In the age of surveillance paranoia, most smartphone users know better than to give a random app or website permission to use their device’s microphone. But researchers have found there’s another, little-considered sensor in modern phones that can also listen in on their conversations. And it doesn’t even need to ask.
In a presentation at the Usenix security conference next week, researchers from Stanford University and Israel’s defense research group Rafael plan to present a technique for using a smartphone to surreptitiously eavesdrop on conversations in a room—not with a gadget’s microphone, but with its gyroscopes, the sensors designed measure the phone’s orientation. Those sensors enable everything from motion-based games like DoodleJump to cameras’ image stabilization to the phones’ displays toggling between vertical and horizontal orientations. But with a piece of software the researchers built called Gyrophone, they found that the gyroscopes were also sensitive enough to allow them to pick up some sound waves, turning them into crude microphones. And unlike the actual mics built into phones, there’s no way for users of the Android phones they tested to deny an app or website access to those sensors’ data.
“Whenever you grant anyone access to sensors on a device, you’re going to have unintended consequences,” says Dan Boneh, a computer security professor at Stanford. “In this case the unintended consequence is that they can pick up not just phone vibrations, but air vibrations.”
For now, the researchers’ gyroscope snooping trick is more clever than it is practical. It works just well enough to pick up a fraction of the words spoken near a phone. When the researchers tested their gyroscope snooping trick’s ability to pick up the numbers one through ten and the syllable “oh”—a simulation of what might be necessary to steal a credit card number, for instance—it could identify as many as 65 percent of digits spoken in the same room as the device by a single speaker. It could also identify the speaker’s gender with as much as 84 percent certainty. Or it could distinguish between five different speakers in a room with up to 65 percent certainty.
But Boneh argues that more work on speech recognition algorithms could refine the technique into a far more real eavesdropping threat. And he says that a demonstration of even a small amount of audio pickup through the phones’ gyroscopes should serve as a warning to Google to change how easily rogue Android apps could exploit the sensors’ audio sensitivity.
“It’s actually quite dangerous to give direct access to the hardware like this without mitigating it in some way,” says Boneh. “The point is that there’s acoustic information being leaked to the gyroscope. If we spent a year to build optimal speech recognition, we could get a lot better at this. But the point is made.”
Modern smartphones use a kind of gyroscope that consists of a tiny vibrating plate on a chip. When the phone’s orientation changes, that vibrating plate gets pushed around by the Coriolis forces that affect objects in motion when they rotate. (The same effect is why the Earth’s rotation causes the ocean’s water to swirl or air currents to form into spinning hurricanes.)
But the researchers found that the same tiny pressure plates could also pick up the frequency of minute air vibrations. Google’s Android operating system allows movements from the sensors to be read at 200 hertz, or 200 times per second. Since most human voices range from 80 to 250 hertz, the sensor can pick up a significant portion of those voices. Though the result is unintelligible to the human ear, Stanford researcher Yan Michalevsky and Rafael’s Gabi Nakibly built a custom speech recognition program designed to interpret it.
The results, says Boneh, aren’t anywhere close to the kind of eavesdropping possible from the phone’s microphone–he describes the software in its current state as picking up “a word here and there.” But he says the research is only intended to show the possibility of the spying technique, not to perfect it. “We’re security experts, not speech recognition experts,” Boneh says.
Boneh says that Google has likely been aware of the study: The company’s staffers were included on the Usenix program committee. A Google spokesperson wrote in a statement that “third party research is one of the ways Android is made stronger and more secure. This early, academic work should allow us to provide defenses before there is any likelihood of real exploitation.”
The research isn’t actually the first to find that phones’ gyroscopes and accelerometers pose a privacy risk. In 2011, a group of Georgia Tech researchers found that a smartphone could identify keystrokes on nearby computers based on the movement of the phone’s accelerometers. And in another paper earlier this month, some of the same Stanford and Rafael researchers found that they could read a smartphone’s accelerometers from a website to identify the device’s “fingerprint” out of thousands.
In this case, the researchers say mobile operating system makers like Google could prevent the gyroscope problem by simply limiting the frequency of access to the sensor, as Apple already does. Or if an app really needed to access the gyroscope at high frequencies, it could be forced to ask permission. “There’s no reason a video game needs to access it 200 times a second,” says Boneh.
In other words: Don’t worry. With a small Android tweak from Google, it’s possible to keep DoodleJump and your privacy too.