University researchers have created a method to steal a smartphone user’s PIN by leveraging sensor data generated by the targeted phone. Researchers say the method has a 74 percent success rate when it comes to accurately determining four-digit PIN data inputted by a phone’s owner.
Researchers from U.K.-based Newcastle University created a JavaScript app called PINlogger.js that has the ability to access data generated by the phone’s sensors, including GPS, camera, microphone, accelerometer, magnetometer, proximity, gyroscope, pedometer and NFC protocols.
“Despite the threat, the research shows that people are unaware of the risks and most of us have little idea what the majority of the twenty five different sensors available on current smart phones do,” wrote Maryam Mehrnezhad, research fellow in the School of Computing Science and Newcastle University and lead author of the report.
In a likely attack scenario, a user would be tricked or enticed to visit a malicious webpage via their smartphone’s browser. The mobile site would run the PINlogger.js JavaScript and proceed to capture phone sensor data via the web browser. According to the report, many sensors on mobile devices do not require a user’s permission for a website or a web browser application to collect sensor data.
“We assume that the user has loaded the malicious web content in the form of an iframe, or another tab while working with the mobile browser,” wrote researchers. “At this point, the attack code has already started listening to the sensor sequences from the user’s interaction with the phone.”
In-browser JavaScript-based attacks can pose a security threat to users. Unlike in-app attacks, they do not require any app installation and user permission to work, researchers said in their report, released last week. Using a sample set of 50 PINs, researchers found that their script was able to correctly guess a user’s PIN 74 percent of the time on the first try, which increases to 86 and 94 percent success rates on the second and third attempts.
“Depending on how we type – whether you hold your phone in one hand and use your thumb, or perhaps hold with one hand and type with the other, whether you touch or swipe – the device will tilt in a certain way and it’s quite easy to start to recognize tilt patterns associated with ‘Touch Signatures’ that we use regularly,” wrote Siamak Shahandashti, a senior research associate in the School of Computing Science and co-author of the study.
Different input methods used by the users for PIN entrance illustrated.
The researchers point out, most users are concerned about obvious sensors such as a camera or GPS and don’t consider other less obvious sensors as a threat.
“On some browsers, we found that if you open a page on your phone or tablet which hosts one of these malicious codes and then open, for example, your online banking account without closing the previous tab, then they can spy on every personal detail you enter,” Mehrnezhad said.
That also applied to phones in a locked position, allowing a malicious app or website to capture password PIN data used to gain access to a phone.
Researchers said they have contacted browser vendors alerting them to the possible attack scenario.
“As the result of the research, some of the mobile browser vendors such as Mozilla, Firefox and Apple Safari have partially fixed the problem,” the researchers noted.
As for Firefox, starting from version 46 (released in April 2016), the browser restricts JavaScript access to motion and orientation sensors. Apple’s Security Updates for iOS 9.3 (released in March 2016), suspended the availability of motion and orientation data when the web view is hidden, according to researchers.
As for Google, it’s unclear what measures have been taken. “Our concern is confirmed by members in the Google Chromium team, who also believe that the issue remains unresolved,” the report stated. Google did not reply to a request to comment for this report.
Researchers suggest users change their PINs and passwords regularly. They also recommend closing background apps and browsers when you are not using them.
“Keep your phone operating system and apps up to date. Only install applications from approved app stores. Audit the permissions that apps have on your phone,” the report recommends.
