Attack method #268324: Sonar Phishing
October 17, 2018 4:55 PM
Don't have a photo of your victim to break into their phone? Too lazy to walk to the printer to smash that fingerprint ID roadblock? Not to worry: now you lazy cracker kids can infect your mark's device with the latest and greatest sonar phishing tech. Thanks, Lancaster University: Researchers Used Sonar Signal From a Smartphone Speaker to Steal Unlock Passwords (SL Motherboard).
Bonus
- PDF of the research paper (no paywall).
"The attack begins when a user unwittingly installs a malicious application on their phone"
Come on. This enables all kinds of attacks.
posted by adamrice at 5:13 PM on October 17, 2018 [26 favorites]
Wasn't this a plot point in The Dark Knight?
posted by Halloween Jack at 6:07 PM on October 17, 2018
Step 1: Compromise their device by having user install an application misrepresenting its purpose
There is no step 2
posted by mrzarquon at 7:15 PM on October 17, 2018 [10 favorites]
The framing of this post is pretty disingenuous too.
“Don't have a photo* of your victim to break into their phone?”
*And a 3D printer, and a digital 3D scan of your victim that requires five minutes to complete, and your victim’s phone, and by the way this hack has not been replicated, we’re just trusting a YouTube video
posted by ejs at 7:23 PM on October 17, 2018 [2 favorites]
In a similar vein: it's possible to hack someone by listening to the noises their laptop makes when decrypting an encrypted email: RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis
posted by L.P. Hatecraft at 7:48 PM on October 17, 2018 [1 favorite]
Lol, the researchers themselves suggest a solution to the hack, so all is well:
"[Continue] to improve protections against the downloading of malicious applications in the first place."
posted by riverlife at 8:29 PM on October 17, 2018
I really don't get the dismissive comments.
Yeah, it would be nice to live in a world in which nobody ever installed malicious software; in which app stores guaranteed that their contents had been touched only by the pure-of-heart, and we could rely on the evil bit to tell us whether or not a program was trustworthy. We don't live in that world, which is why application-level sandboxing has been a critical feature of smartphones ever since they came on the market. This paper adds another entry to the list of known ways for that sandbox to leak, which makes it a totally valid and worthwhile avenue of research.
Also, come on, it's a proof of concept. If there's one fundamental truth about computer security, it's that attacks only ever get better over time... they never get worse.
posted by teraflop at 8:48 PM on October 17, 2018 [5 favorites]
The dismissive comments aren’t dismissing security issues, they’re dismissing clickbaitiness.
posted by ejs at 6:00 AM on October 18, 2018 [1 favorite]
My security system is also My Holy Guardian Angel.
posted by GenjiandProust at 5:07 PM on October 17, 2018 [3 favorites]