Hackers can steal pin numbers or passwords from the way users' devices tilt as they type on them, researchers claimed.
Researchers at Newcastle University tried to guess four-digit pins, and the results were a shocking 70% accurate at the first attempt. They used the gyroscopes that are built into almost all smartphones to guess the pin numbers. With just 5 attempts the research team was able to guess the pin with 100% accuracy.
Hackers look for loopholes to break into a phone or system. Websites handle sensitive information carefully: they ask for the user's permission to send or receive such data. But device orientation is not considered sensitive, and that data is sent or received without the user's permission.
Dr Maryam Mehrnezhad, a researcher in the School of Computing Science, said: “Most smartphones, tablets, and other such devices are now equipped with a multitude of sensors, from GPS, camera and microphone to instruments such as the gyroscope, rotation sensors and accelerometer.
“In reality, mobile apps and websites don’t require permission to access most of these sensors; malicious programs can sneak in and ‘listen in’ on your sensor data, and later they can use it to discover a wide range of sensitive information on your device, such as phone call timing, physical activities and even your touch patterns, passwords and Pins.”
Websites need to ask permission from users to access sensitive information, such as location data, or to access sensors such as the cameras or microphones on a device. But some information, such as the orientation of the device or the size of its screen, is considered non-sensitive and generally shared with any site that asks for it to enable interactivity and responsive webpages.
Thankfully, to train the system to enough precision to be able to guess even a simple four-digit pin (and most smartphones require a six-digit, or longer, password), the researchers required a lot of data from users: each had to type 50 known pin numbers in, five times over, before it learned enough about how they hold their phones to guess a hidden pin with 70% accuracy.
But with no uniform way of managing sensors across the industry, when research such as Mehrnezhad’s shows flaws, it can be difficult for manufacturers to give a coordinated response.
“Despite the very real risks, when we asked people which sensors they were most concerned about we found a direct correlation between perceived risk and understanding,” she said. “So people were far more concerned about the camera and GPS than they were about the silent sensors.”
The team was able to identify 25 different sensors that came as standard on most smart devices and were used to give different information about the device and its user.
The researchers found that each user touch action – clicking, scrolling, holding and tapping – induced a unique orientation and motion trace, and so, on a known webpage, the team was able to determine what part of the page the user was clicking on and what they were typing.
They said they had alerted leading browser providers such as Google and Apple to the risks, but so far no one had been able to come up with an answer.