Attackers can steal smartphone users’ PINs by tapping into data collected by mobile sensors
Researchers have demonstrated that a malicious website or app could work out smartphone users’ PINs or passwords based just on the data collected by various motion sensors on modern mobile devices.
Motion sensor data is up for grabs
“Most smartphones, tablets, and other wearables are now equipped with a multitude of sensors, from the well-known GPS, camera and microphone to instruments such as the gyroscope, proximity, NFC, and rotation sensors and accelerometer,” Dr Maryam Mehrnezhad, a Research Fellow in the School of Computing Science at Newcastle University, explained.
“But because mobile apps and websites don’t need to ask permission to access most of them, malicious programs can covertly ‘listen in’ on your sensor data and use it to discover a wide range of sensitive information about you such as phone call timing, physical activities and even your touch actions, PINs and passwords.”
Dr Mehrnezhad and her colleagues have proven the viability of the attack by creating a JavaScript file that gathers sensor data and embedding it into a web page. As soon as a test subject visited the site on a mobile phone, the code started listening to the motion and orientation sensor streams, without needing any permission from the user. By analysing these streams with an artificial neural network, it then inferred the user’s PIN.
“Based on a test set of fifty 4-digit PINs, PINlogger.js is able to correctly identify PINs in the first attempt with a success rate of 74% which increases to 86 and 94% in the second and third attempts, respectively. The high success rates of stealing user PINs on mobile devices via JavaScript indicate a serious threat to user security,” the researchers noted in their paper.
The same attack can be mounted through a malicious app.
Possible solutions
Designing a mechanism for secure and usable sensor data management is a problem that remains to be solved.
“After many years of research on showing the serious security risks of sensors such as accelerometer and gyroscope, none of the major mobile platforms have revised their in-app access policy,” the researchers noted.
“Following our report of the issue to Mozilla, starting from version 46 (released in April 2016), Firefox restricts JavaScript access to motion and orientation sensors to only top-level documents and same-origin iframes. In the latest Apple Security Updates for iOS 9.3 (released in March 2016), Safari took a similar countermeasure by ‘suspending the availability of this [motion and orientation] data when the web view is hidden’,” they also shared.
“However, we believe the implemented countermeasures should only serve as a temporary fix rather than the ultimate solution. In particular, we are concerned that it has the drawback of prohibiting potentially useful web applications in the future. For example, a web page running a fitness program has a legitimate reason to access the motion sensors even when the web page view is hidden. However, this is no longer possible in the new versions of Firefox and Safari. Our concern is confirmed by members in the Google Chromium team, who also believe that the issue remains unresolved.”
They believe a combination of approaches will ultimately do the trick.
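As an added illustration (not code from the researchers or from any browser), the two countermeasures quoted above can be modelled as a small policy gate: Firefox 46 delivers motion and orientation events only to top-level documents and same-origin iframes, and Safari on iOS 9.3 suspends delivery while the web view is hidden. The context field names (`isTopLevel`, `sameOriginAsTop`, `visible`) and the sample events are constructed for this example; a web app or a test harness can use the gate to confirm that no sensor readings reach a handler while the page is framed cross-origin or backgrounded.

```javascript
// Model of the browser-side rules described in the article (illustrative,
// not browser code). Context fields are constructed names for this example.
//   isTopLevel       - the document is the top-level browsing context
//   sameOriginAsTop  - if framed, the frame shares the top document's origin
//   visible          - the web view is currently visible
function sensorAccessAllowed(ctx) {
  const originRuleOk = ctx.isTopLevel || ctx.sameOriginAsTop; // Firefox 46 rule
  const visibilityRuleOk = ctx.visible;                       // Safari iOS 9.3 rule
  return originRuleOk && visibilityRuleOk;
}

// A gate placed between a motion/orientation event source and the application
// handler. Events that arrive while the gate is closed are counted and dropped,
// so a harness can verify that nothing leaks from a hidden or framed page.
class SensorGate {
  constructor(ctx, handler) {
    this.ctx = { ...ctx };
    this.handler = handler;
    this.delivered = 0;
    this.dropped = 0;
  }
  setVisible(v) { this.ctx.visible = v; }      // mirror a visibilitychange event
  onEvent(evt) {
    if (sensorAccessAllowed(this.ctx)) {
      this.delivered++;
      this.handler(evt);
    } else {
      this.dropped++;
    }
  }
}

// Constructed sample: a top-level page receives three readings while visible,
// is then backgrounded, and two more readings arrive; only the first three
// reach the handler.
function runSample() {
  const seen = [];
  const gate = new SensorGate(
    { isTopLevel: true, sameOriginAsTop: true, visible: true },
    e => seen.push(e.t)
  );
  [1, 2, 3].forEach(t => gate.onEvent({ t, alpha: 0.1 * t }));
  gate.setVisible(false);
  [4, 5].forEach(t => gate.onEvent({ t, alpha: 0.1 * t }));
  return { delivered: gate.delivered, dropped: gate.dropped, seen };
}
```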