TapLogger is just a proof-of-concept trojan for Android, but the issues it exposes for the smartphone world and smartphone-tailored security practices couldn’t be more practical: the trojan uses data coming from the motion sensors of a phone to infer security code numbers tapped by the user on the on-screen virtual keyboard.
Created as part of a research study by students and scientists of Pennsylvania State University in collaboration with IBM, TapLogger disguises itself as an icon-matching game where the users have to play 30 different rounds engaging in more than 400 “tap events”.
These first tap events, the study explains, are the trojan’s “training mode”, which lets it record enough sensor data to infer what virtual keys the user will be pressing afterward. The “trick” works because of the very slight changes to the smartphone’s acceleration and position while the user is typing on a virtual keyboard: “By observing the gesture changes during a tap event,” the researchers say, “the attacker may roughly infer the tapped position on the touchscreen”.
This “rough” inference, it turns out, is enough to try and build up a couple of practical attacks: not only did the Penn researchers develop the trojan code, they also used TapLogger to guess the PIN number (used to protect the tested handheld) and a credit card PIN, as demonstrated at the ACM WiSec conference held in Tucson, Arizona.
The not-so-secure Android mobile OS now has another issue to deal with, but it isn’t alone: the researchers explain that although they developed the TapLogger code for the Google OS, the same “leaking sensors” problem can apply to Apple iOS (iPhone/iPod/iPad) as well. It’s the entire security model of unrestricted access to sensor data given to unprivileged apps that should be reformed for good.