Researchers have discovered a disturbing new hacking method that turns your smartphone’s own sensors against you to steal your 4-digit PIN code.
All smartphones have a large number of in-built sensors.
These perform a variety of functions, such as helping your GPS and camera to work, and they also support background data gathering by apps.
Mostly they are benign and are vital to the working of the phone.
Most sensors do not require user permissions for storing data and are always open to apps seeking access. But research found that this open access could jeopardise the phone’s security.
Security analysts at a Singapore university showed how exploiting a phone's sensors, such as its gyroscope, enabled them to work out which number had been pressed by the user, based simply on how the phone was tilted and how much light was blocked by the user's thumb or fingers.
"When you hold your phone and key in the PIN, the way the phone moves when you press 1, 5, or 9 is very different.
Likewise, pressing 1 with your right thumb will block more light than if you pressed 9."
- Dr Shivam Bhasin, Senior Researcher, Nanyang Technological University
In the tests, the researchers used machine learning algorithms together with data gathered from six different sensors installed in a smartphone.
Using these, they were able to unlock Android smartphones with 99.5% precision in just three attempts.
The problem arises because apps do not need to ask your permission to access the sensors. Any malicious app can then use the sensor data to exploit your phone.
"Because mobile apps and websites don't need to ask permission to access them, malicious programs can covertly listen in on your sensor data and use it to discover a wide range of sensitive information about you such as phone call timing, physical activities and even your touch actions, PINs and passwords."
- Dr Maryam Mehrnezhad, Senior Researcher, Newcastle University
What to do now
To keep your smartphone and all that valuable personal and contact data safe, Dr Bhasin recommends that users set up PINs with more than four digits.
Combining a longer PIN with other validation techniques, such as one-time passwords, two-factor authentication, fingerprint recognition and facial recognition, would go a long way towards making your phone a harder target.