Three researchers from China’s Nanjing University have published a report that details the ease with which a person can use a malicious application to access the accelerometer of a subway rider’s smartphone.
The point in targeting this particular component is that its readings can be used to trace the individual, thereby informing the hacker / stalker of such things as where the victim gets on and off the train, daily destinations, and more.
The scenario the trio put together explains that, in order to pull off an attack, the stalker / hacker must first learn a subway’s fingerprint and then install malware on a target’s phone for the purpose of stealing accelerometer readings. There is no GPS involved with this particular strain of malware, as subway trains often run underground, but since these trains run on tracks, an individual’s motion patterns are distinguishable from those of cars or buses running on ordinary roads. This makes it easier for the hacker / stalker to track their victim.
Per the group, it’s even possible “that the running of a train between two neighboring stations produces a distinctive fingerprint in the readings of 3-axis accelerometer of the mobile device, leveraging which attackers can infer the riding trace of a passenger.”
Three points of concern were raised in the research: first, the fact that it’s all too easy for an attacker to create malware to subtly record an accelerometer’s readings. Second, the subway is a preferred means of transportation for most people in major cities, so there are plenty of unsuspecting victims for an attacker to choose from. And third, subway-riding traces can be used to infer other private information.
“For example, if an attacker can trace a smartphone user for a few days, he may be able to infer the user's daily schedule and living/working areas and thus seriously threaten her physical safety,” the group explained. They added that an attacker could even find that two individuals often visit the same stations, at “similar non-working times,” thereby inferring a relationship.
The group’s experiment was conducted on a Nanjing metro line. They found that the inference accuracy reached 92% if the user took the subway for six stations.
One way to tell whether malware such as that described in this article has been downloaded to a smartphone is to constantly monitor the device’s power consumption. A hacker / stalker would need to continuously access the phone’s accelerometer to get the data necessary to track a victim; these repeated requests for data will, ultimately, drain the phone’s battery.
“If malware intends to steal the users' privacy through sensor data, constant request for the data from sensors will evidently boost the power consumption,” the authors explained. “No matter how the malware tries to conceal itself, the acquisition of sensor data will lead to an increasing power consumption of the smartphone.”
Read the group’s full report: We Can Track You If You Take the Metro: Tracking Metro Riders Using Accelerometers on Smartphones.
Via Phys.org