Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Glitch in Time: Exploiting Temporal Misalignment of IMU For Eavesdropping

Ahmed Najeeb, Abdul Rafay, Naveed Anwar Bhatti, Muhammad Hamad Alizai

TL;DR

This work reveals a critical vulnerability in smartphone IMUs under Android's 200 Hz permission-free constraint by introducing STAG, a framework that induces temporal misalignment between accelerometer and gyroscope data to upsample to 400 Hz. The method leverages a LightGBM-based upsampling pipeline combined with cubic spline interpolation and strategic axis selection (accelerometer Z for SNR and gyroscope X/Y for correlation) to enable end-to-end SLU-based eavesdropping, achieving a substantial reduction in word error rate relative to prior zero-permission approaches. STAG demonstrates both a practical privacy threat and a pathway for more robust sensor security in mobile devices, highlighting the need for stricter access controls and potential hardware/firmware redesigns. The work also discusses defense strategies, implications for future OS updates, and directions for multilingual on-device SLU, stressing the urgency of proactive safeguards as smartphones become more capable targets for covert surveillance.

Abstract

The increasing use of voice assistants and related applications has raised significant concerns about the security of Inertial Measurement Units (IMUs) in smartphones. These devices are vulnerable to acoustic eavesdropping attacks, jeopardizing user privacy. In response, Google imposed a rate limit of 200 Hz on permission-free access to IMUs, aiming to neutralize such side-channel attacks. Our research introduces a novel exploit, STAG, which circumvents these protections. It induces a temporal misalignment between the gyroscope and accelerometer, cleverly combining their data to resample at higher rates and reviving the potential for eavesdropping attacks previously curtailed by Google's security enhancements. Compared to prior methods, STAG achieves an 83.4% reduction in word error rate, highlighting its effectiveness in exploiting IMU data under restricted access and emphasizing the persistent security risks associated with these sensors.

Glitch in Time: Exploiting Temporal Misalignment of IMU For Eavesdropping

TL;DR

This work reveals a critical vulnerability in smartphone IMUs under Android's 200 Hz permission-free constraint by introducing STAG, a framework that induces temporal misalignment between accelerometer and gyroscope data to upsample to 400 Hz. The method leverages a LightGBM-based upsampling pipeline combined with cubic spline interpolation and strategic axis selection (accelerometer Z for SNR and gyroscope X/Y for correlation) to enable end-to-end SLU-based eavesdropping, achieving a substantial reduction in word error rate relative to prior zero-permission approaches. STAG demonstrates both a practical privacy threat and a pathway for more robust sensor security in mobile devices, highlighting the need for stricter access controls and potential hardware/firmware redesigns. The work also discusses defense strategies, implications for future OS updates, and directions for multilingual on-device SLU, stressing the urgency of proactive safeguards as smartphones become more capable targets for covert surveillance.

Abstract

The increasing use of voice assistants and related applications has raised significant concerns about the security of Inertial Measurement Units (IMUs) in smartphones. These devices are vulnerable to acoustic eavesdropping attacks, jeopardizing user privacy. In response, Google imposed a rate limit of 200 Hz on permission-free access to IMUs, aiming to neutralize such side-channel attacks. Our research introduces a novel exploit, STAG, which circumvents these protections. It induces a temporal misalignment between the gyroscope and accelerometer, cleverly combining their data to resample at higher rates and reviving the potential for eavesdropping attacks previously curtailed by Google's security enhancements. Compared to prior methods, STAG achieves an 83.4% reduction in word error rate, highlighting its effectiveness in exploiting IMU data under restricted access and emphasizing the persistent security risks associated with these sensors.
Paper Structure (34 sections, 7 figures, 7 tables)

This paper contains 34 sections, 7 figures, 7 tables.

Table of Contents

  1. Introduction
  2. Preliminaries
  3. Background
  4. MEMS Sensors:
  5. Gradient Boosting Machines (GBM):
  6. Sensor Fusion:
  7. Spoken Language Understanding (SLU):
  8. Related Work
  9. Problem Formulation
  10. Threat Model
  11. Attack Scenarios
  12. End-to-End Attack
  13. Design and Implementation
  14. Temporal misalignment
  15. Scenario 1: multiple accelerometer instances.
  16. ...and 19 more sections

Figures (7)

  • Figure 1: Data sampling of IMU sensors: contrasting optimal temporal misalignment vs. standard alignment in smartphones.
  • Figure 2: An end-to-end attack scenario: a malicious app captures IMU data from a navigation app and processes it via STAG to infer sensitive user information.
  • Figure 3: Temporal misalignment and sample distribution in the Samsung Galaxy A33 before and after integrating the magnetometer.
  • Figure 4: Normalized accelerometer and gyroscope responses to audio. The y-axis is scaled from 0 to 1. The accelerometer shows a stronger response than the gyroscope, but both sensors exhibit discernible patterns.
  • Figure 5: Gyroscope axes correlation with Z-axis of the accelerometer.
  • ...and 2 more figures