“Eavesdropping” Side-channel Attack Can Spy Through Phone Vibrations
Using mmWave radar technology, Penn State researchers recently discovered how to tap into mobile vibrations to eavesdrop remotely.
Electronic devices are full of side channels, places where information can be leaked through a medium that wasn't intended for communication. Side channels can be exploited by a class of attacks known as side-channel attacks. This week, researchers at Penn State published a paper presenting a new side-channel attack, one that is capable of discreetly and non-invasively eavesdropping on phone conversations.
Threat model of mmSpy. Image used courtesy of Basak et al.
A key to the researchers' side-channel attack, they revealed, was frequency-modulated continuous wave (FMCW) radar.
The Key to the Side-channel Attack: FMCW Radar
While many different types of radar technology exist today, one of the most powerful is frequency-modulated continuous wave (FMCW) radar.
FMCW radar is a continuous-wave radar technique, meaning that the device emits a continuous signal for the duration of the measurement. What is unique about FMCW radar is that a modulating signal varies the wave's frequency at a constant rate over time. This sweep in frequency is often referred to as a “chirp.”
FMCW radar system. Image used courtesy of EverythingRF
In an FMCW system, the transmitter sends out a continuous frequency-modulated signal and waits to receive a reflected signal back from the target. The system can then measure the target's distance by calculating the frequency difference between the transmitted and echo signals. The FMCW system can also use the measured Doppler frequency of the signal to calculate the target's speed relative to the antenna. For this reason, FMCW radar is sometimes referred to as 4D radar because it adds the fourth dimension of speed to the measurement.
Penn State Taps into the mmWave to "Eavesdrop"
This week, researchers from Penn State published a paper describing a novel method for eavesdropping on audio signals from a cell phone.
When a user is on a phone call, the cellphone's earpiece vibrates as it outputs audio. These vibrations, which were measured to be on the order of 7 µm, not only emanate from the earpiece but also permeate through the entire body of the smartphone.
The architecture of mmSpy attack. Image used courtesy of Basak et al.
In their paper, the researchers said their attack, dubbed mmSpy, works by leveraging an off-the-shelf mmWave FMCW radar sensor to detect these vibrations. The attack tracks the phase variations of each reflected FMCW radar signal: a range FFT operation on the signal produces peaks, one per reflecting object. The researchers isolated the peak corresponding to the phone's reflections. They then "eavesdropped" by measuring the phase of this FFT peak and tracking its variations continuously over time.
By combining this FMCW radar-based method with other signal-processing techniques, the researchers fed the noise-free data into a speech-classification machine learning module that reconstructed the audio. The researchers pre-processed the radar sensor data with MATLAB and Python modules to remove hardware-related and artifact noise. They could then use machine learning modules trained to reconstruct the audio and classify speech.
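The phase-tracking step described above can be reproduced on simulated data. The following is an added example, not code from the paper or the researchers: it builds a constructed beat signal for a surface vibrating by 7 µm, takes a range FFT per chirp, picks the strongest peak and converts that peak's phase history back to displacement. The 77 GHz carrier, chirp rate, 500 Hz tone, bin positions and clutter level are all assumptions chosen for the simulation, and the static range phase is omitted.

```python
import cmath
import math

C = 3e8                  # speed of light, m/s
FC = 77e9                # assumed carrier frequency (not stated in the article)
LAM = C / FC             # wavelength, about 3.9 mm
N = 64                   # samples per chirp (constructed)
CHIRPS = 64              # chirps observed, one phase sample each (constructed)
CHIRP_RATE = 8000.0      # chirps per second (constructed)
TONE_HZ = 500.0          # vibration tone of the simulated surface (constructed)
AMP_M = 7e-6             # 7 um vibration amplitude, the figure quoted above
PHONE_BIN, CLUTTER_BIN = 5, 20   # range bins of the two simulated reflectors

def displacement(k):
    """Ground-truth surface displacement (metres) during chirp k."""
    return AMP_M * math.sin(2 * math.pi * TONE_HZ * k / CHIRP_RATE)

def beat_signal(k):
    """Constructed dechirped samples: vibrating target plus weaker static clutter."""
    phi = 4 * math.pi * displacement(k) / LAM   # round trip doubles the path change
    return [cmath.exp(1j * (2 * math.pi * PHONE_BIN * n / N + phi))
            + 0.3 * cmath.exp(2j * math.pi * CLUTTER_BIN * n / N)
            for n in range(N)]

def range_fft(x):
    """Naive DFT over one chirp; each output bin maps to one range."""
    return [sum(x[n] * cmath.exp(-2j * math.pi * b * n / N) for n in range(N))
            for b in range(N)]

def unwrap(phases):
    """Remove 2*pi jumps so the phase history is continuous."""
    out = [phases[0]]
    for prev, cur in zip(phases, phases[1:]):
        step = (cur - prev + math.pi) % (2 * math.pi) - math.pi
        out.append(out[-1] + step)
    return out

def recover_displacement():
    """Return (peak bin, displacement per chirp in metres) from the phase history."""
    spectra = [range_fft(beat_signal(k)) for k in range(CHIRPS)]
    peak = max(range(N), key=lambda b: abs(spectra[0][b]))   # strongest reflector
    phases = unwrap([cmath.phase(s[peak]) for s in spectra])
    return peak, [p * LAM / (4 * math.pi) for p in phases]

if __name__ == "__main__":
    peak, d = recover_displacement()
    print(f"peak bin {peak}, phase swing {4 * math.pi * AMP_M / LAM:.4f} rad, "
          f"recovered peak displacement {max(d) * 1e6:.2f} um")
```

At the assumed wavelength, a 7 µm displacement shifts the peak's phase by only about 0.02 rad, which is why the noise-removal stage matters before any audio can be reconstructed from real sensor data.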
The team reported that the mmSpy attack could detect speech through the phone with 83% accuracy from one foot away, with accuracy dropping to 43% at six feet.
The Feasibility of mmWave Audio Reconstruction
The researchers note that their technique works even when the audio is inaudible to nearby people and microphones. While the Penn State team concedes that this attack may seem impractical with its limited functional distance, the study proves that audio eavesdropping is possible through unexpected side channels.