
The sensors you didn’t know could betray you: accelerometers, gyros, light sensors, barometers.
Even if a device’s camera, mic, GPS, and apps are locked down, other “innocent” components can still leak a surprising amount of information. Accelerometers can reveal what you type or when you’re walking; gyroscopes can pick up low-frequency audio cues; ambient-light sensors can help infer PINs; barometers can quietly help track your location and even floor level. Mitigations include hardware kill-switches, rate-limiting and permissioning these sensors, and operational discipline (where you place devices and when you carry them).
Why “mechanical privacy” matters
Most of us think privacy = “don’t grant mic/camera/location permissions.” But modern phones, laptops, and wearables are packed with micro-electro-mechanical (MEMS) sensors that observe motion, light, and pressure. Many were historically exposed to apps without explicit user permission (or with lax defaults/sampling rates), which led researchers to demonstrate real attacks that recover keystrokes, track movement, and infer speech. These are side channels: information leaks from how hardware physically interacts with the world, not from the explicit data you thought you were sharing. (Android Open Source Project)
Below: how four common sensors become privacy risks—and what you can do about each.
1) Accelerometers: motion as a keylogger
What they do: Measure linear acceleration; used for step counting, screen rotation, and activity detection.
How they leak:
- Keystroke inference. A phone on the same desk as a keyboard can pick up vibrations from nearby typing; models then map patterns to likely keys/words. Early studies achieved striking accuracies under controlled conditions. (WIRED; netsec.ethz.ch)
- Touch/gesture inference. When you type a PIN or pattern on the device itself, motion traces can be learned to predict inputs. (ResearchGate)
Threat model notes:
- Works best when the device is stationary on a rigid surface that couples vibrations (e.g., a desk).
- Accuracy in the wild is lower than in lab demos, but proof-of-concepts show feasibility when an attacker controls malware or a malicious webpage/app that samples motion data. (PMC)
Mitigations:
- Keep phones off the desk while typing sensitive info on a PC.
- Prefer platforms that throttle background sensor sampling and gate motion data behind permissions. (Android Open Source Project)
- For high-risk contexts: use devices with hardware lockdown modes that depower inertial sensors. (Purism)
2) Gyroscopes: “listening” without the mic
What they do: Measure rotation; stabilize cameras, games, and UI orientation.
How they leak:
- Acoustic eavesdropping. MEMS gyros are sensitive to low-frequency air vibrations (<~200 Hz). Researchers showed a “Gyrophone” attack that identifies spoken digits and speaker traits using only gyroscope data—no microphone permission required. (USENIX; Black Hat; WIRED)
Threat model notes:
- Needs the device to be near the sound source; quality depends on sampling rates the OS exposes.
- Vendors have mitigated some risk by capping sensor rates and tightening access, but implementations vary by platform and browser. (WIRED)
Mitigations:
- Treat gyros like mics in sensitive meetings: remove devices from the room or enable a lockdown mode that cuts power to motion sensors. (Purism)
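The rate-capping mitigation that vendors apply to gyroscope and accelerometer streams is easy to see in code. The block below is an added illustration, not code from the page, from any platform vendor, or from the Gyrophone authors: a generic sample-rate limiter of the kind an OS or browser can place between the sensor and an app, together with the Nyquist limit that cap implies. The 400 Hz input stream is constructed, and the 60 Hz cap is an assumed value chosen to resemble the caps browsers apply, not a figure taken from any vendor’s documentation.

```javascript
// Added example: a sensor sample-rate limiter of the kind a platform can apply
// before handing motion data to an app or web page. Not code from the page,
// a vendor, or the Gyrophone authors; the input stream below is constructed.

// Highest frequency a stream sampled at rateHz can represent (Nyquist limit).
// A 200 Hz gyro can carry content up to 100 Hz; capped at 60 Hz, only 30 Hz.
function nyquistHz(rateHz) {
  return rateHz / 2;
}

// Returns a filter that passes a sample only if at least 1000/maxHz ms have
// elapsed since the last sample it passed. Faster samples are dropped, so a
// consumer sees at most maxHz samples per second regardless of how fast the
// hardware delivers them.
function makeRateLimiter(maxHz) {
  const minIntervalMs = 1000 / maxHz;
  let lastPassedMs = -Infinity;
  return function accept(sample) {
    if (sample.tMs - lastPassedMs < minIntervalMs) return false;
    lastPassedMs = sample.tMs;
    return true;
  };
}

// Apply the limiter to an array of {tMs, x, y, z} samples.
function throttleStream(samples, maxHz) {
  const accept = makeRateLimiter(maxHz);
  return samples.filter(accept);
}

// Constructed input: `seconds` of a hypothetical rateHz gyroscope stream.
// The axis values are synthetic; only the timestamps matter to the limiter.
function constructedStream(rateHz, seconds) {
  const out = [];
  const n = rateHz * seconds;
  for (let i = 0; i < n; i++) {
    const tMs = (i * 1000) / rateHz;
    out.push({ tMs, x: Math.sin(i), y: 0, z: 0 });
  }
  return out;
}

// Summary: how many samples survive the cap, the effective rate the consumer
// sees, and the highest frequency the capped stream can still represent.
function capReport(rawHz, maxHz, seconds = 1) {
  const raw = constructedStream(rawHz, seconds);
  const capped = throttleStream(raw, maxHz);
  return {
    rawSamples: raw.length,
    cappedSamples: capped.length,
    effectiveHz: capped.length / seconds,
    maxRepresentableHz: nyquistHz(maxHz),
  };
}

console.log(capReport(400, 60));
```

With a 400 Hz input and a 60 Hz cap, the consumer receives 58 samples per second and nothing above 30 Hz is recoverable, which is why capping rates blunts the low-frequency speech cues the Gyrophone work relied on; the cap does nothing about the other leaks on this page (typing vibrations and tilts sit well below it), so it complements rather than replaces permission gating.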
3) Ambient-light sensors: PINs from screen glints
What they do: Adjust screen brightness and aid power saving by reading surrounding light intensity and color.
How they leak:
- PIN inference via device tilts. Small, unconscious tilts while tapping digits change incident light; with training, an attacker can rank likely PINs from sensor streams. Proof-of-concepts demonstrated significant success rates vs. random guessing. (arXiv)
Threat model notes:
- Requires malicious code (web or app) with access to the light sensor feed; performance depends on environment lighting and sensor precision.
Mitigations:
- Limit or revoke websites’/apps’ access to motion & light sensors; newer browsers/OSes increasingly gate these APIs.
- Use screen privacy filters and cover proximity/light sensors when feasible (at the cost of auto-brightness). (Android Open Source Project)
4) Barometers: turning air pressure into location
What they do: Measure air pressure; useful for weather apps and accurate step/floor counting.
How they leak:
- Route reconstruction without GPS. The PinMe system fused barometer, accelerometer, and non-sensory metadata (e.g., IP, time) with public maps to track users with GPS disabled, and to infer which floor they’re on. (arXiv; oar.princeton.edu)
Threat model notes:
- Works best when attackers can combine pressure data with auxiliary information (maps, transit timetables) or other sensors.
Mitigations:
- Restrict barometer and motion sensor access in background apps; audit which fitness/weather apps truly need continuous access. (Android Open Source Project)
But I already “locked down” my phone—am I safe?
Not entirely. Traditional toggles (mic/camera off, GPS off) don’t necessarily affect inertial, light, or pressure sensors, unless your device/OS includes a system-wide lockdown that physically cuts power. Privacy-focused phones like the Purism Librem 5 and PinePhone ship hardware kill switches; Librem’s “Lockdown Mode” also depowers GNSS, IMU (accelerometer/gyro), and ambient-light/proximity sensors, leaving a usable mini-computer with radios and sensors truly off. (Purism; PINE64)
Practical defenses (ranked by effort)
- Change your habits (zero cost)
  - Don’t place a phone on your desk while entering passwords on a separate keyboard. (WIRED)
  - In sensitive meetings, remove phones and wearables from the room, or put them in a lockbox or Faraday pouch (which blocks RF, not motion sensing) outside the door.
  - Disable “always-on” wellness tracking unless required.
- Tighten software settings (low cost)
  - On Android/iOS and in browsers, deny or limit access to motion/light sensors for most apps/sites; prefer “While Using” access and disable background sampling where possible. (Android Open Source Project)
  - Keep OS/browsers up to date to benefit from sampling-rate caps and API permission prompts introduced after sensor-leak research. (WIRED)
- Use privacy-centric hardware (medium cost)
  - Consider devices with physical kill switches that cut power to radios and (ideally) sensors. Verify what each switch actually disables. (Purism)
  - For laptops/desktops, external USB mic/cam cutoffs and hardware mute switches are preferable to software toggles.
- Operational security for high-risk roles (higher effort)
  - Adopt two-device patterns: one everyday phone; one hardened, sensor-locked device for sensitive travel/meetings.
  - Use secure meeting rooms with device-free zones and white-noise/sound-masking.
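Browser gating of these APIs has a site-side counterpart: a site can tell the browser, via the Permissions-Policy response header, that its own pages and every embedded third-party frame get no access to the motion and light sensors. The block below is an added example, not code from the page or from any browser vendor, that audits such a header for the four sensor features browsers expose (`accelerometer`, `gyroscope`, `magnetometer`, `ambient-light-sensor`, which are the real Permissions-Policy feature names) and builds the value that denies all of them. The sample header and the `widgets.example` origin are constructed; barometers have no web API, so there is nothing to gate for them in a browser.

```javascript
// Added example: auditing a site's Permissions-Policy header for the sensor
// features browsers expose. Not code from the page or from any browser vendor.
// Feature names are the real Permissions-Policy tokens; the header values
// below are constructed samples.

const SENSOR_FEATURES = [
  "accelerometer",
  "gyroscope",
  "magnetometer",
  "ambient-light-sensor",
];

// Parse "feature=(allowlist), feature=*, feature=()" into a Map of
// feature -> allowlist tokens. "*" and "self" are kept as tokens, quoted
// origins have their quotes stripped, and an empty list means denied.
function parsePermissionsPolicy(headerValue) {
  const policy = new Map();
  if (!headerValue) return policy;
  for (const directive of headerValue.split(",")) {
    const trimmed = directive.trim();
    if (!trimmed) continue;
    const eq = trimmed.indexOf("=");
    if (eq === -1) continue; // malformed directive: ignore it
    const feature = trimmed.slice(0, eq).trim();
    let value = trimmed.slice(eq + 1).trim();
    if (value.startsWith("(") && value.endsWith(")")) {
      value = value.slice(1, -1).trim();
    }
    const tokens = value === ""
      ? []
      : value.split(/\s+/).map((t) => t.replace(/^"|"$/g, ""));
    policy.set(feature, tokens);
  }
  return policy;
}

// Classify one sensor feature:
//   "denied"         empty allowlist, nobody gets the sensor
//   "self-only"      only the site's own origin
//   "shared"         "*" or named third-party origins are allowed
//   "not-restricted" the site sends no directive, so the browser's own
//                    default allowlist applies and the site adds no limit
function classify(policy, feature) {
  if (!policy.has(feature)) return "not-restricted";
  const tokens = policy.get(feature);
  if (tokens.length === 0) return "denied";
  if (tokens.length === 1 && tokens[0] === "self") return "self-only";
  return "shared";
}

// Audit: feature -> status for each sensor feature.
function auditSensorPolicy(headerValue) {
  const policy = parsePermissionsPolicy(headerValue);
  const report = {};
  for (const f of SENSOR_FEATURES) report[f] = classify(policy, f);
  return report;
}

// Header value that denies all four sensor features to the site's own frames
// and to every embedded third-party frame.
function sensorDenyPolicy() {
  return SENSOR_FEATURES.map((f) => `${f}=()`).join(", ");
}

// Constructed sample header: accelerometer denied, gyroscope restricted to the
// site's own origin, magnetometer shared with an embedded (hypothetical)
// origin, and ambient-light-sensor left unmentioned.
const SAMPLE_HEADER =
  'accelerometer=(), gyroscope=(self), magnetometer=(self "https://widgets.example"), camera=*';

console.log(auditSensorPolicy(SAMPLE_HEADER));
console.log("Hardened header:", sensorDenyPolicy());
```

Run against a site’s real response headers, anything reported as `shared` or `not-restricted` is a feature an embedded script or iframe may still be able to sample; the hardened value from `sensorDenyPolicy()` is what a site that never needs motion or light data should send.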
Sensor-by-sensor quick reference
| Sensor | Typical purpose | What can leak | Real-world demos | Mitigations |
|---|---|---|---|---|
| Accelerometer | Screen rotation, steps | Nearby keyboard keystrokes; on-device PIN patterns | ACCessory, desk-typing keyloggers | Keep phone off the desk; throttle/permission motion APIs; hardware lockdown. (netsec.ethz.ch) |
| Gyroscope | Rotation/orientation | Low-freq speech cues (digits, gender) | Gyrophone (USENIX ’14) | Remove devices during sensitive talks; OS caps; hardware lockdown. (USENIX) |
| Ambient-light | Auto-brightness | PIN inference via tiny tilts and luminance changes | PIN Skimming via ALS | Gate sensor access; cover sensor when needed. (arXiv) |
| Barometer | Altitude/floors | Route & floor tracking without GPS | PinMe | Restrict background access; audit app needs. (arXiv) |
A realistic risk assessment
- These attacks often need malware on the device or a malicious webpage with sensor access—and many require training data per device/user/environment.
- However, they prove feasibility and have driven platform changes. If you’re a journalist, executive, activist, or anyone facing targeted threats, treat these as practical risks, not curiosities. (PMC)
The mechanical-privacy checklist
- Device placement: keep phones off desks during sensitive typing. (WIRED)
- Meeting protocol: no personal electronics in confidential rooms; if that’s impossible, enable sensor lockdown (airplane mode ≠ sensor off). (Purism)
- App diet: ruthlessly uninstall apps you don’t need; deny motion/light access by default. (Android Open Source Project)
- Hardware options: prefer devices with kill switches; know exactly what they cut (radios only vs. radios + sensors). (Purism)
- Update everything: OS and browsers ship mitigations over time (sampling caps, API prompts). (WIRED)
© Jeremy Abram — JeremyAbram.net.