
Smartphones' accelerometer can track strokes on nearby keyboards - duck
http://digitallounge.gatech.edu/digitallife/index.html?nid=71506
======
tectonic
I read somewhere that this can also be done with some accuracy by listening to
the sounds of keypresses.

Other examples of (mostly) passive information gathering:

- screens can be read via electromagnetic emissions (at least CRTs could, I
don't know about LCD displays these days)

- listening in to a room by bouncing a laser off of a window

- wifi snooping, cell snooping (both obvious)

- car tracking via the rfids embedded in some tires

- person and passport tracking via the rfids in the newest generation of
passports (and credit cards)

- printer signature tracking of documents -
<http://news.bbc.co.uk/2/hi/technology/3753886.stm> (old, don't know how much
it's advanced)

- the wide world of temporal correlation attacks (both on social networks and
in the physical world with <http://en.wikipedia.org/wiki/Multilateration>)

I got a bit sidetracked there. But yea, this is yet another one for the list.
Of course, if you've hacked into the phone, you could also try breaking into
any wifi networks or, you know, recording conversations.

~~~
shabble
Also the rather neat _Information Leakage from Optical Emanations_ [1], which
demonstrated the ability to read data from networking equipment based on the
state of the Rx/Tx LEDs on the front panel. In a lot of cases, the LEDs were
being updated for individual bits sent and received.

I can't remember where I came across it, but there was a vendor with an
advisory of something like "Mitigation Strategy: Cover Indicator LEDs with
light-insulating tape".

Edit: Just remembered about the demo of an attack against signals radiated by
(non-wireless) keyboard leads, and their detection and decoding:
<http://lasecwww.epfl.ch/keyboard/>

[1] <http://applied-math.org/acm_optical_tempest.pdf> (PDF, obviously)

------
bdhe
Fascinating preliminary research work. Side-channels in cryptography are
infamous but it is clear that the concept of side-channels is a more generic
concept about information leaking in ways that aren't typically considered
and/or modeled.

The fact that an accelerometer could detect vibrations from typing reminded me
of this work on Acoustic Cryptanalysis [1]. It is a fascinating read. The
authors found out that the PC Chips M754LMR motherboard had a bank of 1500µF
capacitors near the CPU and power connector and of all the possible places,
this was leaking information about the CPU's HLT idling state and otherwise.
And it turns out that (at a proof-of-concept level) it was sufficient to break
crypto implementations.

[1] <http://cs.tau.ac.il/~tromer/acoustic/>

------
jrockway
This seems like pretty much the same thing as the passwords-over-ssh thing
from a few years ago. The timing between keypresses is almost as good as the
keypresses themselves. And you can get those via an accelerometer on a nearby
smartphone, or you can watch the packet stream as they tap away on their ssh
connection.

Back channels are fun.

~~~
yew
Passwords usually aren't sent letter-by-letter as far as I'm aware. Although
that's mostly because doing so would make the server side much more
complicated than it needs to be.

These sorts of attacks are very interesting though. Information introduces all
sorts of regularities into the environment and as long as they aren't big
enough to disrupt functionality most people never even think about them... For
that matter, people seem to have a general problem with thinking about
"outside-the-box applications" (probably not the best way to phrase that).

~~~
jrockway
The attack is for when you get a password prompt on the other end, like for
su, sudo, or logging into another machine. The password for the original
connection is sent as one packet, but the other passwords are normal
keystrokes.

~~~
gaius
Well, in TCP anyway. LAT was a line-oriented protocol. This is why back in the
day VMS boxes could support so many more users than Unix boxes - the host
didn't have to process every keypress and the network didn't have to send a
packet for it, if you were dealing in complete lines. The flipside obv is that
VMS needed (very) slightly smarter dumb terminals.

------
cjdavis
Ignoring the security implications, this could be a great way to use an old
spare keyboard for text entry on your phone. And with some training, it would
probably be far more than 80% accurate.

~~~
looklookatme
Not to rain on your parade here, but eighty percent accuracy would require
every sixth keypress to be backspace. Likely promoting it to the most pressed
key.

Obviously, auto-correct mitigates this somewhat but for the amount of
frustration and lost time, I'm betting it's probably worthwhile just
purchasing a new keyboard.

~~~
gojomo
But what if the keyboard – unpowered and wireless – were designed for this
purpose, emitting unique sounds per key, perhaps even outside normal human
hearing range?

