PlaceRaider: Virtual Theft in Physical Spaces with Smartphones

TL;DR

PlaceRaider is a novel visual malware that exploits smartphone sensors to create 3D models of indoor environments for virtual theft, demonstrating significant security risks and potential defenses.

Contribution

The paper introduces PlaceRaider, a new visual malware leveraging smartphone sensors for remote reconnaissance and virtual theft, an understudied threat in mobile security.

Findings

PlaceRaider can accurately reconstruct indoor environments in 3D.

Human studies show effective virtual theft capabilities.

Potential defenses against visual malware are discussed.

Abstract

As smartphones become more pervasive, they are increasingly targeted by malware. At the same time, each new generation of smartphone features increasingly powerful onboard sensor suites. A new strain of sensor malware has been developing that leverages these sensors to steal information from the physical environment (e.g., researchers have recently demonstrated how malware can listen for spoken credit card numbers through the microphone, or feel keystroke vibrations using the accelerometer). Yet the possibilities of what malware can see through a camera have been understudied. This paper introduces a novel visual malware called PlaceRaider, which allows remote attackers to engage in remote reconnaissance and what we call virtual theft. Through completely opportunistic use of the camera on the phone and other sensors, PlaceRaider constructs rich, three dimensional models of indoor environments. Remote burglars can thus download the physical space, study the environment carefully, and steal virtual objects from the environment (such as financial documents, information on computer monitors, and personally identifiable information). Through two human subject studies we demonstrate the effectiveness of using mobile devices as powerful surveillance and virtual theft platforms, and we suggest several possible defenses against visual malware.