Arstechnica

Android trojan steals keystrokes using phone movements


By Dan Goodin | Published April 23, 2012 5:05 PM

An overview of the TapLogger attack.

Computer scientists have devised an attack that logs phone numbers, Social Security IDs, and personal identification numbers entered into smartphones by monitoring the devices' integrated motion sensors.

TapLogger, as their proof-of-concept application for phones running Google's Android operating system is called, masquerades as a benign game that challenges the end user to identify identical icons from a collection of similar-looking images. In the background, the trojan monitors readings returned by the phone's built-in accelerometer, gyroscope, and orientation sensors to infer phone numbers and other digits entered into the device. This then surreptitiously uploads them to a computer under the control of the attackers.

Based in part on a similar smartphone keylogger called TouchLogger, demonstrated last year, TapLogger exploits a design weakness in Android that gives every installed app unrestricted access to motion sensor readings. Because Apple's iOS and Research in Motion's Blackberry OS have similar permission systems, there is nothing stopping similar apps from targeting iPhones and Blackberries, according to the researchers.

"The fundamental problem here is that sensing is unmanaged on existing smartphone platforms," Zhi Xu, a PhD candidate in the Pennsylvania State University's Department of Computer Science and Engineering, wrote in an email to Ars. "TapLogger shows that those unmanaged 'insensitive sensors' can really be used to infer very sensitive user information (e.g. passwords and PIN numbers). Inspired by TapLogger, we believe that more and more sensor-based attackers will be introduced in the near future."

TapLogger works by using a device's motion sensors to record subtle real-time changes of orientation as a user enters numbers to release a phone's screenlock, dial a phone number, or provide a social security number during a call to a health-insurance service center. By logging the precise changes along three dimensions—azimuth, pitch, and roll—the trojan makes educated guesses about the touchscreen regions that were tapped to generate the orientation changes. TapLogger then maps those regions to the user interface of the screenlock or dial pad of a specific Android phone.

To accurately infer taps, the trojan first must learn the patterns of a specific person using a specific Android phone, since the precise pitch and roll readings differ for each user and smartphone model. Masquerading as a game called HostApp, TapLogger surreptitiously collects training data as players match the icons. The more rounds a user plays, the better the trojan gets at guessing the keys that are tapped when users are entering numbers into the screenlock or dial pad interfaces.

"When a user taps on the touchscreen, the display and its supporting hardware and firmware will report the coordinates of tap events to the operating system of the smartphone," explains a paper titled "TapLogger: Inferring User Inputs On Smartphone Touchscreens Using On-board Motion Sensors." Xu and two other researchers presented it last week to the Fifth ACM Conference on Security and Privacy in Wireless and Mobile Networks. "The coordinates of a tap event together with knowledge of the application view currently displayed on the touchscreen determine the corresponding user input. For example, a tap event with coordinates within the boundary of a button displayed on the touchscreen stands for a tap action on this button."

Even after TapLogger has been trained to deduce the taps of a given user on a specific smartphone model, background vibrations and other variables prevent TapLogger from determining the exact sequence of numbers entered into a device. Despite this limitation, the trojan can still greatly reduce the number of guesses required to recover a user's PIN, social security number, or other numerical string entered into the phone.

For example, cracking a four-digit PIN by trying every possible combination would require at most 10,000 guesses. Using the information returned by TapLogger, an attacker can narrow the number of tries to just 81, with an average success rate of 100 percent. For a six-digit PIN, TapLogger data yields a search space of 729 likely combinations with an average success rate of 80 percent, whereas brute force would require up to 1 million guesses to crack the same PIN.
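The figures above (81 for four digits, 729 for six) are consistent with a side channel that narrows each PIN position to three candidate digits, since 3^4 = 81 and 3^6 = 729. The following Python is an added illustration, not code from the article or the TapLogger paper: it enumerates the PINs consistent with constructed per-position candidate sets, compares that space with plain brute force, and adds a defender-side consideration the article does not discuss, namely how an attempt limit (lockout) bounds the attacker's success even when the search space has been narrowed. The candidate sets, the attempt limit and the function names are all assumptions made for the example.

```python
from itertools import product

# Constructed candidate sets, not real sensor inferences: each position of
# the PIN has been narrowed to three possible digits (3**4 == 81, 3**6 == 729).
CANDIDATES_4_DIGIT = [{"1", "2", "4"}, {"5", "6", "8"}, {"0", "8", "9"}, {"2", "3", "5"}]
CANDIDATES_6_DIGIT = CANDIDATES_4_DIGIT + [{"1", "4", "7"}, {"3", "6", "9"}]


def brute_force_space(n_digits, alphabet_size=10):
    """Number of PINs a guesser with no side information must consider."""
    return alphabet_size ** n_digits


def narrowed_space(candidates):
    """Number of PINs consistent with the per-position candidate sets."""
    size = 1
    for cand in candidates:
        size *= len(cand)
    return size


def enumerate_pins(candidates):
    """Every PIN consistent with the candidate sets, in a deterministic order."""
    ordered = [sorted(c) for c in candidates]
    return ["".join(digits) for digits in product(*ordered)]


def reduction_factor(candidates):
    """How many times smaller the narrowed space is than brute force."""
    return brute_force_space(len(candidates)) / narrowed_space(candidates)


def success_probability(space, coverage, attempt_limit):
    """
    Upper bound on the chance that a guesser who may try at most
    `attempt_limit` PINs before a lockout recovers the real one.

    coverage: probability that the real PIN lies inside the narrowed space
    (the article quotes 100 percent for four digits and 80 percent for six).
    The attempt limit is an assumed defensive control, not part of the article.
    """
    if attempt_limit >= space:
        return coverage
    return coverage * attempt_limit / space


if __name__ == "__main__":
    scenarios = (("4-digit", CANDIDATES_4_DIGIT, 1.0), ("6-digit", CANDIDATES_6_DIGIT, 0.8))
    for label, cands, coverage in scenarios:
        space = narrowed_space(cands)
        print(label,
              "brute force:", brute_force_space(len(cands)),
              "narrowed:", space,
              "reduction:", round(reduction_factor(cands), 1),
              "success with 5-attempt lockout:", round(success_probability(space, coverage, 5), 4))
```

The point of the last function is the caveat: narrowing 10,000 possibilities to 81 only matters if the attacker can actually submit dozens of guesses. An input that locks after a handful of failed attempts caps the leaked-information advantage at a few percent per device, which is why rate limiting on PIN entry is worth keeping even where the sensor side channel cannot be closed.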

The research is the latest to show the vulnerability of smartphones to techniques that could allow adversaries to gain unauthorized access to sensitive data stored on the devices. In addition to last year's TouchLogger technique, attacks that analyze smudges to deduce password patterns have been adapted for devices running Android, and researchers say Windows 8 devices are susceptible to similar attacks.

The paper, which was co-authored by Kun Bai (of IBM's T.J. Watson Research Center) and Sencun Zhu (of the University of Pennsylvania), warns that the risks that arise from data leaked by integrated motion sensors won't be curbed without fundamental changes by the OS developers. Whereas Android, iOS, and the Blackberry OS all have mechanisms to prevent one app from accessing privileged functions, data, and files of other apps, there are no such prohibitions on the access to the speed and orientation readings returned by a phone's sensors.

"To prevent such types of attacks, we see an urgent need for sensing management systems on the existing commodity smartphone platforms," they wrote. "Sensors, such as accelerometer and orientation sensors, should all be considered as sensitive to user's privacy and need gaining security permissions to access."
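The researchers' recommendation is a sensing management layer that treats motion sensors as privacy-sensitive and gates access behind permissions. The Python below is an added sketch of what such a policy layer could look like; it is not code from the paper and not any real Android API. It models three rules a defender would want, two of which go beyond the quoted recommendation and are assumptions of this example: an app must hold an explicit grant for the sensor, background apps are refused, and all motion-sensor delivery is suspended while a secure input (lock screen, dialer, PIN pad) is on screen. Every decision is recorded in an audit log so repeated denials from one package can be surfaced. Package names and the `SensingManager` class are constructed for the example.

```python
from dataclasses import dataclass, field
from enum import Enum


class Sensor(Enum):
    ACCELEROMETER = "accelerometer"
    GYROSCOPE = "gyroscope"
    ORIENTATION = "orientation"


@dataclass
class App:
    package: str
    granted: frozenset      # sensors the user explicitly granted to this app
    foreground: bool = True


@dataclass
class SensingManager:
    """Hypothetical policy layer sitting between apps and the motion sensors.

    secure_input_active marks that a lock screen, dialer or PIN pad is being
    displayed; while it is set, no app receives motion readings at all.
    """
    secure_input_active: bool = False
    audit_log: list = field(default_factory=list)

    def request(self, app, sensor):
        """Decide whether `app` may read `sensor` right now; returns (allowed, reason)."""
        if sensor not in app.granted:
            return self._decide(app, sensor, False, "permission not granted")
        if not app.foreground:
            return self._decide(app, sensor, False, "background access denied")
        if self.secure_input_active:
            return self._decide(app, sensor, False, "secure input on screen")
        return self._decide(app, sensor, True, "allowed")

    def _decide(self, app, sensor, allowed, reason):
        # Every decision is logged so abuse patterns are visible after the fact.
        self.audit_log.append((app.package, sensor.value, allowed, reason))
        return allowed, reason

    def denied_packages(self):
        """Packages with at least one refused sensor request, for review."""
        return sorted({pkg for pkg, _, allowed, _ in self.audit_log if not allowed})


def simulate_pin_entry():
    """Walk through the article's scenario with constructed apps: a game that
    holds sensor grants asks for orientation data in several situations,
    including while the user is typing on the lock screen."""
    manager = SensingManager()
    game = App("com.example.hostapp", frozenset({Sensor.ORIENTATION, Sensor.ACCELEROMETER}))
    pedometer = App("com.example.steps", frozenset({Sensor.ACCELEROMETER}))

    results = {}
    # Foreground game with a grant and no secure input: allowed.
    results["game_foreground"] = manager.request(game, Sensor.ORIENTATION)[0]
    # Same game pushed to the background: refused.
    game.foreground = False
    results["game_background"] = manager.request(game, Sensor.ORIENTATION)[0]
    # Game back in the foreground, but the lock screen is up: refused.
    game.foreground = True
    manager.secure_input_active = True
    results["game_during_pin"] = manager.request(game, Sensor.ORIENTATION)[0]
    # Lock screen dismissed; the pedometer asks for a sensor it was never granted.
    manager.secure_input_active = False
    results["pedometer_accelerometer"] = manager.request(pedometer, Sensor.ACCELEROMETER)[0]
    results["pedometer_gyroscope"] = manager.request(pedometer, Sensor.GYROSCOPE)[0]
    return results, manager


if __name__ == "__main__":
    outcome, mgr = simulate_pin_entry()
    for name, allowed in outcome.items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
    print("packages with denials:", mgr.denied_packages())
```

The rule that matters most against TapLogger-style inference is the secure-input suspension: a grant given to a game for gameplay should not extend to the moments when the user is typing a PIN on a different screen, and enforcing that in the platform removes the need to trust each app's stated purpose.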
