Malicious Apps Can Guess Smartphone PINs Using Sensor Data

A research team from Nanyang Technological University has once again demonstrated a fundamental security issue affecting smartphones running both Android and iOS. The problem lies in the fact that any app—including malicious ones—can access data from a smartphone’s sensors without any restrictions or permissions. As a result, this information can be exploited by attackers, for example, to guess a user’s PIN code.

To prove their point, the researchers created a special Android app, which they installed on test devices. At first glance, the app appeared harmless, simply collecting background data from six sensors: the accelerometer, gyroscope, magnetometer, barometer, proximity sensor, and ambient light sensor.

The algorithm developed by the researchers processed the data collected by the app and used it to distinguish which keys were pressed on the device’s on-screen keyboard. The algorithm relied on the angle at which the smartphone was held and also took into account changes in ambient lighting as the user’s fingers moved while entering a PIN code.

During testing, the experts worked only with sensor data collected during 500 random PIN entries provided by three participants. Based on these samples, the algorithm was able to guess the correct four-digit PIN on the first try with 99.5% accuracy when working with a list of the 50 most common PIN codes. The accuracy dropped to 83.7% when the algorithm was given a list of 10,000 PIN codes and allowed 20 attempts per code. The researchers also noted that this methodology can be easily adapted for longer PIN codes. Moreover, the more data the app collects, the better the algorithm “adapts.”

It’s worth noting that the Nanyang Technological University team is far from the first group of cybersecurity experts to highlight this issue. The discussion about apps not requesting any permissions and being able to freely access device sensors has been ongoing for some time. For example, a similar study was presented in April of this year by analysts from Newcastle University, and in September, a research group from Princeton University conducted an experiment showing that a user’s geographic location can be tracked using sensors even if GPS is turned off.

In all these cases, experts urge Apple and Google developers to take a simple step: require apps to notify users when accessing specific sensors and make it mandatory to request permission for such activity.