Did you know that while you innocently play games or browse Facebook on your smartphone or tablet, someone might be tracking your every move? Through a stream of data “leaked” by your mobile gadgets, cybercriminals can determine which direction you’re headed, how fast you’re walking and how long your strides are. Leaked data can even tell hackers whether you walk or take the subway to work or where you put your phone down when you get home.
Creepy, right?
McAfee’s latest white paper reveals details about a new type of HTML5 data leakage called physical eavesdropping that allows hackers to use your mobile device to access detailed information about your everyday life.
How Does it Work?
The technology that most of today’s smartphones and tablets are equipped with is designed to improve the mobile experience and ultimately make our lives easier. For example:
- Accelerometers are used to present landscape or portrait views of a device’s screen, based on the way the device is being held.
- Gyroscopes are used for measuring or maintaining orientation and provide users with a richer experience when they’re playing mobile games.
- Compasses allow the gadget to sense exactly what direction it’s facing.
- HTML5-compliant web browsers allow for greater functionality and improve the user’s mobile web experience.
The flipside is that hackers use these technology features to collect and analyze the directional and orientation data of mobile devices. That data is then translated into human motions giving cybercriminals the opportunity to obtain physical information about you and your device – which is where the notion of “physical” eavesdropping comes in.
For example, McAfee Labs found that it’s easy to detect whether a phone is placed on a tabletop or a charging dock. And while that may not seem like a huge red flag, it’s really just the tip of the iceberg. Detection becomes more complex and disturbing when things such as posture, step strides, and variances in clothing are taken into account. McAfee discovered that hackers can determine whether users are carrying their phone in their pocket or their hands while they walk. They can calculate the length and pace of a user’s steps, which reveals an approximate height of a target and potentially indicates whether a child or an adult is using a device.
When the information gathered through a physical eavesdropping attack is combined with a standard location-based attack, a stalker can capture a sequenced view of someone’s daily routines and schedule. The hacker can extract GPS coordinates, device orientation, acceleration and directional data to determine the exact physical position of a mobile device. When all the pieces are put together a stalker can find out if a user is sitting outside at a coffee shop with their mobile device lying flat and facing north while they browse through their Instagram feed.
Who’s At Risk?
Apple users listen up – this attack is not an Android-specific hack. Users across both platforms are vulnerable as are all popular devices – everything from the iPhone 5 to the Samsung Galaxy S3 – are at risk. Hackers would most likely perform this attack via a third-party web app or within emails, specifically a web-based email such as Gmail. The scariest part though, is that it’s fairly easy to carry out, so we’re all at risk. It could be used by jealous boyfriends or girlfriends spying on their better halves, or a “modern day” stalker attempting to learn a target’s every move. Perhaps the paparazzi could even use this to track down popular celebrities.
How to Best Protect Yourself
Currently, most mobile devices are not equipped with an easy way for users to restrict access to the motion and orientation data being leaked by our everyday activities – whether it’s playing a game, checking emails or checking movie times at your local theater. However, while the ultimate fix for this hack lies in the hands of mobile OS developers, there are ways to reduce the risk of vulnerability. It’s important to make sure you’re using a mobile security solution so you aren’t an easy target for hackers. By using a security solution that allows you to block access to certain types of data through safe searching and app use, you will avoid leaving a data trail that would allow hackers to piece together a comprehensive picture of your every move.