The sensors built into your phone could help a hacker correctly guess your PIN in just three attempts.
Researchers have built a new algorithm that reveals a person’s passcode using data from six smartphone sensors.
This data lets an attacker infer how the phone tilts and how much light the user's fingers block, which is enough to recover a four-digit PIN. The researchers unlocked Android smartphones with 99.5 per cent accuracy within three tries when the phone used one of the 50 most common four-digit PINs.
The team, at Nanyang Technological University (NTU) in Singapore, worked out which keys users had pressed from how the phone tilted and how much light the thumb or fingers blocked. They installed a custom application on Android phones that collected data from six sensors: accelerometer, gyroscope, magnetometer, proximity sensor, barometer, and ambient light sensor. None of these sensors is permission-gated: any installed app can read them without asking the user for authorisation.
“When you hold your phone and key in the PIN, the way the phone moves when you press 1, 5, or 9 is very different. Likewise, pressing 1 with your right thumb will block more light than if you pressed 9,” said Bhasin. The classification algorithm was trained on data from three people, each of whom entered a random set of 70 four-digit PINs on a phone while the app recorded the corresponding sensor readings.
The classification algorithm, a deep-learning model, learned to give each sensor a different weight depending on how strongly it responded to different keys being pressed.
This lets the model discount sensors it judges less informative and raises the success rate of PIN retrieval.
Although each person enters a PIN differently, the researchers showed that success rates improved as the algorithm was fed data from more people over time.
So while a malicious application might not be able to guess a PIN correctly immediately after installation, it could use machine learning to collect sensor data from thousands of users' phones over time, learn their PIN entry patterns, and only launch an attack later, once its success rate is much higher.
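The pipeline described above, from per-keystroke sensor readings to a ranked list of PIN guesses, can be sketched end to end in a few dozen lines. The following is an added example written for this page, not the NTU team's code: the keypad geometry, the per-digit sensor signatures, the noise levels and the "common PIN" candidate list are all constructed, and the nearest-centroid classifier with per-sensor weights stands in for the deep-learning model (the page does not say how the researchers combine keystroke scores into a PIN score; multiplying per-digit probabilities is one straightforward choice).

```python
"""Added example: a toy version of the sensor side-channel PIN attack.

Illustrative code written for this page, not the NTU team's software.
Every sensor signature, noise level and the candidate PIN list below is
constructed; real traces would come from the accelerometer, gyroscope
and ambient-light sensor of an actual handset.
"""
import math
import random

# Hypothetical 3x4 keypad layout: digit -> (row, column).
KEYPAD = {
    "1": (0, 0), "2": (0, 1), "3": (0, 2),
    "4": (1, 0), "5": (1, 1), "6": (1, 2),
    "7": (2, 0), "8": (2, 1), "9": (2, 2),
    "0": (3, 1),
}
# Constructed per-sensor noise (standard deviation) for tilt_x, tilt_y, light_blocked.
NOISE = (0.4, 0.4, 0.04)
# Constructed stand-in for a "most common PINs" list; not the real top-50.
COMMON_PINS = ["1234", "1111", "0000", "1212", "7777", "1004", "2000",
               "4444", "2222", "6969", "9999", "3333", "5555", "6666",
               "1122", "1313", "8888", "4321", "2001", "1010"]
ALL_PINS = [f"{i:04d}" for i in range(10000)]


def signature(digit):
    """Idealised (constructed) feature vector for one keypress: tilt about x
    grows as the thumb reaches lower rows, tilt about y grows with the
    column, and keys nearer the top of the phone block more light."""
    row, col = KEYPAD[digit]
    return ((row - 1.5) * 2.0, (col - 1.0) * 3.0, 1.0 - 0.25 * row)


def noisy_sample(digit, rng, noise=NOISE):
    """One simulated observation of a keypress with Gaussian sensor noise."""
    return tuple(v + rng.gauss(0.0, s) for v, s in zip(signature(digit), noise))


def train(seed=0, n_per_digit=30, noise=NOISE):
    """Nearest-centroid classifier with a learned weight per sensor feature.

    The weight is between-class variance over within-class variance, so a
    feature that separates digits cleanly counts for more: a crude stand-in
    for the per-sensor weighting the article attributes to the deep model.
    """
    rng = random.Random(seed)
    samples = {d: [noisy_sample(d, rng, noise) for _ in range(n_per_digit)]
               for d in KEYPAD}
    centroids = {d: tuple(sum(c) / len(c) for c in zip(*s))
                 for d, s in samples.items()}
    weights = []
    for i in range(3):
        means = [centroids[d][i] for d in KEYPAD]
        grand = sum(means) / len(means)
        between = sum((m - grand) ** 2 for m in means) / len(means)
        within = sum((x[i] - centroids[d][i]) ** 2
                     for d, s in samples.items() for x in s) / (len(KEYPAD) * n_per_digit)
        weights.append(between / max(within, 1e-9))
    return centroids, weights


def digit_probs(obs, model):
    """Softmax over negative weighted squared distance to each digit's centroid."""
    centroids, weights = model
    score = {d: -sum(w * (o - c) ** 2 for w, o, c in zip(weights, obs, centroids[d]))
             for d in centroids}
    top = max(score.values())
    exps = {d: math.exp(s - top) for d, s in score.items()}
    total = sum(exps.values())
    return {d: e / total for d, e in exps.items()}


def rank_pins(observations, model, candidates):
    """Rank candidate PINs by the product of per-keystroke digit probabilities
    (one straightforward combination rule; the paper's exact rule is not given here)."""
    per_key = [digit_probs(o, model) for o in observations]
    scored = sorted(((math.prod(p[d] for p, d in zip(per_key, pin)), pin)
                     for pin in candidates), reverse=True)
    return [pin for _, pin in scored]


def attack_success_rate(model, candidates, seed=1, trials=200, guesses=3, noise=NOISE):
    """Fraction of trials in which the true PIN is among the top `guesses` ranks."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        true_pin = rng.choice(candidates)
        obs = [noisy_sample(d, rng, noise) for d in true_pin]
        if true_pin in rank_pins(obs, model, candidates)[:guesses]:
            hits += 1
    return hits / trials


if __name__ == "__main__":
    model = train()
    print("sensor weights (tilt_x, tilt_y, light):", [round(w, 1) for w in model[1]])
    print("top-3 success, common-PIN list:", attack_success_rate(model, COMMON_PINS))
    print("top-3 success, all 10000 PINs:  ", attack_success_rate(model, ALL_PINS, seed=2))
```

Two things the toy makes visible that the prose does not: restricting the candidate set to a short list of common PINs is what turns a noisy per-digit classifier into a three-guess attack, and the per-feature weights show why a sensor with small absolute readings (here the light sensor) can still dominate once its within-class noise is low.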
The study shows how devices with seemingly strong security can be attacked using a side-channel, as sensor data could be diverted by malicious applications to spy on user behaviour and help to access PIN and password information, said Professor Gan Chee Lip from NTU.
To keep mobile devices secure, Dr Bhasin, who spent 10 months on the project with his colleagues, advises users to choose PINs longer than four digits and to combine them with other authentication methods such as one-time passwords, two-factor authentication, and fingerprint or facial recognition.