"While the privacy risks associated with some sensors like a microphone (eavesdropping), camera or GPS (tracking) are obvious and well understood, some of the risks remained under the radar for users and application developers," the researchers noted in a paper.
"In particular, access to motion sensors such as gyroscope and accelerometer is unmitigated by mobile operating systems. Namely, every application installed on a phone and every web page browsed over it can measure and record these sensors without the user being aware of it."
Gyroscopes are used to measure a mobile device's orientation, and the data they provide is crucial for camera apps and certain types of games to work properly. But gyroscopes found on modern smart phones are also sensitive enough to measure acoustic signals in the vicinity of the phone (speech, ambient noises).
The researcher found a way to extract information from gyroscope measurements and, by using automatic speech recognition, they managed to "translate" it into sounds and speech.
Most human voices have a fundamental frequency from 85 to 255 Hz. The results the researchers have achieved are confined to Android devices, as the OS (currently) imposes a gyroscopes' sampling rate of 200Hz, which allows the app - Gyrophone - created by the researchers to capture "a large fraction of the interesting frequencies."
On the other hand, iPhone's sensors are limited to frequencies below 100 Hz, so not enough data can be captured.
The researchers admit that the results they have achieved are not good enough to present a threat at this moment, but they also noted that improving the speech recognition algorithms could lead to better and even usable results in the future.
Luckily, there is a simple way for mobile OS manufacturers to shut down this particular attack vector: filter the raw samples provided by the gyroscope and limit them, for example, to 20 Hz.
"In case a certain application requires an unusually high sampling rate, it should appear in the list of permissions requested by that application, or require an explicit authorization by the user," they noted, and added that "to defend against attackers who gain root access, this kind of filtering should be performed at the hardware level."