An average smartphone these days is packed with a wide array of sensors such as GPS, Camera, microphone, accelerometer, magnetometer, proximity, gyroscope, pedometer, and NFC, to name a few.
Now, according to a team of scientists from Newcastle University in the UK, hackers can potentially guess PINs and passwords – that you enter either on a bank website, app, your lock screen – to a surprising degree of accuracy by monitoring your phone's sensors, like the angle and motion of your phone while you are typing.
The danger comes due to the way malicious websites and apps access most of a smartphone's internal sensors without requesting any permission to access them – doesn't matter even if you are accessing a secure website over HTTPS to enter your password.
Your Phone doesn't Restrict Apps from Accessing Sensors' Data
Your smartphone apps usually ask your permissions to grant them access to sensors like GPS, camera, and microphone.
But due to the boom in mobile gaming and health and fitness apps over the last few years, the mobile operating systems do not restrict installed apps from accessing data from the plethora of motion sensors like accelerometer, gyroscope, NFC, motion and proximity.
Any malicious app can then use these data for nefarious purposes. The same is also true for malformed websites.
"Most smartphones, tablets and other wearables are now equipped with a multitude of sensors, from the well-known GPS, camera, and microphone to instruments such as the gyroscope, proximity, NFC, and rotation sensors and accelerometer," Dr. Maryam Mehrnezhad, the paper's lead researcher, said describing the research.
"But because mobile apps and websites don't need to ask permission to access most of them, malicious programs can covertly 'listen in' on your sensor data and use it to discover a wide range of sensitive information about you such as phone call timing, physical activities and even your touch actions, PINs and passwords."
Video Demonstration of the Attack
Fight AI with AI — Battling Cyber Threats with Next-Gen AI Tools
Ready to tackle new AI-driven cybersecurity challenges? Join our insightful webinar with Zscaler to address the growing threat of generative AI in cybersecurity.Supercharge Your Skills
Now all an attacker need is to trick victims into either installing the malicious app or visiting the rogue website.
Once this is done, whatever the victim types on his/her device while the malicious app or website running in the background of his phone, the malicious script will continue to access data from various sensors and record information needed to guess the PIN or passwords and then send it to an attacker's server.
Guessing PINs and Passwords with a High Degree of Accuracy
Researchers were able to guess four-digit PINs on the first try with 74% accuracy and on the fifth try with 100% accuracy based on the data logged from 50 devices by using data collected from just motion and orientation sensors, which do not require any special permission to access.
The scientists were even able to use the collected data to determine where users were tapping and scrolling, what they were typing on a mobile web page and what part of the page they were clicking on.
Researchers said their research was nothing but to raise awareness to those several sensors in a smartphone which apps can access without any permission, and for which vendors have not yet included any restrictions in their standard built-in permissions model.
"Despite the very real risks, when we asked people which sensors they were most concerned about we found a direct correlation between perceived risk and understanding," Mehrnezhad said. "So people were far more concerned about the camera and GPS than they were about the silent sensors."Mehrnezhad says the team had alerted leading browser providers such as Google and Apple of the risks, and while some, including Mozilla and Safari, have partially fixed the issue, the team is still working with the industry to find an ideal solution.
More technical details can be found in the full research paper, titled "Stealing PINs via mobile sensors: actual risk versus user perception," published Tuesday in the International Journal of Information Security.