According to the researchers, the Spearphone attack can be used to learn about the contents of the audio played by the victim—selected from the device gallery over the Internet, or voice notes received over the instant messaging applications like WhatsApp.
Researchers also tested their attack against phone's smart voice assistants, including Google Assistant and Samsung Bixby, and successfully captured response (output results) to a user query over the phone's loudspeaker.
The researchers believe that by using known techniques and tools, their Spearphone attack has "significant value as it can be created by low-profile attackers."
Besides this, Spearphone attack can also be used to simply determine some other user's speech characteristics, including gender classification, with over 90% accuracy, and speaker identification, with over 80% accuracy.
Nitesh Saxena also confirmed The Hacker News that the attack can not be used to capture targeted users' voice or their surroundings because "that is not strong enough to affect the phone's motion sensors, especially given the low sampling rates imposed by the OS," and thus also doesn't interfere with the accelerometer readings.
For more details, we encourage our readers to head onto the full research paper [PDF], titled "Spearphone: A Speech Privacy Exploit via Accelerometer-Sensed Reverberations from Smartphone Loudspeakers."
The paper also discussed some possible mitigation techniques that may help prevent such attacks, as well as a few limitations, including low sampling rate and variation in maximum volume and voice quality of different phone that could negatively impact the accelerometer readings.
In a previous report, we also explained how malware apps were found using motion-sensors of infected Android devices to avoid detection by monitoring if the device is running in a run emulator or belongs to a legitimate user with movements.
source:- TH news
"The proposed attack can eavesdrop on voice calls to compromise the speech privacy of a remote end-user in the call," the researchers explain.
"Personal information such as social security number, birthday, age, credit card details, banking account details, etc. consist mostly of numerical digits. So, we believe that the limitation of our dataset size should not downplay the perceived threat level of our attack."
Researchers also tested their attack against phone's smart voice assistants, including Google Assistant and Samsung Bixby, and successfully captured response (output results) to a user query over the phone's loudspeaker.
Besides this, Spearphone attack can also be used to simply determine some other user's speech characteristics, including gender classification, with over 90% accuracy, and speaker identification, with over 80% accuracy.
"For example, an attacker can learn if a particular individual (a person of interest under surveillance by law enforcement) was in contact with the phone owner at a given time," the researchers say.
Nitesh Saxena also confirmed The Hacker News that the attack can not be used to capture targeted users' voice or their surroundings because "that is not strong enough to affect the phone's motion sensors, especially given the low sampling rates imposed by the OS," and thus also doesn't interfere with the accelerometer readings.
For more details, we encourage our readers to head onto the full research paper [PDF], titled "Spearphone: A Speech Privacy Exploit via Accelerometer-Sensed Reverberations from Smartphone Loudspeakers."
The paper also discussed some possible mitigation techniques that may help prevent such attacks, as well as a few limitations, including low sampling rate and variation in maximum volume and voice quality of different phone that could negatively impact the accelerometer readings.
In a previous report, we also explained how malware apps were found using motion-sensors of infected Android devices to avoid detection by monitoring if the device is running in a run emulator or belongs to a legitimate user with movements.
source:- TH news
Comments
Post a Comment