Researchers at Newcastle University have been able to guess 4-digit PIN codes with amazing accuracy, just by analysing the data from rotation sensors, gyroscopes and accelerometers. Unlike your camera or GPS, for instance, mobile apps and websites don’t need to ask permission to access this information.
Using data collected by a mobile device’s hardware tracking systems, the team was able to crack four-digit PINs with 70 percent accuracy on the first try, and with 100 percent accuracy by the fifth try.
Dr Mehrnezhad said: “On some browsers we found that if you open a page on your phone or tablet which hosts one of these malicious codes and then open [another one], then they can spy on every personal detail you enter.
“And worse still, in some cases, unless you close them down completely, they can even spy on you when your phone is locked.
Dr Maryam Mehrnezhad, a research fellow in the School of Computing Science, said this. It may not be such a big deal, because:
…the researchers required a lot of data from users: each had to type 50 known PIN numbers in, five times over, before it learned enough about how they hold their phones to guess a hidden PIN with 70% accuracy.
But with no uniform way of managing sensors across the industry, when research such as Mehrnezhad’s shows flaws, it can be difficult for manufacturers to give a coordinated response.
A malicious app running in the background can record as much data as it wants, and there are indeed a lot of different phones with different sensors out there, but I assume targeting the most used devices like the iPhone 6/7 and Samsung Galaxies would yield a pretty good result. Not to mention the accuracy improvements that can be made by combining the data from thousands of users, as well as being able to enter passwords multiple times so 100% accuracy wouldn’t even be necessary.
And while major players are aware of the problem, actually addressing it could prove easier said than done.
“All mobile platforms[…] are aware of this problem,” she says. “We reported it to them, and ever since we’ve been in touch with them, we’ve been trying to fix this problem together. It’s still ongoing research on both sides. But we’re in contact with these communities to figure out the best solution.”
I don’t see why websites would ever need to have access to this data, especially without asking permission. Anyone?
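On the web side there is at least something a site operator can do today: the Permissions-Policy response header (and its older Feature-Policy form) lets a page deny the accelerometer, gyroscope and magnetometer to itself and to any third-party frames it embeds. The checker below is an added example, not code from the article or from the Newcastle researchers; it parses both header syntaxes and reports whether a response actually denies the motion sensors. The sample responses are constructed for the demonstration, and the "default" state simply means no policy was sent, so the browser's own built-in allowlist applies.

```javascript
// Added example: check whether an HTTP response denies the motion sensors
// (accelerometer, gyroscope, magnetometer) to the page and its frames.
// Header syntax follows the W3C Permissions Policy spec and the legacy
// Feature-Policy syntax; the sample responses below are constructed.

const MOTION_FEATURES = ["accelerometer", "gyroscope", "magnetometer"];

// Parse 'accelerometer=(), gyroscope=(self "https://a.example"), camera=*'
// into { accelerometer: [], gyroscope: ["self", "https://a.example"], camera: ["*"] }.
function parsePermissionsPolicy(value) {
  const policy = {};
  // Split on commas that are not inside a parenthesised allowlist.
  for (const item of value.split(/,(?![^(]*\))/)) {
    const m = item.trim().match(/^([a-z-]+)=(\*|\(([^)]*)\))$/);
    if (!m) continue; // ignore malformed members rather than guessing
    const feature = m[1];
    if (m[2] === "*") { policy[feature] = ["*"]; continue; }
    policy[feature] = m[3].trim().split(/\s+/).filter(Boolean)
      .map((t) => t.replace(/^"|"$/g, ""));
  }
  return policy;
}

// Parse the legacy form: "accelerometer 'none'; gyroscope 'self' https://a.example".
function parseFeaturePolicy(value) {
  const policy = {};
  for (const item of value.split(";")) {
    const tokens = item.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [feature, ...allow] = tokens;
    // 'none' means an empty allowlist; strip the quotes from 'self'.
    policy[feature] = allow.filter((t) => t !== "'none'")
      .map((t) => t.replace(/^'|'$/g, ""));
  }
  return policy;
}

// Classify each motion sensor as denied / restricted / open / default.
function motionSensorExposure(headers) {
  // Header names are case-insensitive, so normalise before lookup.
  const lower = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  let policy = {};
  if (lower["permissions-policy"]) policy = parsePermissionsPolicy(lower["permissions-policy"]);
  else if (lower["feature-policy"]) policy = parseFeaturePolicy(lower["feature-policy"]);
  const report = {};
  for (const f of MOTION_FEATURES) {
    if (!(f in policy)) report[f] = "default";        // browser default allowlist applies
    else if (policy[f].length === 0) report[f] = "denied";
    else if (policy[f].includes("*")) report[f] = "open";
    else report[f] = "restricted";                    // limited to the listed origins
  }
  return report;
}

function allMotionSensorsDenied(headers) {
  return Object.values(motionSensorExposure(headers)).every((s) => s === "denied");
}

// Constructed sample responses (not captured from any real site).
const HARDENED_RESPONSE = { "Permissions-Policy": "accelerometer=(), gyroscope=(), magnetometer=()" };
const PARTIAL_RESPONSE = { "Feature-Policy": "accelerometer 'none'; gyroscope 'self' https://widgets.example" };
const NO_POLICY_RESPONSE = {};

for (const [name, headers] of [["hardened", HARDENED_RESPONSE],
                               ["partial", PARTIAL_RESPONSE],
                               ["no policy", NO_POLICY_RESPONSE]]) {
  console.log(name, motionSensorExposure(headers), "all denied:", allMotionSensorsDenied(headers));
}
```

The header only governs the page that sends it and the frames inside it; it is worth checking on any page that collects a PIN or password, but it does nothing about a native app already installed on the phone.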
With malicious apps it might be a bigger concern. I don’t think most people even think about whether an app really needs to be granted certain permissions, so even adding a checkbox on first launch of an app to confirm it can use these sensors wouldn’t have much effect I guess.