"The motion sensors embedded in smartphones could offer attackers a way to infer security PINs, researchers at Newcastle University have discovered.
Today’s smartphones come stuffed with these sensors: well-known ones such as GPS, camera, microphone and fingerprint readers, but also accelerometers, gyroscopes, ambient light sensors, magnetometers, proximity sensors, barometers, thermometers, and air humidity sensors – to name only a few of the estimated 25 in the best-equipped models.
That’s a lot of data for a rogue app or malicious website to aim at, much of which is not covered by any consistent permissions or notifications system.
The Newcastle University study focused on the sensors that record a device’s orientation, motion and rotation which, the team theorised, could be used to reveal specific touch actions.
The methodology involved 10 smartphone users entering 50 four-digit test PINs five times each on a webpage, which provided data to train the neural network used to guess the PINs.
In the event, the network guessed the correct PIN on its first try an impressive 70% of the time. By the fifth guess, the success rate reached 100%.
For comparison, the team reckons a random guess of a four-digit PIN (from 10,000 possibilities) would have a probability of being right only 2% of the time on the first occasion and 6% of the time by guess three.
That’s an impressive guessing rate – so should smartphone users be worried?
In the short term, not really. Training the neural network to reach this level of accuracy required a large amount of training data – 250 PINs per targeted user – on which to base its inferences about which keys individuals had touched.
Gathering each of those PINs could only be achieved under specific conditions, such as if an attacker were running a rogue app or had lured the user to a website running malicious JavaScript code in a tab that remained open while they entered a PIN in another site.
Under real-world conditions this would be pretty hard to pull off. In any case, the team points out, up to a quarter of smartphone users choose PINs from a predictable set of 20 common sequences such as 1234, 0000, or 1000, so advanced neural PIN guessing might be overkill.
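To put the 70% first-try and 100% fifth-try figures next to what a guesser achieves with no sensor data at all, here is an added example (not code from the article or from the Newcastle study). It assumes the 2% and 6% random-guess figures quoted above refer to drawing from the study's 50 test PINs (1/50 and 3/50), and it adds a two-tier population model of my own built from the figures in this paragraph: a quarter of users pick from a list of 20 common sequences, everyone else picks uniformly from the rest of the 10,000 four-digit PINs. A six-digit space is included for comparison.

```javascript
// Added example, not code from the article or from the Newcastle study:
// baseline PIN-guessing success rates to set beside the 70% (first try)
// and 100% (fifth try) reported for the sensor-trained network.

// Probability that k distinct, uniformly random guesses over n candidate
// PINs include the right one (guessing without replacement): k / n.
function randomGuessSuccess(k, n) {
  if (k <= 0) return 0;
  return Math.min(k, n) / n;
}

// Two-tier population model (an assumption of this example) built from the
// article's figures: a share `commonShare` of users pick uniformly from a
// list of `commonSize` well-known PINs; everyone else picks uniformly from
// the remaining `space - commonSize` PINs. The guesser tries the common
// list first, then the rest at random.
function dictionaryThenRandom(k, { commonShare, commonSize, space }) {
  if (k <= 0) return 0;
  if (k <= commonSize) return commonShare * (k / commonSize);
  const restSpace = space - commonSize;
  const restHit = Math.min(k - commonSize, restSpace) / restSpace;
  return commonShare + (1 - commonShare) * restHit;
}

// Figures given in the text: a quarter of users choose from 20 common
// sequences, out of the 10,000 possible four-digit PINs.
const ARTICLE_MODEL = { commonShare: 0.25, commonSize: 20, space: 10000 };

// Sensor-trained network results as reported (attempt number -> success
// rate); the text gives only the first and fifth attempts.
const REPORTED_SENSOR_RESULTS = { 1: 0.70, 5: 1.0 };

// One row per number of attempts, so the curves can be read side by side.
function successTable(attempts = [1, 3, 5, 20]) {
  return attempts.map(k => ({
    attempts: k,
    // random guess among the study's 50 test PINs: reproduces 2% and 6%
    randomAmong50TestPins: randomGuessSuccess(k, 50),
    randomAmongAll4Digit: randomGuessSuccess(k, 10000),
    commonListFirst: dictionaryThenRandom(k, ARTICLE_MODEL),
    randomAmongAll6Digit: randomGuessSuccess(k, 1000000),
    sensorTrained: k in REPORTED_SENSOR_RESULTS ? REPORTED_SENSOR_RESULTS[k] : null,
  }));
}

// Print the comparison when run directly with Node (skipped under ESM).
if (typeof require !== 'undefined' && require.main === module) {
  console.table(successTable());
}
```

Reading the table: trying the 20 common PINs first gets a guesser to 25% only after 20 attempts, and a blind guess over the full four-digit space is at 0.05% after five, so the sensor-trained network's 70% on the first attempt is a very different order of magnitude even though it costs far more to set up.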
What the study tells us is that how someone holds, clicks, scrolls and taps on a smartphone generates data that is not as indecipherable or random as people probably think it is.
The study’s lead author, Dr Maryam Mehrnezhad, said: "We all clamour for the latest phone with the latest features and better user experience but because there is no uniform way of managing sensors across the industry they pose a real threat to our personal security."
One solution would be to extend sensor permissions so that users can see when a malicious site or app is accessing them. But there are now so many sensors inside smartphones that this might lead to notification overload.
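Browser-level sensor permissions are up to the browser vendors, but a site that takes PINs or similar input can already limit what scripts running in its own pages may read. The following is an added example, not code from the article or the study: it builds the standard Permissions-Policy header (and the older Feature-Policy form) that disables the accelerometer, gyroscope and magnetometer features for a page and any frames it embeds, and applies it to a stand-in response object constructed here. The feature names are the ones defined in the Permissions-Policy specification; the `applySensorPolicy` and `demo` helpers are this example's own.

```javascript
// Added example, not from the article: HTTP response headers a web site
// can send so that the motion-sensor APIs (accelerometer, gyroscope,
// magnetometer) are unavailable to scripts on its pages, including
// third-party scripts and any frames it embeds.

// Feature names as defined for the Permissions-Policy header.
const MOTION_SENSOR_FEATURES = ['accelerometer', 'gyroscope', 'magnetometer'];

// allowlist: feature -> list of origins allowed to use it. An empty list
// disables the feature for every origin, the page's own included; 'self'
// is the token for the page's own origin; '*' means any origin.
function permissionsPolicyHeader(allowlist) {
  return Object.entries(allowlist)
    .map(([feature, origins]) => {
      const tokens = origins
        .map(o => (o === 'self' || o === '*' ? o : `"${o}"`))
        .join(' ');
      return `${feature}=(${tokens})`;
    })
    .join(', ');
}

// Same policy in the older Feature-Policy syntax, for browsers that only
// understand that header.
function featurePolicyHeader(allowlist) {
  return Object.entries(allowlist)
    .map(([feature, origins]) => {
      const tokens = origins.length === 0
        ? "'none'"
        : origins.map(o => (o === 'self' ? "'self'" : o)).join(' ');
      return `${feature} ${tokens}`;
    })
    .join('; ');
}

// Deny every listed feature to every origin.
function denyAll(features) {
  return Object.fromEntries(features.map(f => [f, []]));
}

// Weak setting: send no policy, so the browser default applies and, in
// browsers that expose these APIs without a prompt, any script in the
// page may subscribe to motion events while a PIN is being typed.
// Corrected setting: deny the motion sensors outright on such pages.
function applySensorPolicy(res, allowlist = denyAll(MOTION_SENSOR_FEATURES)) {
  // `res` is anything with a Node-style setHeader(name, value), e.g. an
  // http.ServerResponse or an Express response (assumption of this example).
  res.setHeader('Permissions-Policy', permissionsPolicyHeader(allowlist));
  res.setHeader('Feature-Policy', featurePolicyHeader(allowlist));
  return res;
}

// Demonstration against a stand-in response object (constructed here, so
// the example runs without starting a server).
function demo() {
  const headers = {};
  applySensorPolicy({ setHeader: (name, value) => { headers[name] = value; } });
  return headers;
}
```

The resulting `Permissions-Policy: accelerometer=(), gyroscope=(), magnetometer=()` only governs the pages that send it: it stops an embedded widget or injected script on a PIN-entry page from reading the sensors, but it does nothing about a malicious page open in another tab, which is the scenario described above and can only be addressed by the browser itself.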
The team’s other suggestions – change PINs regularly, check app permissions before installation, close background tabs and apps – are sound but unlikely to make much impression on the average smartphone user if the history of security advice is anything to go by.
Alternatively, people could simply use longer PINs or, better still, the industry could ditch them altogether (as is being done elsewhere) in favour of better security options. Users like PINs, but as the punchline goes, their days are surely numbered."
Source: John E Dunn, nakedsecurity.sophos.com