A group of researchers from Lancaster University showed how a smartphone's own microphone and speaker can be used to steal the unlock pattern of an Android device.

Android smartphones offer owners three user identification methods to choose from: a fingerprint, a numeric password, or a drawn pattern. There are about 400 thousand ways to connect some or all of the nine dots on the smartphone screen, but an earlier study showed that 20% of people use only the twelve most common patterns. The Lancaster researchers used these twelve patterns to work out the password from the device without approaching its owner. A description of the attack is published on arXiv.

For the attack to work, the user must install an application containing SonarSnoop, a program written by the researchers; immediately after installation, it obtains permission to control the speaker and microphone and turns both on. It then makes the speaker emit sound at a frequency inaccessible to human hearing and analyzes the microphone's recording of the sound reflected from surrounding objects.
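From the defender's side, the emitted signal is itself detectable. The sketch below is an added example, not code from the researchers: it flags a recording in which energy stays confined to a near-ultrasonic band for 200 ms. The 48 kHz capture rate, the 18-22 kHz band (the article gives no frequency), the thresholds and all function names are assumptions.

```python
import math

RATE = 48_000                # assumption: sample rate of the monitoring capture
PROBE_HZ = (18_000, 22_000)  # assumption: "inaudible" band; the article gives no frequency
REF_HZ = (12_000, 16_000)    # neighbouring audible band used as a reference
FRAME = 960                  # 20 ms frames, so bins fall on 50 Hz multiples

def goertzel_power(frame, freq_hz):
    """Normalised power of one frequency bin (Goertzel algorithm)."""
    n = len(frame)
    coeff = 2.0 * math.cos(2.0 * math.pi * round(n * freq_hz / RATE) / n)
    s1 = s2 = 0.0
    for x in frame:
        s1, s2 = x + coeff * s1 - s2, s1
    return (s1 * s1 + s2 * s2 - coeff * s1 * s2) / (n * n)

def band_power(frame, band, step=250):
    """Summed bin power across a band, sampled every `step` Hz."""
    return sum(goertzel_power(frame, f) for f in range(band[0], band[1] + 1, step))

def frame_has_probe(frame, ratio=4.0, floor=1e-6):
    """Energy confined to the inaudible band: above the floor and well above REF_HZ."""
    hi = band_power(frame, PROBE_HZ)
    return hi > floor and hi > ratio * band_power(frame, REF_HZ)

def sustained_probe(samples, min_frames=10):
    """True once min_frames consecutive frames (200 ms) look like a probe signal."""
    run = 0
    for start in range(0, len(samples) - FRAME + 1, FRAME):
        run = run + 1 if frame_has_probe(samples[start:start + FRAME]) else 0
        if run >= min_frames:
            return True
    return False

def tone(freq_hz, seconds, amp):
    """Constructed test signal: a pure sine wave."""
    return [amp * math.sin(2 * math.pi * freq_hz * i / RATE)
            for i in range(int(RATE * seconds))]

if __name__ == "__main__":
    music = tone(1_000, 0.3, 0.5)  # constructed: audible content only
    hidden = [a + b for a, b in zip(music, tone(19_000, 0.3, 0.1))]
    print("music only:", sustained_probe(music))
    print("music + 19 kHz tone:", sustained_probe(hidden))
```

Comparing against the reference band keeps broadband noise from triggering the check, and the consecutive-frame requirement ignores short clicks.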

The creators of the program made sure that the algorithm recognizes even the small delays that arise when the position of the speaker relative to the objects around the user changes. Even the very small changes that occur when a person touches the screen with a finger can be analyzed; from the nature of these fluctuations, it is possible to determine the position of the finger on the screen and the direction of its movement. By “listening” to the smartphone during the few seconds in which its owner draws the pattern on the screen, the researchers were able to determine the unlock pattern. A Samsung Galaxy S4 smartphone was used for the demonstration. On average, the algorithm narrows the search so that 3.6 of the 12 patterns have to be tried before the smartphone is unlocked. “The system is not perfect, but it allows you to discard 70% of the options and go through the remaining 30%,” the authors explain. The creators of SonarSnoop believe that iOS smartphones can also be attacked by controlling the speaker and microphone, but they conducted tests only with an Android device.