How To: It's Not Just Your Camera & Mic — Here's All the Crazy Ways Your Phone Could Be Used to Spy on You

It's Not Just Your Camera & Mic — Here's All the Crazy Ways Your Phone Could Be Used to Spy on You

As you're surely aware, your phone can be used against you. Thanks to our cameras and microphones, a clever hacker can obtain access to your device and invade your privacy. But spying isn't limited to just these two sensors — gyroscopes, proximity sensors, QR codes, and even ads can be used to paint a very clear picture about who you are and what you're currently doing.

The examples below are theoretical. No known real-world threat exists that utilizes these tactics. However, as any good cybersecurity expert would inform you, you must think about how hackers will infiltrate in order to properly protect your system. We hope with this information, you will care a little bit more about your phone's security and protecting your privacy.

Keylogging Using the Gyroscope

All modern smartphones are equipped with a gyroscope. This sensor is used to detect the precise direction your phone tilts, which can be used for things like steering a car in your favorite racing game.

Thanks to the growth of smartphones, various sensors (including gyroscopes) have dramatically improved their ability to measure specific movements. Because of this accuracy, it possible to use the gyroscope maliciously. One potential cyber attack was demonstrated at Northeastern University, where a group was able to use both the gyroscope and the microphone to perform keylogging.

Keylogging is the capturing of text you input into a device — this is particularly dangerous when it comes to passwords. While there are other ways to accomplish this, the College of Computer and Information Science at Northeastern University demonstrated how it could be easily be performed with the two sensors.

The gyroscope used in racing games can also be used to determine to conduct keylogging.

As you type, your phone tilts slightly in reaction to each touch. By capturing this tilt, letters can be determined. As you tap the screen to type, a sound is produced, which is also captured by the microphone. Its position can be determined by measuring the distance of the sound using each of the phone's microphones. Using the combination of these two sensors and a set of algorithms, researchers were able to log the exact keys pressed with 90–94% accuracy on the first try.

Determining Your Location Without Using GPS

One type of sensitive data that our phone has access to is our location. Even with the GPS off, as we connect to cellular towers and Wi-Fi points with geolocation information attached to them, our phone has a rough idea of our location. However, even without access to these tools, a hacker could still determine your location using other sensors we don't normally think about.

The same group at Northeastern University attempted to demonstrate this by using sensors that don't require users to grant permission explicitly before apps can access them. The result was an app that used the gyroscope, accelerometer, and magnetometer.

With a map of the area the person was in, the app was able to track the user as they drove around. The accelerometer was used to determine movement and stoppage. The magnetometer (the compass) provided direction of their travel. The gyroscope measured the turning angles, allowing for accurate tracking as the person made turns.

Using an algorithm to match the observed movements against a map of the rough area, they were able to determine where the person traveled and visited. Similar to Google's Location History, by observing the location and the time spent at locations (both time of day and duration), the app could effectively determine the user's home and workplace addresses, along with their favorite places to visit.

Using your location history (with your permission) and a similar algorithm, Google Maps can automatically determine your home and work addresses.

Tracking Location Using Ads

Besides the previous method, there is another way to track someone's location without direct access to their GPS data. According to Wired, all it takes is $1,000 and a few mobile ads.

A University of Washington research team demonstrated this by creating a mobile banner ad and a website linked to the ad. They paid the minimum $1,000 deposit for ad space on major mobile platforms such as Google AdWords and Facebook. With their deposit, they were able to specify where their ads appeared, in which app, and for which unique phone identifiers. They also used geofencing to create a 3-mile square section that would place on their ads in a specific app when users traveled within the geofence.

Each time the target phone used the app, researchers were charged 2 cents, and information about the phone was sent to them, such as approximately where they were, what time they were there, and what phone they were using. With this info, the research group was able to track the user's location to within 25 feet )as long as the app remained open for four minutes in one location or was opened twice in the same location). While this method does require the opening of a specific app, this obstacle could be overcome by targeting commonly used apps.

Ads, such as this, can be used to track your location.

