On Thursday, a group of researchers from Lancaster University posted a paper to arXiv that demonstrates how they used a smartphone’s microphone and speaker system to steal the device’s unlock pattern.
Although the average person doesn’t have to worry about getting hacked this way any time soon, the researchers are the first to demonstrate that this kind of attack is even possible. According to the researchers, their “SonarSnoop” attack decreases the number of unlock patterns an attacker must try by 70 percent and can be performed without the victim ever knowing they’re being hacked.
In the infosec world, a “side-channel attack” is a type of hack that doesn’t exploit weaknesses in the program ultimately being targeted or require direct access to the target information. In the case of SonarSnoop, for example, the information the hacker is looking for is the phone’s unlock password. Instead of brute forcing the password by trying all the possible combinations or looking over the person’s shoulder, SonarSnoop exploits secondary information that will also reveal the password—in this case, the acoustic signature from entering the password on the device.
"SonarSnoop is applicable in any environment where microphones and speakers can interact."
Acoustic side-channel attacks have been widely demonstrated on PCs and a variety of other internet connected devices. For example, researchers have recovered the data from an air gapped computer by listening to it’s hard drive fan. They’ve also been able to determine the contents printed on a piece of paper by an internet-connected printer and reconstructed a printed 3D object based on the sounds of a 3D printer. In most cases, these are passive side-channel attacks, meaning an attacker is just listening for sounds naturally produced by the devices. This is the first time, however, that researchers have successfully demonstrated an active acoustic side-channel attack on a mobile device, which forces the device itself to emit certain sounds.
The attack begins when a user unwittingly installs a malicious application on their phone. When a user downloads the infected app, their phone begins broadcasting a sound signal that is just above the human range of hearing. This sound signal is reflected by every object around the phone, creating an echo. This echo is then recorded by the phone’s microphone.
By calculating the time between the emission of the sound and the return of its echo to the source, it is possible to determine the location of an object in a given space and whether that object is moving—this is known as sonar. The researchers were able to leverage this phenomenon to track the movement of someone’s finger across a smartphone screen by analyzing the echoes recorded through the device’s microphone.
There are nearly 400,000 possible unlock patterns on the 3x3 swipe grid on Android phones, but prior research has demonstrated that 20 percent of people use one of 12 common patterns. While testing SonarSnoop, the researchers only focused on these dozen unlock combinations.
To test their sonar attack, the researchers used a Samsung Galaxy S4, an Android phone first released in 2013. Although this attack should work on any phone model, the signal analysis would have to be tailored to a particular phone model because of the different placement of speakers and microphones. “We expect iPhones are similarly vulnerable, but we only tested our attack on Androids,” Peng Cheng, a doctoral student at Lancaster University told me in an email.
Ten volunteers were recruited for the study and were asked to draw each of the 12 patterns five different times on a custom app. The researchers then tried a variety of sonar analysis techniques to reconstruct the password based on the acoustic signatures emitted by the phone. The best analysis technique resulted in the algorithm only having to try 3.6 out of the 12 possible patterns on average before it correctly determined the pattern.
Although the SonarSnoop attack isn’t perfect, it reduces the number of patterns the researchers would have to try by up to 70 percent. In the future, the researchers wrote that it may be possible to improve on this by reduce the amount of time between sonar pulses as well as exploring different signal analysis strategies.
To prevent these types of attacks from proliferating in the wild, the researchers suggested that mobile devices could be designed to prevent them. The most obvious way of doing this is by limiting the acoustic range of a device’s speakers to only human-audible signals or allowing users to selectively turn off their sound system if they are engaging with sensitive information on their device. Or, continuing to improve protections against the downloading of malicious applications in the first place.
As biometric features such as fingerprint unlocks become increasingly common on mobile devices, the usefulness of this attack for unlocking phones will diminish significantly. Yet as the researchers noted, similar techniques could be used to glean other sensitive information entered using a phone’s touch screen, such as web passwords or even swipe patterns on dating apps like Tinder.
“Although our experiment tried to steal only Android unlock patterns, SonarSnoop is applicable in any environment where microphones and speakers can interact,” Jeff Yan, a security researcher at Lancaster University told me in an email. “Our next big question is more about helping with everyday people. We’d like them to have a peaceful mind with our attacks and we aim to achieve that by helping computer engineers properly address the security threats in next-generation devices.”