> We demonstrate how an inactive or even a minimised web page, using JavaScript, is able to listen to and silently report the device motion and orientation data about a user who is working on a separate tab or a separate app on the device.
This is brilliant and well-explained.
On page 6 of the PDF, the authors include a breakdown of the leakages they found in each browser family. The two that were most significant to me is Chrome's "Active/Other" leak on iPhones and Safari's "Locked" leak. I believe this means that malicious Javascript (1) on Google Chrome on an iPhone on an inactive tab, and (2) on mobile Safari while the screen is locked, can access tilt and motion data at a level of detail sufficient to deduce what the user is typing.
Accelerometer data could be used too to figure out how long it took to move from one entry on a virtual keyboard to another reducing the search space considerably.
Bingo. It's not really Chrome at all. A better author would have pointed out that the iOS platform is flawed, its singular browser in any of its different wrappers is vulnerable in exactly the same way.
Sure, but you can't do that if you're a web page. This is about a malicious app or website listening to the accelerometer and gyro to determine what the user is typing on the keyboard into a separate app.
This is why I chose one that doubles back on itself in a non-obvious way. I've tested it by trying to teach people the password, it usually takes them quite a while to learn it, even when I do it really, really slowly and give them lots of tries
Last time I used this on Android, there were 9 points but I couldn't use any one more than once. You can double back in a very limited way, but the more complex patterns I wanted to use were impossible.
I'm sure there's more written on this, but most patterns I've seen are just way too short. And hug the outer edge, are in-order, etc.
You're still limited by your video receiver and limited knowledge of what's going on the background. Using commodity hardware and visible spectrum light this technology shouldn't yet be used for more than very simple tasks.
Even humans are very prone to "glass of juice" vs "gas the jews" type errors.
There was a 2014 SIGGRAPH submission called "The Visual Microphone" [1]; it is also discussed in the 'research highlights'section of the Communications of the ACM [2].
As a university project, I did something very similar, only using a malicious app. The app would monitor the device state, and record gyro data as soon as the screen was on, but the device was locked. We didn't have the time to properly implement a decent classifier, but the data collection was surprisingly effective.
That surely is an interesting finding, especially if it can be confirmed.
Null hypothesis: females in general are more trusting and [consider themselves more] trustworthy. As humans we tend to project our own morality on to others, thus expecting people to be less likely to try and attack their stuff and so being less desirous of strong protection?
We're using alternate definitions: I'm using "my null hypothesis", as in my zero-numbered hypothesis that I would then attempt to test for. You're using, presumably "the Null Hypothesis" as a specific hypothesis suggesting that two populations have no causal relationship [IIRC]. My null-ordered labelling just confused my hypothesis with a particular default used in some statisitical arenas AFAICT.
idanoeman's use of "null hypothesis" is far more standard than yours. And if you use such a phrase in a highly non-standard way, you can't be surprised that people think it means something other than what you meant...
There is a one-to-one correspondence between them: a length 9 combination is just a length 8 combination followed by the sole remaining node. The lock screen has 9 nodes.
I reduce predictability - and people peeking - by passing over already selected nodes and deactivating the visual tracing of the graph. I can draw my code before someone several times without they being able to unlock my phone :)
In my university days, long before the days of tablets and smartphones, the computer labs were the usual place where people will congregate to do their assignments or basically kill time on the internet in between classes.
One day, my mates and I noticed how annoyingly loud some people type on their keyboards and out of sheer boredom, we decided we could come up with an algorithm to determine what a person was typing simply from recording the sound of the keystrokes from our vantage point. Taking that sound clip, we graphed it out and we proceeded to hash out each "stroke" based on how loud it was in relation to the distance of where we were from the keyboard + the angle of the keyboard.
I've seen a movie where a bad guy entered password and a good girl counted the number of characters: one-two-three-four-five. Then she noticed that his suit had "GREED" badge on it. Combining these two facts she succesfully hacked into his laptop and prevented some shit. Since then I started to always mix few backspaces into my passwords. Not that I'm really bad, but life is life.
The backspace key on most keyboards has a very distinct sound. Not to mention it's positioning means timing will be noticeably different as well. Might be better off mixing in a few meaningless modifier keys (press Ctrl, Alt or Caps Lock).
