Researchers at Georgia Tech and MIT have developed a proof of concept to demonstrate that it is possible to record a computer user's keystrokes using an iPhone 4's accelerometer. The researchers developed a method to accurately translate the vibrations from typing on a keyboard picked up by the device's accelerometer when placed on a desk near a PC. Though they warn that hackers could potentially use their method to eavesdrop on a user's keystrokes, they believe the actual threat is quite low.

The method, detailed in a paper titled “(sp)iPhone: Decoding Vibrations From Nearby Keyboards Using Mobile Phone Accelerometers,” works by interpreting pairs of keystrokes in successive order. According to principal researcher Patrick Traynor, assistant professor at Georgia Tech’s School of Computer Science, the method can't reliably pinpoint single keystrokes. But by characterizing the successive strokes as left-right, right-left, left-left, or right-right, and then whether the pair is nearer or further away from the device, the pairs can be statistically analyzed to represent probable letter pairs. Then those pairs can be compared to a dictionary.

According to Traynor, the method is 80 percent accurate with a 58,000 word dictionary. Even that accuracy, though, requires thoroughly modern equipment. “We first tried our experiments with an iPhone 3GS, and the results were difficult to read,” Traynor said in a statement. “But then we tried an iPhone 4, which has an added gyroscope to clean up the accelerometer noise, and the results were much better. We believe that most smartphones made in the past two years are sophisticated enough to launch this attack.”

Similar keylogging methods have been developed which use a smartphone's microphone. But according to the researchers, malware masquerading as a legitimate app can usually access a smartphone's accelerometer without tripping built-in security features, which tend to prevent access to a device's sensors without a specific OK from the user.

Traynor characterized the likelihood of a smartphone user succumbing to such keyboard eavesdropping as "pretty low." With only 80 percent accuracy, the attack would likely have trouble accurately interpreting usernames or passwords that aren't common dictionary terms. And with an effective range of just three inches, users can easily mitigate any potential threat by keeping their iPhone further away from their keyboard, or off the desk entirely.
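The dictionary step described above, and the reason non-dictionary passwords resist it, can be seen in a small model. This is an added example, not the researchers' code: it does no sensor processing, and the left/right key split, the near/far rule (phone assumed to lie behind the keyboard) and the word list are all assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed QWERTY letter rows; row 0 is the top letter row.
ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]
ROW_OF = {ch: r for r, row in enumerate(ROWS) for ch in row}

# Assumption: the usual touch-typing split decides left versus right.
LEFT = set("qwertasdfgzxcvb")


def pair_label(a, b):
    """Label one key pair, e.g. 'RLN' = right key, then left key, near."""
    sides = "".join("L" if ch in LEFT else "R" for ch in (a, b))
    # Assumption: the phone lies behind the keyboard, so low row numbers are
    # nearer to it; a pair counts as near when its row numbers sum to <= 1.
    near = ROW_OF[a] + ROW_OF[b] <= 1
    return sides + ("N" if near else "F")


def signature(word):
    """Sequence of pair labels for a word, or None if it has non-letter keys."""
    word = word.lower()
    if len(word) < 2 or any(ch not in ROW_OF for ch in word):
        return None
    return tuple(pair_label(a, b) for a, b in zip(word, word[1:]))


def candidates(sig, dictionary):
    """Dictionary words whose pair labels match the observed signature."""
    if sig is None:
        return []
    return sorted(w for w in dictionary if signature(w) == sig)


def ambiguity(dictionary):
    """Group dictionary words that are indistinguishable at this resolution."""
    groups = defaultdict(list)
    for w in dictionary:
        groups[signature(w)].append(w)
    return {sig: sorted(ws) for sig, ws in groups.items() if len(ws) > 1}


# Constructed sample dictionary and a constructed non-dictionary string.
WORDS = ["house", "louse", "mouse", "phone", "table", "water"]

if __name__ == "__main__":
    print(candidates(signature("house"), WORDS))   # two words share one signature
    print(candidates(signature("xqzvk"), WORDS))   # nothing to match against
    print(ambiguity(WORDS))
```

Even in this toy model, coarse pair labels leave some dictionary words indistinguishable, and a string that is not in the dictionary yields no candidate at all.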

The paper will be presented Thursday at the 18th ACM Conference on Computer and Communications Security, currently in progress in Chicago.