Researchers say certain instruments in today’s smartphones could enable hackers to guess a user’s PIN.
A new study, led by Dr. Shivam Bhasin of Nanyang Technological University, Singapore (NTU), found that sensors common to most smartphones, such as the accelerometer, gyroscope, and proximity sensor, may represent a significant security vulnerability.
Using a combination of information gathered from six different sensors found in smartphones and machine learning algorithms, the researchers were able to unlock Android smartphones with a 99.5 percent accuracy within just three tries when the device had one of the 50 most common PIN numbers.
Shows which numbers were pressed
Researchers used the sensors in a smartphone to show which number had been pressed by its user based on how the phone was tilted and how much light was blocked by the thumb or fingers.
“The hack exploits unintentional physical activity of the phone that is captured by the sensors.
When a user enters their PIN, the sensors detect activity,” Bhasin, senior research scientist at the Temasek Laboratories at NTU, told ConsumerAffairs.
“This activity is slightly different for each digit and can be distinguished for each digit.
Using machine learning algorithms, a PIN recovery mechanism is developed on this idea, to find the whole 4-digit PIN.”
Beat previous success rate
The technique the researchers used beat the previous best phone-cracking success rate of 74 percent for the 50 most common PIN numbers.
The hack showed that by measuring the phone's unintentional physical activity through its sensors, it's possible to capture a user's private data. Although the study was limited to PIN numbers, the researchers say other private data (like a user's daily routine) could potentially be exploited.
The researchers say the hack can be used to guess all 10,000 possible combinations for four-digit PINs. However, for the proposed hack to take place, the attacker would need a malicious app to access sensor data.
To keep cell phones safe, Bhasin recommends being extremely selective about apps and websites, as hackers typically bury malware in seemingly harmless features.
The researchers also recommend choosing PINs with more than four digits, as well as using secondary identification, like fingerprint scans, two-factor authentication, or facial recognition software where applicable.
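To make the mechanism concrete and to show why the longer-PIN recommendation holds, here is an added simulation (not code from the NTU study or from ConsumerAffairs). It models each keypress as a tilt/light signature on a hypothetical 3x4 keypad, adds synthetic noise, learns a nearest-centroid classifier from labelled readings, and measures how often a random PIN is recovered within three guesses for 4-digit versus 6-digit PINs. Every sensor value, the keypad geometry, the tilt scale and the noise level are constructed assumptions.

```python
"""Toy model of the sensor side channel described in the article: each keypress
leaves a slightly different tilt/light signature, and a classifier trained on
labelled signatures ranks candidate digits. All sensor values are CONSTRUCTED
(synthetic); no real device data or real sensor API is involved."""
import math
import random
from itertools import product

# Hypothetical keypad geometry: (column, row) of each digit on a 3x4 keypad.
KEYPAD = {"1": (0, 0), "2": (1, 0), "3": (2, 0),
          "4": (0, 1), "5": (1, 1), "6": (2, 1),
          "7": (0, 2), "8": (1, 2), "9": (2, 2),
          "0": (1, 3)}
TILT_SCALE = 2.0   # assumed: units of tilt per key column/row
NOISE_SIGMA = 0.6  # assumed: sensor noise plus hand jitter


def true_signature(digit):
    """Noise-free (tilt_x, tilt_y, light_blocked) for a digit (constructed model)."""
    col, row = KEYPAD[digit]
    return ((col - 1) * TILT_SCALE, (row - 1.5) * TILT_SCALE, 0.2 + 0.15 * row)


def sample_signature(digit, rng):
    """One noisy sensor reading captured during a keypress."""
    return tuple(v + rng.gauss(0, NOISE_SIGMA) for v in true_signature(digit))


def train_centroids(rng, samples_per_digit=50):
    """Learn a nearest-centroid model from labelled readings (the training phase)."""
    centroids = {}
    for d in KEYPAD:
        pts = [sample_signature(d, rng) for _ in range(samples_per_digit)]
        centroids[d] = tuple(sum(p[i] for p in pts) / len(pts) for i in range(3))
    return centroids


def rank_digits(reading, centroids):
    """Digits ordered most-likely first, each with a normalised score."""
    scored = []
    for d, c in centroids.items():
        dist2 = sum((a - b) ** 2 for a, b in zip(reading, c))
        scored.append((d, math.exp(-dist2 / (2 * NOISE_SIGMA ** 2))))
    total = sum(s for _, s in scored) or 1.0
    return sorted(((d, s / total) for d, s in scored), key=lambda x: -x[1])


def top_pin_candidates(readings, centroids, k=3, per_digit=3):
    """Combine per-position digit rankings into the k most likely whole PINs."""
    per_pos = [rank_digits(r, centroids)[:per_digit] for r in readings]
    cands = []
    for combo in product(*per_pos):
        prob = 1.0
        for _, p in combo:
            prob *= p
        cands.append(("".join(d for d, _ in combo), prob))
    cands.sort(key=lambda x: -x[1])
    return [pin for pin, _ in cands[:k]]


def per_digit_accuracy(centroids, rng, trials=2000):
    """Fraction of single noisy keypresses whose digit is ranked first."""
    ok = 0
    for _ in range(trials):
        d = rng.choice(list(KEYPAD))
        ok += rank_digits(sample_signature(d, rng), centroids)[0][0] == d
    return ok / trials


def recovery_rate(pin_len, centroids, rng, trials=1000, tries=3):
    """Fraction of random PINs of length pin_len recovered within `tries` guesses."""
    digits = list(KEYPAD)
    hits = 0
    for _ in range(trials):
        pin = "".join(rng.choice(digits) for _ in range(pin_len))
        readings = [sample_signature(d, rng) for d in pin]
        if pin in top_pin_candidates(readings, centroids, k=tries):
            hits += 1
    return hits / trials


def run_demo(seed=7):
    """Train once, then compare per-digit accuracy and 4- vs 6-digit recovery."""
    rng = random.Random(seed)
    centroids = train_centroids(rng)
    return {"digit_acc": per_digit_accuracy(centroids, rng),
            "pin4_top3": recovery_rate(4, centroids, rng),
            "pin6_top3": recovery_rate(6, centroids, rng)}


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value:.3f}")
```

Because each extra digit multiplies in another imperfect classification, the recovery rate within a fixed number of guesses falls as the PIN gets longer, which is the reasoning behind the longer-PIN advice. The same structure also shows why the raw sensor stream is sensitive data in its own right: the classifier needs nothing but readings time-aligned with keypresses.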
The full study has been published online in the Cryptology ePrint Archive.