Unless the gibberish is the same every time, the repeated sound of your password will still be parsable from a long enough sound recording of your computer usage.
I think it is more accurate to say that the gibberish is unlikely to _always_ be the same.
I think one can tend to create similar gibberish over time. I've worked on a system where I needed to do a new signup every time I wanted to test a feature and I've run into issues where the gibberish I entered matched an account that I had previously created.
Yep! Always a bit of fun when someone goes to use my laptop for an end-of-sprint presentation and types a bunch of gibberish infront of all the stakeholders :D
No. The idea that you could discern the difference between keys based on their relative volume due to their distance and angle from the recording device is complete nonsense. OP is living a fantasy and taking HN along for the rise.
No. The idea that you could discern the difference between keys based on their relative volume due to their distance and angle from the recording device is complete nonsense. OP is living a fantasy and taking HN along for the ride.
There is a paper from one of the guys who made RSA about that.
They can reconstitute private keys, by listening repeatedly to the sound the power supply of a laptop makes when encrypting/decrypting emails, from 5m away.
the good old days in the military where our main communications computers and such were in shielded areas to prevent leakage outside which could be picked up.
I think it was in the book Spycatcher [0] that I recall there was a story of how English intelligence bugged a foreign embassy with a microphone and was able to figure out what they were typing on a typewriter by analyzing the sound of the keystrokes. That was way back in the 1950's I think, so the idea has been around for a while. The book has a lot of interesting details about spy technology at the time. In addition to all the juicy intelligence stories it's also a fun read from a security engineering point of view. The British government tried to ban it which naturally triggered the Streisand effect and made it a best seller.
Your office orders pizza every Tuesday at the same time, via a coworker's cell phone. You are working on a technology that has the potential to disrupt several leading industries that are in bed with the government. After much lobbying, it is decided one day that your call to Domino's is to be rerouted via your broadband processor to an operative that mirrors your order to the real Domino's, and hand delivers the pizza at the front desk.
On their way out, they place a small, embedded, self-destructable camera device that focuses on your fancy new plexiglass installment. Over the next few weeks, the device documents all keystrokes and conversations from the front desk, and finds a way to socially engineer a copy of your codebase. Next year, seemingly out of nowhere, another venture suddenly launches ahead of your launch schedule, with your exact business model. All because you wanted some plexiglass and didn't think it was worth the money to actively scan the entire perimeter for bugs daily.
If this sounds crazy and far-fetched to anyone, then it would behoove them to look into past CIA infiltration techniques and also to realize that this is exactly the kind of stuff the CIA exists to do.
That reminds me—in elementary school, I used to figure out what someone was writing by listening to the sound of their pencil, sometimes by putting my head to the desk. It probably worked mainly because they were writing pretty slowly in large print, but I imagine you could come up with a software implementation as a useless gimmick if you had enough training data.
I’ve considered implementing this as a keyboard layout in Android, so you could put your phone on the desk and type by scratching a stylus or fingernail on the surface next to it.
I saw an ATM before that scrambled the number pad on it's touchscreen so the numbers were in a different position every time. Would that work to mitigate this attack?
I can't remember when I last used an ATM (maybe 5 years ago?) and haven't seen the one near work used much so checked usage stats. It's more common here than I thought (as are cheques) but it's not used much. http://www.paymentsnz.co.nz/articles/nz-payments-stats-a-yea...
There's an option to do this in many third party Android ROMs, which I personally take advantage of. I don't think it's really "terrible ux"; it hasn't been that hard to adjust to.
In fact, if the numbers on the lockscreen are not scrambled, a low-tech version of this is to look at where the most prominent smudges are on the screen to find the PIN number :)
Fingerprints are "something you have", but for multi-factor authentication you might also want to rely on "something you know". This news just indicates a problem of entering "something you know" into a device: it's definitely not a point in favour of fingerprint (they aren't simply alternatives)
Nice hack. I've been using my phone for less and less over the years, out of security concerns, since it's my 2fa device and I sometimes check email with it. After the Broadcom wifi thing I even stopped carrying it around. I guess it's past time to buy a dedicated 2fa device.
