Hackers Can Access Smart Phones Using Sensor Data

A research group in Singapore has demonstrated that data from sensors embedded within smart phones can allow hackers to derive PIN numbers and access devices remotely.

AsianScientist (Jan. 8, 2018) – Scientists in Singapore have revealed that data from physical sensors in a smart phone could be used by hackers to guess the security PIN and unlock the phone. They report their findings in the open-access publication Cryptology ePrint Archive.

Instruments in smart phones such as the accelerometer, gyroscope and proximity sensors enable us to do many things with a single device. However, a team of researchers at Nanyang Technological University (NTU), Singapore, led by Dr. Shivam Bhasin, revealed that these sensors could provide hackers with a means to unlock the devices remotely, thus presenting a security risk.

Using information gathered from six different sensors found in smart phones, analyzed with state-of-the-art machine learning and deep learning algorithms, the researchers succeeded in unlocking Android smart phones with a 99.5 per cent accuracy within only three tries. The phones had been locked with one of the 50 most common PIN numbers.

The previous best phone-cracking success rate was 74 per cent for the 50 most common PIN numbers, but NTU’s technique can be used to guess all 10,000 possible combinations of four-digit PINs.

Although each individual enters the security PIN on their phone differently, the scientists showed that as data from more people is fed to the algorithm over time, success rates of guessing the PINs improved.

So while a malicious application may not be able to correctly guess a PIN immediately after installation, using machine learning, it could collect data from thousands of users over time from each of their phones to learn their PIN entry pattern and then launch an attack later, when the success rate is much higher.

“When you hold your phone and key in the PIN, the way the phone moves when you press 1, 5, or 9, is very different. Likewise, pressing 1 with your right thumb will block more light than if you pressed 9,” explained Bhasin.

Professor Gan Chee Lip, Director of the Temasek Laboratories at NTU, said this study shows how devices with seemingly strong security can be attacked using a side-channel, as sensor data could be diverted by malicious applications to spy on user behavior and help to access PIN and password information, and more.

“Along with the potential for leaking passwords, we are concerned that access to phone sensor information could reveal far too much about a user’s behavior. This has significant privacy implications that both individuals and enterprises should pay urgent attention to,” said Gan.

Bhasin added that it would be advisable for mobile operating systems to restrict access to these six sensors in the future, so that users can actively choose to give permissions only to trusted apps that need them.

To keep mobile devices secure, the researchers advised users to use PINs with more than four digits, coupled with other authentication methods like one-time passwords, two-factor authentication and fingerprint or facial recognition.



The article can be found at: Berend et al. (2017) There Goes Your PIN: Exploiting Smartphone Sensor Fusion Under Single and Cross User Setting.

———

Source: Nanyang Technological University; Photo: Pexels.