University researchers have devised a method of stealing a smartphone user's PIN from the motion and orientation sensor data the phone generates while the PIN is being typed. They report a 74 percent success rate in recovering four-digit PINs on the first attempt.
April 7, 2017 , 11:50 am
“Despite the threat, the research shows that people are unaware of the risks and most of us have little idea what the majority of the twenty-five different sensors available on current smartphones do,” wrote Maryam Mehrnezhad, research fellow in the School of Computing Science at Newcastle University and lead author of the report.
“We assume that the user has loaded the malicious web content in the form of an iframe, or another tab while working with the mobile browser,” wrote researchers. “At this point, the attack code has already started listening to the sensor sequences from the user’s interaction with the phone.”
“Depending on how we type – whether you hold your phone in one hand and use your thumb, or perhaps hold with one hand and type with the other, whether you touch or swipe – the device will tilt in a certain way and it’s quite easy to start to recognize tilt patterns associated with ‘Touch Signatures’ that we use regularly,” wrote Siamak Shahandashti, a senior research associate in the School of Computing Science and co-author of the study.
(Figure: the different input methods users employ to enter a PIN, e.g. one-handed thumb typing versus holding with one hand and typing with the other.)
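To make the two quotations above concrete, here is an added illustration (written for this article, not the Newcastle researchers' own code) of the two halves of such an attack: a page-level listener that records `devicemotion` events, and an offline step that cuts the recorded accelerometer stream into per-keypress windows and extracts the tilt of each one. The threshold, the constructed sample stream and the helper names are assumptions made for the demonstration; the paper's classifier, which maps such features to digits, is not reproduced.

```javascript
// Added illustration for this article (not the researchers' code): a page-level
// sensor logger of the kind the paper describes, plus an offline "touch
// segmenter" that splits a recorded accelerometer stream into per-keypress
// windows and reports the tilt of each. Threshold values and the sample stream
// at the bottom are constructed for the demonstration.

// 1. In-page logger. On the 2017 browsers the article discusses, no permission
//    prompt stood between a page and these events, and on some of them the
//    events kept arriving while the page sat in a background tab or iframe.
const recorded = [];
function startListening(target) {
  target.addEventListener('devicemotion', (e) => {
    const a = e.accelerationIncludingGravity;
    if (a) recorded.push({ t: e.timeStamp, x: a.x, y: a.y, z: a.z });
  });
}
if (typeof window !== 'undefined') startListening(window); // skipped under Node

// 2. Offline processing of a recorded stream (samples are {x, y, z} in m/s^2).
function magnitude(s) {
  return Math.hypot(s.x, s.y, s.z);
}

// Median magnitude approximates the phone at rest (gravity only).
function restingMagnitude(samples) {
  const m = samples.map(magnitude).sort((a, b) => a - b);
  const mid = m.length >> 1;
  return m.length % 2 ? m[mid] : (m[mid - 1] + m[mid]) / 2;
}

// A touch is a maximal run of samples whose magnitude deviates from rest by
// more than `threshold` (m/s^2, assumed value). Returns index ranges.
function segmentTouches(samples, threshold) {
  const rest = restingMagnitude(samples);
  const touches = [];
  let start = -1;
  samples.forEach((s, i) => {
    const active = Math.abs(magnitude(s) - rest) > threshold;
    if (active && start < 0) start = i;
    if (!active && start >= 0) {
      touches.push({ start, end: i - 1 });
      start = -1;
    }
  });
  if (start >= 0) touches.push({ start, end: samples.length - 1 });
  return touches;
}

// Per-touch feature: mean x/y acceleration over the window, i.e. which way the
// device tilted during that keypress. The paper trains a classifier on
// features of this kind; here we only extract them.
function touchFeatures(samples, touch) {
  const win = samples.slice(touch.start, touch.end + 1);
  const mean = (k) => win.reduce((acc, s) => acc + s[k], 0) / win.length;
  return { meanX: mean('x'), meanY: mean('y') };
}

// Whole pipeline: recorded stream -> one tilt feature vector per touch.
function extractTouchTilts(samples, threshold = 0.3) {
  return segmentTouches(samples, threshold).map((t) => touchFeatures(samples, t));
}

// Constructed stream (not real sensor data): phone flat at rest, then two
// keypresses that tilt it in opposite directions along the x axis.
const rest = { x: 0, y: 0, z: 9.8 };
const pressA = { x: 2, y: 1, z: 10 };
const pressB = { x: -2, y: 1, z: 10 };
const demoStream = [rest, rest, rest, pressA, pressA, rest, rest, rest, pressB, pressB, rest, rest];

if (typeof window === 'undefined') {
  console.log(JSON.stringify(extractTouchTilts(demoStream)));
  // [{"meanX":2,"meanY":1},{"meanX":-2,"meanY":1}]
}
```

The practitioner's check is at the listener end, not the classifier: whether a page that is not in the foreground still receives these events is exactly what differed between browsers in the study. Browser behaviour has since moved on from the 2017 situation the article reports: current Chrome delivers motion and orientation events to a cross-origin iframe only if the embedding page grants the accelerometer and gyroscope features through Permissions-Policy (the `allow` attribute), and Safari on iOS 13 and later requires a user-gesture call to `DeviceMotionEvent.requestPermission()` before any events arrive.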
The researchers point out that most users worry about obvious sensors such as the camera or GPS and do not regard less obvious ones, such as the accelerometer and gyroscope that report the phone's motion and orientation, as a threat.
“On some browsers, we found that if you open a page on your phone or tablet which hosts one of these malicious codes and then open, for example, your online banking account without closing the previous tab, then they can spy on every personal detail you enter,” Mehrnezhad said.
The same held for a locked phone: on some browsers the page kept receiving sensor data while the screen was locked, so a malicious app or website could capture the PIN used to unlock the device.
Researchers said they have contacted browser vendors alerting them to the possible attack scenario.
“As the result of the research, some of the mobile browser vendors such as Mozilla Firefox and Apple Safari have partially fixed the problem,” the researchers noted.
As for Google, it’s unclear what measures have been taken. “Our concern is confirmed by members in the Google Chromium team, who also believe that the issue remains unresolved,” the report stated. Google did not reply to a request to comment for this report.
Researchers suggest users change their PINs and passwords regularly. They also recommend closing background apps and browsers when you are not using them.
“Keep your phone operating system and apps up to date. Only install applications from approved app stores. Audit the permissions that apps have on your phone,” the report recommends.