YubiKeys are supposed to be great. I don't have one myself — been mulling it over, but not sure if I need one since I have an authenticatior app on my phone. If anyone thinks I should though I'm all ears!
But isn't the point of 2FA that it's OK to have each of the factors individually be (relatively) insecure—passwords being about as insecure as imagineable for most users—as long as no-one is likely to have access to both of them? Thus, it's OK if someone can read your texts, as long as they don't also know your passwords.
Hackers have stolen large amounts of cryptocurrencies from individual targets because they used SMS 2FA. (If probably more money than I've ever had counts as large.) You might not be as juicy a target, but if you're reading HN I guess you're at least mildly interesting these days, this being the cyberpunk future.
At least there is 5%(Nexus and Pixel) that get patched. The baseband is wide open on 100% of cellphones with a SIM card in them, and it's never getting patched.
I wonder if you could hold the phone flat in one hand and press the buttons with the other hand to defeat this. Or wobbling while entering it one-handed.
How about not letting javascript run when the phone is locked? Heck, on my phone I'd be fine with not letting it run when the browser tab isn't active.
Suspend tab by Piri (piro_or) is the one on my laptop at least.
In the description it also mentions other extensions, especially suspend-background-tabs looks like something I might be using on one of my/someone elses machine.
also, I'm realizing that I've told people "you don't need to quit apps in iOS, it takes care of memory itself" but quitting browsers sounds like it is a good idea now.
That app makes it a little harder for a stranger to read what's on your screen, it doesn't have anything to do with browser access to the accelerometer and other sensors.
Heh, I tend to tilt my device a particular way to avoid prying eyes when typing in a password so I assumed a direct connection but others probably don't behave the same way
This attack and an annoyance that I see on Android from time to time could be easily mitigated if in Chrome if they would simply ship permissioning for access to hardware devices.
There is this annoying popup add that infects the ad networks of a few websites that first smashes the history of the tab and then vibrates your phone and has a page with a bunch of red warning text telling you that you have a virus, your phone is "damaged" and trying to get you to download some crappy virus scamware.
No way in hell a random website should be able to make your phone vibrate without your permission much less tell how its moving with the accelerometer.
I've google around a lot there is NO WAY to disable this :/
Chrome will soon require an SSL cert in order for web services to use the device orientation API, which is a step in the right direction, but ultimately doesn't help in prevention.
For example, the bar for Men's shopping password length is 3x-4x longer than for Women's, but in reality the value (in tiny font) is only ~8% greater (the others are ~4% and ~10%).
> They said they'd told all the major tech companies, like Google and Apple, about the risks but no-one has been able to come up with an answer so far.
131 comments
[ 2.6 ms ] story [ 191 ms ] threadThis is brilliant and well-explained.
On page 6 of the PDF, the authors include a breakdown of the leakages they found in each browser family. The two that were most significant to me is Chrome's "Active/Other" leak on iPhones and Safari's "Locked" leak. I believe this means that malicious Javascript (1) on Google Chrome on an iPhone on an inactive tab, and (2) on mobile Safari while the screen is locked, can access tilt and motion data at a level of detail sufficient to deduce what the user is typing.
> They say they cracked four-digit pins with 70% accuracy on the first guess and 100% by the fifth guess.
I'd expect within a few months they could have 70% accuracy on the first guess for typing text/passwords.
I'm sure there's more written on this, but most patterns I've seen are just way too short. And hug the outer edge, are in-order, etc.
Even humans are very prone to "glass of juice" vs "gas the jews" type errors.
[1]: https://people.csail.mit.edu/mrub/VisualMic/
[2]: https://cacm.acm.org/magazines/2017/1/211095-eulerian-video-...
The patterns are predictable, and can be further narrowed down if you now the hand they normally use.
Null hypothesis: females in general are more trusting and [consider themselves more] trustworthy. As humans we tend to project our own morality on to others, thus expecting people to be less likely to try and attack their stuff and so being less desirous of strong protection?
In my university days, long before the days of tablets and smartphones, the computer labs were the usual place where people will congregate to do their assignments or basically kill time on the internet in between classes.
