Security

Hackers Can ‘Crack’ Your PIN By Exploiting Smartphone Sensor Data

Sam Pudwell joined Silicon UK as a reporter in December 2016. As well as being the resident Cloud aficionado, he covers areas such as cyber security, government IT and sports technology, with the aim of going to as many events as possible.

By monitoring sensor data, criminals web pages and malicious apps could potentially guess PINs to a surprising degree of accuracy

Researchers at Newcastle University have suggested that hackers are able to steal PIN numbers simply by tracking the angle and motion of a user’s phone when he or she is typing.

By monitoring sensor data, which has grown massively as a result of the boom in mobile gaming and health and fitness apps over the last few years, criminals could potentially guess PINs to a surprising degree of accuracy.

The same is also true for malicious websites and installed apps, both of which are able to spy on users using the information collected by the plethora of motion sensors now commonly present in mobile devices.

using smartphone mobile phone

Sensor threat

Amazingly, the research team was able to crack four-digit PINs with a 70 percent accuracy on the first guess and 100 percent accuracy by the fifth guess, highlighting the threats posed by internal sensors.

The majority of people have little idea of what the multiple sensors on modern smartphones – including the likes of an accelerometer, gyroscope, digital compass and proximity sensor – actually do, making them an interesting avenue for criminals to exploit.

“Most smartphones, tablets, and other wearables are now equipped with a multitude of sensors, from the well-known GPS, camera and microphone to instruments such as the gyroscope, proximity, NFC, and rotation sensors,” said Dr Maryam Mehrnezhad, a Research Fellow in the School of Computing Science at Newcastle University.

“But because mobile apps and websites don’t need to ask permission to access most of them, malicious programs can covertly ‘listen in’ on your sensor data and use it to discover a wide range of sensitive information about you such as phone call timing, physical activities and even your touch actions, PINs and passwords.

“More worrying, on some browsers, we found that if you open a page on your phone or tablet which hosts one of these malicious code and then open, for example, your online banking account without closing the previous tab, then they can spy on every personal detail you enter. And worse still, in some cases, unless you close them down completely, they can even spy on you when your phone is locked.”

The study found that each user action, such as clicking, scrolling or tapping, produces a unique orientation and motion, which can then be pieced together to determine where the user is clicking and what he or she is typing.

All the major browser providers have been informed, but no-one has yet been able to come up with a solution.

Quiz: The world of mobile apps