Decoding Vibrations From Nearby Keyboards Using Mobile Phone Accelerometers (7)

7. DISCUSSION

7.1 Recognition versus Distance

Our experiments thus far have been conducted with the mobile phone located within two inches of the targeted keyboard. We believe that this is reasonable given the dimensions of most desks and the assumption that many users will wish to have their mobile phone within reach while working at their computer. However, our analysis would not be complete without an understanding of how increasing the distance between the phone and its target impacts recovery.

As expected, even small increases in distance dramatically reduce the effectiveness of this attack. Between absorption and attenuation of signal based on the Inverse Square Law, our accuracy drops rapidly at a distance of one foot. Distinguishing keystrokes from noise at two feet is extremely difficult, effectively disrupting the attack. Beyond this range, our mechanism quickly approaches random guessing as the received signals are simply too small to meaningfully distinguish between. As we discuss in one of the following subsections, this simple observation functions as a powerful mitigation to these attacks.

Due to the low sensitivity of the accelerometer, the distance limitation is a difficult problem to overcome. Environmental factors, such as the surface characteristics of the desk (discussed further in the following section), add more complexity to this challenge. In the wrong conditions, even a small increase in distance could completely inhibit the attack, while good conditions could facilitate keystroke recognition from well over a distance of one foot. Because of variable environmental conditions, we can only guarantee proper functionality within one foot.

7.2 Challenges and Limitations

We examined three additional challenges that could be encountered with this application. Our first potential challenge relates to the orientation of the monitoring device. In all of our experiments, we positioned the mobile device vertically to the left of the keyboard, as shown in Figure 1. However, if this orientation were to change, the vibrations measured for the same keystrokes would be captured differently on the device’s x and y axes. On first review, this would seem to cause errors in accuracy. The first strategy for compensating for a change in orientation would be to simply re-train the neural network to identify keystrokes coming from a device in the new orientation. However, according to prior work [42], the neural network does not have to be retrained in this manner. Instead, the keystrokes could potentially be identified based on measuring their frequency. By using this technique to analyze vibrations captured by the mobile device in any orientation, we believe that we can produce similar results regardless of the orientation of the mobile device. We plan to explore this issue in future work.

The second potential challenge we considered was ambient vibrations. There is a plethora of possible scenarios where vibrations in the environment around the device could potentially garble the keystroke information being collected. Some of these vibrations could be subtle or consistent enough that our application would be able to distinguish keystroke information from the ambient noise. For example, if an office is adjacent to an air conditioning unit, a consistent vibration could potentially be detected and filtered out.

However, other more obtrusive possibilities also exist. In skyscrapers, the movement of the building itself could be detected, causing periodic interference with keystroke detection. Users who bounce their knee or habitually tap on their desk would also send significant vibrations into the device, again causing a loss of pertinent data. This problem, although not common in most work environments, still merits further consideration with regards to the overall accuracy of this attack. Typing speed is also likely to pose a problem to some recovery scenarios. Like previous studies [3], we limited the rate at which we typed so that easily distinguishable characters could be recorded and a proof of concept implementation of the attack created. However, some users that type very fast are likely to cause problems to the current Data-Collector. The problems arising from such behavior are not likely to be a result of keypresses overlapping - each keypress lasts roughly 100 ms and a user typing a key every 100 ms would be able to type approximately 120 words per minute (i.e., the extreme high range for professional typists [4]). Instead, the rapid movement of hands on the surface is likely to cause additional noise, potentially making recognition more difficult. We intend to study this issue in greater depth in our future work.

The final challenge we considered was desk surface characteristics. The capability of an accelerometer to detect vibrations in a desk is directly dependent on the surface’s ability to amplify or dampen these vibrations. In all of our experiments, we recorded keystrokes on the most common desk surface, wood. To begin to answer the question of the impact of surface characteristics on accuracy, we performed additional experiments on a ceramic tile surface. As would be expected from a rigid surface, keystroke vibrations on ceramic tile were not carried to the device at all, completely inhibiting the use of our application. The extent of this limitation to other surfaces, such as metal or plastic, merits some further consideration. However, we consider vibration-inhibiting surfaces such as tile to be minor special cases when evaluating the overall usefulness of our application.

7.3 Mitigation Strategies

The attack discussed in this paper demonstrates the need for careful thinking about how the array of sensors now available to mobile phones can be accessed. While access to the most obvious candidates for information leakage (e.g., camera, microphone, GPS) is increasingly being protected, we have shown that access to seemingly innocuous sensor data can result in the accurate recovery of potentially sensitive data. As a result, we now offer a number of short and long term mitigation strategies and mechanisms to address these problems.

The simplest mechanism is to prevent mobile phones from coming too close to keyboards. Some businesses and many government buildings already forbid their employees from carrying such devices on the premises. However, such an approach may be too restrictive for most corporate and home environments, especially given the common and legitimate use of mobile phones in these settings. Alternatively, a party concerned about such eavesdropping can place their mobile phone in a briefcase, backpack or handbag which they regularly carry. Finally, a user may simply place their mobile device on a separate surface. As our experiments have demonstrated, the accelerometers contained in mobile phones at the time of this writing are not nearly sensitive enough to detect and uniquely identify keypress-generated vibrations.

In the long term, mobile device operating systems should provide finer-grained control over their resources. It is likely that attacks using other unregulated sensors in unintended ways will be possible on these platforms. Such access need not simply be all-or-nothing in this particular case. Instead, we can limit the sampling rate to take advantage of the information theoretic lower bounds for avoiding aliasing based on the Nyquist-Shannon sampling theorem [33]. Specifically, an observed signal must be sampled at the Nyquist rate, at least two times the rate of the highest frequency, to prevent signals from becoming indistinguishable from each other.

From our experiments, we determined that the highest observed frequency in our dataset was approximately 15 Hz. Accordingly, by providing all applications with less than 30 Hz resolution to accelerometer data by default, such attacks become theoretically impossible. This approach will be particularly successful for applications such as text editors which are likely to only use accelerometer data to rotate the contents of the screen based on the user turning their phone. However, the use of a decreased sampling rate may not be appropriate for applications such as games which may require more accurate measurements of movement (e.g., driving games in which the car is steered by rotating the phone). These applications should instead be given explicit access to a high-sampling permission, much as applications for Android can be written for fine and coarse-grained GPS access [2].
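The sampling-rate mitigation above can be checked numerically. The following is an added example, not code from the paper: the 100 Hz native rate, the 20 Hz default cap and the `gate` function (standing in for an OS-side permission check) are assumptions chosen for illustration, and the tones are constructed inputs.

```python
import math

NATIVE_HZ = 100.0      # assumed native accelerometer rate (constructed)
DEFAULT_CAP_HZ = 20.0  # assumed default cap, below the 30 Hz bound in the text


def sample_tone(freq_hz, rate_hz, seconds=2.0):
    """Constructed input: a pure vibration tone sampled at rate_hz."""
    n = int(rate_hz * seconds)
    return [math.cos(2 * math.pi * freq_hz * k / rate_hz) for k in range(n)]


def gate(samples, native_hz, has_high_rate_permission):
    """Hypothetical OS-side gate: full rate only with the explicit permission.

    Other apps receive every Nth sample, so their effective rate is at or
    below DEFAULT_CAP_HZ. Returns (samples, effective_rate_hz).
    """
    if has_high_rate_permission:
        return list(samples), native_hz
    step = math.ceil(native_hz / DEFAULT_CAP_HZ)
    return samples[::step], native_hz / step


def dominant_frequency(samples, rate_hz):
    """Frequency (Hz) of the strongest non-DC bin of a plain DFT."""
    n = len(samples)
    best_bin, best_power = 0, -1.0
    for b in range(1, n // 2 + 1):
        re = sum(s * math.cos(2 * math.pi * b * k / n) for k, s in enumerate(samples))
        im = sum(s * math.sin(2 * math.pi * b * k / n) for k, s in enumerate(samples))
        if re * re + im * im > best_power:
            best_bin, best_power = b, re * re + im * im
    return best_bin * rate_hz / n


def view(freq_hz, has_high_rate_permission):
    """What an app observes for a tone of freq_hz: its dominant frequency."""
    delivered, rate = gate(sample_tone(freq_hz, NATIVE_HZ), NATIVE_HZ,
                           has_high_rate_permission)
    return dominant_frequency(delivered, rate)


if __name__ == "__main__":
    print("privileged app, 15 Hz tone:", view(15.0, True))
    print("default app,    15 Hz tone:", view(15.0, False))
    print("default app,     5 Hz tone:", view(5.0, False))
```

With the cap in place, the 15 Hz tone and a genuine 5 Hz tone produce the same sample sequence for an unprivileged app, which is the indistinguishability the Nyquist argument relies on.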

8. CONCLUSION

Mobile phones contain an array of powerful sensors. While access to many of the most obvious sources of information is generally restricted, the use of a number of other seemingly innocuous sensors is not. In this paper, we demonstrate that unfettered access to accelerometer data allows a malicious application to recover and decode the vibrations caused by keypresses on a nearby keyboard. By characterizing consecutive pairs of keypress events, we demonstrate the ability to recover as much as 80% of typed content. We then provide a number of short and long term mitigation strategies. In so doing, we demonstrate that access to increasingly capable sensors by applications running on mobile phones must be more carefully regulated.

http://diqirenge.bloguez.com/diqirenge/6015029/Decoding_Vibrations_From_Nearby_Keyboards_Using_Mobile_Phone_Accelerometer
