Singapore researchers used sensor information freely available to any mobile app to unlock Android phones in only three tries
Researchers in Singapore have demonstrated a machine learning technique that could allow hackers to accurately determine a smartphone’s access code in three guesses, based on information collected from the device’s sensors.
The Nanyang Technological University (NTU) study collected data from six Android smartphone sensors as three users entered a set of 70 randomly selected, four-digit passcodes, and used a machine-learning algorithm to analyse how the phone tilted or how much light was blocked by the user’s hand as each digit was pressed.
The system was able to unlock an Android smartphone with a 99.5 percent accuracy rate in only three tries, when used on a phone that was protected using one of the 50 most common four-digit access codes.
Researchers said the system could be expanded to work on all the possible combinations of four-digit numbers.
Their study is similar to one published by Newcastle University last year, which achieved 70 percent accuracy on the first try, rising to 100 percent in five guesses.
In both cases, researchers collected data from phone sensors, with the NTU Singapore study using information from the phone’s accelerometer, gyroscope, magnetometer, proximity sensor, barometer, and ambient light sensor.
“When you hold your phone and key in the PIN, the way the phone moves when you press 1, 5, or 9, is very different,” stated Dr. Shivam Bhasin, who worked on the 10-month project with David Berend and Dr. Bernhard Jungk.
Both studies highlight the way seemingly unimportant sensor information can be used to crack even critical security protections.
The sensors used in the NTU study require no permissions to be granted by the phone’s user, and as such their data is available to any app installed on the device.
Automated PIN cracking
As a result, the researchers said, a malicious app could conceivably be built to collect code-entry data from thousands of users over a period of time and analyse it to the point of being able to reliably crack the code protecting any given handset.
NTU urged phone makers to place more restrictions on how apps can access sensor data.
“Along with the potential for leaking passwords, we are concerned that access to phone sensor information could reveal far too much about a user’s behaviour,” stated NTU professor Gan Chee Lip.
Researchers also recommended the use of passcodes with more than four digits and extra protective measures such as fingerprint sensors, two-factor authentication or one-time passwords.