One of the biggest challenges facing any cat-burglar is knowing where to find the loot once they've broken in. Now US Navy researchers have developed a smartphone system that can not only case the joint for any would-be attacker, but can also steal virtual objects.
The proof-of-concept Trojan, dubbed PlaceRaider, surreptitiously slurps a smartphone's sensor data and hijacks the camera to take covert pics. This information is then sent back to the controllers, enabling them to build 3D models of their target.
The team, led by Robert Templeman of Indiana University and including David Crandall of the Naval Surface Warfare Center in Crane, Indiana, knew it was possible for smartphone malware to record and transmit data, without a user realising, but wanted to know whether they could gather enough image data, combined with sensor data, to build accurate 3G models of a room, having never set foot in it themselves.
To get the image data, PlaceRaider is disguised as an innocent camera app – in tests this was done for the Android platform, although the researchers believe it would be transferrable to iOS or Windows Phone. This disguise enables PlaceRaider to gain camera privileges, without raising suspicion.
But today's smartphone cameras are meaty beasts, capable of snapping 10MP images in some cases – constantly taking pictures would soon fill up on-board storage, and raising suspicions.
PlaceRaider also uses the photos' time stamps to establish which ones were taken around the same time, and uses a special algorithm to pick out the best quality ones, discarding ones taken closely together or where images were blurred.
To get round this, the PlaceRaider team got the targeted smartphone to 'down-sample' the images at 1MP. These could then be sent to the attackers without raising the alarm.
One other problem the team encountered was Android's insistence that the camera make a shutter sound, each time a picture is taken.
“The playback of this sound cannot be prevented without root access to the phone, but again there is a simple workaround: we mute the speaker immediately before a photo is taken and restore the volume afterwards, so that playback of the shutter sound occurs but at a volume level of zero,” the team wrote in their research paper.
The pictures are then surreptitiously transmitted to PlaceRaider's command and control servers, along with data snaffled from the smartphone's gyroscope and accelerometer sensors.
The team then used an image manipulation algorithm capable of tying the pictures together to create a 3D model of the phone's surroundings. Similar techniques have been used to recreate virtual versions of some historical landmarks. But PlaceRaider recreates these 3D models using low resolution images.
The team installed PlaceRaider on to volunteer's handsets to test it out. They were able to show in the first case that they could collect enough data to build a working model of the subject's environment.
PlaceRaider was installed on the phone and configured to take a photograph every two seconds. The camera was set with shutter priority so as to minimize motion blur and the resolution was set to 1MP. The study consisted of 20 separate data collection events in the same office environment, using 20 participants recruited from a university campus.
Having shown they could recreate an office using the captured data, the PlaceRaider believe it is possible to modify the system to actually commit a crime.
Once the layout of a room is known, they reason, it would be possible to use the 3D models to work out where computer screens or documents are located. That could potentially be used by attackers to direct the malware-laden smartphone to capture shots of bank statements or log on credentials.
PlaceRaider was designed as a proof-of-concept system, to alert users about the possible risks they face when using smartphones, the researchers said. Their work was published today on the ArXiv website.
Use the same password for every website? It might be time to change them all
Applicants for parking bay suspensions put at risk of credit card fraud by Islington Council
Robert Swan appointed interim CEO after Brian Krzanich's departure
Should you link your data sets to add value, or leave them separate to reduce risk?