Your Phone Motion Sensors Can Give Away Your PIN and Password


Are you using fitness applications to track your run and the path you took? You might just be vulnerable to hackers who are out to steal your data, particularly your PIN and password.
What do fitness applications have to do with hackers, you ask? In a nutshell, the motion sensors on your phone are operated by the applications you install, which in turn can give away information to hackers. Any application that taps into your phone's sensors, like the camera, microphone, GPS and a few others, can pick up information from the way your phone tilts or moves as you type.

Researchers (read: cyber specialists) at the UK's Newcastle University have worked out ways in which malware can decipher the data reported by the sensors. Malware can be sneaked onto a device in the form of an application or a web page, and the hackers hit payday when these applications or web pages are kept open while you access your sensitive data, giving them access to your private information. The researchers claim the technique is accurate enough that 70% of 4-digit PINs can be deciphered on the first go, and that it reaches 100% accuracy by the 5th try. This is really worrying, given that our world is moving towards digital banking that is poised to be accessible through popular chat systems like Facebook Messenger and WhatsApp.

Companies like Apple and Firefox issued patches to block such malware so that this data would not be available to hackers. This decision could only have been driven by the ethical hackers these companies have on their payroll. Unfortunately, Google has not taken cognizance of this issue. Despite being the biggest OS provider in smartphones, Android is yet to provide such patches. Google has reportedly known about this issue, but has been quoted as saying that it is still developing its patches. The diversity of Android versions out there seems to be slowing down its efforts towards a secure patch.

To arrive at these findings, the team of researchers trained an artificial neural network on data fed in by a sample of people and their behavior while actively using PINs to access their bank accounts. Sensors primarily work on waves, which, when they hit a surface, reciprocate with readings; these readings are deciphered to draw out vulnerable information like PINs, passwords and, of course, physical activities too. Do you remember the time when we used physical landline / fixed phones and hackers could guess the numbers you pressed from the tone emitted by the buttons? Now they use the movement of your phone. To gain an entry point into the phone's sensors, a JavaScript exploit is delivered through a browser on the phone. When the user clicks or authenticates an 'update' from unknown sources, the malware does its trick and hacks into the phone's sensors to send out the information that the device's numerous sensors record, so when you type a password, the movement of the device can give away which characters are in it.

The report has recently been published in the International Journal of Information Security, and the team is now looking at how such malware can potentially track wrist movements and whether the user is sitting, walking, running, etc. by hacking the user's application profiles and the data that follows. The lead author, Dr. Maryam Mehrnezhad, a research scholar at the School of Computer Sciences, shared the following when asked about the report:

“Most smart phones, tablets, and other wearables are now equipped with a multitude of sensors, from the well-known GPS, camera and microphone to instruments such as the gyroscope, proximity, NFC, and rotation sensors and accelerometer. But because mobile apps and websites don’t need to ask permission to access most of them, malicious programs can covertly ‘listen in’ on your sensor data and use it to discover a wide range of sensitive information about you such as phone call timing, physical activities and even your touch actions, PINs and passwords. More worrying, on some browsers, we found that if you open a page on your phone or tablet which hosts one of these malicious code and then open, for example, your online banking account without closing the previous tab, then they can spy on every personal detail you enter. And worse still, in some cases, unless you close them down completely, they can even spy on you when your phone is locked. Despite the very real risks, when we asked people which sensors they were most concerned about we found a direct correlation between perceived risk and understanding. So people were far more concerned about the camera and GPS than they were about the silent sensors.”
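Because page scripts can subscribe to motion and orientation sensors without a permission prompt, one practical check is to audit the scripts a site ships or embeds for sensor use. The following is an added example, not code from the article or from the Newcastle research; the pattern list, severity labels and sample scripts are assumptions constructed for illustration, and the visibility check is only a heuristic for whether a script keeps reading in a background tab.

```javascript
// Added example: static audit of page scripts for motion/orientation sensor use.
// Pattern list and severity labels are assumptions made for this sketch.
const SENSOR_PATTERNS = [
  // Legacy DOM events: addEventListener('devicemotion', ...)
  { api: 'event-listener', re: /addEventListener\(\s*['"`](devicemotion|deviceorientation(?:absolute)?)['"`]/g },
  // Handler property assignment: window.ondevicemotion = ...
  { api: 'event-property', re: /\bon(devicemotion|deviceorientation(?:absolute)?)\s*=[^=]/g },
  // Generic Sensor API constructors
  { api: 'generic-sensor', re: /\bnew\s+(Accelerometer|LinearAccelerationSensor|GravitySensor|Gyroscope|AbsoluteOrientationSensor|RelativeOrientationSensor)\b/g },
];
// Hints that the script reacts to the tab being hidden (heuristic only).
const VISIBILITY_RE = /visibilitychange|document\.hidden|document\.visibilityState/;

function auditScript(name, source) {
  // Strip comments so commented-out code is not reported ("://" in URLs is kept).
  const code = source
    .replace(/\/\*[\s\S]*?\*\//g, '')
    .replace(/(^|[^:])\/\/.*$/gm, '$1');
  const sensors = new Set();
  for (const { api, re } of SENSOR_PATTERNS) {
    for (const m of code.matchAll(re)) sensors.add(`${api}:${m[1]}`);
  }
  const gated = VISIBILITY_RE.test(code);
  // Sensor use with no visibility handling is the case to look at first.
  const severity = sensors.size === 0 ? 'none' : gated ? 'review' : 'high';
  return { name, sensors: [...sensors].sort(), gated, severity };
}

// Constructed sample scripts (not taken from any real site).
const SAMPLES = {
  'fitness-widget.js': `
    window.addEventListener("devicemotion", e => steps.push(e.acceleration));
    document.addEventListener("visibilitychange", () => { paused = document.hidden; });`,
  'ad-tag.js': `
    // tilt effect
    window.ondeviceorientation = function (e) { buf.push([e.alpha, e.beta, e.gamma]); };
    const g = new Gyroscope({ frequency: 60 });`,
  'login-form.js': `
    /* window.addEventListener('devicemotion', old) */
    form.addEventListener('submit', validate);`,
};

function auditAll(scripts) {
  return Object.entries(scripts).map(([name, src]) => auditScript(name, src));
}

for (const r of auditAll(SAMPLES)) console.log(r.severity, r.name, r.sensors.join(', '));
```

A `high` result means the script reads sensors and shows no sign of pausing when hidden; a `review` result still needs a human to confirm the visibility handler actually stops the sensor reads.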

Going by the technique, wearables are also in the crosshairs, especially your smart watches. Be careful: while these devices may offer limited functionality in your life, they do open you up to fraudulent intent by nefarious hackers. We have looked at securing the main gate (locking the phone with alphanumeric and fingerprint passwords) and dredging the moat around the castle (securing the apps and encrypting our stored data); however, we need to seek out and secure all entry points, like the air vents and sewage channels that provide unseen services to the users, just like the sensors on our smart devices.


Also published on Medium.