Two researchers from the University of California Davis, Hao Chen and Liang Cai, have successfully divined the keystrokes on an Android on-screen keyboard by measuring the wiggles, jiggles, and vibrations picked up by the device’s accelerometer. This is significant because accelerometer data is not thought of as a potential attack vector, and is thus freely available to any application on any smartphone or tablet, with no permission required.

Logging the keystrokes on a Windows or Mac desktop or laptop is incredibly easy: just install a piece of software (or get infected by a Trojan), configure where it should save or send the stolen keystrokes to, and that’s it. When it comes to smartphones, however, complex permission systems make this approach all but impossible — unless you use what’s known as a “side channel.” Strictly speaking, a side channel is an insecure source of information that helps a cracker break a cryptographic system. Broadly speaking, a side channel could be a blinking light on a router that mimics the binary data passing through it or the clackity-clack sounds of a physical keyboard. In other words, side channels are the characteristics of a system that have had their potential risks overlooked.

In this case, the two researchers use the Android device’s orientation data — a set of three angles that give the phone’s orientation in XYZ space — to work out where a user was pushing on the screen. Basically, every key has a unique pitch, roll and yaw fingerprint that can be identified (see below). The accuracy varies from phone to phone — the HTC Evo 4G updates its orientation data every 30ms as opposed to 110ms for the Motorola Droid — but overall, the researchers managed to reach 71.5% accuracy for a 10-button keyboard (number pad). The missing 28.5% is made up of keys that are close together: the software (called TouchLogger, incidentally) can generally derive the right column or row for every key, but sometimes it just doesn’t have enough data to resolve the exact key.

A full QWERTY keyboard is obviously a lot harder to infer keystrokes from than a 10-button number pad — but this is just an early proof of concept, and an accuracy of 70% is more than enough to destroy the confidentiality of any data that you might type into your phone anyway. Furthermore, the research paper goes on to note that larger devices, such as tablets, should be easier to keylog — and that both gyroscopes and cameras could be used to increase the resolution and accuracy of TouchLogger.
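To make the two points above concrete (nearby keys share similar orientation fingerprints, and the channel only works when the sensor is precise enough), here is an added simulation that is not part of the article or the TouchLogger paper. It uses a constructed toy model in which a tap lower on the screen tips the phone by more pitch and a tap nearer an edge by more roll, trains a per-key centroid from noisy samples, classifies new taps by nearest centroid, and then repeats the experiment with the orientation values coarsened to a fixed step, the kind of precision reduction a platform could apply while a keyboard is showing. The layout, degree values and noise level are assumptions for illustration, not measurements.

```python
"""Constructed simulation: why adjacent keys collide in an orientation side channel
and how coarsening the sensor output blunts it. All numbers are illustrative
assumptions, not measurements from the TouchLogger paper."""
import math
import random

# Number pad: digit -> (row, column). Rows increase towards the bottom of the
# screen, columns run left (-1) to right (+1). Constructed layout.
KEY_LAYOUT = {
    "1": (0, -1), "2": (0, 0), "3": (0, 1),
    "4": (1, -1), "5": (1, 0), "6": (1, 1),
    "7": (2, -1), "8": (2, 0), "9": (2, 1),
    "0": (3, 0),
}

# Toy physical model (assumption): a tap further down the screen tips the phone
# by more pitch, a tap nearer a side edge by more roll. Values in degrees.
PITCH_PER_ROW = 0.6
ROLL_PER_COLUMN = 0.8
NOISE_SIGMA = 0.15   # hand jitter plus sensor noise, degrees


def tap_reading(key, rng):
    """Return one noisy (pitch, roll) sample for a tap on `key`."""
    row, col = KEY_LAYOUT[key]
    return (row * PITCH_PER_ROW + rng.gauss(0, NOISE_SIGMA),
            col * ROLL_PER_COLUMN + rng.gauss(0, NOISE_SIGMA))


def quantize(reading, step):
    """Mitigation model: report orientation only in multiples of `step` degrees.
    step <= 0 means the raw reading is passed through unchanged."""
    if step <= 0:
        return reading
    return tuple(round(v / step) * step for v in reading)


def train_centroids(rng, samples_per_key, step):
    """Per-key fingerprint: the mean (pitch, roll) of the training taps."""
    centroids = {}
    for key in KEY_LAYOUT:
        pts = [quantize(tap_reading(key, rng), step) for _ in range(samples_per_key)]
        centroids[key] = (sum(p for p, _ in pts) / len(pts),
                          sum(r for _, r in pts) / len(pts))
    return centroids


def nearest_key(reading, centroids):
    """Nearest-centroid classification of one (pitch, roll) reading."""
    return min(centroids, key=lambda k: math.dist(reading, centroids[k]))


def are_adjacent(a, b):
    """True if keys a and b are neighbours on the pad (including diagonals)."""
    (r1, c1), (r2, c2) = KEY_LAYOUT[a], KEY_LAYOUT[b]
    return abs(r1 - r2) <= 1 and abs(c1 - c2) <= 1


def evaluate(step=0.0, seed=1, train_n=200, test_n=200):
    """Return (accuracy, total_errors, errors_to_an_adjacent_key) for a sensor
    that reports orientation rounded to `step` degrees."""
    rng = random.Random(seed)
    centroids = train_centroids(rng, train_n, step)
    correct = errors = adjacent = 0
    for key in KEY_LAYOUT:
        for _ in range(test_n):
            guess = nearest_key(quantize(tap_reading(key, rng), step), centroids)
            if guess == key:
                correct += 1
            else:
                errors += 1
                if are_adjacent(key, guess):
                    adjacent += 1
    total = len(KEY_LAYOUT) * test_n
    return correct / total, errors, adjacent


if __name__ == "__main__":
    for step in (0.0, 0.5, 2.0):
        acc, errs, adj = evaluate(step)
        print(f"step={step:.1f} deg  accuracy={acc:.1%}  errors={errs}  to-neighbour={adj}")
```

With the raw readings, nearly every misclassification lands on a neighbouring key, which is the row-or-column confusion the article describes; once the reported angles are rounded to a 2-degree step the columns become indistinguishable and accuracy collapses towards guessing. The point for defenders is that the leak lives in the sensor's precision and update rate, so reducing either while a text field has focus is a mitigation that needs no new permission prompt.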

Finally, it’s important to note that this side channel isn’t just a security hole in Android: accelerometer and gyroscope data is available through the DeviceOrientation API, which is implemented by all modern desktop (and laptop) browsers, and Android 3.0 and iOS 4.2. In other words, this current exploit would require you to install TouchLogger on your Android phone — but in theory, someone could take the work of Chen and Cai, implement it in JavaScript, and then use it to steal your login details and credit card info when you surf the web.
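For the web case, the control a site operator has is to tell the browser that the page and anything embedded in it may not read motion sensors at all. The following is an added example, not code from the article or the researchers: a minimal Python server that sends a Permissions-Policy header with an empty allowlist for the motion-sensor features, plus a small parser so a security check can confirm that a response really denies them. The feature names accelerometer, gyroscope and magnetometer are the ones defined for Permissions Policy in Chromium-based browsers; whether a given browser gates DeviceOrientation events on them is an assumption you should verify for the browsers you care about.

```python
"""Deny motion-sensor access to a web page via Permissions-Policy, and check a
response for it. Added example; feature names follow the Permissions Policy
names used by Chromium (assumption for other browsers)."""
from http.server import BaseHTTPRequestHandler, HTTPServer

MOTION_FEATURES = ("accelerometer", "gyroscope", "magnetometer")


def sensor_denying_policy(features=MOTION_FEATURES):
    """Build a header value such as 'accelerometer=(), gyroscope=(), magnetometer=()'.
    An empty allowlist '()' disables the feature for the page and every frame in it."""
    return ", ".join(f"{f}=()" for f in features)


def parse_permissions_policy(value):
    """Parse 'a=(), b=(self "https://x"), c=*' into {feature: [origins]}.
    '*' becomes ['*']; an empty allowlist becomes []. Simplified parser that
    covers the common syntax, not the full structured-header grammar."""
    policy = {}
    for item in value.split(","):
        item = item.strip()
        if not item or "=" not in item:
            continue
        feature, allow = item.split("=", 1)
        allow = allow.strip()
        if allow == "*":
            origins = ["*"]
        elif allow.startswith("(") and allow.endswith(")"):
            origins = [tok.strip('"') for tok in allow[1:-1].split()]
        else:
            origins = [allow.strip('"')]
        policy[feature.strip()] = origins
    return policy


def motion_sensors_blocked(headers):
    """True only if every motion feature is present with an empty allowlist.
    A missing header means the browser default applies, which is not a block."""
    policy = parse_permissions_policy(headers.get("Permissions-Policy", ""))
    return all(policy.get(f) == [] for f in MOTION_FEATURES)


class Handler(BaseHTTPRequestHandler):
    """Serves a page that opts out of motion sensors for itself and its frames."""

    def do_GET(self):
        body = b"<h1>sensor-free page</h1>"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Permissions-Policy", sensor_denying_policy())
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Local demo only; constructed address and port.
    HTTPServer(("127.0.0.1", 8080), Handler).serve_forever()
```

Run it and fetch http://127.0.0.1:8080/ to see the header; in a scan of your own sites, feed each response's headers to motion_sensors_blocked to find pages that still expose the sensors. This only governs what a page can read in a browser that honours the policy; a native app with no permission gate on the sensors, the case the article focuses on, is outside its reach.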

Read more at New Scientist or read the TouchLogger paper [PDF]

[Image credit: Wade Morgan]