EarSpy Attack Allows Android Snooping Via Ear Speaker Vibrations

Researchers have devised a new eavesdropping strategy that targets Android users. Dubbed “EarSpy,” the attack allows listening to speech by capturing ear speaker vibrations on Android smartphones.

EarSpy Attack Spies On Android Phones

Android phones have long been a lucrative target for hackers and snoopers globally. That’s why it’s important to discover and remediate various ways attackers could breach users’ privacy before active exploitation.

Pursuing this prospect, a team of researchers has devised a new eavesdropping attack against Android phones – the ‘EarSpy’ attack.

Briefly, the attack exploits the impact of ear speaker vibrations on motion sensors in an Android smartphone. The researchers observed that most modern Android devices include powerful ear speakers (usually stereo speakers) that generate more sound pressure on the embedded accelerometer than conventional speakers.

Similarly, most modern handsets also bear more sensitive accelerometers and gyroscopes (motion sensors), contributing to the sensitivity toward sound vibrations. Hence, capturing these motion sensors’ vibrations can allow an adversary to decipher the speech (as the following image depicts).

The Experiment

The researchers played the word “Zero” six times with a 5-second interval through the ear speakers of the handset OnePlus 7T (which bears large dual speakers at the top and a loudspeaker at the bottom). They then captured accelerometer readings (as it serves better to capture sound vibrations than the gyroscope. Next, they repeated this experiment with the OnePlus 3T – an older device with relatively less powerful speakers. OnePlus 7T produced visibly higher sound vibrations than the 3T.

After that, they devised a MATLAB program to extract different features from the accelerometer data. Eventually, the researchers successfully detected time, region, and frequency domain features. Further processing of the collected data with machine learning and neural networks made them achieve accurate gender, identity, and speech detection of the speaker.

The researchers have shared the entire setup and other technical information about EarSpy in a detailed research paper.

Limitations And Countermeasures

Despite the sophistication, the EarSpy attack has some inherent limitations.

First, the researchers explained that they couldn’t achieve precise word detection (they could detect 45% to 80% of speech words only) because of the built-in volume reduction mechanism of ear speakers. Second, EarSpy’s success also depends on the distance between the ear speakers and motion sensors within the handset, which varies considerably. Then, the target user’s physical movements may also interact with the motion sensors, which may introduce noise in the captured readings.

Regarding the countermeasures, researchers first suggested that smartphone manufacturers need to improve the permission model of motion sensors. Restricting permissions may prevent third-party apps from abusing explicit access to multiple sensors. Besides, phone manufacturers should consider designing the handsets in a way to prevent such attacks. For instance, they can embed the motion sensors at a distance where they suffer minimal ear speaker impact. Similarly, they should consider maintaining a relatively low sound pressure from ear speakers during conversations (as in old handsets).

This isn’t the first study exploiting the impact of speaker vibrations on motion sensors for eavesdropping. In 2019, researchers also presented the “Spearphone” attack that typically focused on the effect of loudspeaker vibrations on the accelerometer.

Let us know your thoughts in the comments.

Related posts

Apple Zero-Day Flaws Exploited For Predator Spyware Attacks

How to View Incognito History on Android Without Them Knowing