Weaponizing IoT Sensors: When Table Choice Poses a Security Vulnerability

The security threat posed by keyloggers on laptop and desktop computers is traditionally understood from the perspective of malware that directly reads keystrokes on the victim’s machine. While recent research on smart phone platforms has shown that motion/vibration sensors inbuilt in these phones also pose a keylogging threat, this line of attack has never been investigated in desktop and laptop settings given that no such sensors exist in these settings. In this paper, we show that the vibration dynamics of commonly used computer table materials transmit keyboard vibrations during typing with such fine granularity that keyboard typing locations (and hence keystrokes) could be learned from the vibrations. In practice such an attack would be executed by methodically rigging the underside of a computer table or keyboard itself with a series of motion sensors, and then mining the data generated by these sensors during typing. Taking the case of typical computer table materials such as glass, plastic, metal and wood, we study this line of attack and highlight scenarios where it poses a potent threat. Thanks to fast growing IoT platforms making available easy-to-use, fully featured, cheap sensors, we argue that this line of attack is accessible to even casual "computer hackers" having no knowledge of low-level hardware programming. The paper brings to light a previously unexplored privacy threat that security practitioners and end-users need to pay attention to as IoT goes mainstream.