Combination of Phone Sensors and Neural Networks Could Allow Hackers to Steal PINs

April 30, 2017 by Kate Smith

It's now possible for thieves to crack your PIN based on how you hold your phone when you input it.

Cybersecurity is a concept that's been around for decades, but public understanding of the risks we face every day is tenuous at best. For example, did you know that the sensors in your phone can give away your PIN to thieves? Did you know that all it takes to put your sensor data in the wrong hands is to visit the wrong website?

Sensors are becoming less expensive as time goes on, even as they become more sensitive and powerful. It's no surprise, then, that more and more of them are showing up in devices that don't strictly need them to perform their most basic functions.

The average cell phone is outfitted with an accelerometer, gyroscope, camera, microphone, capacitive touch sensors, and GPS sensors. There's also a magnetometer and proximity sensors. Newer models may have a fingerprint sensor. Some phones are essentially wearables, with a pedometer and a heart rate sensor. 


A diagram of the various components and sensors in an iPhone 6. Image courtesy of Semiconductor insights.


The massive number of sensors jam-packed into modern phones is a marvel, a testament to the ingenuity of the engineers who designed them. Many of these sensors provide useful information for how you use your phone and how it maintains itself for your maximum benefit. Prudent battery usage, mobile responsive interfaces that respond to how you hold your phone, search results that are tailored to your physical location—all of these helpful features are possible thanks to sensor data.

But the information these sensors gather can be used in ways we may not be aware of—and may not be comfortable with.


Data-Gathering Tools and Unintended Consequences

It's no mystery why so many sensors are being added to smartphones and other devices. In this landscape of competing tech companies and increasingly complex electronics, adding functionalities to devices is an effective way to make a phone model stand out compared to its contemporaries.

Retina-scanning security, for example, requires the addition of an IR LED and iris camera. Note, however, that using an iris scanner means that you must allow your phone to file away your iris pattern, one of your most unique identifying features. 

This surrendering of personal information is a recurring theme across the industry as the number of sensors in personal devices grows, and that isn't accidental. It's advantageous for any party to track whatever information it can access on your phone. Again, Google is able to return specialized search results to you because it tracks your every move via GPS sensors. Beyond that, it can model recommendations, ads, and much more off of what it learns from your sensor data, especially when paired with information on your web browsing habits and app usage.

In fact, some companies are turning to mobile phone sensor data to sidestep costly hardware they would otherwise need for specific purposes. Sentiance, for example, is a Dutch data analytics company that has proposed using mobile phone data to track driver behavior. They point out that, for insurance companies adjusting rates, smartphone sensors are a more convenient and cost-effective way to track driver behavior than installing a sensor-laden black box.

Many programs and apps gain access to sensors without much more than a simple click of the "accept" button, leaving us wondering why a calendar app, say, needs access to our camera. As annoying as it is to know that companies are learning about your behaviors and preferences through your mobile device, there are larger issues at stake.

Sensors often aren't as secure as they should be. Malicious programs can also gain access to sensors and monitor what they measure.

In fact, clever thieves can actually monitor the angle of a phone as it's being held to guess, with 70% accuracy, what a user's PIN is. 

"Stealing PINs via Mobile Sensors"

Studying this threat of PIN theft are Dr. Maryam Mehrnezhad and Dr. Siamak Shahandashti from the University of Newcastle's School of Computing Science. They've just published a paper in the International Journal of Information Security this month: "Stealing PINs via mobile sensors: actual risk versus user perception". The study focuses on PIN theft via phones and how users perceive the risks they face. 

While public awareness about only downloading trustworthy apps is growing, Mehrnezhad warns that you don't even need to download an app for these vulnerabilities to be exploited. All it takes is to visit a website with malicious code on it.

According to Mehrnezhad, "...on some browsers, we found that if you open a page on your phone or tablet which hosts one of these malicious code and then open, for example, your online banking account without closing the previous tab, then they can spy on every personal detail you enter." 

The study looks at PINlogger.js, a piece of JavaScript code capable of accessing mobile phone sensors without the user's permission. The code "listens" in on the sensors and feeds data to an artificial neural network that cracks PINs with "a success rate of 74% which increases to 86 and 94% in the second and third attempts, respectively".

Essentially, the sensors in your phone are capable of recording patterns of how your phone tilts when you hold it, how your fingers move on the screen, and more. 
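For site owners who want to know which scripts on their own pages read these sensors, the following added example (not code from the paper or from PINlogger.js) scans script source for the standard motion and orientation APIs and flags scripts that also contain a network call. The script names and contents are constructed samples, and the check also covers the newer Generic Sensor API classes, which goes beyond what the article describes.

```javascript
// Added example: audit script sources for motion/orientation sensor access.
// All script names and contents below are constructed samples.

const SENSOR_PATTERNS = [
  // Legacy DOM events: addEventListener('devicemotion', ...) and friends
  { api: 'event-listener',
    re: /addEventListener\s*\(\s*['"`](devicemotion|deviceorientation|deviceorientationabsolute)['"`]/ },
  // Handler properties: window.ondevicemotion = ...
  { api: 'handler-property',
    re: /\bon(devicemotion|deviceorientation|deviceorientationabsolute)\s*=/ },
  // Generic Sensor API constructors
  { api: 'generic-sensor',
    re: /\bnew\s+(Accelerometer|LinearAccelerationSensor|Gyroscope|Magnetometer|AbsoluteOrientationSensor|RelativeOrientationSensor)\b/ },
];

// Calls that can move collected readings off the device
const NETWORK_RE = /\b(fetch\s*\(|XMLHttpRequest\b|sendBeacon\s*\(|new\s+WebSocket\b)/;

function auditScript(name, source) {
  const findings = [];
  source.split('\n').forEach((line, i) => {
    for (const { api, re } of SENSOR_PATTERNS) {
      const m = re.exec(line);
      if (m) findings.push({ line: i + 1, api, sensor: m[1] });
    }
  });
  const sendsData = NETWORK_RE.test(source);
  // Sensor access combined with a network path should be reviewed first
  const risk = findings.length === 0 ? 'none' : sendsData ? 'high' : 'review';
  return { name, findings, sendsData, risk };
}

// Constructed samples: a tilt-driven UI widget, a third-party tag, a plain menu script
const SAMPLES = {
  'parallax.js': "window.addEventListener('deviceorientation', e => {\n  banner.style.left = e.gamma + 'px';\n});",
  'thirdparty-tag.js': "const buf = [];\nwindow.ondevicemotion = e => buf.push(e.acceleration);\nsetInterval(() => navigator.sendBeacon('/collect', JSON.stringify(buf)), 5000);",
  'menu.js': "document.querySelector('#nav').addEventListener('click', toggle);",
};

function auditAll(samples) {
  return Object.entries(samples).map(([name, src]) => auditScript(name, src));
}

console.log(JSON.stringify(auditAll(SAMPLES), null, 2));
```

Pattern matching like this misses obfuscated or dynamically built code, so a clean result is a starting point for review rather than proof that no script reads the sensors.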

The Newcastle team says they alerted companies like Google to the threats inherent in unsecured phone sensors. Some browsers, such as Mozilla and Apple Safari, have reportedly taken steps to address this issue, but no information was readily available on what those steps are.

The only way to completely protect yourself from sensors that betray your personal information is to not use them. In this day and age, however, it's difficult to completely forgo all of the sensor-laden devices that are vulnerable to exploitation.