Posted on January 2, 2018 at 5:05 PM
Smartphone Sensors Discovered To Expose Four-Digit PINs to Hackers
Singapore researchers recently discovered that hackers can compromise a smartphone device to gain access to its four-digit PIN.
Smartphones, especially Android-based smartphone devices, has served as a playground for cybercriminals in the last year, as hackers continue to experiment with new news to compromise and infiltrate devices. Researchers from Nanyang Technology University (NTU) in Singapore, recently discovered a new hacking technique wherein which hackers can compromise a device’s sensors to gain access to the four-digit PIN.
Hackers seem to be able to access a device’s four-digit PIN by compromising the device’s sensors. According to researchers, this technique worked 99.5% of the time to unlock a device. The researchers tested the technique by monitoring information from six different sensors on an Android smartphone. The sensor monitoring allowed the researchers to correctly guess the device’s four-digit PIN.
The researchers asked three individuals enter random 4-digit PIN codes around 70 different times in total. After the PIN was selected, the researchers exploited the sensors and used machine learning to guess the correct pin. The researchers tested six sensors which included the proximity sensor, the magnetometer, barometer, accelerometer, ambient light sensor, and gyroscope. According to the team, the gyroscope with the accelerometer conveyed the most accurate data, which allowed the team to hit 10,000 4-digit codes every time. The particular device they used had one of the 50 most commonly used PINs.
The researchers were able to guess the four-digit codes with 100% accuracy. This is remarkable as similar previous research conducted by the Newcastle University, only reached an accuracy rate of 70%.
The team noted that this latest finding emphasizes a critical flaw in smartphone device security. A smartphone device’s sensors do not operate on permission-basis and can, therefore, be easily accessed and subsequently exploited.
According to the team’s lead researcher, Shivam Bhasin, the very way in which a user enters their PIN reveals a lot about the PIN itself. For example, the sensors reveal the way in which a user’s hand moves around the screen to reach the different numbers.
In addition, the researchers noted that several malicious apps could exploit this vulnerability since several apps could claim to require data provided by sensors, which could be abused to compromise the device. The team recommended that users use PINs longer than four digits. In addition, the team suggested using fingerprint or facial recognition instead. However, the researchers noted that smartphone manufacturers will have to rethink the way in which their device store data from sensors.
In a paper which reported their findings, the research team noted that by prohibiting the maximum operating frequency, attacks can be reduced. The research team also added that it could also help if sensors are disabled while the PIN is entered. However, the team cautioned that these were just temporary solutions.
Interestingly, the researchers found that the algorithm they used became more accurate if it received more data. This suggests that even if fraudulent apps can’t guess the PIN correctly upon the first attempt, it will be able to guess it correctly eventually with enough machine learning.
Dr. Bhasin has urged mobile operating system developers to modify operating systems so that a device’s sensors would be disabled while entering the PIN and that users should be wary of which permissions they give. The research team, which consisted of Dr. Bhasin, David Berene, and Bernhard Jungk, spent 10 months on this research endeavor and published their results in Cryptology ePrint archive during December 2017.