How criminals could ‘eavesdrop’ on your phone’s motion sensors, and steal your PIN

Science Friday

Researchers have demonstrated that it’s possible to crack smartphone PINs using data gleaned from phone sensors. 

kote baeza/CC BY 2.0 (Image cropped).

Modern smartphones are full of sensors that can make the devices more intuitive — counting your steps, for example, or detecting when you’ve tilted your screen. But according to a new study published in the International Journal of Information Security, those features could come at a price: your security.

“These sensors can provide us — or hackers — with much more than people would think,” says Maryam Mehrnezhad, lead author of the report and a research fellow in the School of Computing Science at Newcastle University in the UK.

Mobile apps and websites generally need to ask for permission before they can use sensors like the camera and microphone. But as Mehrnezhad explains, more than two dozen sensors come standard on many modern smartphones, and not all of them are protected the same way: the motion and orientation sensors, for example, are not gated behind any permission prompt.

In the study, she and her colleagues read a phone's motion and orientation sensors by embedding a small piece of malicious JavaScript in a web page. When volunteers opened the page on their phones, the script silently recorded the sensor readings, which capture the tiny tilts and shifts of the device as a finger moves across the touch screen, including while users entered four-digit PINs.

Then, using a machine learning algorithm, researchers analyzed the sensor data to guess the personal identification numbers that had been entered. The algorithm was startlingly precise — guessing PINs with more than 70 percent accuracy on the first try. “And it goes up to 100 percent in the fifth try,” Mehrnezhad says.
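The collection side of the attack described above, as an added example written for this page rather than code from the Newcastle team: a web page subscribes to the browser's motion and orientation events, timestamps each screen tap, cuts a window of readings around every tap, and turns each window into a small feature vector of the kind a classifier would be trained on. The browser listeners only run in a browser; the segmentation and feature code run anywhere on the constructed sample stream embedded below (not real device data). The field names, window size and statistics are this example's own choices, not the paper's.

```javascript
// Added example (not from the original article or the paper).
// Each motion sample is {t, ax, ay, az, beta, gamma}:
//   t         millisecond timestamp
//   ax/ay/az  accelerationIncludingGravity, m/s^2
//   beta/gamma front-back and left-right tilt, degrees
const motionSamples = [];
const taps = [];

// In a browser: subscribe to the sensor events. Historically these fired on any
// page with no permission prompt, which is the point of the study. Today Safari
// on iOS 13+ requires DeviceMotionEvent.requestPermission() from a user gesture,
// and Chrome only exposes the events in a secure (HTTPS) context.
function startCapture(win) {
  let tilt = { beta: 0, gamma: 0 };
  win.addEventListener('deviceorientation', (e) => {
    tilt = { beta: e.beta || 0, gamma: e.gamma || 0 };
  });
  win.addEventListener('devicemotion', (e) => {
    const a = e.accelerationIncludingGravity || {};
    motionSamples.push({ t: e.timeStamp, ax: a.x || 0, ay: a.y || 0, az: a.z || 0, ...tilt });
  });
  // Tap times are the labels the readings get lined up against.
  win.addEventListener('touchstart', (e) => taps.push(e.timeStamp));
}
if (typeof window !== 'undefined') startCapture(window);

// Cut the samples within +/- halfWindowMs of each tap into one window per tap.
function segmentByTaps(samples, tapTimes, halfWindowMs) {
  return tapTimes.map((tt) => samples.filter((s) => Math.abs(s.t - tt) <= halfWindowMs));
}

// Mean, standard deviation and range of a list of readings.
function stats(values) {
  const n = values.length;
  const mean = values.reduce((a, b) => a + b, 0) / n;
  const variance = values.reduce((a, b) => a + (b - mean) ** 2, 0) / n;
  return { mean, std: Math.sqrt(variance), range: Math.max(...values) - Math.min(...values) };
}

// Per-window feature vector: three statistics for each of the five channels.
function featureVector(win) {
  const out = {};
  for (const k of ['ax', 'ay', 'az', 'beta', 'gamma']) {
    const s = stats(win.map((x) => x[k]));
    out[k + 'Mean'] = s.mean;
    out[k + 'Std'] = s.std;
    out[k + 'Range'] = s.range;
  }
  return out;
}

// Constructed stream (assumption, not measured data): 50 Hz readings of a phone
// held at 45 degrees, with a 3 degree roll to the left lasting 80 ms around a
// tap at t = 500 ms, as a key near the left edge of the keypad might produce.
function constructedSamples() {
  const out = [];
  for (let t = 0; t <= 1000; t += 20) {
    const nearTap = Math.abs(t - 500) <= 40;
    out.push({ t, ax: 0, ay: 0, az: 9.8, beta: 45, gamma: nearTap ? -3 : 0 });
  }
  return out;
}

// Features for the one constructed tap; gammaRange is what separates this
// window from a tap that did not tilt the phone.
function demoFeatures(halfWindowMs = 100) {
  const windows = segmentByTaps(constructedSamples(), [500], halfWindowMs);
  return featureVector(windows[0]);
}

console.log(demoFeatures());
```

The real study's classifier was trained on many such windows from many users; what matters here is that nothing in this script asks the user for anything, and that the only defence the page itself controls is which events the browser is willing to deliver.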

That’s not all that a smartphone sensor could divulge about its user, she adds. “These sensors are very accurate, so they can figure out various slight changes that happen on the device. So it could reveal a lot of information about the user, as we proved: PIN, touch actions.”

And then there’s our personal activity data: “People know about all of these fitness trackers, if you're sitting, walking, running and all those other physical activities,” she says. (According to a Newcastle University press release, her team is looking into the security of fitness devices next.)

The simplest solution would be to require that mobile apps and web pages ask permission to access any of a phone’s sensors. But that’s not likely, Mehrnezhad says — modern phones just have too many of them.

“It could be very unusable for the users to get notification for each single use, every time that they open a web application or when they install an app,” she says. “So it's a battle between security and usability, really.”

For now, she says, her team is working with industry to develop fixes. Until one ships, she suggests that individual users take basic steps to keep their sensor data private: change passwords and PINs regularly, and close apps or browser tabs you are not using rather than leaving them running in the background, since a page left open can keep receiving sensor readings.

“You can also uninstall the apps that you no longer need,” she adds. “Also, keeping your operating system updated would help all the time, and installing applications from approved app stores would help as well.”

This article is based on an interview that aired on PRI's Science Friday.