One day, my mates and I noticed how annoyingly loud some people type on their keyboards and out of sheer boredom, we decided we could come up with an algorithm to determine what a person was typing simply from recording the sound of the keystrokes from our vantage point. Taking that sound clip, we graphed it out and we proceeded to hash out each "stroke" based on how loud it was in relation to the distance of where we were from the keyboard + the angle of the keyboard.
Fun times ensued. ;)
[0] http://www.berkeley.edu/news/media/releases/2005/09/14_key.s...
I think one can tend to create similar gibberish over time. I've worked on a system where I needed to do a new signup every time I wanted to test a feature and I've run into issues where the gibberish I entered matched an account that I had previously created.
They can reconstitute private keys, by listening repeatedly to the sound the power supply of a laptop makes when encrypting/decrypting emails, from 5m away.
https://en.wikipedia.org/wiki/Side-channel_attack
[0] https://en.wikipedia.org/wiki/Spycatcher
Some of us are even familiar with acoustic cryptoanalysis[0].
However, combine these methods with this[1] tech, inspired on the work done here[2], and we have ourselves an impending crisis on our hands.
[0] Acoustic Cryptoanalysis - https://courses.csail.mit.edu/6.857/2014/files/23-shroff-hu-...
[1] Extracting Audio From Visual Information - https://news.mit.edu/2014/algorithm-recovers-speech-from-vib...
[2] Eularian Video Magnification - https://people.csail.mit.edu/mrub/papers/vidmag.pdf
Let's run through a scenario.
Your office orders pizza every Tuesday at the same time, via a coworker's cell phone. You are working on a technology that has the potential to disrupt several leading industries that are in bed with the government. After much lobbying, it is decided one day that your call to Domino's is to be rerouted via your broadband processor to an operative that mirrors your order to the real Domino's, and hand delivers the pizza at the front desk.
On their way out, they place a small, embedded, self-destructable camera device that focuses on your fancy new plexiglass installment. Over the next few weeks, the device documents all keystrokes and conversations from the front desk, and finds a way to socially engineer a copy of your codebase. Next year, seemingly out of nowhere, another venture suddenly launches ahead of your launch schedule, with your exact business model. All because you wanted some plexiglass and didn't think it was worth the money to actively scan the entire perimeter for bugs daily.
If this sounds crazy and far-fetched to anyone, then it would behoove them to look into past CIA infiltration techniques and also to realize that this is exactly the kind of stuff the CIA exists to do.
I’ve considered implementing this as a keyboard layout in Android, so you could put your phone on the desk and type by scratching a stylus or fingernail on the surface next to it.
Google 1st: https://security.stackexchange.com/questions/150153/is-a-dum...
But isn't the point of 2FA that it's OK to have each of the factors individually be (relatively) insecure—passwords being about as insecure as imagineable for most users—as long as no-one is likely to have access to both of them? Thus, it's OK if someone can read your texts, as long as they don't also know your passwords.
Here is a helpful discussion including using the Yubikey Neo NFC with Android phones and alternatives to Yubikey: https://news.ycombinator.com/item?id=13635433
finally!
http://www.theverge.com/2016/5/2/11540962/iphone-samsung-fin...
What use case am I not thinking of here?
Saves a lot of CPU if I have google search result in background tabs.
In the description it also mentions other extensions, especially suspend-background-tabs looks like something I might be using on one of my/someone elses machine.
Any option for iOS? Can someone recommend a good 4way privacy screen protector?
[1] http://www.theverge.com/2017/3/23/15038364/blackberry-privac...
There is this annoying popup add that infects the ad networks of a few websites that first smashes the history of the tab and then vibrates your phone and has a page with a bunch of red warning text telling you that you have a virus, your phone is "damaged" and trying to get you to download some crappy virus scamware.
No way in hell a random website should be able to make your phone vibrate without your permission much less tell how its moving with the accelerometer.
I've google around a lot there is NO WAY to disable this :/
For example, the bar for Men's shopping password length is 3x-4x longer than for Women's, but in reality the value (in tiny font) is only ~8% greater (the others are ~4% and ~10%).
What about putting and end to tracking gestures?