Long gone are the days when hackers used to conduct massive cyber attacks on other devices to steal passwords and other information. Now, they can just hear what you type.

This shocking fact was found in a recent study conducted by the researchers of Cambridge University and the Linköping University of Sweden. The researchers working on the study were able to glean passwords by reading the sound waves coming from the finers tappings on a smartphone touch screen.

As dangerous as it sounds, the hacking groups can decode what a person types by using an app that controls the smartphone’s microphone. This spying app, that was first discovered by the Wall Street Journal, asks for microphone permissions on a device and as soon as you allow it, you can lose sensitive data to malicious actors. The researchers wrote, “We showed that the attack can successfully recover PIN codes, individual letters, and whole words.”

Using Microphones To Decipher Passwords

It is not necessary that hackers use this particular spying app to steal data. A sound-based attack can be executed by any app with microphone permissions, that is infected with such malware. The researchers also quoted, “Many apps ask for this permission and most of us blindly accept the list of demanded permissions anyway.”

To conclude the attack, researchers designed an algorithm based on machine-learning that could read vibrations coming from specific keystrokes. A test group of 45 people went through several tests and researchers were able to replicate correct passwords seven times out of 27 smartphones within just 10 attempts. The results on tablets were even better where researchers decoded a password 19 times within 10 attempts out of 27.

The researchers wrote, “We found the device’s microphone(s) can recover this wave and ‘hear’ the finger’s touch, and the wave’s distortions are characteristic of the tap’s location on the screen.” They further added, “Hence, by recording audio through the built-in microphone(s), a malicious app can infer text as the user enters it on their device.”

The experiment was concluded on an Android app that allowed users to enter words and letters on one Nexus 9 tablet and two LG Nexus 5 smartphones. As the participants entered the passwords, the app successfully recorded their tapping audio through the built-in microphones on the devices. To keep the situation similar to the real world, researchers asked participants to tap in the passwords from three different locations for three different levels of background noise. First, they used a common room that was crowded with people and a coffee machine was in use. Second, they chose a reading room that had computers. And lastly, they went for a quite place- library.

According to the report, the study is yet to be published but it is available online on an academic research website maintained by Cornell University.

Giving a solution to such attacks, researchers suggested that app developers or smartphone makers can add a switch or software feature that can turn off the microphone instantly. Another option according to them can be a simple flash message on the device about the microphone usage while entering passwords.

The research is about a broader study of security vulnerabilities coming from the built-in sensors of a device such as accelerometers or cameras to extract sensitive information without user’s knowledge.