Tilted device could pinpoint pin number for hackers, study claims
Researchers were able to guess four-digit code with 70% accuracy at first attempt and 100% at fifth from how device held
By Alex Hern
Apr 11 2017
Hackers could steal mobile phone users’ pin numbers from the way their devices tilt as they type on them, researchers have claimed.
Computer scientists at Newcastle University managed to guess a four-digit pin with 70% accuracy at the first attempt by using the gyroscopes built into all modern smartphones. With five attempts, the team was able to correctly guess the pin 100% of the time.
The theoretical hack takes advantage of a loophole in how web browsers share data from a smartphone with websites that ask for it. While sensitive information such as location requires user permission, a malicious website can ask for, and be given, seemingly benign data such as device orientation without the user being notified.
But users need not be too concerned about hackers breaking into their devices. The method behind the attack has significant hindrances that would prevent it from being used in the real world.
Dr Maryam Mehrnezhad, a research fellow in the School of Computing Science, said: “Most smartphones, tablets, and other wearables are now equipped with a multitude of sensors, from the well-known GPS, camera and microphone to instruments such as the gyroscope, rotation sensors and accelerometer.
“But because mobile apps and websites don’t need to ask permission to access most of them, malicious programs can covertly ‘listen in’ on your sensor data and use it to discover a wide range of sensitive information about you, such as phone call timing, physical activities and even your touch actions, pins and passwords.”
Websites need to ask permission from users to access sensitive information, such as location data, or to access sensors such as the cameras or microphones on a device. But some information, such as the orientation of the device or the size of its screen, is considered non-sensitive and generally shared with any site that asks for it to enable interactivity and responsive webpages.
Thankfully, to train the system to enough precision to be able to guess even a simple four-digit pin (and most smartphones require a six-digit, or longer, password), the researchers required a lot of data from users: each had to type 50 known pin numbers in, five times over, before it learned enough about how they hold their phones to guess a hidden pin with 70% accuracy.
But with no uniform way of managing sensors across the industry, when research such as Mehrnezhad’s shows flaws, it can be difficult for manufacturers to give a coordinated response.
“Despite the very real risks, when we asked people which sensors they were most concerned about we found a direct correlation between perceived risk and understanding,” she said. “So people were far more concerned about the camera and GPS than they were about the silent sensors.”