While most people probably don't have much to worry about, as the attack is a bit difficult, the researchers are the first to demonstrate that this kind of attack is even possible.
The team created a "SonarSnoop" attack that decreases the number of unlock patterns an attacker must try by 70 percent and can be performed without the victim ever knowing they're being hacked.
Of course, the user must first unwittingly install a malicious application on their phone, which makes the phone begin broadcasting a sound signal that is just above the human range of hearing.
This sound signal is reflected by every object around the phone, creating an echo (and driving dogs in the area nuts).
This echo is then recorded by the phone's microphone. By calculating the time between the emission of the sound and the return of its echo to the source, it is possible to determine the location of an object in a given space and whether that object is moving.
The researchers used the sonar effect to track the movement of someone's finger across a smartphone screen by analysing the echoes recorded through the device's microphone.
There are nearly 400,000 possible unlock patterns on the 3x3 swipe grid on Android phones, but prior research has demonstrated that 20 percent of people use one of 12 common patterns.
While testing SonarSnoop, the researchers focused only on these dozen unlock combinations. Ten volunteers were recruited for the study and were asked to draw each of the 12 patterns five different times on a custom app.
The researchers then tried a variety of sonar analysis techniques to reconstruct the password based on the acoustic signatures emitted by the phone. With the best analysis technique, the algorithm had to try only 3.6 of the 12 possible patterns on average before it correctly determined the pattern.
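
The "nearly 400,000" pattern count and the 70 percent figure can both be checked directly. The script below is an added example, not code from the researchers or the original article. It assumes the standard Android rules (4 to 9 distinct dots, no stroke may jump over an unvisited dot), and all function names are illustrative.

```python
# Added example: enumerate Android 3x3 unlock patterns.
# Assumed rules (not stated in the article): a pattern uses 4 to 9 distinct
# dots, and a stroke cannot pass over a dot that has not been visited yet.
# Dots are numbered row-major: 0 1 2 / 3 4 5 / 6 7 8.

def midpoint(a, b):
    """Return the dot exactly halfway between a and b, or None if there is none."""
    (ra, ca), (rb, cb) = divmod(a, 3), divmod(b, 3)
    if (ra + rb) % 2 == 0 and (ca + cb) % 2 == 0:
        return (ra + rb) // 2 * 3 + (ca + cb) // 2
    return None

def count_by_length():
    """Count valid strokes of every length 1..9 with a depth-first search."""
    counts = dict.fromkeys(range(1, 10), 0)

    def dfs(last, visited, length):
        counts[length] += 1
        for nxt in range(9):
            if visited >> nxt & 1:
                continue  # dot already used
            mid = midpoint(last, nxt)
            if mid is not None and not visited >> mid & 1:
                continue  # would jump over an unvisited dot
            dfs(nxt, visited | 1 << nxt, length + 1)

    for start in range(9):
        dfs(start, 1 << start, 1)
    return counts

def total_patterns(min_len=4, max_len=9):
    """Total valid patterns whose length lies in [min_len, max_len]."""
    counts = count_by_length()
    return sum(counts[n] for n in range(min_len, max_len + 1))

def search_reduction(avg_tries, candidates):
    """Fraction of the candidate set an attacker no longer has to try."""
    return 1 - avg_tries / candidates

if __name__ == "__main__":
    print("valid patterns:", total_patterns())
    print("reduction:", round(search_reduction(3.6, 12), 2))
```

The reduction applies only to the 12-pattern candidate set used in the study; choosing a pattern outside the common dozen keeps the search space close to the full count.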