A new study out of NTU (Nanyang Technological University, Singapore) indicates that hackers could use a smartphone's internal sensors to crack users' PIN codes. NTU researchers say that all of the tech bits inside your phone — including the proximity sensor, gyroscope, and accelerometer — are a potential security vulnerability. The researchers used data from six sensors found in today's smartphones, along with algorithms and machine learning, to crack PIN codes on some Android smartphones. They reached a 99.5% accuracy rate when hacking phones that used one of the 50 most common PIN codes.
Previously, researchers were able to crack the 50 most common PIN codes with a 74% accuracy rate. The researchers at NTU have come up with a formula that can guess all 10,000 possible four-digit PIN combinations, which is why their accuracy rate is higher. The researchers claim this is a security flaw because the sensors require no special permissions to be used and are openly available.
The team of researchers took Android phones and installed a custom application which collected data from six sensors: accelerometer, gyroscope, magnetometer, proximity sensor, barometer, and ambient light sensor.
“When you hold your phone and key in the PIN, the way the phone moves when you press 1, 5, or 9, is very different. Likewise, pressing 1 with your right thumb will block more light than if you pressed 9,” explains Dr. Bhasin, who spent 10 months with his colleagues, Mr. David Berend and Dr. Bernhard Jungk, on the project.
The classification algorithm was trained with data collected from three people, who each entered a random set of 70 four-digit PINs on a phone. At the same time, the custom application recorded the corresponding sensor readings.
Known as deep learning, the classification algorithm was able to give different weightings of importance to each of the sensors, depending on how sensitive each was to different numbers being pressed. This helps eliminate factors which it judges to be less important and increases the success rate for PIN retrieval.
Although each individual enters the security PIN on their phone differently, the scientists showed that as data from more people is fed to the algorithm over time, success rates improved.
So while a malicious application may not be able to correctly guess a PIN immediately after installation, it could use machine learning to collect sensor data from thousands of users' phones over time, learn their PIN entry patterns, and launch an attack later when the success rate is much higher.
Personally, I’m not sure how much this hack would affect most regular users but it is certainly something to talk about. The press release doesn’t mention Apple’s iPhone but that doesn’t mean the hack couldn’t be used on iOS as well.
Last Updated on December 26, 2017.