A smartphone’s gyroscopes can serve as a crude microphone for a bad guy to listen in on, researchers said.
“While the privacy risks associated with some sensors like a microphone (eavesdropping), camera or GPS (tracking) are obvious and well understood, some of the risks remained under the radar for users and application developers,” said researchers Yan Michalevsky and Dan Boneh of the Computer Science Department at Stanford University and Gabi Nakibly of the National Research & Simulation Center at Rafael Ltd. in a paper.
“In particular, access to motion sensors such as gyroscope and accelerometer is unmitigated by mobile operating systems. Namely, every application installed on a phone and every web page browsed over it can measure and record these sensors without the user being aware of it,” the researchers said.
Gyroscopes measure a mobile device’s orientation, and the data they provide is crucial for camera apps and certain types of games to work properly. But gyroscopes found on modern smartphones are also sensitive enough to measure acoustic signals in the vicinity of the phone (speech, ambient noises).
The researchers found a way to extract information from gyroscope measurements and, by using automatic speech recognition, they managed to “translate” it into sounds and speech.
Most human voices have a fundamental frequency from 85 to 255 Hz. The researchers' test results come from Android devices, as the OS (currently) imposes a gyroscope sampling rate of 200 Hz, which allows the app called Gyrophone, created by the researchers, to capture "a large fraction of the interesting frequencies."
The iPhone's sensors, on the other hand, end up limited to frequencies below 100 Hz, so it is difficult to capture enough data.
The researchers said the results they achieved are not good enough to present a threat at this moment, but they also noted improving the speech recognition algorithms could lead to better and even usable results in the future.
Luckily, there is a simple way for mobile OS manufacturers to shut down this particular attack vector: Filter the raw samples provided by the gyroscope and limit them, for example, to 20 Hz.
“In case a certain application requires an unusually high sampling rate, it should appear in the list of permissions requested by that application, or require an explicit authorization by the user,” they said. “To defend against attackers who gain root access, this kind of filtering should be performed at the hardware level.”
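The mitigation described above (low-pass filtering the raw gyroscope samples to about 20 Hz before any app sees them), as an added illustration that is not from the paper or this article: a windowed-sinc FIR filter in Python run over a constructed 200 Hz sample stream. The filter length (81 taps) and the test tones (a 5 Hz hand-motion component and a 90 Hz speech-band vibration) are assumptions chosen for the demonstration.

```python
import math

FS_HZ = 200.0      # Android gyroscope sampling rate cited above
CUTOFF_HZ = 20.0   # cutoff the researchers propose for the OS-level filter
NUM_TAPS = 81      # filter length (assumed; trades sharpness against latency)

def design_lowpass(cutoff_hz=CUTOFF_HZ, fs_hz=FS_HZ, num_taps=NUM_TAPS):
    """Windowed-sinc (Hamming) FIR low-pass; taps are normalised to unit DC gain."""
    fc = cutoff_hz / fs_hz          # cutoff in cycles per sample
    m = num_taps - 1
    taps = []
    for k in range(num_taps):
        n = k - m / 2               # centred index; integer-valued because num_taps is odd
        sinc = 2 * fc if n == 0 else math.sin(2 * math.pi * fc * n) / (math.pi * n)
        window = 0.54 - 0.46 * math.cos(2 * math.pi * k / m)
        taps.append(sinc * window)
    total = sum(taps)
    return [t / total for t in taps]

def apply_filter(taps, samples):
    """Causal FIR convolution; returns only the fully overlapped ('valid') region."""
    n = len(taps)
    return [sum(taps[k] * samples[i - k] for k in range(n))
            for i in range(n - 1, len(samples))]

def gain_at(taps, freq_hz, fs_hz=FS_HZ):
    """Magnitude of the filter's frequency response at freq_hz."""
    re = sum(t * math.cos(2 * math.pi * freq_hz * k / fs_hz) for k, t in enumerate(taps))
    im = sum(t * math.sin(2 * math.pi * freq_hz * k / fs_hz) for k, t in enumerate(taps))
    return math.hypot(re, im)

def tone_amplitude(samples, freq_hz, fs_hz=FS_HZ):
    """Amplitude of the sinusoid at freq_hz in samples (single-bin DFT estimate)."""
    re = sum(x * math.cos(2 * math.pi * freq_hz * i / fs_hz) for i, x in enumerate(samples))
    im = sum(x * math.sin(2 * math.pi * freq_hz * i / fs_hz) for i, x in enumerate(samples))
    return 2 * math.hypot(re, im) / len(samples)

def constructed_gyro_stream(seconds=3.0, fs_hz=FS_HZ):
    """Constructed input: slow hand motion at 5 Hz plus a 90 Hz speech-band vibration."""
    return [math.sin(2 * math.pi * 5 * i / fs_hz) + 0.5 * math.sin(2 * math.pi * 90 * i / fs_hz)
            for i in range(int(seconds * fs_hz))]

def demo():
    taps = design_lowpass()
    raw = constructed_gyro_stream()
    filtered = apply_filter(taps, raw)
    return {"raw_5hz": tone_amplitude(raw, 5), "raw_90hz": tone_amplitude(raw, 90),
            "filtered_5hz": tone_amplitude(filtered, 5), "filtered_90hz": tone_amplitude(filtered, 90)}
```

Running `demo()` shows the 5 Hz motion component passing almost unchanged while the 90 Hz component is attenuated by roughly two orders of magnitude, which is the property a motion API can keep while denying the speech band.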