When it comes to guessing keystrokes from user behavior, telltale signs can say volumes. Researchers at Newcastle University have managed to guess a four-digit PIN on a smartphone using information about the way the phone is tilted.
And it’s not a lucky guess, either: they correctly identified the PIN with 70% accuracy on the first attempt, and 100% accuracy by the fifth attempt.
The attack relies on the fact that many sensors on a modern smartphone will share seemingly benign information—such as the gyroscope reporting the orientation of the device—with websites and apps without needing user permission.
In total, the computer science team identified 25 different sensors which now come as standard on most smart devices and are used to provide different kinds of information about the device and its user. Only a small number of these—such as the camera and GPS—require the user’s permission before an app or website can access them.
“Most smartphones, tablets and other wearables are now equipped with a multitude of sensors, from the well-known GPS, camera and microphone to instruments such as the gyroscope, proximity, NFC and rotation sensors and accelerometer,” said Maryam Mehrnezhad, a research fellow in the School of Computing Science at Newcastle and lead author on the paper detailing the findings.
The study found that each user touch action—clicking, scrolling, holding and tapping—induces a unique orientation and motion trace.
“Depending on how we type—whether you hold your phone in one hand and use your thumb, or perhaps hold with one hand and type with the other, whether you touch or swipe—the device will tilt in a certain way and it’s quite easy to start to recognize tilt patterns associated with ‘Touch Signatures’ that we use regularly,” explained Siamak Shahandashti, senior research associate in the School of Computing Science at Newcastle and co-author of the study.
And the more sensor information is captured, the clearer the picture a remote listener is able to build. Using a range of data points, the team was able to determine what part of a webpage the user was clicking on and what they were typing, for instance.
“It’s a bit like doing a jigsaw—the more pieces you put together the easier it is to see the picture,” explained Shahandashti.
It’s easy to see the malicious applications for this—spoof sites or fake apps could covertly listen in and capture such information, and hackers could use machine learning and data analytics to harvest credentials and more.
“More worrying, on some browsers, we found that if you open a page on your phone or tablet which hosts one of these malicious codes and then open, for example, your online banking account without closing the previous tab, then they can spy on every personal detail you enter,” added Mehrnezhad. “And worse still, in some cases, unless you close them down completely, they can even spy on you when your phone is locked.”
Going forward, the team is now focused on the additional risks posed by personal fitness trackers, which are linked to our online profiles and can potentially be used to interpret the slightest wrist movements as well as general physical activities such as sitting, walking, running and different forms of commuting. That, combined with sensor data, can yield a bonanza of information for nefarious types.
As a result of the research, some mobile browser vendors, such as Mozilla Firefox and Apple Safari, have partially fixed the problem, the Newcastle team said, but the team is still working with industry to go further. For now, users should make sure to change PINs and passwords regularly so malicious websites can’t start to recognize a pattern; close background apps when not in use (and uninstall unneeded apps); keep the phone’s operating system and apps up to date; only install applications from approved app stores; audit the permissions that apps have on the phone; and scrutinize the permissions requested by apps before installing them, choosing alternatives with more sensible permissions if needed.