How do you hold your phone?
Hackers can get hold of your cell phone PIN and other passwords just from the tilt of the device when you type them in, a new research study shows.
The culprit: your smartphone’s motion sensors.
Newcastle’s new discovery
The study, by computer scientists and security experts at the United Kingdom’s Newcastle University, is causing an uproar in the entire tech community for its alarming findings.
In a report released this week, the study found that hackers can analyze your motion sensors and figure out your four-digit PIN with very high accuracy.
Researchers could correctly guess the PIN 74% of the time on their first attempt, which increased to 94% accuracy after three tries. With only five attempts, the accuracy of the team was 100%.
Hackers love loopholes
This theoretical hack is possible because of a loophole in how web browsers share data between smartphones and websites. While highly sensitive information, such as location, requires explicit user permission, other data not seen as sensitive, such as device orientation or the size of the device screen, is shared with websites freely so that webpages can be responsive and interactive.
As shown by the researchers, such information is enough for a malicious website to hack into your device and decode your PIN.
Of the 25 sensors found to be playing a part in this issue, only a few require user permission before activating for certain apps. The rest are always on by default.
The devices
Dr Maryam Mehrnezhad, a research fellow in the School of Computing Science, said: “On some browsers, we found that if you open a page on your phone or tablet which hosts of these malicious codes and then open [another one], then they can spy on every personal detail you eventually enter.”
“And worse still, in some cases, unless you close them down completely, they can even spy on you when your phone is locked.”
Not practical
The public need not worry too much about this latest news, however. It seems that the methods used by the experts in the study face many significant hindrances “in real life” that would make the hack unlikely to be successful in the real world.
For example, the researchers needed a lot of data to train their hacking system, an artificial neural network, to acceptable accuracy levels.
Each user had to type in 50 known PINs, five times over, before the system learned enough about how users hold their phones to guess a hidden PIN with 70% accuracy, a very unlikely scenario in the real world.
Stopping hackers early
Research studies like these are usually welcomed by the tech world, as loopholes can easily be fixed before malicious parties can take advantage of such web weaknesses.
In 2014, for instance, hackers at the Hamburg Chaos Communication Congress demonstrated how PIN codes could be extracted by simply taking a video of the user’s cornea movements as they entered data, a technique dubbed the “corneal keylogger.” Similarly, Firefox had loopholes that allowed hackers to track user activities via their battery status.
The latest sensor scare, although overhyped, will need a sophisticated solution.
There seems to be no practical solution readily available. Apple and Google have been contacted about the issues by the university researchers, but there have been no official statements from either company.
Barnil is a Staff Writer at The American Genius. With a Master's Degree in International Relations, Barnil is a Research Assistant at UT, Austin. When he hikes, he falls. When he swims, he sinks. When he drives, others honk. But when he writes, people read.