Android phone's accelerometer can eavesdrop on any audio via its speakerphone

News by Rene Millman

Android phones exposed to "Spearphone" eavesdropping as attackers use always-on accelerometer to listen in on any audio played through its speakerphone

It is possible to use an Android phone’s accelerometer to eavesdrop on any audio played through its speakerphone, according to scientists.
Researchers found that sound waves from inbuilt loudspeakers, at an appropriate loudness, can impact the accelerometer, leaking sensitive information about the speech. They dubbed the attack "Spearphone".
Spearphone stands for "Speech privacy exploit via accelerometer-sensed reverberations from smartphone loudspeakers" and was found by scientists working at the University of Alabama at Birmingham and Rutgers University in the US.
As accelerometers are always on and don’t require permissions to operate, malicious apps or websites could record accelerometer data and play back audio from it.
Researchers tested three Android phones: LG G3, Samsung Galaxy S6 and Samsung Note 4. These were chosen because the speaker and accelerometer are fitted close to each other.
"These speech reverberations are generated due to the smartphone’s body vibrating due to the principle of forced vibrations, behaving in a manner similar to a sounding board of a piano," said researchers in a published paper.
"It is possible to compromise the speech privacy of a live human voice, without the need of recording and replaying it at a later time instant."
Researchers said that the smartphone user’s gender and identity could be determined, or even the words spoken, by carrying out speech recognition or reconstruction.
They added that a hacker could gain access to the accelerometer’s data to figure out speech patterns through this vulnerability.
"The attacker can fool the victim into installing a malicious application or a malicious website could track the motion sensor readings in the background via JavaScript while the unsuspecting victim is browsing," said the team.
"Thus, the malicious attack through Javascript on a Gecko-based browser would work similar to a malicious application installed on the Android platform. These malicious applications can be designed to get triggered for specific threat instances described previously and can start logging the motion sensor output. The output can then be transmitted to the attacker where the attacker can extract confidential information."
Researchers said that avoiding this sort of attack would require Android to implement stricter access control policies that restrict the usage of these sensors.
"However, a stricter access control policy for the sensors directly affects the usability of the smartphones. Even implementing the explicit usage permission model by the applications often does not work since users do not pay proper attention to the asked permissions," researchers said.
Javvad Malik, security awareness advocate at KnowBe4, told SC Media UK that this is an interesting attack vector which, for now, seems like it may remain theoretical with the exception of some specific cases. 
"Ultimately, to carry out this attack, a malicious app needs to be downloaded onto the phone, and if that is possible, then an attacker may choose to install different malware which would capture more data other than just voice such as text messages," he said.
"This attack is also dependent upon the victim playing audio through the speakerphone, so it won't work in every case, even when successfully deployed onto a smartphone. However, this does bring up a valid point that access to one function on a phone may inadvertently leak data from other parts, something that needs to be thought of and designed into phones as the risks will only increase over time."
Paul Ducklin, senior technologist at Sophos, told SC Media UK that the best defence against this and any phone attack based on a rogue app is to avoid untrusted apps in the first place. 
"If crooks can trick you into installing an app you didn't want, and persuade you to give it the permissions that most apps ask for anyway, then they can already do much worse than listen to the vague vibrations of your accelerometer. Any app that collects data sloppily or needlessly, even if it wasn't designed to be malicious, could hurt your privacy, so the simplest advice is that when it comes to apps, less is more, and fewer is better. Stick to a core set of apps that you need, and that come with a good reputation," he said.
