Stealing your PIN by tracking the motion of your phone
“And worse still, in some cases, unless you close them down completely, they can even spy on you when your phone is locked.
“Despite the very real risks, when we asked people which sensors they were most concerned about we found a direct correlation between perceived risk and understanding. So people were far more concerned about the camera and GPS than they were about the silent sensors.”
Access without permission
Sensors are now commonplace in smart devices and are largely responsible for the boom in mobile gaming and health and fitness apps, and soon in all devices in the Internet of Things (IoT).
The data provided by them combined with the growing computational ability of mobile phones and tablets has transformed the way we use them.
In total, the team identified twenty-five different sensors which now come as standard on most smart devices and are used to give different information about the device and its user. Only a small number of these – such as the camera and GPS — ask the user’s permission to access the device.
The study found that each user touch action – clicking, scrolling, holding and tapping – induces a unique orientation and motion trace. So on a known webpage, the team were able to determine what part of the page the user was clicking on and what they were typing.
“It’s a bit like doing a jigsaw – the more pieces you put together the easier it is to see the picture,” explains Dr. Siamak Shahandashti, a Senior Research Associate in the School of Computing Science and co-author on the study.
“Depending on how we type – whether you hold your phone in one hand and use your thumb, or perhaps hold with one hand and type with the other, whether you touch or swipe - the device will tilt in a certain way and it’s quite easy to start to recognize tilt patterns associated with ‘Touch Signatures’ that we use regularly.
“So the internal sensors each provide a different bit of the jigsaw. Personal fitness trackers which you wear on your wrist and, by their very nature, are designed to track the movement of your hand and pass information to your online profile pose a whole new threat.
“Potentially, they are able to provide additional information which, when combined with this sensor data, will make it even easier to decipher personal information.”
So are we able to protect ourselves?
The team has alerted all the major browser providers — including Google and Apple — of the risks but for the moment, says Dr. Mehrnezhad, no-one has been able to come up with an answer.
“It’s a battle between usability and security,” she says.
“We all clamor for the latest phone with the latest features and better user experience but because there is no uniform way of managing sensors across the industry they pose a real threat to our personal security.
“One way would be to deny access to the browser altogether but we don’t want to lose all the benefits associated with in-built motion sensors.”
As the result of the research, some of the mobile browser vendors such as Mozilla, Firefox and Apple Safari have partially fixed the problem, but for an ultimate solution, the Newcastle team is still working with industry.
Dr. Mehrnezhad, who together with her colleague and co-author Ehsan Toreinirun the Cyber Security: Safety at Home, Online, In Lifecourse, part of Newcastle University’s series of MOOCs (Massive Open Online Courses), say there are some simple rules people should follow:
— Make sure you change PINs and passwords regularly so malicious websites can’t start to recognise a pattern.
— Close background apps when you are not using them and uninstall apps you no longer need
— Keep your phone operating system and apps up to da
— Only install applications from approved app stores
— Audit the permissions that apps have on your phone
— Scrutinize the permission requested by apps before you install them and choose alternatives with more sensible permissions if needed
More information on how to stay safe can be found at Newcastle University’s “Auditing Your Mobile Apps Permissiopns.”
— Read more Maryam Mehrnezhad et al., “Stealing PINs via mobile sensors: actual risk versus user perception,” International Journal of Information Security (7 April 2017) (DOI: 10.1007/s10207-017-0369-x)