Motion Sensor-based Privacy Attack on Smartphones (1907.05972v3)

Abstract: In this paper, we build a speech privacy attack that exploits speech reverberations generated from a smartphone's in-built loudspeaker captured via a zero-permission motion sensor (accelerometer). We design our attack Spearphone2, and demonstrate that speech reverberations from inbuilt loudspeakers, at an appropriate loudness, can impact the accelerometer, leaking sensitive information about the speech. In particular, we show that by exploiting the affected accelerometer readings and carefully selecting feature sets along with off-the-shelf machine learning techniques, Spearphone can successfully perform gender classification (accuracy over 90%) and speaker identification (accuracy over 80%) for any audio/video playback on the smartphone. Our results with testing the attack on a voice call and voice assistant response were also encouraging, showcasing the impact of the proposed attack. In addition, we perform speech recognition and speech reconstruction to extract more information about the eavesdropped speech to an extent. Our work brings to light a fundamental design vulnerability in many currently-deployed smartphones, which may put people's speech privacy at risk while using the smartphone in the loudspeaker mode during phone calls, media playback or voice assistant interactions.

• The paper demonstrates a novel attack where a smartphone's accelerometer captures speech reverberations to infer user identity.
• Experiments reveal high classification accuracies, with gender detection over 90% and speaker identification above 80% using off-the-shelf ML techniques.
• The study highlights a critical vulnerability in zero-permission sensors, urging a reevaluation of current mobile security and permission models.

Overview of "Motion Sensor-based Privacy Attack on Smartphones"

This paper introduces a novel privacy attack on smartphones, termed "Spearphone," which exploits the embedded accelerometers to capture speech reverberations generated by inbuilt loudspeakers during audio playback, voice calls, or voice assistant interactions. The authors demonstrate the feasibility of this attack by achieving high accuracies in gender classification (over 90%) and speaker identification (over 80%) using off-the-shelf machine learning techniques on accelerometer data. The attack leverages the zero-permission nature of motion sensors on mobile platforms, particularly on Android devices, which presents a significant security concern given their market share.

Attack Methodology

The fundamental concept underpinning the Spearphone attack is the ability of a smartphone's accelerometer to sense minute vibrations caused by audio output from the device's loudspeakers. These vibrations, or speech reverberations, are capable of carrying enough information to infer the gender and identity of speakers, even allowing for some speech recognition and reconstruction tasks.

The authors conducted frequency response analysis to establish that accelerometers are more susceptible to these signal reverberations compared to gyroscopes, thus narrowing the attack vector to accelerometer readings. Through experiments, they identified that the accelerometer captures vibrations in the frequency range of 100Hz to 3300Hz, which encompasses key parts of human speech frequency.

Experimental Results

The Spearphone attack was implemented across different smartphone models, achieving notable classification accuracies under two primary scenarios: when the smartphone is placed on a solid surface and when it is hand-held. Table-based experiments demonstrated that devices such as the LG G3 and Samsung Note 4 were particularly conducive to the attack, with variations observed based on the phone model's hardware configuration, especially the location of the loudspeakers and motion sensors.

For gender classification, the attack achieved an f-measure of 0.95 or higher in several cases, showcasing its robustness. Speaker classification, while slightly lower, remained significant with f-measures exceeding 0.8 in optimal conditions.

Implications and Discussion

The findings of this paper highlight a critical privacy vulnerability via motion sensors that do not require explicit user permissions to be accessed, making them a practical target for malicious applications. The potential for speech privacy invasion is concerning, given the typical use cases of smartphones where loudspeakers are employed, such as voice calls, media playback, and interactions with voice assistants.

While the attack primarily considers an idealized scenario with minimal noise interference and stationary phones, its implications are far-reaching as it illuminates the security shortcomings of current smartphone designs and their default permission models. The susceptibility of accelerometers, a component common across almost all smartphones, to respond to loudspeaker vibrations justifies a reevaluation of design frameworks that currently overlook these vulnerabilities.

Future Directions

The research points toward several directions for future work. There is a need for deeper exploration into potential countermeasures, such as employing hardware isolation techniques to dampen vibrations or revisiting permission models to include motion-based sensors. Further, extending Spearphone's method to real-world noisy environments and exploring sophisticated signal processing and machine learning models could improve its robustness.

The paper also opens the avenue for security research to re-evaluate other sensors on mobile devices that might inadvertently leak sensitive information. Additionally, as hardware specifications evolve and improve, continuous assessment of the associated security risks will be necessary to preemptively address emerging threats similar to those presented by the Spearphone concept.