The researchers needed to know the device's specific advertising ID beforehand in order to target a specific person, but this still has potential privacy implications even when a user isn't specified. For example, the researchers were able to see the number of people using the Grindr app in an area, or those of a specific religious denomination (they used Quran Reciter to determine the number of Muslims in the area), which could be used to conduct targeted surveillance of a populace.

Seeing What Links You've Visited Using the Light Sensor

The ambient light sensor measures the light in your environment and adjusts the brightness of your phone's display for optimal viewing. This sensor, which is normally not considered a potential threat, can be used for hacking purposes.

Lukasz Olejnik illustrated the ambient light sensor's malicious potential by creating an app that uses its data to determine the links visited by a user. In short, the light emitted by your screen can be read quite precisely by your phone's ambient light sensor. This could let an attacker see the exact color of a webpage you're viewing.

Websites can display different colors for links you've previously visited and those you haven't, but for security reasons, they not allowed to "know" which color you see (this is determined by your browser, not the site). In other words, a link might be light blue if you haven't visited it before, then it may turn purple after you click on it — but the website itself doesn't know this; it only knows what color it told your browser to show for visited and unvisited links.

If websites get access to your ambient light sensor's data, they can read the light emanating from your screen to determine whether or not you've previously clicked a link on the page.

For instance, if a website had a black background with dark grey text and even darker gray unvisited links, it would know that the ambient light sensor should be reading fairly low levels of light from the screen. It could then request that your browser shows visited links as white, and when you scrolled to that portion of the page, the ambient light sensor would see the extra light from the white link and the website would know you visited that link. After analysis, the site could create a list of all sites you've visited.

Stealing QR Codes & Other Cross-Origin Resources

Lukasz Olejnik also demonstrated how the ambient light sensor could create complete copies of the cross-origin elements on a site, such as QR codes.

Normally, resources from different origins aren't able to access each other's data — for instance, an embedded QR code from an ad can't see what's on a website, and the website it's displayed on can't see where the QR code links to. This is known as the same-origin policy, and it protects users against hackers.

Let's say a site uses a QR code for account recovery purposes. The intention is that you'll scan the code with your phone and it will verify you as a user, then allow you to log back in after you've forgotten your password.

Using data from the ambient light sensor, Olejnik was able to create a pixel-perfect representation of QR codes and other elements displayed on a site — elements that are normally protected by the same-origin policy. The sensor is precise enough to map out the subtle differences between black and white pixels emitting light on your screen, so the same principles could be used to recreate avatars or security codes displayed on websites.

Identify Users and Nearby Objects

The vast majority of smartphones have a proximity sensor. This is used to turn off the touch screen when you're in a call — otherwise, your face would accidentally touch buttons on the dialer or even hang up the call.

The proximity sensor not only detects when objects are close to the screen, but it can also accurately measure distance. According to Lukasz Olejnik, one possible measurement is how close we hold the phone to our face.

While this may not seem obvious at first, each one of us holds our phones at a different distance based on height, arm length, the strength of our vision, and other factors. With this information, an app could differentiate users and use this information to discriminate against them. While the accuracy of this method may not be high, when combined with other identifiable factors (such as the advertising ID), advertisers could differentiate users pretty easily.

Additionally, Lukasz Olejnik identified another possible security risk with the proximity sensor: Identifying nearby objects. By measuring the distance between the phone and the objects around it, an app could feed a third party (whether advertisers or hackers) your location in relation to the objects, even while your GPS sensor is turned off.

Each one of these potential threats is theoretical, and as far as the public knows, there has been no widespread attack utilizing one of these methods. However, the risk is there, so we wanted you to know about it. What do you think of these potential attacks? Were you aware of these possibilities? Let us know in the comment section below.

Just updated your iPhone? You'll find new emoji, enhanced security, podcast transcripts, Apple Cash virtual numbers, and other useful features. There are even new additions hidden within Safari. Find out what's new and changed on your iPhone with the iOS 17.4 update.

Cover image and screenshots by Jon Knight/Gadget Hacks

Be the First to Comment

Share Your Thoughts

  • Hot
  • Latest