Smartphones are increasingly powerful devices, with all manner of functions built into them, from gyroscopes to accelerometers. Whilst these features are undoubtedly useful, a recent paper argues that they represent a fundamental security risk as well.
The researchers gathered readings from six sensors built into a smartphone and fed them to a classifier that recovered the PINs used to unlock a range of Android handsets with near-complete success within three attempts, even on phones with fairly robust security defences.
The team were able to infer from the sensor readings which PIN digits had been pressed. Each keypress changes how the phone tilts and how much light the fingers block, and those changes differ from key to key, so the digits could be recovered from the traces.
Flawed security
Whilst this probably isn’t a method of hacking that the average person could use, it does nonetheless highlight a flaw in smartphone security. All it took was an installed app that could read six sensors: accelerometer, gyroscope, magnetometer, proximity sensor, barometer, and ambient light sensor.
“When you hold your phone and key in the PIN, the way the phone moves when you press 1, 5, or 9, is very different. Likewise, pressing 1 with your right thumb will block more light than if you pressed 9,” the researchers say.
The team trained their algorithm on data from just three people, each of whom entered a random set of around 70 different four-digit PINs on their phone. The algorithm assigned a weighting to each sensor according to how strongly its readings distinguished the digit being pressed.
Despite each participant using a slightly different technique when entering their PIN, the algorithm was still able to identify it accurately from the sensor data. The researchers believe their work highlights how even seemingly innocuous side channels can be used to break into our devices and extract sensitive PIN and password information.
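To make that pipeline concrete, the following Python is an added example, not the researchers' code: it simulates sensor readings for each keypress with a constructed, deliberately simple model (tilt follows the key's column and row, ambient light falls as the thumb reaches for the top-left keys, and a barometer carries no signal at all), fits per-digit centroids from three simulated users entering 70 random PINs each, weights each sensor by how well it separates the digits, and then ranks all 10,000 four-digit PINs for a fourth, unseen user. The keypad geometry, sensor model, noise levels and every function name are assumptions.

```python
# Toy reconstruction of the sensor side channel: constructed example with
# synthetic readings, not the researchers' code or data.
import itertools
import math
import random
from collections import defaultdict

# Assumed keypad: 3 columns x 4 rows, with '0' centred on the bottom row.
KEYPAD = {"1": (0, 0), "2": (0, 1), "3": (0, 2),
          "4": (1, 0), "5": (1, 1), "6": (1, 2),
          "7": (2, 0), "8": (2, 1), "9": (2, 2),
          "0": (3, 1)}
DIGITS = sorted(KEYPAD)
FEATURES = ("tilt_x", "tilt_y", "light", "barometer")  # order of each sample vector

def simulate_press(digit, bias, rng):
    """Constructed sensor model for one keypress: the phone rocks toward the thumb,
    the light sensor is covered more for top-left keys, the barometer ignores
    fingers entirely. `bias` is a per-user offset standing in for holding style."""
    row, col = KEYPAD[digit]
    tilt_x = (col - 1) + bias[0] + rng.gauss(0, 0.35)
    tilt_y = (row - 1.5) + bias[1] + rng.gauss(0, 0.35)
    light = 100.0 - 12.0 * (3 - row) - 6.0 * (2 - col) + bias[2] + rng.gauss(0, 5.0)
    barometer = 1013.0 + rng.gauss(0, 0.3)
    return (tilt_x, tilt_y, light, barometer)

def fit(samples):
    """Per-digit centroids plus one weight per sensor: the Fisher ratio (variance of
    the digit centroids over pooled within-digit variance), so a sensor that does
    not react to which key was pressed contributes almost nothing to the distance."""
    by_digit = defaultdict(list)
    for digit, vec in samples:
        by_digit[digit].append(vec)
    n = len(FEATURES)
    centroids, within = {}, [0.0] * n
    for digit, vecs in by_digit.items():
        mu = [sum(v[i] for v in vecs) / len(vecs) for i in range(n)]
        centroids[digit] = mu
        for v in vecs:
            for i in range(n):
                within[i] += (v[i] - mu[i]) ** 2
    within_var = [w / max(len(samples) - len(by_digit), 1) for w in within]
    grand = [sum(c[i] for c in centroids.values()) / len(centroids) for i in range(n)]
    between_var = [sum((c[i] - grand[i]) ** 2 for c in centroids.values()) / len(centroids)
                   for i in range(n)]
    return {"centroids": centroids,
            "weights": [b / w if w > 0 else 0.0 for b, w in zip(between_var, within_var)],
            "scale": [math.sqrt(w) if w > 0 else 1.0 for w in within_var]}

def digit_log_probs(model, vec):
    """Log-probability of each digit for one keypress (softmax over weighted distance)."""
    scores = {}
    for digit, mu in model["centroids"].items():
        dist = sum(w * ((x - m) / s) ** 2
                   for w, x, m, s in zip(model["weights"], vec, mu, model["scale"]))
        scores[digit] = -0.5 * dist
    top = max(scores.values())
    lse = top + math.log(sum(math.exp(s - top) for s in scores.values()))
    return {d: s - lse for d, s in scores.items()}

def rank_pins(model, presses, top=3):
    """Score every PIN of the observed length and return the `top` best guesses."""
    per_pos = [digit_log_probs(model, vec) for vec in presses]
    scored = ((sum(lp.get(d, -50.0) for lp, d in zip(per_pos, pin)), "".join(pin))
              for pin in itertools.product(DIGITS, repeat=len(presses)))
    return [pin for _, pin in sorted(scored, reverse=True)[:top]]

def collect(users, pins_per_user, rng):
    """Simulate each user entering random 4-digit PINs; return (digit, vector) pairs."""
    samples = []
    for bias in users:
        for _ in range(pins_per_user):
            for digit in (rng.choice(DIGITS) for _ in range(4)):
                samples.append((digit, simulate_press(digit, bias, rng)))
    return samples

def random_bias(rng):
    """Constructed per-user holding-style offsets (tilt_x, tilt_y, light)."""
    return (rng.gauss(0, 0.06), rng.gauss(0, 0.06), rng.gauss(0, 1.5))

def run_experiment(seed=7, train_users=3, pins_per_user=70, test_pins=40):
    """Train on `train_users` people, attack an unseen user, report the top-3 hit rate."""
    rng = random.Random(seed)
    model = fit(collect([random_bias(rng) for _ in range(train_users)], pins_per_user, rng))
    victim = random_bias(rng)
    hits = 0
    for _ in range(test_pins):
        pin = "".join(rng.choice(DIGITS) for _ in range(4))
        presses = [simulate_press(d, victim, rng) for d in pin]
        hits += pin in rank_pins(model, presses, top=3)
    return {"weights": dict(zip(FEATURES, model["weights"])), "top3_rate": hits / test_pins}

if __name__ == "__main__":
    result = run_experiment()
    print({k: round(v, 2) for k, v in result["weights"].items()})
    print(f"victim PIN within 3 guesses: {result['top3_rate']:.0%}")
```

Running it prints a weight per sensor and the share of the unseen user's PINs recovered within three guesses. The point to notice is the weights: the barometer, which reacts to weather rather than fingers, ends up with a weight close to zero, while tilt and light dominate, which is the importance weighting the article describes. The model never saw the victim during training, so the remaining accuracy comes from keypress geometry that is shared across people rather than from any one user's habits.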
“Along with the potential for leaking passwords, we are concerned that access to phone sensor information could reveal far too much about a user’s behaviour. This has significant privacy implications that both individuals and enterprises should pay urgent attention to,” the team explain.
At the moment, no permission is required to access the six sensors used in the research, and it’s a hole that the researchers believe operating system vendors need to plug.
In the meantime, the researchers urge users to make their PINs as complex as possible, and certainly longer than four digits. Coupling this with additional authentication methods, whether one-time passwords, facial recognition, two-factor authentication or fingerprint analysis, is better still.