In an academic study, researchers at Cambridge University and Linkoping University in Sweden were able to learn people’s passwords by getting a phone microphone to listen to the sound waves when they typed, according to a report by The Washington Post.
“We showed that the attack can successfully recover PIN codes, individual letters and whole words,” the researchers wrote.
Hackers would be able to hide the attack in an app that could access a person’s microphone.
“Many apps ask for this permission and most of us blindly accept the list of demanded permissions anyway,” the researchers wrote.
Attackers could also provide a victim with an infected phone.
The researchers created an artificial intelligence (AI) algorithm that was able to analyze vibrations for specific typing. Out of 45 people tested, the researchers cracked the passwords seven times out of 27, inside of 10 tries. The results were better on tablets, which were right 19 times out of 27, inside of 10 attempts.
“We found the device’s microphone(s) can recover this wave and ‘hear’ the finger’s touch, and the wave’s distortions are characteristic of the tap’s location on the screen,” the researchers wrote. “Hence, by recording audio through the built-in microphone(s), a malicious app can infer text as the user enters it on their device.”
The tests were run on Android phones; the LG Nexus 5 and the Nexus 9 tablet. To run the experiment in a real world environment, the people being tested were placed in different locations. One was at a common room with a coffee machine, one was in a reading room with computers and one was in a library.
The researchers suggested that the best way to combat these types of attacks would be for phone makers to put in a switch that could turn off the microphone at will. Another way would be to make it more obvious to the user when the microphone is on, by using a light or an icon on the phone screen.