SonarSnoop – A Technique Used to Steal Smartphone Unlock Patterns

Researchers from universities in Sweden and the UK have discovered a new method that turns a smartphone’s built-in speaker and microphone into a crude sonar system that steals unlock patterns from Android devices. The method was named SonarSnoop because it uses sound waves to track a user’s finger position across the screen.

The technique mainly consists of a malicious app on the device that emits sound waves from the phone’s speakers at frequencies inaudible to the human ear (18 kHz – 20 kHz).
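A defender's check for the emission described above, as an added example that is not from the article or the research paper: it measures what share of a recording's energy sits in the 18 kHz – 20 kHz band. The 48 kHz sample rate, the 0.2 threshold, the helper names and the constructed test signals are all assumptions.

```python
import math

SAMPLE_RATE = 48_000     # Hz, assumed capture rate (above 2 x 20 kHz)
BAND = (18_000, 20_000)  # Hz, the inaudible band named in the article
THRESHOLD = 0.2          # assumed alert level for in-band energy share

def goertzel_power(samples, freq, rate=SAMPLE_RATE):
    """Squared magnitude of one frequency component (Goertzel algorithm)."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / rate)
    s1 = s2 = 0.0
    for x in samples:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def band_ratio(samples, rate=SAMPLE_RATE, step=100):
    """Share of probed spectral energy (probes step Hz apart) inside BAND."""
    in_band = total = 0.0
    for freq in range(step, rate // 2, step):
        power = goertzel_power(samples, freq, rate)
        total += power
        if BAND[0] <= freq <= BAND[1]:
            in_band += power
    return in_band / total if total else 0.0

def flags_ultrasonic(samples, threshold=THRESHOLD):
    """True when the near-ultrasonic band carries a suspicious energy share."""
    return band_ratio(samples) >= threshold

def tone(freq, amp=1.0, count=960, rate=SAMPLE_RATE):
    """Constructed test signal: a pure sine wave (960 samples = 20 ms)."""
    return [amp * math.sin(2 * math.pi * freq * i / rate) for i in range(count)]

def mix(*signals):
    """Sum several equal-length signals sample by sample."""
    return [sum(values) for values in zip(*signals)]

# Constructed samples: voice-range tones, then the same audio plus a 19 kHz tone.
ambient = mix(tone(300), tone(1200, amp=0.5))
with_probe = mix(ambient, tone(19_000))

if __name__ == "__main__":
    for name, clip in (("ambient", ambient), ("with_probe", with_probe)):
        print(name, round(band_ratio(clip), 3), flags_ultrasonic(clip))
```

Ordinary speech and room noise carry very little energy above 18 kHz, which is why a sustained in-band share is a useful signal to alert on.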

How does the app get the data to guess the user’s unlock pattern?

The malicious app uses the device’s microphone to pick up the sound waves as they bounce off nearby objects, which in this case are the user’s fingers. The machine learning algorithms employed in the malicious application then determine the possible unlock patterns. Researchers from Lancaster University in the UK and Linköping University in Sweden have published a research paper that details the testing of SonarSnoop on a Samsung Galaxy S4 running Android 5.0.1.

The team was able to reduce the number of possibilities by more than 70% because of the data collected by the machine learning (ML) model. At present, SonarSnoop cannot unlock devices with 100% accuracy, but as more data is collected the ML algorithm will become more efficient and will be able to reduce the number of false patterns.

Which sensors are used to find the pattern?

The idea of using sonar is rapidly becoming reality, alongside the use of accelerometers, gyroscopes and proximity sensors to record and steal the PINs and patterns of mobile phones. SonarSnoop has credited FingerIO as the primary source of information that made this possible.

The researchers have observed that this technique, demonstrated here on smartphones, could also be used on many other computing devices and in physical environments where microphones and speakers are available.
