Music and lights could trigger malware
By Shona Ghosh
Posted on 17 May 2013 at 17:11
Pulling out your phone in a cinema or a room with flickering lights could be enough to trigger malicious software on your smartphone, researchers have found.
Mobiles infected with hidden malware could be "triggered" if their in-built sensors – microphones, cameras or vibration sensors – picked up pre-defined signals hidden in songs, TV programmes or flickering lights.
Researchers at the University of Alabama ran a set of prototype apps on an HTC Evo running on Android 2.2.3 (Gingerbread) which could access the phone’s sensors. Aside from cameras and microphones, smartphones also contain sensors that can detect vibrations or magnetic fields, which the researchers said could be similarly compromised.
The embedded malware was programmed to remain dormant until the sensor picked up the relevant trigger – which could be anything from a song played over the radio to a specific pattern of flickering lights. Once triggered, the activated malware would then carry out the programmed attack, either by itself or as part of a wider botnet of mobile devices.
Since most antivirus software doesn’t monitor how apps use standard smartphone features like cameras and microphones, the researchers said malware programmed for sensors posed a huge risk.
"When you go to an arena or Starbucks, you don’t expect the music to have a hidden message, so this is a big paradigm shift because the public sees only emails and the internet as vulnerable to malware attacks," said lead researcher Dr. Ragib Hasan. "We devote a lot of our efforts towards securing traditional communication channels. But when bad guys use such hidden and unexpected methods to communicate, it is difficult if not impossible to detect that."
Crashing the airport Wi-Fi
Since the trigger needs to be relatively close to the smartphone to active any hidden malware, any threats would be limited to the local environment. For example, since audio signals can only travel so far without interference, an infected smartphone would need to be somewhere contained, like the cinema, for an audio trigger to work.
But researchers found they only needed a short distance to transmit their triggers, and that they could even overcome background noise. There was also nothing to stop them activating multiple infected devices in one go, creating a localised botnet to wreak some highly concentrated mayhem.
For example, if there were a number of infected smartphones in an airport, hackers could use the wider botnet to launch a denial-of-service attack and bring down the building’s Wi-Fi or other systems. More seriously, they could interfere with aircraft radio signals to disrupt take-off or landing procedures. Other threats to safety could include interfering with a car’s navigation system or a household’s burglar alarm.
The researchers found that cameras and microphones were the most effective way to trigger malware, but also noted that a heavy bass pattern could trigger the vibration sensor. The emergence of NFC as a payment mechanism also poses a potential danger, since particularly unscrupulous hackers could attach magnets to NFC readers and trigger a phone’s magnet sensors. Although that means attacks would be limited, the researchers said they could still take place even if phones were kept in phones or bags.
Scouring sensor samples
The researchers focused on Android, namely because apps are allowed to run in the background and access features like the microphone "without restriction". Although they didn’t test iOS for similar weaknesses, they suggested that Apple’s restrictive policies might make it more secure.
As a possible defence, they suggested that anti-malware software should scan sensor data for signs of any hacks – though that isn’t foolproof since that’s a "heavyweight" operation, and many apps make legitimate use of sensors anyway. Another solution could be to track how much battery sensor-using apps take up, since anything using more than one would need more power.
Is this story a joke? It's chock full of ridiculous statements and implausible situations!
"When you go to an arena or Starbucks, you don’t expect the music to have a hidden message, so this is a big paradigm shift because the public sees only emails and the internet as vulnerable to malware attacks". Just think that through for a minute. The malware has to be already on your phone and the "arena or Starbucks" has to play exactly the right music. Not even a comedy villain would come up with a plan so convoluted and full of holes.
"More seriously, they could interfere with aircraft radio signals to disrupt take-off or landing procedures" - so if they could get the exact same malware onto enough phones, and they could get enough of those phones onto the same plane, and all those phones were somehow left on, and they could get a trigger to activate all those phones, they could *possibly* cause a plane to miss its take-off or landing slot! That is truly terrifying. It will keep me awake at night, possibly for several seconds.
Sorry, but I think you've been 'had'.
By nelviticus on 17 May 2013
Agree with the poster above
How is this any different from a botnet which listens for a command from the 'net?
Researchers have proven that you can use a programming language to program stuff. Keep up the good work.
By ChrisH on 17 May 2013
I'm surprised to hear this is coming from researchers at a university. I was sure this had anti-virus company written all over it.
By steviesteveo on 18 May 2013
nelviticus used the phrase 'paradigm shift'.
Personally, I'd rather repurpose user-centric deliverables ;-)
By AndyChips on 18 May 2013
What is happening to PC Pro?
Has PC Pro been infected by malware too? Where is the sensible journalism in this article? Whilst it may be possible in an extreme lab test experiment, in reality, there are so many factors to consider (including a critical eye - sadly missing from this report), let alone the music/lights being picked up by the sensors at the specific frequencies required. Still it comes from the University of Alabama, ranking a heady 451 in the world's "top" 2012 Universities. Off to buy a tin foil hat.
By isofa on 18 May 2013
What is the actual news here?
What they're saying is that software on phones can respond to external sounds and inputs? And that it is possible for software on phones to be malware? Just as well clever people are researching this stuff for us isn't it.
By halsteadk on 19 May 2013
as the others have said, the story is bogus.
The sound and light cannot infect the machine, therefore the whole story is skewed. The phone first needs to be "infected" with malware, which then listens / looks for queues from outside.
As others have said, no different from any current bot, except it is "listening" through the sensors for its cues.
By big_D on 21 May 2013
- Google Glass: mugger bait, pub problem and other lessons learned from two dangerous weeks
- Twitter, please don't fiddle with my feed
- How Satya Nadella can get some pay-raise karma
- Windows 10: a step back to go forward
- Michael Dell: Cloud infrastructure is the roads, bridges and highways of the 21st century
- How to check your identity hasn’t been sold to the hackers
- Tim Cook: this is how much TV has changed since the 70s
- Westminster wins the .London battle
- 20 years of PC Pro: from deep pan pizza to virtualisation
- Five reasons why the Apple Watch leaves me cold
- How to write your company's IT security policy
- The key to choosing a secure password
- Please stop reposting fake Facebook messages
- Is Facebook safe for business?
- Don't rely on Chrome's password vault
- Facebook Graph Search: don't panic
- Gmail drafts and Pastebin: could they evade the email snoops?
- Applying for a job at GCHQ? Here's your plain-text password
- Google two-step verification: a must for business email
- Yes, I write down my passwords