Your phone's pin code can be hacked using its own sensors
Researchers have found a new way to crack into a smartphone — using the device's own sensors.
By recording how an Android smartphone reacts when buttons are pushed to enter a pin code, researchers at Nanyang Technological University, Singapore (NTU Singapore) found that this information pointed to specific numbers. That detail was then enough to unlock phones 99.5 percent of the time within three attempts.
Recording three people entering 70 four-digit number sequences at random, researchers then applied machine learning to the data to predict the pin codes for the Android smartphones. The team tapped six sensors: the accelerometer, gyroscope, barometer, ambient light sensor, magnetometer and proximity sensor. The accelerometer coupled with the gyroscope provided the best information, the researchers noted.
Monitoring data from an Android phone's six sensors, researchers guessed a four-digit code with near 100 percent accuracy (NTU Singapore)
"When you hold your phone and key in the PIN, the way the phone moves when you press 1, 5, or 9, is very different. Likewise, pressing 1 with your right thumb will block more light than if you pressed 9," says Shivam Bhasin, the lead researcher on the project.
Previously, researchers at Newcastle University in the UK were able to accurately predict a smartphone's pin codes using sensors about 70 percent of the time. Researchers at NTU Singapore say they've upped that — hitting 10,000 four-digit combinations every time.
Malicious apps installed on smartphones that record this sensor data could then theoretically use the information to hack into devices. NTU Singapore researchers suggest using pin codes with more than four digits, along with backup systems such as facial or fingerprint authentication. But ultimately, they warn that smartphone makers must find new ways to lock down data that can be retrieved from sensors.
"Limiting the maximum operating frequency of the sensors can reduce the attack feasibility," researchers write in their paper. "Alternatively, disabling sensors while sensitive operations like PIN entry can also prevent such attacks. However, these are just temporary fixes, and sensors access in smartphones must be rethought, in general."