"Pitt Electrical and Computer Engineers Uncover Hardware Security Vulnerability on Android Phones"
A study conducted by a team of researchers at the University of Pittsburgh Swanson School of Engineering found that the Graphics Processing Unit (GPU) in some Android smartphones could be used to eavesdrop on a user's credentials as they are typed on the device's on-screen keyboard, making the GPU an attractive target for hackers. The hardware security vulnerability poses a more significant threat to users' personal data than previous attacks, which could infer only a user's coarse-grained activities, such as the website being visited. The team's attack can correctly infer a user's username and password without the need for any system privileges. In addition, the attack does not cause any noticeable change in the smartphone's operations or performance, so the user would not be able to tell when it is occurring.

A phone's GPU processes the images that appear on the screen, including the pop-up animations shown when a letter on the on-screen keyboard is pressed. The researchers correctly inferred which letters or numbers were pressed by a user over 80 percent of the time, based on how the GPU produces the displayed keyboard animations. The study focused on the Qualcomm Adreno GPU. However, the team's demonstrated attack could also be used against other GPUs.

The team disclosed their findings to Google and Qualcomm, and Google then confirmed that an Android security update would be released later this year to address the vulnerability. This article continues to discuss the hardware security vulnerability discovered on Android phones.