With public wifi and high volumes of people clacking away on their laptops, coffee shops are notoriously fertile ground for hackers.
Scientists at the Georgia Institute of Technology working to make that ground more secure have released some troubling new discoveries based on the idea that hackers can still access a plethora of a coffee shop visitor’s personal information even when that person’s computer or smartphone is not connected to the public wifi.
By studying various emissions from computers — including mechanical sounds and power fluctuations — the researchers have developed a metric for measuring the strength of these kinds of unintentional leaks, referred to technically as “side-channel signal.”
“People are focused on security for the Internet and on the wireless communication side, but we are concerned with what can be learned from your computer without it intentionally sending anything,” Alenka Zajic, an assistant professor in Georgia Tech’s School of Electrical and Computer Engineering, said in an announcement of the study today. “Even if you have the Internet connection disabled, you are still emanating information that somebody could use to attack your computer or smartphone.”
In coffee shop settings, some experienced “ethical hackers” suggest users avoid public wifi altogether, since software manufacturers and network security systems have lagged behind. But a generally promoted rule of thumb among cybercrime experts is that users should never share or submit any kind of data that they would not want in the hands of an unknown third party. The ability to attack devices that are not connected represents an added vulnerability, not only for shop visitors but also for the shop operators providing the public wifi.
For their research, the scientists simulated coffee shop environments, setting up hacks on non-connected laptops and smartphones through various devices like microphones and transmitters. Says the GIT team:
“Some signals can be picked up by a simple AM/FM radio, while others require more sophisticated spectrum analyzers. And computer components such as voltage regulators produce emissions that can carry signals produced elsewhere in the laptop.
“As a demonstration, Zajic typed a simulated password on one laptop that was not connected to the Internet. On the other side of a wall, a colleague using another disconnected laptop read the password as it was being typed by intercepting side-channel signals produced by the first laptop’s keyboard software, which had been modified to make the characters easier to identify.”
“We are trying to understand why these side channels exist and what can be done to fix these leaks,” says Zajic. “We are measuring computers and smartphones to identify the parts of the devices that leak the most. That information can guide efforts to redesign them, and on an architectural level, perhaps change the instructions in the software to change the device behavior.”
While the vulnerability exists, the odds of a coffee shop visitor being hacked remain extremely slim. One issue that the GIT researchers note, however, is that more hacks are certainly occurring than are reported, since individual hackers are not likely to trumpet their conquests.