
How A Simple Business Card Can Turn Your iPhone Into A Spyphone

Forbes, 24-06-2016, Thomas Fox-Brewster, Forbes Staff

Image caption: The Ben Gurion researchers attached their device directly to a Samsung to use it as a portal to send...

Hoarding business cards seems to be a requisite habit of every modern business role. But what if hidden inside the next one you receive was a little spy device, one that could use your phone to transmit information to a snoop’s computer via its gyroscope?

That’s what researchers from Israel’s Ben Gurion University have proposed in a paper released today, authored by Benyamin Farshteindiker, Nir Hasidim, Asaf Grosz and Yossi Oren from the Faculty of Engineering Sciences. It’s a novel, silent and cheap method for transmitting data, such as sound recordings or location data of a target, to a spy’s server, and proof that gyroscopes remain a nice target for advanced hackers.

Oren told FORBES that for just $3, he could install a small device in a business card or even a sticker (yes, even the tiny kind that Mark Zuckerberg puts on his webcam) that would use an audio signal to force a phone or tablet gyroscope to vibrate at its resonant frequency. This would be registered by code running on the target’s phone – most likely within an innocent-looking web page – that queries the gyroscope as quickly as possible, uploading its reading to a central server. If the implant is recording audio and location, it can transmit that information in 1s and 0s at a fairly quick rate – hundreds of bits per second of data – by just activating and deactivating the gyroscope.

In their own proofs of concept, the researchers used an iPhone 5S, a Samsung Galaxy S5 and a Microsoft Surface Pro 3 tablet: as the devices received the audio signal from the implant, the state of the gyroscope was collected and sent to an external server by JavaScript code running on a web page. They also wrote an Android app that did the same.

“Exfiltration is the real problem… it’s very expensive and risky,” said Oren, senior lecturer at Ben Gurion University’s Cyber Security Research Center. The researchers believe the attack method would allow an intelligence agency “to monitor many implants at the same time at a low cost, with no risk of exposure to their field agents.”

“State actors typically spread thousands of implants through supply-chain intervention or other methods, but only interrogate a few dozen due to the operational costs and risks involved with signal collection. This new attack vector changes the economics of state-sponsored attacks, and may induce malicious intelligence agencies to activate all of the implants they distribute, not only a selected few, thus drastically raising the amount of people targeted by hardware-based spying methods,” the paper read.

As the modulations of the gyroscope are so slight and the sound inaudible to the human ear, the attack would work without the target noticing. There are two obvious barriers to a successful attack, however. First, the implant must be close enough to the gyroscope for the attack to work (best hope the target isn’t doing any vigorous exercise). Second, it requires the target to visit a web page or app that contains malicious code for transmitting data back to the snoop’s command and control server. The attacker could, the researchers theorized, purchase ads for the target’s favourite websites to run the code, or hack into those sites to add the relevant lines. The same could be done with mobile apps.

Image caption: Diagram shows the basic methodology to turn a phone’s gyroscope into a spy tool for transmitting dat...

What makes the gyroscope such an attractive feature for exploitation is that unlike microphones or cameras, the rotation sensor does not require any special permissions to be used by external parties. Web pages, for instance, can request information about how a device is being rotated from browsers on Apple’s iOS, Google’s Android and Microsoft’s Windows with no permission required and no notification given.

Gyroscopes have been proven to be useful spy tools before. In 2014, researchers from Stanford University and Israel’s defense research group Rafael presented an attack called Gyrophone, which was able to pick up on certain words and act as a makeshift microphone.

Some good news: there is the potential the researchers’ little implant could also be used as part of a two-factor authentication mechanism. Typically, two-factor authentication requires a user to enter a one-time code sent either via text or in an app. If the user had an implant only they could access, they could simply hold the device near their phone. After it transmitted a unique audio signal and the gyroscope was put into action, the relevant site, say Facebook or Twitter, would register that and accept they were the legitimate owner of the account.

Nevertheless, given the potential for malicious use, it might be time phone companies and web developers asked permission before accessing people’s gyroscopes.
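For a web developer, the permission gap the article describes (any page, or any ad frame inside it, reading the rotation sensor with no prompt) can now be narrowed with the Permissions-Policy response header, a mechanism the 2016 article does not mention. What follows is an added example, not code from the article or from the Ben Gurion paper: a small Node.js evaluator that builds a locked-down header for a site and checks, for a given page/frame origin pair, whether the gyroscope would still be readable. It assumes a simplified directive grammar (comma-separated feature=(allowlist) pairs whose items are `*`, `self` or quoted origins), assumes the motion sensors fall back to a default allowlist of `self` when no directive is present, and does not model iframe `allow` attributes or nested delegation; every origin in it is constructed.

```javascript
// Added example (not from the Forbes article or the Ben Gurion paper):
// evaluate a Permissions-Policy header as it applies to the motion sensors.
// Assumptions: simplified directive grammar; an absent directive falls back
// to `self`; iframe `allow` attributes and nested delegation are not modelled.

const MOTION_SENSORS = ['gyroscope', 'accelerometer', 'magnetometer'];

// Header value that blocks every motion sensor for everyone, including the
// page itself. Suitable for sites that never need motion data.
function lockedDownPolicy() {
  return MOTION_SENSORS.map((f) => `${f}=()`).join(', ');
}

// Header value that lets only same-origin (top-level page) code read the
// sensors; cross-origin frames such as third-party ad slots get nothing.
function selfOnlyPolicy() {
  return MOTION_SENSORS.map((f) => `${f}=(self)`).join(', ');
}

// Parse e.g. 'gyroscope=(self "https://a.example"), accelerometer=()' into
// { gyroscope: ['self', 'https://a.example'], accelerometer: [] }.
// A bare `*` with no parentheses is accepted too.
function parsePermissionsPolicy(headerValue) {
  const policy = {};
  for (const rawDirective of (headerValue || '').split(',')) {
    const directive = rawDirective.trim();
    const eq = directive.indexOf('=');
    if (eq < 0) continue; // empty or malformed directive: skip it
    const feature = directive.slice(0, eq).trim().toLowerCase();
    let list = directive.slice(eq + 1).trim();
    if (list.startsWith('(') && list.endsWith(')')) list = list.slice(1, -1);
    policy[feature] = list
      .split(/\s+/)
      .map((item) => item.replace(/^"|"$/g, ''))
      .filter((item) => item.length > 0);
  }
  return policy;
}

// Would code in a frame at `frameOrigin`, embedded in a page served from
// `pageOrigin` with this header, be allowed to use `feature`?
function sensorAllowed(headerValue, feature, pageOrigin, frameOrigin) {
  const allowlist = parsePermissionsPolicy(headerValue)[feature.toLowerCase()];
  if (allowlist === undefined) {
    // No directive at all: assumed default allowlist of `self`.
    return frameOrigin === pageOrigin;
  }
  return allowlist.some(
    (item) =>
      item === '*' ||
      (item === 'self' && frameOrigin === pageOrigin) ||
      item === frameOrigin,
  );
}

// Summarise, per motion sensor, whether the page itself and an arbitrary
// unlisted cross-origin frame could read it under the given header.
function auditMotionSensors(headerValue, pageOrigin) {
  const report = {};
  // Constructed stand-in for "some third party we never listed".
  const stranger = 'https://unlisted-third-party.invalid';
  for (const sensor of MOTION_SENSORS) {
    report[sensor] = {
      page: sensorAllowed(headerValue, sensor, pageOrigin, pageOrigin),
      thirdParty: sensorAllowed(headerValue, sensor, pageOrigin, stranger),
    };
  }
  return report;
}

// Demo with a constructed page origin.
const page = 'https://news.example';
console.log('locked down :', lockedDownPolicy());
console.log('self only   :', selfOnlyPolicy());
console.log('gyroscope=* :', auditMotionSensors('gyroscope=*', page));
console.log('self only   :', auditMotionSensors(selfOnlyPolicy(), page));
```

The audit is the useful part for a site that runs third-party ads: a header that merely omits the gyroscope directive leaves the page's own scripts (and anything they load directly) free to sample the sensor, so sites with no need for motion data should ship the fully locked-down value rather than rely on the default.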
