Establishing Digital Trust: Don't Sacrifice Security for Convenience
For years, security researchers have warned about the risks of keylogging software on computing platforms. Keyloggers, quite literally log and record the keystrokes taken by a user in a bid to learn passwords and other valuable information.
According to Trustwave security researchers, that risk has now jumped to mobile devices with the risk that touchlogging software can log user actions on mobile devices.
Neal Hindocha, Senior Security Consultant at Trustwave explained to eSecurityPlanet that on mobile devices the entire touchscreen replaces the traditional keyboard and mouse. As such the touch screen is now a target.
Hindocha said that in his research he wanted to see if it was possible to capture the X and Y co-ordinates on a mobile touchscreen as well as capture screenshots from the device of what a user sees. He found IOS devices to be at risk when they are jailbroken, as well as both rooted and unrooted Android devices.https://o1.qnsr.com/log/p.gif?;n=203;c=204650394;s=9477;x=7936;f=201801171506010;u=j;z=TIMESTAMP;a=20392931;e=i
In his test case, Hindocha said that the collected mobile touch screen data is outputted to a file that can then be sent back to an attacker to collect.
The Trustwave research currently is just that - research.
Hindocha has a few ideas of how an attacker might be able to leverage the same techniques to actually exploit users. For one, there can be a malicious app built, that an unsuspecting user simply downloads. The app then runs in the background, continuously collecting the touch screen data.
The other potential path to infection that Hindocha sees is via a desktop computer connection, whether that desktop is Windows, Mac or Linux doesn't matter either.
"The attacker just needs to wait for the mobile device to connect to the desktop and then the touchlogger functionality can be triggers," Hindocha said. "I would assume a lot of mobile users connect to their desktop for charging and data transfer."
Hindocha first presented his findings at the RSA conference last week in a session titled, Touchlogger on IOS and Android. He noted that since the flaw on IOS only can be executed on jailbroken IOS devices, there was no need to disclose the flaws directly to Apple.
"If you jailbreak your device you're basically letting anything to run on your device," Hindocha said. "So the real vulnerability is in the jailbreaking, after that this what you are enabling."
For IOS users in particular the advice is clear - don't jailbreak your device.
"If you are jailbreaking your device you should be aware of what you're doing," Hindocha said.
Sean Michael Kerner is a senior editor at eSecurityPlanet and InternetNews.com. Follow him on Twitter @TechJournalist