A smartphone"s internal sensors may be able to provide hackers with a way to steal your PIN and passwords, according to a new study.
Researchers over at Newcastle University in the UK analyzed the movement of the smartphone while the keyboard is being used. They found through tests that they were able to crack passwords with 70% accuracy on the first guess, and 100% on the fifth attempt. This is just by using the data collected via smartphones" numerous internal sensors.
Despite this threat, the study acknowledges that people are unaware of the risks and that most users have no idea what sensors actually do on a smartphone.
Smartphones and tablets today are equipped with a number of sensors like the GPS, camera, microphone, and less known ones like the gyroscope, compass, NFC, and accelerometer, among many others.
"But because mobile apps and websites don’t need to ask permission to access most of them, malicious programs can covertly ‘listen in’ on your sensor data and use it to discover a wide range of sensitive information about you such as phone call timing, physical activities and even your touch actions, PINs and passwords," said Dr. Maryam Merhnezhad, a Research Fellow in the School of Computing Science and lead author on the paper. She goes on to explain further:
More worrying, on some browsers, we found that if you open a page on your phone or tablet which hosts one of these malicious code and then open, for example, your online banking account without closing the previous tab, then they can spy on every personal detail you enter. And worse still, in some cases, unless you close them down completely, they can even spy on you when your phone is locked.
Despite the very real risks, when we asked people which sensors they were most concerned about we found a direct correlation between perceived risk and understanding. So people were far more concerned about the camera and GPS than they were about the silent sensors.
The study goes on to indicate that sensors have helped in the boom in mobile gaming and health and fitness apps, which will include those in the Internet of Things (IoT).
Furthermore, they found that every user touch action, such as clicking scrolling, holding, or tapping induces a unique orientation and motion trace. This makes snooping people able to determine what part of the page the user was interacting with, and what they were typing.
The team stated that they have alerted major browser providers like Google and Apple regarding risks, but so far, no one has reportedly been able to come up with an answer.
Source: Newcastle University via ESET