Various researchers from American universities have discovered an attack method called EarSpy. It uses the phone’s accelerometer to decipher the words passing through the phone’s ear speaker.
This is news that is enough to raise an eyebrow or two. According to Security Week, researchers have managed to develop an attack that uses your phone’s top speaker, the one you use to hear the person you’re calling, to spy on you.
In a paper published on Christmas Eve, researchers from various American universities demonstrated that the phone’s accelerometer could capture the vibrations generated by the ear speaker. Their attack method is called EarSpy. While other studies had been able to use the main loudspeaker, this is a first, and it needs no help from an external device.
Fewer permissions requested
This new attack can be particularly dangerous and effective because, unlike traditional malware, it does not require advanced permissions. Phone and app developers generally consider accelerometer vibration data to be raw, non-sensitive data, unaware that conversational content can be extracted from it.
The researchers conducted their study on two smartphones, the OnePlus 7T and OnePlus 9, so this is a flaw that concerns Android and not iOS. Their findings lead them to believe that the latest generations of Android smartphones are more affected, since the progressive improvement of ear speakers makes capture easier.
Remarkable accuracy on specific elements
It should be noted, however, that EarSpy, as sophisticated as it is, is not capable of extracting the full content of a conversation. It analyzes the reverberation from the loudspeaker to the accelerometer by extracting “time-frequency domain characteristics and spectrograms”.
The analysis focuses on a few sensitive pieces of information: the gender and the identity of the person speaking at the other end of the line and, more broadly, speech recognition. For the first two, the accuracy is high: 98% success in determining the gender and 92% in identifying the caller. For speech recognition proper, on the other hand, the success rate drops to 56%, which is still quite high for something based on simple vibrations.