You could be the most careful mobile user ever, but hackers can still steal your PINs and passwords simply by spying on your phone’s motion sensors. A team of cyber researchers from the UK’s Newcastle University has demonstrated how easy it is to steal a four-digit PIN by analysing the way your phone tilts and moves as you type.
Most smartphones, tablets and wearables are now equipped with a multitude of sensors, from the well-known GPS, camera and microphone to instruments such as the gyroscope, proximity sensor, NFC, rotation sensor and accelerometer.
But because mobile apps and websites don’t need to ask permission to access most of these sensors, malicious programs can covertly ‘listen in’ on your sensor data and use it to discover a wide range of sensitive information about you such as phone call timing, physical activities and even your touch actions, which would include your PINs and passwords.
More worrying, on some browsers, we found that if you open a page on your phone or tablet which hosts one of these malicious codes and then open, for example, your online banking account without closing the previous tab, then they can spy on every personal detail you enter.
And worse still, in some cases, unless you close them down completely, they can even spy on you when your phone is locked.
Cyber-security experts from Newcastle University in the U.K. found that once a mobile user visits a website with malicious code embedded in it, that code could use the phone’s motion and orientation sensors to correctly guess the user’s PIN simply from the way the phone moves as the user taps it.
The study, published in the International Journal of Information Security this week, also found that most people have little idea of what the sensors in our phones can do and the security vulnerabilities they pose.
The researchers identified 25 different sensors that are now standard on most phones. Yet websites and apps only ask for permission to use a small fraction of these — GPS and camera, for example.
Many of these sensors give people a better experience and bring real advantages to our lives. For example, the accelerometer and gyroscope play a key role in the fitness-tracking apps that are so popular these days. But the sensor technology is well ahead of any regulatory restrictions pertaining to our privacy, and the Newcastle research shows that malicious code from a website could end up reading these same fitness-tracking sensors and learning details such as the timing of phone calls, whether the user is walking, sitting or running, and any touch activity on the phone while the user types in their PIN, which provides hints and clues as to which numbers were typed.
In addition, after interviewing many people in this study, the researchers found that most were not aware of the sensors in their mobile devices, and that even the phone manufacturers did not have a clear understanding of the associated risks while the sensors were being developed.
With that in mind, the researchers concluded that the makers of these sensors assumed accelerometer and gyroscope data (which reveals when you lean, turn and move your phone) would never be used for malicious purposes. By default, therefore, access to this data requires no permission, and it appears that all such sensors are currently configured to allow access by default.
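The two behaviours described above, sensor events arriving with no permission prompt and continuing to arrive once the tab is in the background or the screen is locked, can be checked from a test page. The audit below is an added example written for this article, not code from the Newcastle study or from any browser vendor; it assumes a browser that implements the `devicemotion` event, and `win`/`doc` are injected so the logic can also run outside a browser.

```javascript
// Added example; not code from the Newcastle study or from any browser vendor.
// A page-side audit of the behaviour the article describes: does this
// browser keep delivering devicemotion events after the page is hidden
// (background tab, screen lock), and does it prompt for permission at all?
// `win` and `doc` are injected so the logic runs outside a browser; in a
// real page call createMotionAudit(window, document).
function createMotionAudit(win, doc) {
  const counts = { visible: 0, hidden: 0 }; // devicemotion events per state
  let firstHiddenAt = null;                 // ms timestamps of hidden-state events
  let lastHiddenAt = null;

  function onMotion(ev) {
    // visibilityState is 'visible' while the tab is in front; 'hidden' covers
    // background tabs and (assumption: on most platforms) a locked screen.
    const state = doc.visibilityState === 'visible' ? 'visible' : 'hidden';
    counts[state] += 1;
    if (state === 'hidden') {
      const t = typeof ev.timeStamp === 'number' ? ev.timeStamp : Date.now();
      if (firstHiddenAt === null) firstHiddenAt = t;
      lastHiddenAt = t;
    }
  }

  function start() {
    // Safari on iOS 13+ exposes DeviceMotionEvent.requestPermission() and only
    // fires events after the user accepts (call it from a user gesture before
    // expecting samples). Browsers without it hand motion data to any script
    // with no prompt, which is the gap the study points at.
    const dme = win.DeviceMotionEvent;
    const requiresPermissionPrompt =
      Boolean(dme) && typeof dme.requestPermission === 'function';
    win.addEventListener('devicemotion', onMotion);
    return { requiresPermissionPrompt };
  }

  function stop() {
    win.removeEventListener('devicemotion', onMotion);
  }

  function report() {
    const spanMs = counts.hidden > 1 ? lastHiddenAt - firstHiddenAt : 0;
    return {
      visibleEvents: counts.visible,
      hiddenEvents: counts.hidden,
      leaksWhileHidden: counts.hidden > 0,
      // Sampling rate observed while hidden; 0 if too few samples to tell.
      hiddenRateHz: spanMs > 0 ? (counts.hidden - 1) * 1000 / spanMs : 0,
    };
  }

  return { start, stop, report };
}
```

Load the page, switch to another tab or lock the screen for a few seconds, switch back and call `report()`: a non-zero `hiddenEvents` count means this browser still feeds motion data to a page you are not looking at.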
It sounds obvious, but the first step users should take to protect themselves is to choose more complex passcodes. Previous research has found that 27 per cent of all four-digit PINs belong to a set of just 20 that includes dead-easy combinations such as “1111” or “1234”.
I know people hate it because it’s not convenient, but it’s also critical to change your passwords regularly.
In addition, keep your operating system up to date, only download apps from trusted sources like Google Play or the App Store, delete apps you’re not using, and close both apps and browser tabs when you’re done with them.
That should help mitigate any security risk you might have from your mobile sensors and malicious code on a website until Apple and Google find a more secure way around it.