It seems like every week brings a new study that demonstrates that your mobile device is a sieve of information about you, potentially hackable in any number of exotic ways.
This week we learn that not only can hackers manipulate the motion sensors in your phone, they can read the motion sensors and guess what you are typing. Specifically, Maryam Mehrnezhad and colleagues at Newcastle University published a paper demonstrating that a simple hack can steal your 4-digit PIN with a greater than 50% hit rate.
This attack takes advantage of the fact that most operating systems allow programs to access the motion sensors without asking permission. This has many potential security implications, but in this case they are looking at the use of numerical keyboards to type in PINs. They use JavaScript loaded in a browser to snoop on the sensors while another tab asks for a PIN.
They train a classifier that learns to recognize the motion of the phone as numbers are tapped. The data uses features including orientation, acceleration, gravity, and so on. The resulting model can then guess what number is typed with absurdly high hit rates, even when a different person types the numbers.
The researchers note that this vulnerability needs to be addressed by operating systems and standards. Essentially, motion and touch sensors should be treated as I/O devices and managed similarly to microphones, cameras, and so on. (It is slightly scandalous that these sensors are so poorly protected, even after all these years.)
However, it isn’t really clear what kind of management would work, since the attack is done through the web browser.
The study also examined user expectations. The main point, of course, is that none of us would intuitively expect that our PIN could be stolen via these sensors. For that matter, many people don’t know about or understand these sensors.
You can’t do the right thing if you don’t even know it is there, and there isn’t any way to do anything anyway.
- Maryam Mehrnezhad, Ehsan Toreini, Siamak F. Shahandashti, and Feng Hao, Stealing PINs via mobile sensors: actual risk versus user perception. International Journal of Information Security, 1-23, 2017. http://dx.doi.org/10.1007/s10207-017-0369-x