Smartphones are equipped with an ever-growing number of sensors, including light and motion detectors and GPS location.
But some of the latest are so sensitive that outside hackers can determine a four-digit PIN pass code within a few tries, reports a team from Newcastle University in the latest International Journal of Information Security.
The PIN could be cracked on the first chance 74 percent of the time, and 100 percent of the time by the fifth attempt, they report.
“Most smartphones, tablets and other wearables are now equipped with a multitude of sensors, from the well-known GPS, camera and microphone to instruments such as the gyroscope, proximity, NFC, and rotation,” said Maryam Mehrnezhad, lead author. “But because mobile apps and websites don’t need to ask permission to access most of them, malicious programs can covertly ‘listen in’ on your sensor data and use it to discover a wide range of sensitive information about you such as phone call timing, physical activities and even your touch actions, PINs and passwords.”
The Newcastle team created a hacker program called “PINlogger.js.” The program took a look at four key sensors: device orientation, device acceleration, device acceleration including gravity and device rotation rate.
They then had 10 users enter in 250 PINs each. They were allowed to enter the four digits in whatever manner they would naturally do so: either with thumbs from both hands, one hand to hold the device and another to enter the code, or completely one-handed with a single thumb.
Each of the sensors (orientation, acceleration, etc.) was represented by six different “correlation values”—pairs which could zero in on how the phone was moving at the most minute level.
Within just a few attempts, the PINlogger.js program was able to correctly identify the entered PIN from a set of 50 different PINs.
As part of the study, they were also able to reconstruct what the user was scrolling, typing and browsing through.
“It’s a bit like doing a jigsaw—the more pieces you put together the easier it is to see the picture,” said Siamak Shahandashti, co-author. “Depending on how we type—whether you hold your phone in one hand and use your thumb, or perhaps hold with one hand and type with the other, whether you touch or swipe—the device will tilt in a certain way and it’s quite easy to start to recognize tilt patterns associated with ‘Touch Signatures’ that we use regularly.”
Limitations exist, however. They only used a set of 50 different PINs, since generally users don’t pick completely random sequences of four digits. Mathematically, there are 10,000 possible combinations of four digits from 0 to 9. The Newcastle team considered that 27 percent of all PINs used by people are among a set of 20 of the most common combinations, including “1111,” “1234,” or other simple (and hackable) sequences.
Previous studies have indicated that accelerometers and gyroscopes on mobile phones could be hijacked by hackers. But this latest study demonstrated the attack with a working program. The computer scientists from Britain said they have alerted Google and Apple, but no single fix has been found.
“It’s a battle between usability and security,” said Mehrnezhad. “One way would be to deny access to the browser altogether but we don’t want to lose all the benefits associated with built-in motion sensors.”
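As an added example, not code from the Newcastle study or PINlogger.js: a small Node.js audit that flags script source reading the four sensor channels named above (exposed to web pages through the devicemotion and deviceorientation events or the Generic Sensor API constructors), together with the Permissions-Policy header value that denies them, one form of the browser-side access denial the authors mention. The sample scripts are constructed, and the mapping of those channels onto the accelerometer and gyroscope policy features is an assumption about current Chromium behaviour.

```javascript
// Added example (not from the Newcastle study or PINlogger.js): a static audit
// that flags script source touching the motion-sensor channels the article
// lists, plus the Permissions-Policy value that denies them.

// Each sensor channel named in the study, mapped to the browser API surface
// that exposes it to page script (no permission prompt in older browsers).
const SENSOR_SIGNATURES = {
  'device orientation': [/\bdeviceorientation(absolute)?\b/, /\b(Absolute|Relative)OrientationSensor\b/],
  'device acceleration': [/\.acceleration\b(?!IncludingGravity)/, /\bLinearAccelerationSensor\b/],
  'acceleration including gravity': [/\.accelerationIncludingGravity\b/, /\bnew\s+Accelerometer\b/],
  'device rotation rate': [/\.rotationRate\b/, /\bnew\s+Gyroscope\b/],
};

// Return the sorted list of sensor channels that a script source reads.
function auditSensorAccess(source) {
  const hits = [];
  for (const [channel, patterns] of Object.entries(SENSOR_SIGNATURES)) {
    if (patterns.some((re) => re.test(source))) hits.push(channel);
  }
  return hits.sort();
}

// Permissions-Policy value a site can send to deny motion-sensor access to its
// own document and to every embedded frame. Assumption: Chromium gates the
// devicemotion/deviceorientation events on the accelerometer and gyroscope
// features, so denying those also silences the events.
function denySensorsPolicy() {
  return ['accelerometer', 'gyroscope', 'magnetometer'].map((f) => `${f}=()`).join(', ');
}

// Constructed samples: a benign scroll-tracking snippet and a covert logger
// that buffers all four channels the study used.
const BENIGN = `window.addEventListener('scroll', () => beacon('s', scrollY));`;
const COVERT = `
window.addEventListener('devicemotion', (e) => {
  buf.push([e.acceleration.x, e.accelerationIncludingGravity.z, e.rotationRate.alpha]);
});
window.addEventListener('deviceorientation', (e) => buf.push([e.beta, e.gamma]));
`;

console.log('benign script reads:', auditSensorAccess(BENIGN));
console.log('covert script reads:', auditSensorAccess(COVERT));
console.log('Permissions-Policy:', denySensorsPolicy());
```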