Watch out: Your Devices May Be Listening to You

“It’s not really the devices, but the apps running on these devices that may gather personal information, if they wish to,” Saxena said. “The Android OS employs a permission-based security model whereby the user is alerted at the time of the app’s installation as to what resources on the device — microphone, camera, GPS, etc. — the app has access to for its overall functioning. So, if the user allows that app to have access to the microphone, that app can turn the microphone on. If that app is benign, it would just do what it is supposed to be doing. For example, a calling app will turn your microphone on only during a call. However, if the app happens to be a malicious one, it could turn the microphone on even when the user is not aware, and it may record the audio and exfiltrate it to a remote attacker.” 

Another issue for users is reviewing the permissions an app requests. A permission granted to an app that does not need it for its function hands a malicious app access to resources it should never have had.

“A vast amount of security research shows that users do not pay much attention to these permissions while installing the apps on their devices; they don’t have the right mental models for these things or can easily get habituated to accepting without paying attention,” Saxena said. “It is also possible for two malicious apps to collude with each other. For example, app A with user-granted access to a resource can share the data with app B, which may not have user-granted permission to access that resource.”  

Researchers have also demonstrated side-channel attacks in which a malicious app exploits benign-looking resources — motion sensors such as the accelerometer or gyroscope, or power-consumption readings — for which the Android OS does not explicitly ask any user permission before granting access. From such readings the app can infer personal and sensitive information, including:

Although these attacks may not be fully practical today, they demonstrate the underlying weakness: sensors that can be read without any permission prompt.

Saxena says some recent research studies have demonstrated that many apps in the Android ecosystem have actually been exploiting Android’s permission model to learn sensitive information, such as the device’s IMEI, MAC address or geolocation, in order to track the device or user, and even capturing and exfiltrating audio and video data.

“The security vulnerability of smart speakers, like Amazon Alexa or Google Home, is slightly different,” said Saxena. 

“Here, the user has installed a device in his home or office, and this device has a microphone that receives and understands users’ vocal commands,” Saxena said. “Ideally, the speaker system should wake up only when the user issues a wake phrase like ‘OK, Google,’ but there is nothing that prevents it from recording the audio at will on regular user conversations. Also, it is likely that, as the speaker listens to our commands, which are often stored on the cloud servers of these companies, the audio could contain sensitive information spoken in the background — music and TV programs played in the background — that may be of interest to some malicious actors.”

What can users do to prevent the threat to their privacy?

  • Check all permissions given to various apps. Does each app really need to access sensitive sensors — GPS, microphone, camera — to function? If something has requested and received more access and privileges than it should have, turn that off from the settings.
  • When installing new apps, do the same check. Do not give permission to all privileges the app is asking for, unless it really needs the privilege to function.
  • Only install apps from official or legitimate sources.
  • For sensitive conversations, it might be a good idea to put your phone away or turn it off.
  • Disable apps from recording and maintaining users’ location history — Google Maps, Facebook.
  • Utilize anti-virus apps.
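The first two items on that list can be checked without trusting any settings screen: Android's `adb shell dumpsys package` lists, for every installed package, which install-time and runtime permissions are granted. The following Python script, added here as an example and not code from the article or from Saxena's research, parses that output, keeps only microphone, camera and location grants, compares them against an allowlist of permissions the user believes each app genuinely needs, and prints the `adb shell pm revoke` commands that would remove the rest. The `dumpsys` sample embedded in the script is constructed, and the package names and allowlist are hypothetical.

```python
"""Audit which sensitive permissions installed Android apps actually hold.

Added example (not from the article). Parses `adb shell dumpsys package`
output and flags microphone/camera/location grants the user did not expect.
"""
import re
import subprocess
from typing import Dict, List, Set

# Permissions that give an app "eyes and ears" or a location fix.
SENSITIVE = {
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.CAMERA": "camera",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.ACCESS_COARSE_LOCATION": "approximate location",
    "android.permission.ACCESS_BACKGROUND_LOCATION": "location while in background",
}

PKG_RE = re.compile(r"^\s*Package \[([\w.]+)\]")
GRANT_RE = re.compile(r"^\s*([\w.]+): granted=(true|false)")
# Either section means the app holds the permission: apps targeting Android 5
# or older get dangerous permissions at install time, newer ones at runtime.
GRANT_SECTIONS = {"install permissions:", "runtime permissions:"}

# Constructed sample of `dumpsys package` output; package names are hypothetical.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.dialer] (7a3f1c2):
    userId=10101
    requested permissions:
      android.permission.INTERNET
      android.permission.RECORD_AUDIO
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: ceDataInode=1234 installed=true hidden=false suspended=false stopped=false enabled=0
      runtime permissions:
        android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET]
  Package [com.example.flashlight] (9b0e44d):
    userId=10102
    requested permissions:
      android.permission.INTERNET
      android.permission.CAMERA
      android.permission.ACCESS_FINE_LOCATION
      android.permission.RECORD_AUDIO
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: ceDataInode=5678 installed=true hidden=false suspended=false stopped=false enabled=0
      runtime permissions:
        android.permission.CAMERA: granted=true, flags=[ USER_SET]
        android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET]
        android.permission.RECORD_AUDIO: granted=false, flags=[ USER_SET|USER_FIXED]
"""


def parse_granted(dumpsys_text: str) -> Dict[str, List[str]]:
    """Return {package: [sensitive permissions the package holds]}."""
    held: Dict[str, List[str]] = {}
    package = None
    section = None
    for line in dumpsys_text.splitlines():
        stripped = line.strip()
        m = PKG_RE.match(line)
        if m:                                   # start of a new package block
            package = m.group(1)
            held[package] = []
            section = None
            continue
        if stripped.endswith(":") and "granted=" not in stripped:
            section = stripped                  # e.g. "requested permissions:"
            continue
        if package is None or section not in GRANT_SECTIONS:
            continue
        g = GRANT_RE.match(line)
        if g and g.group(2) == "true" and g.group(1) in SENSITIVE:
            if g.group(1) not in held[package]:
                held[package].append(g.group(1))
    return held


def unexpected_grants(held: Dict[str, List[str]],
                      expected: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Grants that are not in the user's own allowlist of needed permissions."""
    flagged = {}
    for pkg, perms in held.items():
        extra = [p for p in perms if p not in expected.get(pkg, set())]
        if extra:
            flagged[pkg] = extra
    return flagged


def revoke_commands(flagged: Dict[str, List[str]]) -> List[str]:
    """adb commands to revoke each flagged permission. `pm revoke` only works
    for runtime permissions; an install-time grant goes away only by uninstalling."""
    return [f"adb shell pm revoke {pkg} {perm}"
            for pkg, perms in sorted(flagged.items()) for perm in perms]


def dump_from_device() -> str:
    """Pull live output from a connected device; use the sample when adb is absent."""
    try:
        return subprocess.run(["adb", "shell", "dumpsys", "package"],
                              capture_output=True, text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        return SAMPLE_DUMPSYS


if __name__ == "__main__":
    # Hypothetical allowlist: a dialer legitimately needs the microphone.
    expected = {"com.example.dialer": {"android.permission.RECORD_AUDIO"}}
    flagged = unexpected_grants(parse_granted(dump_from_device()), expected)
    for pkg, perms in flagged.items():
        print(pkg, "->", ", ".join(SENSITIVE[p] for p in perms))
    for cmd in revoke_commands(flagged):
        print(cmd)
```

Run against the sample, the dialer's microphone grant is accepted and the flashlight app is flagged for camera and precise location; against a real device the same logic runs over every installed package, which is far quicker than opening each app's settings page by hand.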

Research is underway to solve some of these problems. One example is Project Alias, an open-source device by designers Bjørn Karmann and Tore Knudsen that aims to prevent smart speakers like Google Home from eavesdropping on people’s conversations. It sits on top of the speaker and feeds noise into its microphone, stopping only when the user issues a command to the speaker.

The bottom line, Saxena says, is that our phones and tablets now have eyes and ears and they can easily collect very intimate details about our personal lives. “We must be aware of the phone’s capabilities and take proactive actions,” he said.
