Critical security flaw in smartphones and tablets has been detected

Aug. 18, 2011

Internet security specialists have developed an Android application that logs keystrokes by using a smartphone's motion sensors to infer the locations a user taps on the touch screen. TouchLogger, as their demo app is called, allowed its creators at the University of California to demonstrate a security hole in most smartphones and tablets that has largely gone unnoticed until now.

While most of these devices lack physical keyboards that have long been known to leak user input, they nonetheless remain very susceptible to outside monitoring through similar side-channel attacks, and that represents a big security risk, according to the researchers.

Whereas eavesdroppers measure sound and electromagnetic radiation to capture input from traditional keyboards, they can also monitor the motion of the mobile device to achieve much the same result from a touch screen-- something that was never given any thought until this latest discovery.

“Motion sensors, such as accelerometers and gyroscopes, may also be used to infer keystrokes as well,” the researchers wrote in a paper presented last week at the HotSec 2011 workshop in San Francisco.

“When the user types on the soft keyboard on a smartphone (especially if the user holds the phone by hand rather than placing it on a fixed surface), the phone vibrates. We discovered that keystroke vibration on touch screens are highly correlated to the keys being typed,” the researchers wrote.

Applications like TouchLogger could be significant because they bypass protections built into both the Android OS and Apple's competing iOS that prevent a program from reading keystrokes unless it is active and has focus on the screen.

TouchLogger was designed to work on an HTC Evo 4G smartphone. It had an accuracy rate of more than 70 percent of the input typed into the number-only soft keyboard of the device. The app worked by using the phone's accelerometer to estimate the motion of the device each time a soft key was pressed.

With just a few minor adjustments, the security researchers also believe that they can expand the effectiveness of TouchLogger, as well as the range of devices it will work on-- creating major security concerns for users in the enterprise segment. So far, no significant amount of testing has been done on RIM's BlackBerry system, but it's only a question of time until the researchers begin.

“The tablet has a larger screen, so hopefully we can get a higher accuracy rate on a Qwerty keyboard,” said Liang Cai, a graduate student in U.C. Davis's computer science department who collaborated with his advisor Hao Chen. “We didn't really try it on a large scale of devices, but we will soon.”

Besides targeting devices with larger touch screens, the researchers added that TouchLogger could also be improved by using other sensors built into the targeted device. Prime candidates include gyroscopes to measure the rate of rotation and a camera to further detect motion.

The security researchers also noted that the W3C recently published a new specification for Internet applications to access accelerometer and gyroscope sensors using JavaScript. They are in the process of extending their work into a full research project, and more details will be available soon.
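On the web side, browsers that implement the Permissions-Policy response header let a site switch these sensors off for its own pages and embedded frames. The following check is an added example, not part of the original article or the researchers' work; it audits a header value for the three motion sensors, and the function names and sample header values are constructed for illustration.

```javascript
// Added example: audit a Permissions-Policy header for motion sensors.
// Function names and the sample header are constructed, not from the article.
const MOTION_FEATURES = ["accelerometer", "gyroscope", "magnetometer"];

// Split the header on commas that are not inside parentheses or quotes.
function splitDirectives(header) {
  const parts = [];
  let depth = 0, quoted = false, cur = "";
  for (const ch of header) {
    if (ch === '"') quoted = !quoted;
    else if (!quoted && ch === "(") depth++;
    else if (!quoted && ch === ")") depth--;
    if (ch === "," && depth === 0 && !quoted) { parts.push(cur); cur = ""; }
    else cur += ch;
  }
  parts.push(cur);
  return parts.map((p) => p.trim()).filter(Boolean);
}

// "()" blocks the feature everywhere, "*" opens it to every origin,
// anything else limits it to the listed origins.
function classify(allowlist) {
  const v = allowlist.split(";")[0].trim(); // drop trailing parameters
  if (v === "()") return "blocked";
  if (v === "*") return "all-origins";
  return "restricted";
}

// Returns { feature: status }. A feature the header does not mention keeps
// the browser default, which for these sensors is same-origin ("self").
function auditMotionPolicy(header) {
  const seen = new Map();
  for (const d of splitDirectives(header || "")) {
    const eq = d.indexOf("=");
    if (eq < 0) continue; // bare keys carry no allowlist
    seen.set(d.slice(0, eq).trim().toLowerCase(), classify(d.slice(eq + 1)));
  }
  const report = {};
  for (const f of MOTION_FEATURES) report[f] = seen.get(f) || "default-self";
  return report;
}

// Constructed sample: accelerometer off, gyroscope limited, magnetometer unset.
const SAMPLE = 'accelerometer=(), gyroscope=(self "https://maps.example"), camera=*';
console.log(auditMotionPolicy(SAMPLE));
```

A site that handles PINs or card numbers and has no use for motion data would want all three features reported as `blocked`.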

But for now, all they are hoping is to get the word out that the motion detected by a smart device's own sensors could expose highly valuable information, including passwords, social security numbers and credit card information.

“We hope to raise the awareness of motion as a significant side channel that may leak confidential data,” they wrote.

In other internet security news

The well known hacking group Anonymous took credit Monday for an online attack targeting San Francisco's rapid transit system. The group has a reputation for targeting mission-critical and sensitive computer networks across the globe, and this one isn't any different than previous attacks made by the group.

For now, their motives are still unknown. In a news release attributed to the group, and backed up by related Twitter pages, Anonymous said it would take down the website of the Bay Area Rapid Transit System, known as BART, between noon and 6.00 PM Pacific time yesterday.

The move responds to the decision by the organization's management to cut off cellphone signals at select subway stations in response to a planned protest last week.

"By cutting off cell phone service, you have not only threatened your citizens' safety, you have also performed an act of censorship," a seemingly computer-generated voice said in a video posted online Sunday afternoon. "And by doing this, you have angered Anonymous."

Yesterday afternoon, a link off BART's website to apparently had been hacked as well. It showed a page featuring, among other items, the Anonymous logo -- a smirking mask above two crossed swords, all on a black background.

Twitter traffic related to Anonymous also said that the hackers had been able to get into BART's internal network. Several related items and documents were posted, including one claiming to be "the User Info Database of" This had e-mails and, in some cases, phone numbers of hundreds of people.

"We apologize to any citizen that has his information published, but you should go to BART and ask them why your information wasn't secure with them in the first place," the posted item said. "Also-- don't worry-- probably the only information that will be abused from this database is that of BART employees, not you."

Source: The University of California.
