Hackers now have yet another way to trace your keystrokes – but it’s not the physical keyboard with its sturdy, plastic keys that they’re now after.
A researcher at Trustwave Holdings Inc. has proved it’s possible to log keystrokes from touchscreen-enabled devices, namely devices running the Apple iOS and Google Android operating systems. All a hacker needs to do is install malware on one of these devices, making it possible to watch a user touch a screen.
The hacker can then gain X and Y coordinates for those keystrokes, as well as screenshots from the mobile device. From there, it’s relatively easy to deduce what a user’s been typing.
So for anyone typing in passwords while doing mobile banking or while accessing sensitive data, this latest piece of research presents some worrying ramifications.
“The fact is that a touchscreen on a mobile device replaces the keyboard and mouse on a physical computer,” says Neal Hindocha, senior security researcher at Trustwave. He has been researching this for the past eight to nine months.
“There’s a variety of ways you can capture all the touch events and see what the user is seeing on the screen – which now means that any code, any password, anything typed onto the phone is captured by the attacker.”
There are several variations of keylogging, he adds. One will just track X and Y coordinates from the touchscreen of a mobile device, and a hacker can take those over to a computer and run an application that will show the coordinates in sequential order. Another type takes screenshots on a timer loop, while another will also take screenshots, except it will do so any time a user touches the device’s screen.
However, he notes this isn’t something that a hacker can do to every mobile device out there. Keylogging on a mobile device is only really an issue for mobile device users who either jailbreak their iOS devices, or root their Android devices.
The Apple ecosystem is often called “the walled garden” because of the company’s very stringent rules on which apps can be allowed into the iTunes App Store and which can’t. So to even install an app that carries a Trojan virus with it, or another piece of malware, an iOS user would need to jailbreak his or her device and then download an app from a place like Cydia, an alternative app store specifically for jailbroken iOS devices.
However, it is highly unlikely Apple would allow apps bearing malware into its official store, and the company also discourages users from jailbreaking its products. So although Hindocha had the chance to test keylogging techniques with private application programming interfaces, he says he stopped there as hackers were unlikely to be able to attack someone using a non-jailbroken iOS device in this way.
On the other hand, Android devices are fair game, especially since many device manufacturers welcome rooting – sort of the equivalent of jailbreaking an iOS device, Hindocha says.
And even non-rooted Android devices can be at risk, as users sideloading third-party apps that are not from the official Google Play store can easily install malware, opening themselves up to keylogging attacks, he adds.
While it’s unlikely that hackers would launch attacks against millions of devices, seeing as they would need to comb through all of the screenshots and keystroke data to gain anything of value, this is still a concern for people who become hackers’ specific targets, Hindocha says.
It may also become an issue for retailers using tablets and iPads as mobile point-of-sale solutions – for example, if restaurant servers were to punch in credit card information on an iPad.
The best way to prevent these kinds of attacks is to ensure everyone is educated about the risks of carrying hacked mobile devices, Hindocha says.
App developers need to ensure the code they’re writing is secure, and they need to perform penetration testing on their work.
And on the other side, businesses also need to be aware of the mobile devices their employees are bringing to the workplace, and they should have a solid bring-your-own-device strategy in place, he says. Plus, if they use mobile devices in retail, they need to make sure those devices are compliant.
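The article's mitigation advice boils down to knowing which of the devices that reach sensitive data meet the preconditions it describes (jailbroken iOS, rooted Android, apps sideloaded from outside the official store) and treating tablets used as payment terminals with extra care. The following is an added example, not code from Trustwave or the researcher quoted above: a small policy evaluator that runs over a device inventory and flags the devices that a bring-your-own-device or retail compliance check should exclude. The inventory records and every field name are constructed assumptions, not any real MDM export format.

```python
"""BYOD / point-of-sale compliance check for the touchscreen-keylogging risk.

Constructed example: the device records below are invented, and the policy
rules map one-to-one onto the conditions the article names (jailbroken iOS,
rooted Android, sideloading from outside the official store, tablets used as
point-of-sale terminals). The Device field names are assumptions, not a real
MDM schema.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Device:
    device_id: str
    platform: str                  # "ios" or "android"
    jailbroken: bool = False       # iOS: jailbreak detected by the MDM agent
    rooted: bool = False           # Android: root detected by the MDM agent
    unknown_sources: bool = False  # Android: installs from outside Play allowed
    sideloaded_apps: List[str] = field(default_factory=list)
    pos_terminal: bool = False     # used to type card data at the point of sale


@dataclass
class Finding:
    device_id: str
    severity: str  # "high" or "medium"
    reason: str


def evaluate(device: Device) -> List[Finding]:
    """Return the policy findings for one device (empty list = compliant)."""
    findings: List[Finding] = []
    if device.platform == "ios" and device.jailbroken:
        findings.append(Finding(device.device_id, "high",
                                "jailbroken iOS device: alternative app stores can deliver "
                                "touch-logging malware"))
    if device.platform == "android" and device.rooted:
        findings.append(Finding(device.device_id, "high",
                                "rooted Android device: malware can capture touch events "
                                "and screenshots"))
    if device.platform == "android" and (device.unknown_sources or device.sideloaded_apps):
        findings.append(Finding(device.device_id, "medium",
                                "sideloading enabled or sideloaded apps present: non-store "
                                "apps bypass Play review"))
    # A payment terminal raises every finding to high: card data is typed on its screen.
    if device.pos_terminal:
        findings = [Finding(f.device_id, "high", f.reason + " (used as point-of-sale terminal)")
                    for f in findings]
    return findings


def compliance_report(devices: List[Device]) -> Dict[str, List[Finding]]:
    """Map each device id to its findings, so an empty list means compliant."""
    return {d.device_id: evaluate(d) for d in devices}


def is_compliant(device: Device) -> bool:
    return not evaluate(device)


def noncompliant_ids(devices: List[Device]) -> List[str]:
    """Device ids that should be excluded from sensitive workflows, in inventory order."""
    return [d.device_id for d in devices if not is_compliant(d)]


# Constructed inventory used for the demonstration below.
INVENTORY = [
    Device("ios-001", "ios"),
    Device("ios-002", "ios", jailbroken=True),
    Device("and-001", "android", rooted=True, pos_terminal=True),
    Device("and-002", "android", unknown_sources=True,
           sideloaded_apps=["com.example.sideloaded"]),
]

if __name__ == "__main__":
    for device_id, findings in compliance_report(INVENTORY).items():
        status = "compliant" if not findings else "NON-COMPLIANT"
        print(f"{device_id}: {status}")
        for f in findings:
            print(f"  [{f.severity}] {f.reason}")
```

The evaluator deliberately keeps a non-rooted device with sideloading enabled at medium severity rather than high, matching the article's distinction between devices that are rooted and devices that merely install apps from outside the official store; a deployment that shares the article's concern about payment terminals would feed the `pos_terminal` flag from the asset register rather than trusting the device to report it.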