Spying and violation of privacy are topics that never seem to be out of the headlines these days. Stories about mobile malware being used by governments and law enforcement agencies to spy on people (Finfish), smartphones coming off the production line with spyware preinstalled (Android.Uupay), or stories about cameras and microphones on smartphones being used for spying are all fairly common. Many spyware programs rely on data gathered from a device’s onboard sensors such as the microphone, camera, and GPS. However, there is one sensor that has perhaps been overlooked and, unlike those already mentioned, this one can be accessed by applications and even websites with comparative ease. That sensor is the gyroscope found in most smartphones, and it is used for measuring the phone’s orientation.
The data gathered by the gyroscope is used for things such as adjusting the screen from the vertical to the horizontal view, image stabilization, and many motion-based games. However, another less conventional use for this sensor has been discovered.
Researchers have been able to use the gyroscope sensors found in smartphones to eavesdrop on conversations. The gyroscope sensors are made up of a small vibrating plate on a chip that works by detecting changes caused by the Coriolis effect. However, the tiny plate can also detect minute air vibrations such as those caused by sound.
The researchers, Yan Michalevsky, Dan Boneh, and Gabi Nakibly, created a custom speech recognition program called Gyrophone to decipher the unintelligible noise picked up by the sensor and turn it into actual words. To try out their program, the researchers tested its ability to decipher gyroscope-recorded speech by having a single person in the same room as the mobile device say the digits one to ten as well as the vowel O, as this would mimic someone reciting their payment card details for example. The program could identify around 65 percent of the speech picked up and could also tell whether the speaker was male or female with up to 84 percent accuracy. It could also identify individual speakers out of a group of five with up to 65 percent accuracy. The researchers said that the accuracy could be vastly improved with better speech recognition software.
“The point is that there’s acoustic information being leaked to the gyroscope. If we spent a year to build optimal speech recognition, we could get a lot better at this. But the point is made,” said Dan Boneh, a computer security professor at Stanford.
So what does this mean for mobile users who just want their gyroscope to instinctively switch their screen from landscape to portrait and keep its nose out of their conversations? As yet, you don’t have too much to worry about, as the researchers themselves admitted that the technique has a long way to go before it can match the snooping capabilities of a device’s microphone. The team said they merely wanted to demonstrate that this type of eavesdropping is possible but, as is proven time and again, technology can move pretty quickly, especially when it comes to taking advantage of something like this.
Granting access to sensors can sometimes be risky. Mobile users are warned on a regular basis to be suspicious of apps that unnecessarily require permission to use their device’s microphone. However, unlike the smartphone’s microphone, the gyroscope sensor can be accessed much more easily without requiring any permissions on iOS or Android devices.
Google has stated that it is aware of the study and said that the research should allow it to develop defenses before there is any likelihood of real exploitation.
One way in which protection could be put in place to prevent the gyroscope being used for audio snooping is to limit the rate at which data can be read from the gyroscope. Human speech ranges from 80 to 250 hertz, and the Android operating system allows data from the gyroscope sensor to be read at 200 hertz, meaning that the majority of voices can be picked up using the technique discussed in this research. Apple’s mobile operating system iOS limits the reading of the sensor to 100 hertz, severely limiting the opportunity for eavesdropping as the majority of human speech registers above this level. According to the researchers, if an attacker wanted to listen in on an Android device, all they would need to do is trick the user into visiting a malicious website using Firefox, as this browser allows sites to read data from the sensor at the full 200 hertz. However, both Chrome and Safari limit sites to 20 hertz.
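The rate-limiting defence described above, as an added example that is not from the article or the researchers: it runs a constructed 200 hertz signal (1 hertz hand motion plus an 83 hertz tone, both assumed values) through two ways of capping delivery at 20 hertz, one that drops readings and one that averages them first with a simple moving-average low-pass filter. Dropping readings leaves the tone in the capped stream at a folded-down frequency, while averaging attenuates it and keeps the slow motion that screen rotation depends on.

```python
import math

SOURCE_HZ = 200   # Android gyroscope read rate quoted in the article
CAPPED_HZ = 20    # per-site cap the article gives for Chrome and Safari

def gyro_stream(tone_hz, seconds=2.0, rate_hz=SOURCE_HZ):
    """Constructed signal: 1 Hz hand motion plus a weak acoustic-band tone."""
    return [math.sin(2 * math.pi * 1.0 * k / rate_hz)
            + 0.2 * math.sin(2 * math.pi * tone_hz * k / rate_hz)
            for k in range(int(rate_hz * seconds))]

def cap_by_dropping(samples, factor):
    """Rate cap that keeps every factor-th reading; higher tones fold down."""
    return samples[::factor]

def cap_with_lowpass(samples, factor):
    """Rate cap that averages each block of readings before delivering one."""
    return [sum(samples[i:i + factor]) / factor
            for i in range(0, len(samples) - factor + 1, factor)]

def folded_frequency(tone_hz, rate_hz):
    """Frequency at which a tone appears once sampled at rate_hz."""
    f = tone_hz % rate_hz
    return min(f, rate_hz - f)

def amplitude_at(samples, freq_hz, rate_hz):
    """Single-bin DFT: amplitude of the freq_hz component of samples."""
    re = sum(s * math.cos(2 * math.pi * freq_hz * k / rate_hz)
             for k, s in enumerate(samples))
    im = sum(s * math.sin(2 * math.pi * freq_hz * k / rate_hz)
             for k, s in enumerate(samples))
    return 2 * math.hypot(re, im) / len(samples)

def compare_caps(tone_hz=83):
    """Return (folded Hz, tone left after dropping, after low-pass, motion kept)."""
    factor = SOURCE_HZ // CAPPED_HZ
    raw = gyro_stream(tone_hz)
    folded = folded_frequency(tone_hz, CAPPED_HZ)
    dropped = cap_by_dropping(raw, factor)
    smoothed = cap_with_lowpass(raw, factor)
    return (folded,
            amplitude_at(dropped, folded, CAPPED_HZ),
            amplitude_at(smoothed, folded, CAPPED_HZ),
            amplitude_at(smoothed, 1.0, CAPPED_HZ))

if __name__ == "__main__":
    folded, leak_drop, leak_lp, motion = compare_caps()
    print(f"83 Hz tone appears at {folded} Hz in the capped stream")
    print(f"tone amplitude: dropping={leak_drop:.3f}, low-pass={leak_lp:.3f}")
    print(f"1 Hz motion amplitude after low-pass: {motion:.3f}")
```

A moving average is only a modest low-pass filter; the point for anyone implementing a sensor rate cap is that filtering has to happen before readings are discarded.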
This isn’t the first time sensors, which at first wouldn’t be considered a risk to privacy, have been shown to be exploitable for potentially malicious actions. Mobile device accelerometers have been used in the past to construct a unique hardware fingerprint that can be used for de-anonymizing devices on a network or even deciphering what is being typed on a nearby keyboard. Sensors, by definition, are designed to receive data and in today’s world data is something that is highly desired. As such, the manufacturers and developers of the technology we use, as well as the end users, need to be aware of what data is being collected and by which sensors, regardless of what the sensor was originally designed for.
The research, entitled Gyrophone: Recognizing Speech From Gyroscope Signals, was carried out by Stanford University’s Computer Science Department and Israel’s Rafael National Research and Simulation Center and was presented at this year’s USENIX Security Symposium.