As smartphone manufacturers are improving the ear speakers in their devices, it can become easier for malicious actors to leverage a particular side-channel for eavesdropping on a targeted user’s conversations, according to a team of researchers from several universities in the United States.

Reminder that neither the gyroscope, accelerometer, nor magnetometer requires permissions to access on Android, iOS, or any other mainstream operating system. There’s even an API for the browser that, again, needs zero permissions.

Actually, this is old news. There was a Stanford study that successfully used the gyroscope to record not just what the speaker is saying, but sounds in the entire room! As far as I know it wasn’t high enough quality to be audible sound, but a voice recognition algorithm fed the processed output was capable of recovering the words said around the phone with scary accuracy.

Actually actually, the biggest hurdle in the study was the fact that the operating system limited the frequency at which the gyroscope could be sampled to 200 Hz (it’s honestly terrifying how voice recognition could still work on 200 Hz samples). The sensor itself can do several kilohertz, which would in theory be enough to make audible sound recordings if a rootkit (or the OS itself) could bypass the limit and access the raw sensor output. Or, another pathway that I’ve seen discussed is how the gyroscope, accelerometer, and other sensors could all be used like this, and are essentially three sensors in one (for the three axes in space), and if they’re all sampled at 200 Hz but there is any sort of phase/timing difference between them, that can be used to increase the recorded frequency for even more sound information. In the worst-case scenario with maximal simple time offsets, three axes in the gyro, three in the accelerometer, three in the magnetometer, gets you 1800 Hz in total, which is a good chunk of the human audible range.

Basically, if you want to have a secure conversation don’t bring a phone.

