shutterstock_619717289.jpg' border='0'  width='300px'  \/><\/a><\/td>\n<\/tr>\n<tr>\n<td valign='top' align='left'>Mobile device sensors offer great utility to users\u2014from taking pictures and commanding voice assistants to determining which direction to flip your screen. 
However, they harbor little-known vulnerabilities that could be exploited by crafty cybercriminals.<\/p>\n<p>Categories: <\/p>\n<ul class=\"post-categories\">\n<li><a href=\"https:\/\/blog.malwarebytes.com\/category\/iot\/\" rel=\"category tag\">IoT<\/a><\/li>\n<\/ul>\n<p>Tags: <a href=\"https:\/\/blog.malwarebytes.com\/tag\/accelerometer\/\" rel=\"tag\">accelerometer<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/android\/\" rel=\"tag\">Android<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/camera\/\" rel=\"tag\">camera<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/google\/\" rel=\"tag\">Google<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/gyroscope\/\" rel=\"tag\">gyroscope<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/internet-of-things\/\" rel=\"tag\">Internet of Things<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/ios\/\" rel=\"tag\">iOS<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/iot\/\" rel=\"tag\">IoT<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/iphone\/\" rel=\"tag\">iPhone<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/microphone\/\" rel=\"tag\">microphone<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/mobile\/\" rel=\"tag\">Mobile<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/mobile-device-sensors\/\" rel=\"tag\">mobile device sensors<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/mobile-devices\/\" rel=\"tag\">mobile devices<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/mobile-phone\/\" rel=\"tag\">mobile phone<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/mobile-phones\/\" rel=\"tag\">mobile phones<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/mobile-security\/\" rel=\"tag\">mobile security<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/mobile-sensors\/\" rel=\"tag\">mobile sensors<\/a><\/p>\n<table width='100%'>\n<tr>\n<td align=right>\n<p><b>(<a 
href='https:\/\/blog.malwarebytes.com\/iot\/2019\/12\/the-little-known-ways-mobile-device-sensors-can-be-exploited-by-cybercriminals\/' title='The little-known ways mobile device sensors can be exploited by cybercriminals'>Read more&#8230;<\/a>)<\/b><\/p>\n<\/td>\n<\/tr>\n<\/table>\n<\/td>\n<\/tr>\n<\/table>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/iot\/2019\/12\/the-little-known-ways-mobile-device-sensors-can-be-exploited-by-cybercriminals\/\">The little-known ways mobile device sensors can be exploited by cybercriminals<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes Labs<\/a>.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10488,10378],"tags":[22426,10462,13896,1670,23699,6269,10480,10495,8826,21243,10554,23700,11092,22086,18448,10463,23701],"class_list":["post-17168","post","type-post","status-publish","format-standard","hentry","category-malwarebytes","category-security","tag-accelerometer","tag-android","tag-camera","tag-google","tag-gyroscope","tag-internet-of-things","tag-ios","tag-iot","tag-iphone","tag-microphone","tag-mobile","tag-mobile-device-sensors","tag-mobile-devices","tag-mobile-phone","tag-mobile-phones","tag-mobile-security","tag-mobile-sensors"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/17168","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/
comments?post=17168"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/17168\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=17168"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=17168"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=17168"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}