Attack method #268324: Sonar Phishing
October 17, 2018 4:55 PM

Don't have a photo of your victim to break into their phone? Too lazy to walk to the printer to smash that fingerprint ID roadblock? Not to worry: now you lazy cracker kids can infect your mark's device with the latest and greatest sonar phishing tech. Thanks, Lancaster University: Researchers Used Sonar Signal From a Smartphone Speaker to Steal Unlock Passwords (SL Motherboard).

Bonus

- PDF of the research paper (no paywall).
posted by Juso No Thankyou (9 comments total) 9 users marked this as a favorite
 
My unlock pattern is certain Enochian characters; go ahead and try them.

My security system is also My Holy Guardian Angel.
posted by GenjiandProust at 5:07 PM on October 17, 2018 [3 favorites]


"The attack begins when a user unwittingly installs a malicious application on their phone"

Come on. This enables all kinds of attacks.
posted by adamrice at 5:13 PM on October 17, 2018 [26 favorites]


Wasn't this a plot point in The Dark Knight?
posted by Halloween Jack at 6:07 PM on October 17, 2018


Step 1: Compromise their device by having user install an application misrepresenting its purpose

There is no step 2
posted by mrzarquon at 7:15 PM on October 17, 2018 [10 favorites]


The framing of this post is pretty disingenuous too.

“Don't have a photo* of your victim to break into their phone?”

*And a 3D printer, and a digital 3D scan of your victim that requires five minutes to complete, and your victim’s phone, and by the way this hack has not been replicated, we’re just trusting a YouTube video
posted by ejs at 7:23 PM on October 17, 2018 [2 favorites]


In a similar vein: it's possible to hack someone by listening to the noises their laptop makes when decrypting an encrypted email: RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis
posted by L.P. Hatecraft at 7:48 PM on October 17, 2018 [1 favorite]


Lol, the researchers themselves suggest a solution to the hack, so all is well:

"[Continue] to improve protections against the downloading of malicious applications in the first place."
posted by riverlife at 8:29 PM on October 17, 2018


I really don't get the dismissive comments.

Yeah, it would be nice to live in a world in which nobody ever installed malicious software; in which app stores guaranteed that their contents had been touched only by the pure-of-heart, and we could rely on the evil bit to tell us whether or not a program was trustworthy. We don't live in that world, which is why application-level sandboxing has been a critical feature of smartphones ever since they came on the market. This paper adds another entry to the list of known ways for that sandbox to leak, which makes it a totally valid and worthwhile avenue of research.

Also, come on, it's a proof of concept. If there's one fundamental truth about computer security, it's that attacks only ever get better over time... they never get worse.
posted by teraflop at 8:48 PM on October 17, 2018 [5 favorites]


The dismissive comments aren’t dismissing security issues, they’re dismissing clickbaitiness.
posted by ejs at 6:00 AM on October 18, 2018 [1 favorite]

