Smartphone manufacturers have done a lot in recent years to better protect their software from eavesdropping by malicious apps. Whatever they do, there appear to be “windows” for eavesdropping, as evidenced by security researchers from five US universities. Malicious apps can eavesdrop without access to a smartphone’s microphone, says the study, which was co-authored by experts from Texas A&M, Dayton, Temple, Rutgers, and the New Jersey Institute of Technology. Researchers have developed a program called EarSpy to record phone conversations without being detected.
The main finding isn’t entirely new: the sensors built into every smartphone can register even small vibrations in such detail that they could theoretically also be used to monitor conversations – for example when using hands-free mode. However, the new study now shows that thanks to advances in technology, even phone calls in which users hold the smartphone to their ear can be intercepted.
Two factors are responsible for this: on the one hand, increasing the quality of sensors and on the other hand developing better and better speakers integrated into smartphones.
Speech recognition – that is, the assessment of what was said – is still relatively inaccurate: in the research conducted by experts, the recording of conversations was found to be 56.42% complete. However, security researchers speculate that this rate could also be greatly improved with better algorithms.
As it turns out, interception of conversations can work on most smartphones. The difference between the individual models is particularly interesting: for example, the data provided by the Oneplus 3T was barely useful, while the Oneplus 7T provided much more data. The difference: The newer model has significantly better (stereo) speakers that produce more “feel”. In contrast, it was difficult to capture data on older OnePlus models due to the lack of stereo speakers, the researchers said.
The fact that the various sensors built into smartphones today can be used for all kinds of malicious attacks has not gone unnoticed by the manufacturers. For example, with Android 12, released in 2021, Google has significantly restricted access to sensor data.
The new study confirms that Google’s actions at the time did indeed work — but today they are in danger of being outdone.
Security researchers offer two pieces of advice: Operating system manufacturers should ensure that sensor data is accessed after user permission. Thus, device users must explicitly agree — as has been the case for years with cameras, microphones, and the like. Until now, all applications had access to this data by default. The second tip is aimed at device manufacturers and has to do with the internal architecture of smartphones. With the correct arrangement of sensors on the device, measurable “vibrations” can be reduced – making such attacks more difficult.
“Avid problem solver. Extreme social media junkie. Beer buff. Coffee guru. Internet geek. Travel ninja.”