Android keylogging with no access to keystrokes?

July and August – summer in the Northern Hemisphere, especially in Nevada and California – often produce some interesting and unusual computer security research.

This is when the media-meets-hacker-in-Vegas two-ring circus of Black Hat and DEFCON (BH/D) takes place.

It’s also when you can attend the academically-styled, but in many ways much groovier, USENIX Security Symposium.

(BH/D probably has way more beards per capita than USENIX events, but USENIX beards are the ones to watch. BH/D is to beards as the United States is to Olympic medals in athletics. USENIX is Usain Bolt.)

We’ve already reported on various intriguing work presented at BH/D. There was Charlie Miller hacking Macbook batteries, and Jay Radcliffe attacking insulin pumps.

Artem Dinaburg took a somewhat chasmic leap of faith to suggest that DRAM errors might be exploited by typosquatters, whilst the gloriously-named triumvirate of Markus, Mlodzianowski and Rowley had fun with juicejacking.

Because it was August when we wrote about these, a handful of our readers complained that both the research and our reporting were nothing more than ‘silly season’ trivia. Maybe.

But if I might mix a metaphor for a moment, it’s only silly season stuff until someone loses an eye.

With that in mind, here’s an interesting paper from the USENIX HotSec ’11 workshop, by Liang Cai and Hao Chen from the University of California, Davis.

Talk titles are another aspect in which USENIX events outshine their Vegas cousins, since they tend to be written for the reader rather than for the media, like this one: TouchLogger: Inferring Keystrokes on Touch Screen from Smartphone Motion.

I won’t do more than give the briefest of summaries here – if you want to do it justice, you can read or even watch the whole paper for yourself.

Simply explained, the authors decided to see if they could guess what you’d typed on your mobile phone by looking only at the data stream from the motion sensors as you pecked at the on-screen keys.

The experiment was rather limited, using a dedicated, full-screen application with a numeric keypad. This allowed the researchers to record what keys you’d actually typed, as well as how you’d typed them.

The results were satisfactory, but far from excellent: the average accuracy was just 70%. One key – the one, as it happens – was correctly diagnosed 80% of the time. But the seven was misidentified almost half the time.

So I don’t expect to see this technique used by cybercrooks any time soon, if at all. But the research is nevertheless not just ‘silly season’ stuff.

One of the goals of the authors was to give us a clear and practical security reminder: operating system data which, during design, seems to be of low sensitivity and of little value to an attacker, may turn out to be no such thing.

In particular, the authors point out that most smartphone operating systems deliberately prevent applications from reading from the keyboard unless they are active, visible and have focus. This is a sensible security precaution. But the paper reminds us that we can’t simply assume that this is enough, on its own, to prevent a background keylogger of the sort we’re used to on operating systems such as Windows or Linux.
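As an added illustration of that principle (example code written for this article, not from the paper and not Android’s own sensor API), here is a hypothetical sensor broker that denies motion data to background apps while the on-screen keyboard is showing, throttles it otherwise, and flags apps that kept polling during the denied window. The rate limit, the suspicion threshold and the package names are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional
# Constructed policy parameters (assumptions, not values from the paper).
BACKGROUND_MAX_RATE_HZ = 5        # coarse motion is enough for step counters and the like
SUSPICIOUS_BLOCKED_READS = 50     # reads a background app attempted while the keyboard was up

@dataclass
class MotionEvent:
    t_ms: int
    x: float
    y: float
    z: float
@dataclass
class SensorBroker:
    """Hypothetical mediator for accelerometer delivery (not Android's SensorManager)."""
    keyboard_visible: bool = False
    foreground_app: Optional[str] = None
    blocked_reads: dict = field(default_factory=dict)
    _last_delivered: dict = field(default_factory=dict)

    def deliver(self, app: str, ev: MotionEvent) -> Optional[MotionEvent]:
        if app == self.foreground_app:
            return ev                 # the focused app keeps full-rate data, as today
        if self.keyboard_visible:
            # Background app while keys are being tapped: the TouchLogger window. Deny and count.
            self.blocked_reads[app] = self.blocked_reads.get(app, 0) + 1
            return None
        # Background app, no keyboard: throttle so individual tap timings are not recoverable.
        last = self._last_delivered.get(app)
        if last is not None and ev.t_ms - last < 1000 // BACKGROUND_MAX_RATE_HZ:
            return None
        self._last_delivered[app] = ev.t_ms
        return ev

    def suspicious_apps(self) -> list:
        return sorted(a for a, n in self.blocked_reads.items() if n >= SUSPICIOUS_BLOCKED_READS)

def simulate() -> dict:
    """Constructed scenario: a focused app typing a PIN while a background app polls at 100 Hz."""
    broker = SensorBroker(keyboard_visible=True, foreground_app="com.example.notes")
    fg = bg = 0
    for t in range(0, 1000, 10):          # one second of 100 Hz samples, keyboard showing
        ev = MotionEvent(t, 0.1, 0.0, 9.8)
        fg += broker.deliver("com.example.notes", ev) is not None
        bg += broker.deliver("com.example.bg", ev) is not None
    broker.keyboard_visible = False       # keyboard dismissed; background polling continues
    later = sum(broker.deliver("com.example.bg", MotionEvent(t, 0.1, 0.0, 9.8)) is not None
                for t in range(1000, 2000, 10))
    return {"fg_delivered": fg, "bg_delivered_while_typing": bg,
            "bg_delivered_after": later, "suspicious": broker.suspicious_apps()}
```

The list returned by `suspicious_apps()` is the detection signal: an app that has no focus yet keeps asking for motion data while a keyboard is up is behaving exactly like the paper’s logger.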

In short, this sort of ‘silly season’ research is not silly at all.

By making regular attempts to expect the unexpected, research like this helps stop us getting bogged down in a rut of security assumptions.

And the researchers get to have some fun with computer science at the same time.