We’ve all seen movies and television shows where a hacker sprinkles powder on the pin pad to reveal latent fingerprints and guesses the passcode using the most pressed buttons. What if I told you that hackers can now use the gyroscope data and machine learning to guess your pin number?
Researchers from Newcastle University managed to guess a four-digit pin with 70% accuracy on their first try and correctly unlocked the phone 100% of the time after their fifth guess. So if you have a four-digit pin and your phone allows more than five guesses before locking you out, your phone is potentially insecure. Now before you go change your pin (which you should do periodically anyways), know that this theoretical hack faces significant hinderances for real world use — for now.
How Does This Work?
While websites and apps need to ask for your permission to access sensitive information such as GPS, camera, or microphones on your cell phone, malicious programs can covertly collect “non-sensitive” information such as screen size, phone orientation, and touch actions without your consent. Websites usually collect this information to enable better interactivity and responsiveness on mobile view.
Dr. Maryam Mehrnezhad’s team used this loophole to collect user touch actions (tapping, scrolling, holding down) and the corresponding phone orientation. This information was fed into a machine learning algorithm to classify which digit the user pressed given the gyroscope’s output. While the program required entering 50 known pin numbers at least five times to achieve high accuracy, one can imagine a malicious website silently collecting this information over a long stretch of time before putting it to use.
Given the wide fragmentation in the phone industry — and the IoT industry as a whole — Dr. Mehrnezhad highlighted the difficulty in forming a coordinated response from manufacturers and app makers. What’s more troubling is people’s misguided perception of risk:
“Despite the very real risks, when we asked people which sensors they were most concerned about we found a direct correlation between perceived risk and understanding. So people were far more concerned about the camera and GPS than they were about the silent sensors.”
What Does This Mean for Me?
Dr. Mehrnezhad’s team alerted Google and Apple about the security risks, but no one has immediate answers for this theoretical hack. Currently, this hack is only in the research phase. A user would have to allow a website or app to collect this latent information. Also, the algorithm currently works for four-digit pins and would require more training data for other smartphones that use alphanumeric passwords longer than four characters.
Still, the concern lingers. In 2015, another research team reported a loophole that was used to track users via battery status. By 2016, various firms were using this hack to track user behavior based on the information given by the battery status API. Eventually, Firefox was forced to disable this feature given the privacy concerns.
While IoT security is a hot topic nowadays, we often forget that our smartphones also constitute an IoT device, full of more than 25 smart sensors. The conversation about IoT security should extend to all devices given the loopholes that researchers with tuned machine learning algorithms are now discovering.