Let’s hope not, and if so, not for long, thanks to a team of researchers from the University of Pittsburgh’s Swanson School of Engineering.
A recent study by scientists has shown that the graphics processor (GPU) in some Android smartphones can be used to listen to user credentials when the user enters credentials using the on-screen keyboard of the smartphone. The discovered hardware security vulnerability poses a much more serious threat to the user’s confidential personal data compared to previous attacks, which can only infer about the user’s general actions, such as the website visited or the length of the password entered.
“Our experiments show that an attack can correctly identify user-entered credentials, such as username and password, without requiring any system privileges or causing any noticeable changes in the operation or performance of the device. Users won’t be able to tell when they’re being attacked,” said Wei Gao, associate professor of electrical and computer engineering, whose lab led the study.
During the experiment, the researchers were able to correctly determine which letters or numbers were pressed, in 80% of cases, based only on data received from the GPU.
The researchers focused on the Qualcomm Adreno video chip, but it is assumed that the vulnerability can also be exploited on other GPUs. The team reported a breach discovered by Google and Qualcomm. Google noted that it will release a security patch for Android at the end of this year.
For example, an attacker can create a secure application and inject malicious code into it that will run in the background. As a result of the attack, a malicious application can get usernames and passwords entered in online banking or on websites. Such a code cannot be detected by the standard security tools of the Google Play store.
The document “Eavesdropping on User credentials through third-party GPU channels on smartphones” was co-authored with Boyuan Yang, Ruirong Chen, Kai Huang, Jun Yang and Wei Gao. It was presented at the ASPLOS conference, held from February 28 to March 4, 2022 in Lausanne, Switzerland.