Security researchers have developed a number of different methods to steal or bypass the passcodes on most of the common mobile phone platforms, some of which rely on software bugs and others on simple social engineering. Now, a pair of researchers from the University of Cambridge have come up with a new side-channel attack that enables them to infer users’ mobile PIN codes with pretty good accuracy by using the camera and microphone on a mobile phone.
The technique is deceptively simple in concept: The researchers’ software runs on the mobile device and when a user types in her PIN code, the software records keystroke sounds through the microphone and uses the camera to judge the phone’s orientation and watch the user’s face while she’s typing. Using those inputs, the researchers’ software has shown that it can infer the user’s four-digit PIN code better than 50 percent of the time after just five attempts on a Samsung Galaxy S3.
“By recording audio during PIN input, we can detect touch events (see Section 3.4). By recording video from the front camera during PIN input, we can retrieve the frames that correspond to touch events. Then we extract orientation changes from the touch-event frames, and we show that it is possible to infer which part of the screen is touched by users,” the researchers said in the paper, “PIN Skimmer: Inferring PINs Through the Camera and Microphone”, written by Ross Anderson and Laurent Simon.
In order to execute the attack, an attacker would need to get their PIN Skimmer software onto a victim’s device. They assume in their paper that the victim has downloaded a malicious app from Google Play or another app store, which carries their software as a payload. They initially figured that their app would then need to exploit a vulnerability on the device in order to run as root, but they soon discovered that wasn’t necessary and that the app could get access to the camera and microphone with some clever tricks. Once it’s on the phone, PIN Skimmer can run in several different modes, including monitoring, collecting, learning and logging modes.
Collecting mode is where the app gathers the data it needs to help infer the key touches the user makes while entering her PIN code. This comprises a simple game in which the user touches the screen several times to match various icons on the screen. The camera takes a photo with each keystroke and then later uploads that saved data to a remote server, where it can be processed offline. That data is fed to an algorithm that learns the user’s behavior and improves the malware’s ability to guess the user’s PIN.
The malware has a number of stealth capabilities, including the ability to disable the LED light when the camera is on and tamper with the OS to hide the number of packets sent. PIN Skimmer also has the ability to reduce the noise captured by the phone in the environment around it, improving the accuracy of the microphone key touch collection.
Defending against side-channel attacks such as this one is difficult, but the authors said there are some things that can be done to mitigate the effects of their attack.
“An OS-level mitigation is appealing because it centralizes the changes in one place and benefits all applications. In Android, there are mainly 2 ways to prompt a user to enter a PIN. The first is to use an AlertDialog with the option android:password="true" in the manifest file. The option instructs the OS to display the star character (‘*’) instead of the digit typed. Upon displaying an AlertDialog with this option, we suggest the OS also deny access to shared hardware resources from other user-installed applications. The second way to prompt for a PIN is via a GUI component (Activity). In this case, we suggest the OS expose a PasswordActivity which inherits from the Activity,” the paper says.
Other options could include randomizing the location of keys on the keyboard, which could be a pain for users, or enforcing longer passcodes.
“An orthogonal countermeasure to mitigate side-channel attacks is to use longer PINs (or passphrases) to increase the guessing entropy, but this affects memorability and usability. Another additional countermeasure is to enforce a maximum number of PIN attempts like for banking cards. Unfortunately, the number of smartphone applications requiring a PIN will increase over time, forcing users to re-use them across applications and services (e.g. banking). Hence, it becomes more difficult to enforce a maximum number of PIN attempts,” the authors said.
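To make the two application-level countermeasures concrete, here is an added example (not code from the paper or from the article) of a PIN pad that reshuffles its digit layout for every entry, so that inferring which part of the screen was touched no longer yields a fixed digit, and that locks after a maximum number of wrong attempts. The class and function names are my own; `make_pad` accepts a seed only so the behaviour can be reproduced in a test.

```python
import hmac
import random
import secrets

DIGITS = "0123456789"

class RandomizedPinPad:
    """PIN entry that reshuffles the digit-to-key mapping on every attempt,
    so a touch position no longer reveals a digit, and locks after N failures."""

    def __init__(self, pin, max_attempts=3, rng=None):
        if not (pin.isdigit() and len(pin) >= 4):
            raise ValueError("PIN must be at least four digits")
        self._pin = pin.encode()
        self.max_attempts = max_attempts
        self.attempts = 0
        self.locked = False
        # Use the OS CSPRNG unless a seeded generator is supplied for testing.
        self._rng = rng if rng is not None else secrets.SystemRandom()
        self.reshuffle()

    def reshuffle(self):
        """Assign the ten digits to the ten key positions in a fresh random order."""
        digits = list(DIGITS)
        self._rng.shuffle(digits)
        self.layout = digits
        return digits

    def positions_for(self, pin):
        # Key positions a user would touch for `pin` under the current layout.
        return [self.layout.index(d) for d in pin]

    def submit(self, positions):
        """Map touched key positions to digits, verify the PIN, then reshuffle."""
        if self.locked:
            return False
        entered = "".join(self.layout[p] for p in positions).encode()
        ok = hmac.compare_digest(entered, self._pin)  # constant-time compare
        self.reshuffle()  # replaying the same touch positions now maps elsewhere
        if ok:
            self.attempts = 0
            return True
        self.attempts += 1
        self.locked = self.attempts >= self.max_attempts
        return False

def make_pad(pin, max_attempts=3, seed=None):
    """Build a pad; a seed gives a reproducible (non-secure) layout for tests only."""
    rng = random.Random(seed) if seed is not None else None
    return RandomizedPinPad(pin, max_attempts, rng)
```

The reshuffle after every attempt is what defeats position-based inference; the attempt counter is the banking-card style lockout the authors mention.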