PIN stealing

Stealing your PIN by tracking the motion of your phone

Published 12 April 2017

Hackers are able to decipher PINs and passwords just from the way we tilt our phone when we are typing in the information.

Cyber experts at Newcastle University, U.K., have revealed the ease with which malicious websites, as well as installed apps, can spy on us using just the information from the motion sensors in our mobile phones.

Analyzing the movement of the device as we type in information, they have shown it is possible to crack four-digit PINs with a 70 percent accuracy on the first guess — 100 percent by the fifth guess — using just the data collected via the phone’s numerous internal sensors.

Are your sensors spying on you?

Newcastle University (NCL) notes that, despite the threat, the research shows that people are unaware of the risks and that most of us have little idea what the majority of the twenty-five different sensors available on current smart phones do.

And while all the major players in the industry are aware of the problem, no-one has yet been able to find a solution.

Publishing their findings today in the International Journal of Information Security, the team are now looking at the additional risks posed by personal fitness trackers which are linked up to our online profiles and can potentially be used to interpret the slightest wrist movements as well as general physical activities such as sitting, walking, running, and different forms of commute.

Dr. Maryam Mehrnezhad, a Research Fellow in the School of Computing Science and lead author on the paper, explains:

“Most smart phones, tablets, and other wearables are now equipped with a multitude of sensors, from the well-known GPS, camera and microphone to instruments such as the gyroscope, proximity, NFC, and rotation sensors and accelerometer.

“But because mobile apps and websites don’t need to ask permission to access most of them, malicious programs can covertly ‘listen in’ on your sensor data and use it to discover a wide range of sensitive information about you such as phone call timing, physical activities and even your touch actions, PINs and passwords.

“More worrying, on some browsers, we found that if you open a page on your phone or tablet which hosts one of these malicious codes and then open, for example, your online banking account without closing the previous tab, then they can spy on every personal detail you enter.