I don’t think this is using a gyroscope– linked article even uses the work accelometer. I can’t think of a single phone that has a gyroscope. The new Wii (and maybe the new Playstation) controllers have gyros. Most smartphones have accelerometers.

Accelerometers measure linear acceleration. Gyros measure rotational acceleration.

So, your touch screen presses generate distinct patterns, yes, that’s a given as it’s how phone games work for things like rotation.

I see how this works to identify individual presses (aka, you can tell you’ve pressed *a* certain button) on a phone by phone/user by user basis.

However, matching up those distinct presses to a value so you can actually figure out *which* button has been pressed is harder if not near impossible due to the variables involved.

Ie, is phone free standing, on a surface, is left or right hand being used, in transit (vibrating/jittering around), on a motherchuffing boat, etc…

I think this while a nice discovery and may end up causing things like accels/gyros to be accessed only by whitelisted or active apps, I don’t think it’s much of a security problem.

Seconded on the “Improve Accuracy” concept.

@Khanzerbero: How did you arrive at the use of Hamming as opposed to several other tools for Error Detect/Correct? My background is more hardware than software and I am trying to learn :]

This hack seems in two parts- accessing the sensor data and parsing it into the desired keystrokes. Hmnm- exploiting a market app for something innocent appearing that needs positional data+communications would serve as the judas data conduit? One part of exploit seems plausible to me. Of the many ways to hack the rest?

One being grepping the keystroke handling of the firmware. As reputedly there are internal math models for device’s using variants of timing detection for several common categories of input error:

berkeley.intel-research.net/~klyons/pubs/autowhiteout++chi08.pdf

autowhiteout, in one phrase for the tl:dr version=detects timing and blanks a suspect keystroke/s which prompts the human to retype.

The semi-related one for speech to text software:

http://www.research.ibm.com/compsci/spotlight/hci/halverson99.pdf

That study by IBM of speech-to-text software offers little depiction of “math tools” so it only serves to help build our understanding of Human>Machine parsing correction “overview” in a limited case. But- it’s on track to taking a 70~% confidence level character stream and someday raising the confidence level far enough to risk burning up blown access attempts.

Oh- I updated a friend’s phone to Android 2.2x and it’s feature of “haptic by vibrate” might offer a way to totally FUBAR this not even fully formed as an exploit keylogger CONCEPT.

Which made me contemplate having the phone begin a soft vibrate after keystroke n to frustrate this proposed exploit rather completely.

What everybody (or at least the hackaday poster) misses is that even with a statistical chance of 72% of being right, you weaken the security a lot.

Suppose there is a 4-digit PIN that allows 10 tries, for a 1/1000 chance of breakin by random guesses. You have to steal on average 1000 phones and randomly try PINs before you hit the jackpot.

But with say a 90% (the calculations are easier with a round number) chance of getting the numbers right from the attack means you have only 0.9^4 = 65% chance of getting the pin right on the first try. But if you didn’t get it right on the first try, you have 9 tries left. You often have a “next candidate”. So you can try the 4 “second-best” tries next. If the second-best has a 90% chance of being correct (given the first try was wrong), then we again have 65% chance of success on the next 4 tries… With 5 tries left, we can try a few two-wrong PINs but that doesn’t make a big difference. In this example with imperfect pin-stealing, the average number of phones to steal before the PIN can be guessed goes from 1000 to under two.

With the reported 72% accuracy and only 3 tries, there is still a significant advantage over “blind guessing”. The first guess has a 27% chance of success. With the two next tries this can be raised to almost 40%. On average after stealing 2.5 phones you have guessed the PIN correctly within 3 tries.

Now