Researchers at the Pennsylvania State University have found a new way to snoop on phone conversations: they use a radar to detect vibrations in a phone’s earpiece. Suryoday Basak and Mahanth Gowda refer to their technique as ‘mmSpy’ because their radar uses radio waves with a wavelength between 1 and 10 millimeters, commonly referred to as mmWave. Such technology may previously have only seemed available to James Bond-style secret agents but mmWave radars can now be found in modern cars, virtual reality headsets and industrial robots. The use of mmWave technology has also been incorporated into 5G and other networking standards, supporting the ability to provide sensors and networking for IoT devices. As these radars become more readily available so there is a risk that they will be used for criminal purposes. This is how the academics explained the risk to privacy and the methods they developed.
This paper proposes mmSpy, a system that uses off-the-shelf mmWave radar devices for eavesdropping the audio spoken by the remote caller during phone calls. The core intuition is that the earpiece device that users listen to during phone calls generate minute vibrations in the order of 7 µm. mmSpy senses these vibrations by detecting the changes in phases of mmWave signals reflected from the body of the phone. This opens up the possibility of eavesdropping the audio content of the remote caller during a phone conversation. In particular, mmSpy can eavesdrop the contents of the audio even when the audio is completely inaudible to both humans and microphones nearby. In addition, since the audio is detected directly from the source of vibrations, mmSpy’s spying capabilities are immune to ambient noise, which makes the attack suitable in noisy and crowded spaces where suspicion is low. This opens up an interesting attack scenario. An attacker can eavesdrop on nearby users on phone calls, especially in a social setting like conferences, or parties and spy on users who might be seated and engaged in a phone conversation. Credit card numbers, one-time passwords, SSN numbers, etc. can be stolen within the capabilities of mmSpy.
The good news is that mmSpy is not capable of accurately identifying much more than single digits or keywords, though this would be enough to potentially eavesdrop on credit card numbers and passcodes, especially if this information was being relayed using an automated call. Accuracy drops off as the distance between the radar and the phone increases; mmSpy is able to achieve greater than 80 percent accuracy when the radar is 1 foot away from the phone but accuracy falls to less than 50 percent when the distance is 6 feet. Nevertheless, even this limited range could prove sufficient to spy on strangers in cramped situations where people often use their phones, such as when sitting inside a commuter train. The accuracy of the technique roughly correlated to the loudness of the voice being listened to, and the technique was similarly effective for both male and female voices. The most significant practical limitation of mmSpy is the interference caused when people move around, meaning much more work would be needed before this technique would prove effective at eavesdropping on a phone held by someone as they walk. Perhaps the greater risk lies with the potential to interfere rather than spying upon the increasing number of devices that utilize the mmWave band.
The full text of Basak and Gowda’s paper, entitled “mmSpy: Spying Phone Calls using mmWave Radars”, can be found here.