Department Gathering


How Innocent Speakers Can Be Exploited to Harm People's Privacy on Android Phones


Today, smart phones and tablets are so popular that almost everyone has one and uses it on daily bases. However, such trends also bring serious threats to people's security and privacy. There are already lots of study in different directions. Among the them, the security implications of various sensors, like accelerometer, light sensor, GPS, etc., have been widely studied, but none of them pay attention to speakers, simply because speakers is regarded as a output-only device and will not generate sensitive data. Unfortunately, this is wrong. In this talk, I will introduce some interesting work done in my group recently on how the innocent speakers can be abused to track devices and bypass Android existing security mechanisms. In the first part, I will talk about the study on how to generate an unique device ID for mobile phones stealthily by leveraging the manufacturing infections of phone speakers as well as the hearing characteristics of our human beings. In the second part, I will introduce a very interesting and novel attack which exploits design flaws of Google Voice Search apps, and even without requesting any permission, is still able to get lots of sensitive information that has been carefully protected by Android systems. Above work has either been accepted by ACM CCS 2014 (one top conference in security area) or widely reported worldwide by mass media (for more, please use Google: )