Smartphone motion sensors can give away your PINs and passwords

Researchers at the UK's Newcastle University have demonstrated how easy it is to steal a four-digit PIN by analysing how much your smartphone tilts as you type. The team of cyber researchers discovered that hackers can steal your four-digit PIN or passwords just by tracking the motion sensors on your smartphone.

Typing on a smartphone (be it in a web browser or an app) creates distinct patterns of movement that, if tracked, can easily reveal the four-digit PIN that you typed in. Researchers who tested this theory came up with surprising results. They were able to figure out a user's four-digit PIN 74 percent of the time on just the first guess, while the number rose to 94 percent by the third try, proving that it's not too hard to do so.

According to Maryam Mehrnezhad, the entry point for an attack was to detect the PIN via a JavaScript exploit, one that was delivered through the browser of the phone and would differ from platform to platform.

All an unsuspecting user has to do is click on a link with malicious software that would then relay the phone's motion sensor data in the background.

"Most smart phones, tablets, and other wearables are now equipped with a multitude of sensors, from the well-known GPS, camera and microphone to instruments such as the gyroscope, proximity, NFC, and rotation sensors and accelerometer."

"But because mobile apps and websites don't need to ask permission to access most of them, malicious programs can covertly 'listen in' on your sensor data and use it to discover a wide range of sensitive information about you such as phone call timing, physical activities and even your touch actions, PINs and passwords," she explained.

The research team first had to collect the data from people as they keyed in their PINs. The same data was then used to train a neural network, which was able to decipher the four-digit codes with "high accuracy".

Since the attack is platform-dependent and can be delivered through the browser, Popular Science reports that the team contacted tech giants like Apple and Google, and browsers like Firefox. Apple and Firefox delivered patches last year that would not let anyone collect sensor data; the same arrived in the iOS 9.3 update. A Google representative told Popular Science that its team is aware of the issue and is looking into it.


Published Date: Apr 12, 2017 05:25 pm | Updated Date: Apr 12, 2017 05:25 pm