How Sensor-Packed Smartphones Can Read Your Mood, Guard Your Data — and Wreak Havoc in the Wrong Hands

Newswise — Smartphones can already do pretty much everything, right? Actually, UAB computer scientists have a few more ideas. They’re tapping into the accelerometers, proximity sensors and other environment-aware chips packed into modern phones to help users stay safe — and keep ahead of the bad guys.

Here are seven innovations that could be coming soon to your favorite device.

1. Watching your back

Most of us are very protective of our phones. Ragib Hasan, Ph.D., an assistant professor in the UAB College of Arts and Sciences Department of Computer and Information Sciences and director of SECRETLab, wants them to return the favor. He is developing software to turn a phone into a digital wingman, using information from its camera, microphone, accelerometer and other sensors to gauge a user’s attentiveness and respond appropriately. When it detects that a person is driving, for example, it could silence all but the most important alerts. If it decides from the way that you’re walking and talking that you are drunk, it could prevent you from making bank transactions. Hasan’s code will also save important security warnings for times when you are alert, rather than groggy from sleep.

The project builds on a study by Munirul Haque, Ph.D., who recently completed a postdoctoral fellowship in Hasan’s lab, and collaborators at Marquette University. The researchers found that a phone can do a remarkably good job at sensing mood. They parsed camera images to read facial expressions and accelerometer data to judge energy expenditure (anxious people tend to pace; inactivity is often a signal of depression). Their system was able to recognize six different “affective states”: anger, disgust, fear, happiness, sadness and surprise.

Learn more: Read the paper “In Situ Affect Detection in Mobile Devices: A Multimodal Approach for Advertisement Using Social Network”

2. Learning your style

You may be only one of millions of people with an iPhone, but the way you hold your phone — and take pictures and send text messages — may be unique. Nitesh Saxena, Ph.D., an associate professor in the CIS department and director of the SPIES lab, is a pioneer in “behavioral biometrics” security research. He’s pulling together data from accelerometers, gyroscopes and proximity sensors to chart the characteristic gestures a user makes when answering a call or snapping a selfie. Once his software learns your moves, it could unlock your phone automatically — and freeze when it detects that it is in the wrong hands. A system that taps into user interactions with multiple connected devices, such as Google Glass or the new Apple Watch, would be even more secure, Saxena says.

Learn more: Read the Mix feature Swagger security: How your smartphone style could keep your digital assets safe

3. Replacing your password

Newer phones can measure temperature, humidity — even barometric pressure. A combination of these readings could offer a secure way to log in to your computer and make passwords obsolete, according to research in Saxena’s SPIES lab. “Zero-interaction” authentication systems operate much like the keyless entry and starting systems on some cars — they rely on Bluetooth or other signals from a smartphone to grant a user access. But existing systems, such as the publicly available app BlueProximity, are vulnerable to relay attacks. A team of criminals — one close to the user, the other near his or her computer — can relay/eavesdrop on the verification process and defeat the system, Saxena says. His team has found that combining readings from multiple sensors, including GPS, audio, temperature and altitude, can thwart relay attacks. They have developed an Android-based app, called BlueProximity++, that uses these readings to instantly — and securely — unlock laptops and other devices as soon as the user’s phone gets within range. (See a demonstration in the video above.) This is a joint work with a team of researchers at the University of Helsinki and Aalto University in Finland.

Learn more: Read the paper “Comparing and Fusing Different Sensor Modalities for Relay Attack Resistance in Zero-Interaction Authentication”

4. Tracing your steps — without sacrificing your privacy.

The GPS sensors found in most smartphones are a great way to track location history — where a person has been and when. That information could be a big help for people in many professions, including salespeople and insurance adjustors. But central tracking is unpopular with employees, and relying on an individual’s own logs is equally problematic. All it takes to game the system is a $10 device that can alter GPS readings. Hasan’s team has developed a middle way between these alternatives. Known as WORAL, or Witness Oriented Asserted Location Provenance, it relies on inexpensive WiFi routers and strong encryption methods that enable a user to check in at a designated location on the WORAL app and store that information securely on his or her own phone. That check-in is validated automatically by another WORAL user who is present in the same location, creating a collusion-resistant proof that the person actually was where he or she said she was. The technology, which was funded by a $583,000 grant from the Department of Homeland Security, could also be used to track products through a supply chain, Hasan notes. His team is now developing WORAL as a commercial product.

Learn more: Read the Mix feature Watching the watchers: WORAL system tracks location without giving away data

5. Protecting your payments

Apple Pay, Google Wallet and a host of competing mobile payment systems rely on near-field communications (NFC) technology, which is built into many Android phones and the latest version of Apple’s iPhone. With NFC chips, users can make payments by tapping their phones against a reader at retail stores. The trouble is, NFC is vulnerable to “ghost and reader” attacks (a form of relay attack), where a criminal intercepts a user’s credentials at one location and transmits them to a confederate waiting to make a purchase at another location. When an unsuspecting customer buys a burger at a restaurant, for example, the confederate may use the credentials to make a simultaneous purchase at a jewelry store. But Saxena’s team has developed a countermeasure to verify that the payment request is actually coming from a user in the same location as the reader. Their system uses signals from a combination of sensors, including lists of nearby WiFi hotspots and their signal strengths, and short audio snippets captured by the phone’s microphone. The NFC reader compares notes with the phone — if the signals match, the payment is authorized.

Learn more: Read the paper “Secure Proximity Detection for NFC Devices based on Ambient Sensor Data”

6. Guarding your digits

Criminals have come up with plenty of ways to steal PINs from unsuspecting ATM users. The latest high-tech wrinkle, according to Hasan, involves heat-sensing cameras. Criminals read the buttons a customer has pressed immediately after he or she has walked away. Hasan’s SECRETLab is devising a new way to beat the “shoulder surfing” problem: generating an extra set of randomized numbers that surround an accountholder’s real PIN. All the customer would have to do is use his or her phone to snap a picture of a QR code that appears on the ATM screen. It would return a list of numbers, with spaces left blank for the actual PIN: 64_51_90_19_, for instance. The random numbers would change each time a customer uses an ATM, so even if criminals managed to get that password, they wouldn’t be able to access the account. Banks could implement the system with minimal investment, Hasan adds; it would require only a simple software update and no new hardware.

Learn more: Read up on Hasan's "secure identity" research on the SECRETLab site.

7. Sensing danger

There’s potential trouble in all these high-tech sensors, however. Researchers from the SPIES and SECRET labs found that they could hijack smartphone sensors to trigger previously implanted malicious code. Using messages hidden in music, videos, magnetic fields and vibrations, the researchers were able to take control of devices from as far as 55 feet away. These “context-aware” attacks could be used to create mass chaos by setting off alarms or even interfere with an aircraft’s communications during landing. And such schemes would be “very hard to detect and even harder to prevent” with current security measures, the researchers say. They are now working on novel methods to block such attacks.

Learn more: Read the paper “Sensing-Enabled Channels for Hard-to-Detect Command and Control of Mobile Devices”

Support cutting-edge research with a gift to the Department of Computer and Information Sciences